
Executive Summary
- Device code phishing is a cyberattack that exploits Microsoft’s device code authentication, tricking you into granting access to email, cloud apps, and data – no password needed.
- A group known as ‘Storm-2372’ has been using this tactic to obtain authentication tokens, which are basically the keys to user accounts, giving them access to emails, cloud apps, and other business-critical data.
- In this article we’ll break down how device code phishing works, who’s behind the recent campaigns, and – most importantly – how you can stop them in their tracks.
Introduction
It’s easy to assume that the biggest cyberattacks target the biggest companies.
There was a time that may have been true, but today, with so many companies relying on cloud-based systems, cybercriminals are going after… pretty much everyone.
One of the biggest risks right now comes from a relatively new attack vector called device code phishing. Microsoft itself has been tracking a cybercrime group called “Storm-2372” which uses this type of attack as its weapon of choice.
Here’s everything you need to know about this new threat – and how to mitigate it.
What is device code phishing?
Device code phishing abuses Microsoft’s device code authentication flow. If you’ve ever signed into a cloud service on something like a smart TV or a printer, you’ll already be familiar with how it works.
Instead of typing a password on the device itself (usually because it has no keyboard, or one too clunky to be practical), users go to a separate login page on their phone or laptop, enter a short code, authenticate, and the device is then signed in to their account.
Scammers like Storm-2372 exploit this process by sending phishing emails or fake meeting invites that contain a device code. When a user enters it on the legitimate Microsoft page, they unknowingly authorise the attacker’s device rather than their own.
Once they’re in, they stay in. These authentication tokens stay valid for a while, meaning attackers can keep coming back without needing your password.
How a device code phishing attack happens, step by step
Device code phishing is similar to MFA phishing in that it intercepts an authentication code on a third-party device like a smartphone. But how does it work in the real world?
Here’s an example of how a device code phishing attack might play out.
1. The bait
First, you’ll get an email, WhatsApp, or Microsoft Teams message from what looks like a trusted colleague. It might say: “Hey [Your Name], I’ve set up a quick Teams meeting. Just log in here before joining: [malicious link]”
2. Fake page, real code
That link takes you to a convincing (but very much fake) Microsoft Teams page. It instructs you to enter a device code to verify your identity.
3. You enter the code (on a real Microsoft site)
The code looks legitimate, so you go to https://microsoft.com/devicelogin and enter it. The bit you don’t know? That code was actually generated by the hacker, and you’ve just unwittingly granted access to their device.
4. The hacker gets into your account
Boom. Microsoft now treats their device as yours. They can now read your emails and access your Microsoft 365 apps (OneDrive, SharePoint, Teams, etc.), download sensitive files, and even send phishing emails posing as you to attack others in your company.
5. They move deeper into your business
Now that they’re in your inbox, they start impersonating you – phishing your colleagues, searching for passwords, and digging into confidential documents.
6. They register their own device for long-term access
Malicious actors have been known to register their own device in Microsoft Entra ID (formerly Azure AD). This means they can keep accessing your systems even if you change your password.
Once they’re in, they don’t need to phish you again, because they already have the keys.
How to protect your business
Admittedly, everything we’ve covered so far probably sounds pretty concerning – but don’t worry. With the right measures in place, you can mitigate the risk of device code phishing for your business and your individual team members.
Here are 5 ways to do just that.
1. Turn off device code authentication (if you don’t need it)
The easiest way to prevent device codes from being exploited is to turn them off altogether. If you don’t use Microsoft’s device code flow, you can disable it in Microsoft Entra ID. If you really must use it, restrict it to trusted locations and devices. Here’s a guide on how to do that, but our team is also here to help.
2. Train employees to spot phishing attempts
As always, the human element will often be the weakest link in the chain. Phishing attempts commonly look like last-minute meeting invites or urgent sign-in requests, so it’s wise to train employees to verify before clicking any login request.
3. Use phishing-resistant MFA
Even though device code phishing bypasses basic MFA, strong passwordless authentication methods (like Microsoft Authenticator passkeys or FIDO2 security keys) make it much harder for attackers to gain persistent access.
4. Watch for suspicious logins – and shut them down fast
Be sure to turn on “sign-in risk” policies in Microsoft Entra ID to detect and flag unusual logins. If your team spots a suspicious device code sign-in, have them revoke the user session immediately. Again, here’s a guide on how to do this, but feel free to ask our team for assistance.
5. Use Conditional Access to block risky logins
Finally, we recommend setting up Conditional Access policies to automatically block or challenge sign-ins from unfamiliar locations or devices, or after multiple failed attempts. More info on that is available here.
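To make measure 4 concrete, here is an added example (not code from the original article) that runs the kind of check described above over a handful of constructed Microsoft Entra sign-in and audit log records: it pulls out every device code flow sign-in, flags those from a country the user has not signed in from before, and flags those followed shortly afterwards by a “Register device” event, the long-term persistence step from the attack walkthrough. The field names are assumed to follow the Microsoft Graph signIn and directoryAudit schemas; the users, IPs, timestamps and baseline countries are all made up for the example.

```python
import json
from datetime import datetime, timedelta

# Constructed sample data in the shape of Entra sign-in and audit log exports (JSON lines).
# Field names are assumed to match the Graph signIn/directoryAudit schemas; the values are invented.
SIGNIN_LOG = """
{"createdDateTime":"2025-02-10T09:02:11Z","userPrincipalName":"alice@example.com","authenticationProtocol":"deviceCode","ipAddress":"203.0.113.10","location":{"countryOrRegion":"GB"}}
{"createdDateTime":"2025-02-10T09:15:40Z","userPrincipalName":"bob@example.com","authenticationProtocol":"ropc","ipAddress":"198.51.100.7","location":{"countryOrRegion":"GB"}}
{"createdDateTime":"2025-02-10T11:48:03Z","userPrincipalName":"carol@example.com","authenticationProtocol":"deviceCode","ipAddress":"192.0.2.55","location":{"countryOrRegion":"RU"}}
"""
AUDIT_LOG = """
{"activityDateTime":"2025-02-10T12:20:00Z","activityDisplayName":"Register device","initiatedBy":{"user":{"userPrincipalName":"carol@example.com"}}}
"""
# Countries each user normally signs in from (in practice, built from a baseline query of past sign-ins).
KNOWN_COUNTRIES = {"alice@example.com": {"GB"}, "carol@example.com": {"GB"}}


def parse_jsonl(text):
    """Parse one JSON record per line, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def _ts(value):
    """Convert an ISO-8601 timestamp with a trailing Z into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def find_suspicious_device_code_signins(signins, audits, known, window=timedelta(hours=24)):
    """Return every device code flow sign-in with the reasons it deserves review."""
    registrations = [a for a in audits if a.get("activityDisplayName") == "Register device"]
    findings = []
    for s in signins:
        if s.get("authenticationProtocol") != "deviceCode":
            continue  # only the device code flow is in scope here
        user = s["userPrincipalName"]
        reasons = ["device code flow sign-in"]
        country = s.get("location", {}).get("countryOrRegion")
        if country not in known.get(user, set()):
            reasons.append(f"new country {country}")
        signed_in_at = _ts(s["createdDateTime"])
        for r in registrations:
            who = r["initiatedBy"]["user"]["userPrincipalName"]
            delta = _ts(r["activityDateTime"]) - signed_in_at
            if who == user and timedelta(0) <= delta <= window:
                reasons.append("device registered shortly after sign-in")
        findings.append({"user": user, "ip": s["ipAddress"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_suspicious_device_code_signins(parse_jsonl(SIGNIN_LOG), parse_jsonl(AUDIT_LOG), KNOWN_COUNTRIES):
        print(f["user"], f["ip"], "; ".join(f["reasons"]))
```

Every device code sign-in is returned so that none is missed; the number of reasons attached is what tells an analyst which session to revoke first.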
Want more expert advice on keeping your business safe?
The steps we’ve covered above should give you a solid grounding to mitigate the risk of device code phishing, but it’s an ever-present threat.
There are other ways you can improve your cybersecurity posture outside of these newer MFA phishing techniques, so if you’d like any advice from our team of experts, just ask your Customer Success Manager or call the team today on 01865 594000.