Device Code Phishing Explained—And How to Protect Against It
- Kristen Hubbard, HBS Practice Manager - Penetration Testing
- Read Time: 4 mins
In this article...
- What is device code phishing?
- How device code authentication works
- How attackers exploit the process
- Real-world example: Storm-2372
- How to protect your users and environment
Cyber crime—by and large—is subtle. One of the latest tactics, device code phishing, uses real login pages and real authentication codes to sneak into your accounts. Here’s how it works—and how to stop it.
What Is Device Code Phishing?
Device code phishing is a fairly new kind of social engineering attack that tricks users into approving unauthorized access to their accounts—on a real login page, using a real code. The scary part? There’s no fake site or suspicious link to flag. It’s all legitimate—except the intent.
This method made headlines earlier this year when Microsoft revealed a phishing campaign by a nation-state threat actor, Storm-2372, targeting Microsoft 365 users through this technique.
What Is a Device Code?
You’ve probably used one—without knowing the name.
Device code authentication is a secure, user-friendly way to log in on devices where typing credentials is a pain—like TVs, printers, gaming consoles, etc.
Instead of entering a full username and password on the device, the device shows you a short code. You go to a secure website (like microsoft.com/devicelogin) on a separate device, enter that code, and complete the normal sign-in there: username, password, and MFA. The original device, which has been waiting for that approval, is then signed in as you. This binds the original device to your identity.
Simple. Convenient. Trusted.
That trust is exactly what attackers are exploiting.
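The exchange described above, as an added example that is not code from this article or from Microsoft: a toy authorization server in Python that walks the three steps of the OAuth 2.0 device authorization grant (RFC 8628). The host login.example.test, the client id smart-tv-app and the user alice@example.test are constructed; a real identity provider keeps this state server-side and returns it over HTTPS. The point to notice is in the comments: the approval page can map a user code to an application, but it has no way to tell who is holding the matching device code.

```python
"""Toy model of the OAuth 2.0 device authorization grant (RFC 8628).

Constructed for illustration: state lives in memory instead of at a real
identity provider, and endpoint names follow the RFC, not any vendor's API.
"""
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

# RFC 8628 suggests a user code alphabet without vowels or look-alike symbols;
# 8 characters from this 20-symbol alphabet give roughly 34 bits of entropy.
USER_CODE_ALPHABET = "BCDFGHJKLMNPQRSTVWXZ"


@dataclass
class PendingAuthorization:
    device_code: str          # long secret, held only by the device that started the flow
    user_code: str            # short code the human types on a second device
    client_id: str            # which application asked (e.g. "smart-tv-app")
    expires_at: float
    interval: int = 5         # minimum seconds between device polls
    approved_by: Optional[str] = None
    access_token: Optional[str] = None


class DeviceAuthorizationServer:
    """Minimal authorization server exposing the three RFC 8628 steps."""

    def __init__(self, now: Callable[[], float] = time.time) -> None:
        self.now = now  # injectable clock so expiry can be tested
        self.by_device_code: Dict[str, PendingAuthorization] = {}
        self.by_user_code: Dict[str, PendingAuthorization] = {}

    def device_authorization(self, client_id: str, lifetime: int = 900) -> dict:
        """Step 1: the device POSTs to the device authorization endpoint and
        receives a code pair. Nothing here proves who is sitting at the device."""
        device_code = secrets.token_urlsafe(32)
        user_code = "-".join(
            "".join(secrets.choice(USER_CODE_ALPHABET) for _ in range(4)) for _ in range(2)
        )
        pending = PendingAuthorization(device_code, user_code, client_id, self.now() + lifetime)
        self.by_device_code[device_code] = pending
        self.by_user_code[user_code] = pending
        return {
            "device_code": device_code,
            "user_code": user_code,
            "verification_uri": "https://login.example.test/device",  # constructed host
            "expires_in": lifetime,
            "interval": pending.interval,
        }

    def approve(self, user_code: str, username: str, password_ok: bool, mfa_ok: bool) -> dict:
        """Step 2: on a second device the user opens verification_uri, types the
        user code and completes a normal sign-in (password + MFA). The server can
        map user_code -> client_id, but it cannot tell who holds device_code."""
        pending = self.by_user_code.get(user_code.strip().upper())
        if pending is None or self.now() > pending.expires_at:
            return {"error": "invalid_or_expired_code"}
        if not (password_ok and mfa_ok):
            return {"error": "authentication_failed"}
        pending.approved_by = username
        pending.access_token = secrets.token_urlsafe(24)
        return {"status": "approved", "client_id": pending.client_id}

    def token(self, device_code: str) -> dict:
        """Step 3: the device polls the token endpoint with
        grant_type=urn:ietf:params:oauth:grant-type:device_code. Whoever holds
        device_code receives the token once any user has approved user_code."""
        pending = self.by_device_code.get(device_code)
        if pending is None:
            return {"error": "invalid_grant"}
        if self.now() > pending.expires_at:
            return {"error": "expired_token"}
        if pending.approved_by is None:
            return {"error": "authorization_pending"}
        return {"access_token": pending.access_token, "token_type": "Bearer",
                "subject": pending.approved_by}


def run_flow(server: DeviceAuthorizationServer, client_id: str, user: str) -> dict:
    """Walk the three steps once and return what each party saw."""
    issued = server.device_authorization(client_id)
    first_poll = server.token(issued["device_code"])       # before approval: pending
    approval = server.approve(issued["user_code"], user, True, True)
    second_poll = server.token(issued["device_code"])      # after approval: token
    return {"first_poll": first_poll, "approval": approval, "second_poll": second_poll}


if __name__ == "__main__":
    import json
    demo = run_flow(DeviceAuthorizationServer(), "smart-tv-app", "alice@example.test")
    print(json.dumps(demo, indent=2))
```

Running the module prints the pending poll, the approval record and the token that the original device finally receives. The only binding between the human's approval and the device is the code pair itself, which is why the rest of this article turns on who started the flow.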
How Device Code Phishing Works
In a device code phishing attack, the bad actor initiates the device login flow themselves—using a legitimate service. They get a real device code from a real service like Microsoft.
Then, they send that code to you via a phishing email or chat, asking you to go to the real Microsoft login site and type it in. Maybe they say it’s part of a Teams invite or an urgent security update.
If you do it? You just authenticated their device with your account. Now they’re inside, with your access—and possibly your role and privileges. No password stolen. No MFA prompt bypassed. Just a legitimate device, now recognized as yours.
And unless the resulting session is revoked or its tokens expire, the attacker could remain logged in—undetected—for days or weeks.
Real-World Device Code Phishing Example: Storm-2372
Microsoft linked this technique to a threat actor they call Storm-2372—believed to be a Russian state-sponsored group. Their campaign targeted government, defense, and IT service providers using fake Teams messages to launch the attack.
- The link? Real
- The device code? Real
- The phishing message? Highly convincing
Once access was granted, Storm-2372 moved laterally, collected sensitive information, and escalated privileges—all under the radar.
Why Device Code Phishing Is So Dangerous
Most phishing education teaches users to look for fake websites, strange domains, and suspicious requests. But with device code phishing:
- The site is real (like microsoft.com)
- The code is real
- The phishing message feels routine
That’s why device code phishing can bypass traditional defenses and user instincts.
How to Fight Against Device Code Phishing
1. Educate Your Users
Teach employees that they, and only they, should be the one who starts any login process involving a device code. If a device code arrives unexpectedly—especially via email or chat—it’s a red flag.
Ask:
- Did I start a login flow?
- Am I expecting to enter a code?
- Does the request feel out of context?
If not—don’t enter the code.
2. Use Conditional Access (Microsoft Entra)
Disable device code flow entirely for your organization if it’s not necessary. Microsoft Entra admins can do this through Conditional Access policies.
Consideration: This improves security but may impact user convenience. Weigh the tradeoffs based on risk.
3. Implement Location and IP-Based Restrictions
Geo-fencing and IP allow-lists can help ensure device code authentication only works from approved regions or networks.
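Steps 2 and 3 can be expressed as a single Conditional Access policy. The Python below is an added example, not code from this article or from Microsoft: it builds the policy body in the JSON shape that the Microsoft Graph conditionalAccessPolicy resource accepts (the authenticationFlows/transferMethods condition targets the device code flow, and the locations condition exempts named locations marked as trusted), lints it for the lockout mistakes an admin most often makes, and models how the policy would decide a given sign-in. The group id is a placeholder, the sign-in records are constructed, and the property names should be checked against the current Graph reference before anything is posted.

```python
"""Conditional Access policy that blocks the device code flow except from trusted
named locations, in the JSON shape of the Microsoft Graph conditionalAccessPolicy
resource. Constructed example; verify property names against the Graph docs."""
import json
from typing import Iterable, List

# Creating policies here requires the Policy.ReadWrite.ConditionalAccess permission.
GRAPH_CA_POLICIES = "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies"


def build_device_code_block_policy(display_name: str, excluded_group_ids: Iterable[str],
                                   trusted_only: bool = True, report_only: bool = True) -> dict:
    """Start in report-only mode so the sign-in logs show who would be affected."""
    conditions = {
        "users": {"includeUsers": ["All"], "excludeGroups": list(excluded_group_ids)},
        "applications": {"includeApplications": ["All"]},
        "clientAppTypes": ["all"],
        # Singles out sign-ins that began with the device authorization grant.
        "authenticationFlows": {"transferMethods": "deviceCodeFlow"},
    }
    if trusted_only:
        # Apply everywhere except named locations marked trusted, so device code
        # sign-ins still work from approved office networks and nowhere else.
        conditions["locations"] = {"includeLocations": ["All"], "excludeLocations": ["AllTrusted"]}
    return {
        "displayName": display_name,
        "state": "enabledForReportingButNotEnforced" if report_only else "enabled",
        "conditions": conditions,
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }


def lint_policy(policy: dict) -> List[str]:
    """Pre-flight checks before switching the policy from report-only to enabled."""
    problems = []
    c = policy["conditions"]
    if c.get("authenticationFlows", {}).get("transferMethods") != "deviceCodeFlow":
        problems.append("does not target deviceCodeFlow")
    if not c["users"].get("excludeGroups"):
        problems.append("no exclusion group for break-glass accounts")
    if c["users"].get("includeUsers") != ["All"]:
        problems.append("not scoped to all users")
    if policy["grantControls"].get("builtInControls") != ["block"]:
        problems.append("grant control is not block")
    return problems


def evaluate(policy: dict, signin: dict) -> str:
    """Model of how the policy applies to one sign-in: 'allow', 'report' (would have
    been blocked, policy is report-only) or 'block'. signin is a constructed record
    with the keys transfer_method, groups and trusted_location."""
    c = policy["conditions"]
    if signin["transfer_method"] != c["authenticationFlows"]["transferMethods"]:
        return "allow"
    if set(signin.get("groups", ())) & set(c["users"].get("excludeGroups", ())):
        return "allow"
    loc = c.get("locations", {})
    if "AllTrusted" in loc.get("excludeLocations", ()) and signin.get("trusted_location"):
        return "allow"
    if policy["state"] == "enabled":
        return "block"
    if policy["state"] == "enabledForReportingButNotEnforced":
        return "report"
    return "allow"


if __name__ == "__main__":
    policy = build_device_code_block_policy("CA - Block device code flow", ["<BREAK-GLASS-GROUP-ID>"])
    print("POST", GRAPH_CA_POLICIES)
    print(json.dumps(policy, indent=2))
    print("lint:", lint_policy(policy) or "ok")
```

Run it in report-only first, review the sign-ins that would have been blocked (legitimate printers, CLI tools and conference-room devices tend to surface here), add those networks as trusted named locations or exempt their accounts, and only then flip report_only to False.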
4. Audit and Revoke Suspicious Sessions
Use tools like Microsoft Entra ID sign-in logs to monitor unusual sign-ins. If a device is compromised, revoke the session immediately.
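The audit in step 4 can be automated. The Python below is an added example, not code from this article or from Microsoft: it triages a batch of sign-in records for three signals worth a look, a successful device code sign-in from a country outside your allow-list, a user's first ever device code sign-in, and one source IP appearing in device code sign-ins for several users within a short window. The records are constructed, and the field names (authenticationProtocol, originalTransferMethod, location.countryOrRegion) follow the Microsoft Graph signIn resource as I understand it; confirm them against your own export before wiring this into a pipeline.

```python
"""Triage of Entra sign-in records for device code flow abuse (constructed example)."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from typing import Dict, Iterable, List, Set

# Constructed sign-in records, not real log data. Field names follow the Graph
# signIn resource as I understand it; check them against your export.
SAMPLE_SIGNINS: List[Dict] = [
    {"createdDateTime": "2025-02-10T08:03:11Z", "userPrincipalName": "alice@example.test",
     "ipAddress": "203.0.113.10", "location": {"countryOrRegion": "US"}, "appDisplayName": "Azure CLI",
     "authenticationProtocol": "deviceCode", "originalTransferMethod": "deviceCodeFlow", "status": {"errorCode": 0}},
    {"createdDateTime": "2025-02-10T09:14:52Z", "userPrincipalName": "bob@example.test",
     "ipAddress": "198.51.100.7", "location": {"countryOrRegion": "RU"}, "appDisplayName": "Microsoft Teams",
     "authenticationProtocol": "deviceCode", "originalTransferMethod": "deviceCodeFlow", "status": {"errorCode": 0}},
    {"createdDateTime": "2025-02-10T09:21:05Z", "userPrincipalName": "carol@example.test",
     "ipAddress": "198.51.100.7", "location": {"countryOrRegion": "RU"}, "appDisplayName": "Microsoft Teams",
     "authenticationProtocol": "deviceCode", "originalTransferMethod": "deviceCodeFlow", "status": {"errorCode": 0}},
    {"createdDateTime": "2025-02-10T09:30:40Z", "userPrincipalName": "dave@example.test",
     "ipAddress": "203.0.113.55", "location": {"countryOrRegion": "US"}, "appDisplayName": "Outlook",
     "authenticationProtocol": "authorizationCode", "originalTransferMethod": "none", "status": {"errorCode": 0}},
    {"createdDateTime": "2025-02-10T09:35:12Z", "userPrincipalName": "erin@example.test",
     "ipAddress": "198.51.100.7", "location": {"countryOrRegion": "RU"}, "appDisplayName": "Microsoft Teams",
     "authenticationProtocol": "deviceCode", "originalTransferMethod": "deviceCodeFlow", "status": {"errorCode": 50126}},
]


def parse_ts(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def is_device_code(rec: Dict) -> bool:
    """Either field identifies a sign-in that began with the device code flow."""
    return (rec.get("authenticationProtocol") == "deviceCode"
            or rec.get("originalTransferMethod") == "deviceCodeFlow")


def _finding(rule: str, severity: str, rec: Dict) -> Dict:
    return {"rule": rule, "severity": severity,
            "userPrincipalName": rec["userPrincipalName"], "ipAddress": rec["ipAddress"],
            "countryOrRegion": rec.get("location", {}).get("countryOrRegion"),
            "createdDateTime": rec["createdDateTime"], "appDisplayName": rec.get("appDisplayName")}


def _shared_ip_clusters(dc_records: List[Dict], window: timedelta, min_users: int) -> List[Dict]:
    """One IP behind device code sign-ins for several users inside the window."""
    by_ip: Dict[str, List] = defaultdict(list)
    for rec in dc_records:
        by_ip[rec["ipAddress"]].append((parse_ts(rec["createdDateTime"]), rec["userPrincipalName"]))
    findings = []
    for ip, events in by_ip.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            users = {u for t, u in events[i:] if t - t0 <= window}
            if len(users) >= min_users:
                findings.append({"rule": "multiple_users_device_code_from_one_ip", "severity": "high",
                                 "ipAddress": ip, "users": sorted(users)})
                break
    return findings


def triage(records: Iterable[Dict], allowed_countries: Set[str], baseline_users: Set[str],
           window_minutes: int = 60, min_users: int = 2) -> List[Dict]:
    """Return findings for successful device code sign-ins; each record can raise
    more than one rule, and each IP raises the cluster rule at most once."""
    successful = [r for r in records
                  if is_device_code(r) and r.get("status", {}).get("errorCode", 0) == 0]
    findings: List[Dict] = []
    for rec in successful:
        if rec.get("location", {}).get("countryOrRegion") not in allowed_countries:
            findings.append(_finding("device_code_from_untrusted_country", "high", rec))
        if rec["userPrincipalName"] not in baseline_users:
            findings.append(_finding("first_device_code_signin_for_user", "medium", rec))
    findings.extend(_shared_ip_clusters(successful, timedelta(minutes=window_minutes), min_users))
    return findings


if __name__ == "__main__":
    # Baseline: users already known to use device code legitimately (constructed).
    for f in triage(SAMPLE_SIGNINS, {"US", "CA"}, {"alice@example.test"}):
        print(f)
```

For the sample data, alice's CLI sign-in from the US raises nothing, bob and carol each raise the untrusted-country and first-seen rules, and the shared IP 198.51.100.7 raises one cluster finding naming both of them; erin's failed attempt is excluded but is itself worth a look in a real investigation. When a finding holds up, revoking the user's sessions (Graph exposes this as the revokeSignInSessions action on the user) invalidates the refresh tokens that keep the attacker's device signed in.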
5. Go Beyond MFA
Consider phishing-resistant authentication methods like certificate-based authentication or FIDO2 security keys. They’re harder to socially engineer.
Final Thoughts on Device Code Phishing
Device codes are meant to make life easier. But that convenience can open the door to stealthy, long-term compromise—especially in environments using Microsoft 365.
Attackers like Storm-2372 are betting on user trust. Your defense? Awareness, proactive policy settings, and identity monitoring.
Train your people. Tighten your controls. And never enter a device code unless you initiated it.
Need help reviewing your authentication strategy or Microsoft Entra policies?
We’ll help you stay ahead of evolving threats—without slowing your business down.
Device Code Phishing FAQs
What is device code phishing?
Device code phishing is a social engineering attack where hackers trick users into entering a legitimate device code (previously obtained by the attacker) into a real login page, thereby authorizing the attacker’s device.
How does device code authentication work?
Why is device code phishing so hard to detect?
Can I disable device code flow in Microsoft environments?
Yes. Microsoft Entra (formerly Azure AD) allows admins to block device code authentication using Conditional Access policies. Microsoft has been slowly rolling this out to all tenants.
Who is Storm-2372?