Device code phishing bypasses MFA entirely

In an era of sophisticated identity attacks, many organizations focus on phishing awareness — yet miss one of the most dangerous and fastest-growing techniques: device code phishing. Unlike traditional phishing, this attack requires no fake password page. The victim logs in on a legitimate website — and still gets compromised. And in 2025 and 2026, this technique has gone from niche threat to mainstream weapon.

⚡ Key Takeaway Device code phishing bypasses MFA entirely. The attacker does not steal your credentials — they manipulate you into handing over a valid access token yourself. And now, thanks to AI-driven automation, it operates at industrial scale.

The Threat Is No Longer Theoretical This is not a future risk. It is happening now — and accelerating.

What was once limited to small-scale red-team exercises became widespread by September 2025. Multiple threat groups — including those affiliated with Russia and China — have been ramping up attacks using device code phishing to target Microsoft 365 users.

Most recently, Microsoft identified a new AI-enabled campaign using EvilTokens, a phishing-as-a-service toolkit that uses automation and dynamic code generation to bypass the standard 15-minute expiration window for device codes — marking a significant escalation in sophistication since the Storm-2372 campaign of early 2025.

The Problem: The Trusted Flow Turned Weapon The device code flow was designed for a legitimate purpose: allowing devices without a browser — such as smart TVs or printers — to authenticate through a separate device. Attackers have turned this into a weapon.

The attack works as follows:

  • The attacker initiates a device code request with Microsoft or Google
  • The victim receives a Teams message — often from a compromised colleague or external account
  • The message looks legitimate: “Can you confirm access?” or “Log in to view this document”
  • The victim is directed to microsoft.com/devicelogin — a real Microsoft page
  • The victim logs in and completes MFA as normal
  • The attacker receives a valid access token in return
  • The attacker is now authenticated as the victim — without ever knowing their password

The login is real. The page is real. The damage is real.

Critically, the tokens remain valid even after the account’s password is reset — meaning a simple password change is not enough to stop the attacker.

The Problem: Microsoft Teams as an Attack Vector Teams messages feel more trusted than email. Employees are accustomed to receiving collaboration requests through Teams — making it an ideal channel for social engineering.

Storm-2372, a group Microsoft assesses with moderate confidence aligns with Russia’s interests, has targeted victims using third-party messaging services including WhatsApp, Signal, and Microsoft Teams, posing as trusted contacts since August 2024.

In November 2025, Microsoft’s Detection and Response Team uncovered a campaign built on persistent Teams voice phishing, where a threat actor impersonated IT support and targeted multiple employees — ultimately convincing a user to grant remote access through Quick Assist.

The attack succeeded not because of a technical flaw — but because the interaction felt completely normal.

The Problem: Now Automated and AI-Driven The threat has evolved significantly in 2025 and 2026.

Threat actors are now employing phishing frameworks such as SquarePhish2 and Graphish to orchestrate attacks at scale. SquarePhish2 uses QR codes and automated redirects within the Microsoft OAuth flow, making the phishing sequence appear entirely legitimate.

Graphish, a phishing kit shared freely on hacking forums, allows attackers to create convincing phishing pages by leveraging Azure App Registrations and reverse proxy setups for adversary-in-the-middle attacks.

These tools require minimal technical skill — meaning the barrier to entry for attackers has never been lower.

The Problem: MFA Does Not Help Here Organizations invest heavily in Multi-Factor Authentication, assuming it protects against account takeover. Device code phishing exposes a critical gap.

  • The victim completes MFA themselves
  • The authentication is fully legitimate from a technical perspective
  • Security tooling sees a normal, successful login
  • The attacker gains persistent access — often for days or weeks — even after a password reset

MFA is essential — but it is not a silver bullet.

The Problem: Awareness Gaps at Every Level Lures increasingly claim to involve document sharing, token reauthorization, or security verification — with one campaign using a fake shared document titled “Salary Bonus + Employer Benefit Reports 25” to direct victims to attacker-controlled sites branded to match their organization.

Common failure points include:

  • Employees not recognizing unsolicited code or link requests in Teams
  • IT teams not monitoring for anomalous device code flow usage
  • External Teams access enabled without governance controls
  • No Conditional Access policies blocking device code authentication

The Solution: Technical and Strategic Controls To defend against device code phishing, organizations need a layered response across technology, process, and people.

Key measures include:

  • 🔒 Block device code flow in Conditional Access policies where not needed
  • 🚫 Restrict or govern external access in Microsoft Teams
  • 🔍 Monitor for unusual OAuth token issuance and sign-in patterns via microsoft.com/devicelogin
  • 🧠 Train employees to never act on unsolicited authentication requests — especially via Teams
  • 🛡️ Implement Continuous Access Evaluation to limit token validity
  • 🔑 Revoke active tokens immediately upon suspected compromise — not just reset passwords
  • 🧭 Embed identity security into governance and risk frameworks

The Solution: Independent Advisory Defending against modern identity attacks requires more than tooling. At Demiroz Consultancy B.V., we provide objective, strategic guidance based on:

  • Real-world threat scenarios including Teams-based and AI-driven attack vectors
  • Academic and technical depth
  • No commercial bias toward specific vendors

We help organizations identify where their identity security posture falls short — before attackers do.

The Strategic Choice Multiple Russia-aligned groups — including Storm-2372, APT29, UTA0304, UTA0307, and UNK_AcademicFlare — have been attributed to device code phishing attacks targeting over 340 Microsoft 365 organizations across five countries.

Organizations face a critical decision:

  • React after an identity compromise occurs
  • Or proactively close the gaps that make it possible

The window to act is narrowing. The attacks are automated, AI-assisted, and arriving via the tools your employees trust most.

Ready to Strengthen Your Identity Security? Want to understand your exposure to modern identity-based attacks? Contact Demiroz Consultancy B.V. for a strategic intake.

More insights

Cyber Risk Assessment

Understanding cyber risk is the foundation of effective cybersecurity. Modern organizations operate within increasingly complex digital ecosystems, spanning cloud environments, enterprise systems, operational technology, and interconnected supply chains. Without clear visibility into vulnerabilities and potential attack paths, it becomes difficult to prioritize investments and manage risk with precision.

At Demiroz Consultancy B.V., we deliver structured cyber risk assessments that provide a comprehensive view of an organization’s security posture, from strategic governance to operational processes and technical controls. Our assessments are designed to uncover hidden vulnerabilities, identify security gaps, and highlight areas where existing controls may be insufficient or outdated.

Our Risk Assessment Approach

  • Evaluation of cybersecurity policies and governance structures
  • Assessment of IT and operational technology security controls
  • Analysis of network architecture and system exposure
  • Review of identity and access management practices
  • Assessment of incident detection and response capabilities
  • Evaluation of third-party and supply chain risks

 

Clarity for Strategic Decision-Making

The outcome is a clear and actionable overview of the organization’s cyber risk landscape, supported by prioritized recommendations. This enables leadership to make informed, confident decisions and invest in security where it delivers the greatest strategic value.

Security Strategy & Governance

Cybersecurity is no longer just an IT responsibility, it is a critical business priority that demands strong governance and executive oversight. To remain resilient, organizations must align cybersecurity initiatives with business objectives, regulatory demands, and comprehensive risk management frameworks.

At Demiroz Consultancy B.V., we help organizations embed cybersecurity into the core of their governance and decision-making processes. Our approach ensures that security is not treated as a standalone function, but as an integral part of long-term business strategy.

We support organizations in building a solid cybersecurity foundation by establishing clear policies, defining roles and responsibilities, and implementing structures that enable effective risk management and control.

Our Governance & Strategy Services

  • Development of cybersecurity strategies aligned with business objectives
  • Design and implementation of governance structures and leadership models
  • Integration of recognized frameworks such as ISO 27001 and NIST
  • Guidance on regulatory compliance and risk management requirements
  • Creation of security policies and organization-wide guidelines

Driving Resilience Through Governance

By strengthening cybersecurity governance, organizations gain greater visibility, improved control over risks, and the confidence that their security investments contribute directly to sustainable growth and long-term resilience.

Incident Response Readiness

Cyber incidents, such as ransomware attacks, data breaches, and system disruptions, can have severe operational and financial consequences. Organizations that are not adequately prepared often struggle to respond effectively, resulting in prolonged downtime and amplified impact.

At Demiroz Consultancy B.V., we help organizations elevate their incident response readiness through structured planning, rigorous preparation, and controlled testing. Our objective is clear: to ensure your organization can respond swiftly, decisively, and with confidence when a cyber incident occurs.

Our Incident Readiness Services

  • Development of tailored incident response strategies and procedures
  • Definition of roles and responsibilities during cyber incidents
  • Establishment of communication and escalation protocols
  • Execution of advanced incident simulations and tabletop exercises
  • Evaluation and enhancement of detection and monitoring capabilities

 

Prepared for What Matters Most

Through proactive preparation and continuous refinement, organizations can significantly reduce the impact of cyber incidents, safeguarding business continuity, protecting critical operations, and reinforcing long-term resilience.

Critical Infrastructure & Operational Technology Security

Organizations operating critical infrastructure and industrial environments face a distinct set of cybersecurity challenges. Operational technology (OT) systems, including industrial control systems, manufacturing platforms, and energy infrastructure, were not originally designed with cybersecurity as a priority. As these environments become increasingly interconnected, their exposure to cyber threats grows significantly.

At Demiroz Consultancy B.V., we provide specialized advisory services focused on enhancing the security and resilience of operational technology environments. Our approach balances robust cybersecurity with the essential need for operational safety, continuity, and reliability.

Our OT Security Services

  • Security assessments of industrial control systems and OT networks
  • Evaluation of segmentation between IT and OT environments
  • Identification of vulnerabilities within industrial systems and processes
  • Development of tailored security strategies for critical infrastructure
  • Guidance on implementing industry standards and best practices

 

Resilience Where It Matters Most

By strengthening the cybersecurity posture of OT environments, organizations can significantly reduce the risk of disruptions that impact production, safety, and essential services, ensuring continuity in even the most critical operations.

Cybersecurity Advisory for Leadership

Cybersecurity decisions increasingly require executive-level insight and strategic oversight. Board members and senior leadership must understand cyber risks to make informed decisions regarding investments, risk appetite, and regulatory obligations.

At Demiroz Consultancy B.V., we provide independent advisory services for executives and leadership teams seeking clear, strategic cybersecurity guidance. Our approach focuses on translating complex technical risks into business-relevant insights that enable confident and effective decision-making.

Our Advisory Services

  • Strategic cyber risk briefings for executive leadership
  • Board-level cybersecurity advisory
  • Security maturity assessments and improvement roadmaps
  • Independent reviews of cybersecurity programs and initiatives

 

From Insight to Impact

By equipping leadership with clear and actionable insights, organizations can ensure that cybersecurity becomes a fully integrated component of overall business strategy and long-term success.

Continuous Security Improvement

Cybersecurity is not a one-time initiative, it is a continuous, evolving discipline. As organizations grow and technologies advance, the threat landscape shifts accordingly. Sustained resilience therefore requires ongoing monitoring, evaluation, and refinement of security capabilities.

At Demiroz Consultancy B.V., we support organizations in establishing long-term cybersecurity improvement programs designed to maintain and elevate their security posture over time. Our approach combines strategic oversight with practical execution, ensuring that security evolves in parallel with the business.

These programs may include periodic assessments, strategic reviews, and expert guidance on the implementation of new security initiatives, all tailored to the organization’s maturity and ambitions.

Sustainable Security Excellence

Our objective is clear: to ensure that organizations remain prepared for emerging threats while maintaining operational efficiency and full regulatory compliance. By embedding continuous improvement into cybersecurity, organizations create a resilient foundation for long-term success.