By IT Brew Staff
Definition:
Because device code phishing abuses a legitimate authentication flow, it can be difficult for cybersecurity teams to counter. When executed correctly, device code phishing gives an attacker access to a system and its sensitive data while sidestepping passwords, 2FA, and other security measures.
Device code phishing also requires some skill on the part of the attacker, who starts by creating a legitimate email address, then uses an authorized authentication method (such as OAuth) to request an authorization code for a “new” device, intended to be linked to the victim’s account. The attacker then includes the code in a phishing email or message that looks real (such as a meeting invite or a bank-payment confirmation), asking the victim to visit the (legitimate) device login page and enter that code.
When the victim enters the code on the device login page, they authorize the attacker’s pending session. The attacker now holds the victim’s access tokens, allowing them to read email, files, and more.
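The three steps above, as an added toy model that is not part of the IT Brew article: a minimal authorization server implementing the OAuth 2.0 device authorization grant (RFC 8628), showing why the party that requested the code receives the approving user’s tokens even though that user never sees who asked, and a client allow-list standing in for the provider-side policy that disables the device code flow where it is not needed. All names, the client IDs and the verification URL are hypothetical.

```python
import secrets
import time

DEVICE_CODE_TTL = 900  # seconds; returned as expires_in (RFC 8628)

class AuthServer:
    def __init__(self, allowed_device_clients):
        # Policy knob: only clients on this allow-list may use the device grant at all
        self.allowed = set(allowed_device_clients)
        self.pending = {}  # device_code -> flow state

    def device_authorization(self, client_id):
        """Step 1: the requesting party asks for a device_code/user_code pair."""
        if client_id not in self.allowed:
            return {"error": "unauthorized_client"}  # mitigation: grant disabled
        device_code = secrets.token_urlsafe(32)
        user_code = secrets.token_hex(2).upper() + "-" + secrets.token_hex(2).upper()
        self.pending[device_code] = {"user_code": user_code, "approved_by": None,
                                     "expires": time.time() + DEVICE_CODE_TTL}
        return {"device_code": device_code, "user_code": user_code,
                "verification_uri": "https://login.example/device",  # hypothetical
                "expires_in": DEVICE_CODE_TTL}

    def approve(self, user_code, user):
        """Step 2: a signed-in user types the code on the verification page. The
        page binds a user to a code; it cannot tell who originally requested it."""
        for entry in self.pending.values():
            if entry["user_code"] == user_code and entry["expires"] > time.time():
                entry["approved_by"] = user
                return True
        return False

    def token(self, device_code):
        """Step 3: whoever holds device_code polls and receives the approver's tokens."""
        entry = self.pending.get(device_code)
        if entry is None or entry["expires"] <= time.time():
            return {"error": "expired_token"}
        if entry["approved_by"] is None:
            return {"error": "authorization_pending"}
        return {"access_token": "tok-" + secrets.token_hex(8), "sub": entry["approved_by"]}

def walkthrough(allowed_clients, requester_client, victim="victim@example.com"):
    """Run the three steps once; return the token response the requester ends up with."""
    srv = AuthServer(allowed_clients)
    start = srv.device_authorization(requester_client)
    if "error" in start:
        return start
    srv.approve(start["user_code"], victim)  # only user_code travels in the lure message
    return srv.token(start["device_code"])
```

With the requesting client on the allow-list the requester ends up with a token whose subject is the approving user; with the grant disabled for that client the flow never starts, which is the control defenders reach for first.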
There are some variations on device code phishing, including one discovered by Microsoft that tricks users into visiting a web page running a background automation script that generates the (legitimate) device code. Cybersecurity analysts have spotted device code phishing in the wild since at least February 2025, and the rate of attacks appears to be increasing.