What is device token phishing?
IT pros share strategies to defend against abuse of a legitimate authentication flow.
Maybe you’re trying to sign into Netflix on your Airbnb TV and you’re tired of typing your super-secure 25-character password with the remote. That’s when a device code—a six- to 12-digit password that you can type into a laptop or other device to gain access—comes in handy.
Recent industry reports have revealed a spike in device code phishing—not with your favorite movie app, but Microsoft environments like Office 365 and Entra ID. And the tactic is a tricky one to stop, because it takes advantage of a legitimate authentication flow.
The threat. Attackers trick targets into inputting the attacker’s device code, which links the attacker’s session to the victim’s account.
Step 1. An attacker spins up a legitimate email address. Next, they initiate a device authentication request, specifically to add a device to a target’s existing account. Why does this work? The flow banks on an already trusted device (and its tricked user) authenticating. “Multi-factor authentication is not an effective mitigation for this attack because the victim inputs the code, then their username and password, and then MFA code if applicable,” managed security platform company Huntress wrote in a March alert about the tactic.
Step 2. Attackers place that legitimate code into an illegitimate message to the target (similar to a phishing message). The code is often coupled with an urgent call like a review for a bank payment, according to Merium Khalid, director of SOC offensive security at cybersecurity company Barracuda. When the target inputs the code for a trusted platform, they hand the session to the attacker.
From the moment the request is sent, the user has 15 minutes to sign in, so hackers have to work fast and hope their target is looking at their inbox.
Step 3. From there, attackers have access to the target’s Microsoft email, SharePoint, and collaboration tools. That kind of access creates the potential for business email compromise and wire fraud from seemingly trusted sources. “They can really just impersonate that user,” Bill Legue, lead threat hunter at SaaS and AI security company AppOmni, told us.
Step 4. AI and automation are aiding these nefarious efforts. In its own report on April 8, AppOmni noted generative AI was used “to create hyper-personalized messages tailored to the victim’s role, like RFPs, invoices, or workflows.” Microsoft, in an April 16 post, shared a version of this attack that involves users clicking on a malicious link that directs them to a page running a background automation script. The script interacts with Microsoft’s identity provider and generates a live device code that is displayed on the user’s screen along with a button that redirects them to the legitimate login portal.
Top insights for IT pros
From cybersecurity and big data to cloud computing, IT Brew covers the latest trends shaping business tech in our 4x weekly newsletter, virtual events with industry experts, and digital guides.
By subscribing, you accept our Terms & Privacy Policy.
Very phishy. Barracuda’s March 4 post noted 7 million attacks in four weeks, largely driven by the availability of an EvilTokens phishing kit. Huntress also noticed a few isolated cases of active device-code targeting of clients in February. “All of a sudden, on March 2, the floodgates opened, and we just saw hundreds and hundreds of these,” Jamie Levy, senior director of adversary tactics at Huntress, said, estimating the attack count at 344 targeted organizations in a two-week period following that date.
The AppOmni, Barracuda, and Huntress reports did not say whether any of these incidents resulted in data exfiltration or fraud.
Team players. Microsoft noted a version of this attack in February 2025, with attackers sending session-stealing device tokens via Teams invitations. At the time, the company recommended users block device code flow where possible, and configure Microsoft Entra ID’s device code flow into conditional access policies.
In Microsoft’s April 16 post, the advice remains the same. “Only allow device code flow in well-documented, secured use cases—most organizations don’t need this flow at all,” Tanmay Ganacharya, VP, Microsoft Security Research, shared in an email with IT Brew.
Ganacharya also recommended auditing existing use. For example, sign-in logs can be filtered for device code flow events using the “authentication protocol” filter. The Microsoft pro also advised readers to limit permissions for who can enroll devices into the Entra ID environment.
Levy says to watch for abnormal activity, such as sign-ons using device codes or a sudden increase in new types of logins, and for suspicious activity after a device code login, including (but not limited to) manipulation of inbox rules and logins from different locations. (Huntress, in its post, also shared how to revoke tokens if compromise is suspected.)
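As an added example (not code from IT Brew, Huntress, Microsoft, or any of the companies quoted), the following Python script applies the two checks described above to constructed log records: it filters sign-ins by authentication protocol to isolate device code events, and for each one looks for inbox rule changes and sign-ins from a different country within a follow-up window. The record layout, field names, and sample values are assumptions modelled loosely on Entra sign-in and audit logs; they are not a real export format and should be mapped to whatever your SIEM actually ingests.

```python
"""Flag device code sign-ins and the follow-on activity to review after them.

Added example. Field names (authenticationProtocol, country, ip, operation) are
assumptions loosely modelled on Entra sign-in and audit logs, not a real schema.
"""
from datetime import datetime, timedelta, timezone

# Constructed sample sign-in records (not real log data).
SIGNINS = [
    {"user": "alice@example.com", "time": "2025-03-02T09:00:00Z",
     "authenticationProtocol": "oAuth2", "country": "US", "ip": "203.0.113.10"},
    {"user": "alice@example.com", "time": "2025-03-02T09:12:00Z",
     "authenticationProtocol": "deviceCode", "country": "US", "ip": "203.0.113.10"},
    {"user": "alice@example.com", "time": "2025-03-02T10:40:00Z",
     "authenticationProtocol": "oAuth2", "country": "NL", "ip": "198.51.100.7"},
    {"user": "bob@example.com", "time": "2025-03-02T11:00:00Z",
     "authenticationProtocol": "deviceCode", "country": "US", "ip": "203.0.113.20"},
]

# Constructed sample audit records, e.g. mailbox rule changes (not real log data).
AUDITS = [
    {"user": "alice@example.com", "time": "2025-03-02T09:30:00Z",
     "operation": "New-InboxRule", "detail": "move mail from finance@ to RSS Feeds"},
    {"user": "bob@example.com", "time": "2025-03-03T15:00:00Z",
     "operation": "New-InboxRule", "detail": "forward mail to external address"},
]

# Operation names treated as inbox rule manipulation (assumed names).
INBOX_RULE_OPS = {"New-InboxRule", "Set-InboxRule", "UpdateInboxRules"}


def parse_time(stamp):
    """Parse an ISO-8601 UTC timestamp like 2025-03-02T09:12:00Z."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def device_code_signins(signins):
    """Equivalent of filtering sign-in logs by authentication protocol: keep only
    sign-ins that used the device code flow."""
    return [e for e in signins if e["authenticationProtocol"] == "deviceCode"]


def followup_findings(signins, audits, window=timedelta(hours=24)):
    """For each device code sign-in, collect the post-login indicators the article
    names (inbox rule manipulation, sign-ins from another location) that occur for
    the same user within `window` after it. Returns one finding per device code sign-in."""
    findings = []
    for dc in device_code_signins(signins):
        start = parse_time(dc["time"])
        end = start + window
        user = dc["user"]
        indicators = []
        for a in audits:
            if (a["user"] == user and a["operation"] in INBOX_RULE_OPS
                    and start <= parse_time(a["time"]) <= end):
                indicators.append(f"inbox rule change at {a['time']}: {a['detail']}")
        for s in signins:
            if (s["user"] == user and s is not dc
                    and start < parse_time(s["time"]) <= end
                    and s["country"] != dc["country"]):
                indicators.append(f"sign-in from {s['country']} ({s['ip']}) at {s['time']}")
        findings.append({"user": user, "device_code_signin": dc["time"],
                         "indicators": indicators})
    return findings


if __name__ == "__main__":
    for f in followup_findings(SIGNINS, AUDITS):
        status = "INVESTIGATE" if f["indicators"] else "review"
        print(f"{status}: {f['user']} device code sign-in at {f['device_code_signin']}")
        for reason in f["indicators"]:
            print("   -", reason)
```

On the constructed data, the script flags Alice (a device code sign-in followed by a new inbox rule and a sign-in from another country within the window) and lists Bob's device code sign-in for routine review, since his inbox rule change falls outside the 24-hour window. Every device code sign-in is surfaced, not just the ones with follow-on indicators, because the advice above is to audit all use of the flow.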
Access tokens matter, not just passwords. “That access token actually gives them access to their account for a long period of time. Even if the passwords change, they will still have access to the account,” Khalid told us.
About the author
Billy Hurley
Billy Hurley has been a reporter with IT Brew since 2022. He writes stories about cybersecurity threats, AI developments, and IT strategies.