Recently, Microsoft published details about a phishing technique it calls device code phishing, observed in campaigns by the threat actor Storm-2372. The technique abuses the OAuth 2.0 device authorization flow (the device code flow), which exists for input-constrained clients such as Microsoft Teams Rooms, IoT devices and command-line tools that cannot easily show a browser sign-in. The attacker starts a device code sign-in, receives a genuine user code from Entra ID, and tricks the victim into entering that code at microsoft.com/devicelogin. The victim signs in on a real Microsoft page, so URL-based phishing protections see nothing wrong, yet the resulting tokens are issued to the attacker's client.
Table of Contents
- Understanding the Threat
- The Best Mitigation: Blocking Device Code Authentication
- Handling Exceptions for Teams Rooms and Other Devices
- Additional Security Measures
- Final Thoughts
Understanding the Threat
Unlike credential-harvesting phishing, this method never shows the attacker a password or an MFA code. The attacker initiates the device code flow against Entra ID, which returns a user code, and then sends that code to the victim under some pretext. The victim enters it on the official Microsoft login page and completes the sign-in, including any MFA prompt, in their own browser. Because the sign-in was started by the attacker's client, Entra ID issues the access and refresh tokens to that client, and the attacker can use them against the victim's resources until they expire or are revoked. That is what makes the attack dangerous: MFA is satisfied by the victim rather than bypassed, the page the victim visits is legitimate, and the only thing the victim did wrong was type in a code someone else generated.
The Best Mitigation: Blocking Device Code Authentication
For most organizations, blocking device code flow entirely with Conditional Access (CA) is the most effective mitigation: the victim can still enter the attacker's code, but Entra ID refuses to complete the sign-in, so no tokens are issued. Here's how to configure it:
- Create a new Conditional Access policy in Microsoft Entra ID.
- Under Users, target all users and exclude your emergency access (break-glass) accounts.
- Under Target resources, select all resources (formerly "all cloud apps"). Scoping the policy to a few high-risk apps such as Exchange Online and SharePoint is a weaker option, because any app left out stays reachable with a device code sign-in.
- Under Conditions, open Authentication flows and select Device code flow.
- Under Grant, choose Block access.
- Enable the policy, or enable it in report-only mode first and enforce it once the report-only results show no legitimate device code usage you have not already excluded.
--> But don't leave it in report-only forever 😉
By implementing this policy, attackers lose the ability to exploit device code authentication to access your environment.
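The same policy created with the Microsoft Graph PowerShell SDK instead of the portal. This is an added example, not code from the original post or from Microsoft; it assumes the Microsoft.Graph modules are installed, the signed-in account holds the Conditional Access Administrator role, and your emergency access accounts are collected in one group whose object ID replaces the placeholder.

```powershell
# Added example (not part of the original post): create the tenant-wide block policy
# for the device code flow via Microsoft Graph PowerShell.
# Assumptions (not in the original): $breakGlassGroupId is the object ID of the group
# holding your emergency access accounts; the policy name is our own choice.
Import-Module Microsoft.Graph.Identity.SignIns

Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

$breakGlassGroupId = "<object-id-of-emergency-access-group>"   # placeholder, replace

$policy = @{
    displayName = "CA - Block device code flow (all users)"
    # Start in report-only; switch to "enabled" once the sign-in logs show no
    # legitimate device code usage that you have not explicitly excluded.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users = @{
            includeUsers  = @("All")
            excludeGroups = @($breakGlassGroupId)
        }
        applications = @{
            includeApplications = @("All")      # "All resources" in the portal
        }
        # The device code flow is a transfer method under the Authentication flows condition.
        authenticationFlows = @{
            transferMethods = "deviceCodeFlow"
        }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("block")
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
"Created policy '{0}' ({1}) in state {2}" -f $created.DisplayName, $created.Id, $created.State

# After testing, flip the same policy to enforced:
# Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id -BodyParameter @{ state = "enabled" }
```

The grant control is a plain block rather than "require MFA" on purpose: the victim of device code phishing completes MFA successfully, so requiring it would not stop the attack.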
For easy deployment, you can import a ready-made JSON template for the Conditional Access policy using the following link:
Handling Exceptions for Teams Rooms and Other Devices
Blocking device code flow for everyone is the safest approach, but some legitimate clients depend on it, such as Microsoft Teams Rooms (MTR) devices, kiosks and other keyboard-less endpoints. To handle those exceptions without reopening the hole for everyone, scope the exception as narrowly as possible:
- Create a dedicated security group for the MTR resource accounts (the accounts the rooms sign in with), exclude that group from the tenant-wide block policy, and keep everything else in scope. Do not exclude individual people or broad groups.
- Use a dynamic membership rule so the group fills itself from licensing, for example only accounts that hold a Teams Rooms Pro license, rather than being maintained by hand and drifting over time.
- Add a second policy for that group that blocks device code flow from anywhere except your trusted named locations, such as the corporate network where the rooms live. Use this in combination with the MTR group, not as a substitute for it, so the exception is bound to both the account and the network.
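The three exception steps above carried out with the Microsoft Graph PowerShell SDK. This is an added example, not code from the original post or from Microsoft; it assumes the tenant-wide block policy is named as in the script, that trusted corporate IP ranges are already defined as trusted named locations, and that you look up the Teams Rooms Pro service plan ID in your own tenant rather than trusting a copied GUID.

```powershell
# Added example (not part of the original post): scope the MTR exception.
# Assumptions (not in the original): the block policy name below matches yours,
# $mtrProServicePlanId is looked up with (Get-MgSubscribedSku).ServicePlans, and
# trusted named locations already exist for the corporate network.
Import-Module Microsoft.Graph.Groups
Import-Module Microsoft.Graph.Identity.SignIns
Connect-MgGraph -Scopes "Group.ReadWrite.All", "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

$mtrProServicePlanId = "<service-plan-id-of-Teams-Rooms-Pro>"     # placeholder, replace
$blockPolicyName     = "CA - Block device code flow (all users)"

# 1. Dynamic security group that fills itself from licensing: a room account only
#    carries the exception while it actually holds an enabled Teams Rooms Pro plan.
$rule = "(user.assignedPlans -any (assignedPlan.servicePlanId -eq `"$mtrProServicePlanId`" -and assignedPlan.capabilityStatus -eq `"Enabled`"))"
$mtrGroup = New-MgGroup -DisplayName "MTR resource accounts - device code allowed" `
    -MailNickname "mtr-devicecode" -MailEnabled:$false -SecurityEnabled `
    -GroupTypes @("DynamicMembership") -MembershipRule $rule -MembershipRuleProcessingState "On"

# 2. Exclude that group from the tenant-wide block policy. Round-trip the existing
#    conditions object and send it back whole, rather than patching a fragment.
$blockPolicy = Get-MgIdentityConditionalAccessPolicy -Filter "displayName eq '$blockPolicyName'"
$uri = "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies/$($blockPolicy.Id)"
$raw = Invoke-MgGraphRequest -Method GET -Uri $uri
$existing = @($raw.conditions.users.excludeGroups | Where-Object { $_ })
$raw.conditions.users.excludeGroups = $existing + $mtrGroup.Id
Invoke-MgGraphRequest -Method PATCH -Uri $uri -Body @{ conditions = $raw.conditions }

# 3. Second policy for the group only: device code flow is blocked unless the request
#    comes from a trusted named location, so the exception needs both the account and the network.
$mtrPolicy = @{
    displayName   = "CA - MTR device code flow only from trusted locations"
    state         = "enabledForReportingButNotEnforced"   # enforce after checking room sign-ins
    conditions    = @{
        users               = @{ includeGroups = @($mtrGroup.Id) }
        applications        = @{ includeApplications = @("All") }
        authenticationFlows = @{ transferMethods = "deviceCodeFlow" }
        locations           = @{ includeLocations = @("All"); excludeLocations = @("AllTrusted") }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}
$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $mtrPolicy
"Exception group {0}; MTR location policy {1}" -f $mtrGroup.Id, $created.Id
```

Dynamic membership takes a few minutes to evaluate after the group is created, so verify with Get-MgGroupMember that the room accounts, and only the room accounts, landed in the group before enforcing the second policy.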
Additional Security Measures
Beyond blocking device code flow, you can strengthen your security posture with these additional steps:
- Enforce phishing-resistant MFA such as FIDO2 security keys, Windows Hello for Business or certificate-based authentication. This complements the block rather than replacing it: a device code sign-in that the victim completes with a FIDO2 key still hands the tokens to the client that started the flow.
- Monitor the Entra sign-in logs for sign-ins whose authentication protocol is device code, and investigate any that are not explained by your MTR exception (right account, trusted location). Do this especially while the policy is in report-only mode, when the logs show what would have been blocked but the sign-ins still succeed.
- Educate users about the social engineering involved: a meeting invitation or chat message asking them to "verify" with a code is the lure, and they should never enter a code they did not generate themselves on a device in front of them.
- Turn on Entra ID Protection sign-in risk policies to surface unusual sign-in patterns in the cloud; Microsoft Defender for Identity covers on-premises Active Directory and helps if a stolen session is used to pivot there.
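A small triage script for the monitoring step above. This is an added example, not code from the original post or from Microsoft: it assumes the sign-in records expose the authentication protocol as "deviceCode" (as the Microsoft Graph beta signIn resource does via Get-MgBetaAuditLogSignIn), and the MTR account names and trusted egress IP are placeholders. The sample records are constructed so the logic can be checked without tenant access.

```powershell
# Added example (not part of the original post): flag device code sign-ins that the
# MTR exception does not explain. Assumptions (not in the original): the allow lists
# below are placeholders, and live data comes from the Graph beta sign-in endpoint.

$AllowedDeviceCodeAccounts = @("mtr-room-101@contoso.example", "mtr-room-102@contoso.example")
$TrustedEgressIPs          = @("203.0.113.10")   # documentation range, placeholder

function Find-SuspiciousDeviceCodeSignIns {
    param([Parameter(Mandatory)] [object[]] $SignIns)

    foreach ($s in $SignIns) {
        if ($s.AuthenticationProtocol -ne "deviceCode") { continue }   # ignore oAuth2, saml, ...
        $succeeded       = ($s.Status.ErrorCode -eq 0)
        $expectedAccount = $AllowedDeviceCodeAccounts -contains $s.UserPrincipalName
        $trustedLocation = $TrustedEgressIPs -contains $s.IPAddress

        # While the block policy is in report-only mode these sign-ins still succeed,
        # so a successful status alone proves nothing; anything the exception does not
        # explain (right account AND trusted network) gets flagged.
        $verdict = if (-not $succeeded) { "blocked-or-failed" }
                   elseif ($expectedAccount -and $trustedLocation) { "expected-mtr" }
                   else { "INVESTIGATE" }

        [pscustomobject]@{
            When      = $s.CreatedDateTime
            User      = $s.UserPrincipalName
            App       = $s.AppDisplayName
            IP        = $s.IPAddress
            Succeeded = $succeeded
            Verdict   = $verdict
        }
    }
}

# Constructed sample records in the shape of the Graph signIn resource (not real log data).
$sample = @(
    [pscustomobject]@{ CreatedDateTime = "2025-02-14T09:12:03Z"; UserPrincipalName = "mtr-room-101@contoso.example"
                       AppDisplayName = "Microsoft Teams"; IPAddress = "203.0.113.10"
                       AuthenticationProtocol = "deviceCode"; Status = @{ ErrorCode = 0 } }
    [pscustomobject]@{ CreatedDateTime = "2025-02-14T10:41:55Z"; UserPrincipalName = "alice@contoso.example"
                       AppDisplayName = "Microsoft Office"; IPAddress = "198.51.100.77"
                       AuthenticationProtocol = "deviceCode"; Status = @{ ErrorCode = 0 } }
    [pscustomobject]@{ CreatedDateTime = "2025-02-14T10:43:10Z"; UserPrincipalName = "bob@contoso.example"
                       AppDisplayName = "Microsoft Office"; IPAddress = "198.51.100.77"
                       AuthenticationProtocol = "deviceCode"; Status = @{ ErrorCode = 53003 } }   # blocked by CA
    [pscustomobject]@{ CreatedDateTime = "2025-02-14T11:00:00Z"; UserPrincipalName = "alice@contoso.example"
                       AppDisplayName = "Outlook"; IPAddress = "198.51.100.77"
                       AuthenticationProtocol = "oAuth2"; Status = @{ ErrorCode = 0 } }
)
Find-SuspiciousDeviceCodeSignIns -SignIns $sample | Format-Table -AutoSize
# Expected: room-101 -> expected-mtr, alice (device code) -> INVESTIGATE, bob -> blocked-or-failed,
# alice's oAuth2 sign-in is skipped.

# Live run against the tenant (requires AuditLog.Read.All), last 7 days:
# Connect-MgGraph -Scopes "AuditLog.Read.All", "Directory.Read.All"
# $since = (Get-Date).AddDays(-7).ToUniversalTime().ToString("o")
# $live  = Get-MgBetaAuditLogSignIn -Filter "createdDateTime ge $since" -All
# Find-SuspiciousDeviceCodeSignIns -SignIns $live | Where-Object Verdict -eq "INVESTIGATE"
```

If the sign-in logs are exported to Log Analytics, the equivalent starting point is the KQL filter `SigninLogs | where AuthenticationProtocol == "deviceCode"`. For any sign-in that ends up as INVESTIGATE, revoking the user's refresh tokens (Revoke-MgUserSignInSession) cuts off the attacker's access immediately rather than waiting for the tokens to expire.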
Final Thoughts
Device Code Phishing is a serious security risk, but organizations can effectively mitigate it with Conditional Access policies. Ensuring that only approved devices can use this authentication method makes it much harder for attackers to succeed. A combination of policy enforcement, monitoring, and user education is the best approach to keeping your environment secure.