Monday, April, 2026: New research from Barracuda provides step-by-step insight into how attackers exploit device code authentication to gain persistent, approved access to services such as Microsoft 365 and Entra ID. Attacks are scaling rapidly as device code phishing is industrialised through phishingasaservice tools such as the recently reported EvilTokens kit. Barracuda detected 7 million device code phishing attacks in the last four weeks,
Device code authentication lets users sign in on one device by entering a short code on another, trusted device. It is often used for devices with limited interfaces, such as TVs, printers or command line interface (CLI) tools. Device code phishing is a technique where attackers trick users into entering a legitimate signin code on a real login page, unintentionally authorising the attacker’s device instead of their own.
The attack approach is as follows: The attackers request a real device code from Microsoft and then send victims a phishing lure that persuades them to enter the code into a legitimate login page, such as ‘microsoft.com/devicelogin.’ The victim completes the authentication, and Microsoft issues the OAuth access and refresh token, which passes straight to the attacker.
Device code phishing has several advantages over traditional credential phishing using fake login pages. For example:
- It relies on legitimate links — no suspicious URLs:Traditional phishing needs a convincing fake website, which can be easy for email filters to spot. Device code phishing uses official authentication URLs, making it difficult to identify malicious activity.
- It bypasses multifactor authentication and any conditional access policies: Because the victim authorizes the new device themselves, the attackers gain a valid access token that passes these security checks.
- Persistent, long-term access:Once the victim enters the code, the attacker receives a refresh token that allows them to maintain access to the user’s account for days or weeks, even if the user changes their password.
- It takes advantage of user trust and familiarity:People are used to entering a 6 to 8 character code to link their devices.
- Stealthier lateral movement:The attacker can quietly hijack the session without raising an alarm.
Successful device code phishing means attackers can gain longterm access to cloud email and identity environments without stealing passwords or triggering traditional security alerts.
“Device code phishing has become industrialised as part of a PhaaS model — making it a dangerous and scalable threat,” said Saravanan Mohankumar, Manager in the Threat Analysis Team at Barracuda. “Security defenses need to adapt quicky. Layered security controls, including advanced email filtering, identity protection mechanisms and continuous monitoring can significantly limit exposure. Additionally, enforcing strict controls around device authorization flows and raising awareness about entering verification codes only in trusted contexts can help prevent such attacks from succeeding.”
