Full Report
In early 2026, phishing attacks are still among the top contributors to true positive detections in security operations centers (SOCs). Adversaries constantly come up with new ways of luring users into traps, concealing their actual intent and layering anti-detection features. LevelBlue’s Global Threat Operations (GTO) team continuously tracks those behaviors and analyzes how the attacks evolve over months. One of the most recent investigations led to the identification of a niche, rarely observed attack vector that can lead to user account compromise.
Analysis Summary
# Tool/Technique: OAuth Device Code Flow Abuse
## Overview
This technique involves the exploitation of the **OAuth 2.0 Device Authorization Grant** (Device Code Flow, RFC 8628). Originally designed for devices with limited input capabilities (e.g., Smart TVs, IoT) and for command-line tools, the flow is abused by adversaries to conduct phishing attacks that never show the victim a fake login page. By tricking a user into entering an attacker-generated code on a legitimate provider's authorization page (such as Microsoft's or Google's), the attacker obtains an access token and a refresh token for the victim's cloud account. The victim completes Multi-Factor Authentication (MFA) themselves, so the token already satisfies MFA without the attacker ever seeing a password or a second factor, and the refresh token keeps that access alive after the short-lived access token expires.
## Technical Details
- **Type:** Technique / Social Engineering Vector
- **Platform:** Cloud identity providers that implement the Device Authorization Grant (Microsoft Entra ID, Google, GitHub)
- **Capabilities:** MFA-satisfied token acquisition, token theft, persistent account access via the refresh token, all without direct password theft.
- **First Seen:** The grant itself was standardized as RFC 8628 in 2019. Broad technical documentation of its abuse emerged circa 2021-2022; it was identified as an increasing "niche" threat in early 2026 investigations.
## MITRE ATT&CK Mapping
- **[TA0001 - Initial Access]**
- [T1566.002 - Phishing: Spearphishing Link]
- **[TA0006 - Credential Access]**
- [T1528 - Steal Application Access Token]
- **[TA0003 - Persistence]**
- [T1136.003 - Create Account: Cloud Account] (via subsequent actions taken with the stolen token)
## Functionality
### Core Capabilities
- **Decoupled Authentication:** The attacker sends a device authorization request to the provider's device code endpoint, naming a client ID and the scopes they want, and receives a `user_code` (short, human-typable), a `device_code` (long, known only to the requesting client), a `verification_uri`, an `expires_in` lifetime and a polling `interval`.
- **Lure Generation:** The attacker sends the `user_code` to the victim, directing them to the provider's genuine verification URL (e.g., `microsoft[.]com/devicelogin`). The lure has to land while the code is still valid; Entra ID issues codes that expire after 15 minutes (`expires_in` of 900 seconds), so the pretext usually carries some urgency.
- **Token Exchange:** Meanwhile the attacker's script polls the token endpoint with the `device_code` at the advertised interval, receiving `authorization_pending` until the victim enters the code and approves the request, at which point the provider returns an OAuth access token and refresh token to the attacker's client.
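The three steps above form one exchange, shown here end to end as an added example (this is not LevelBlue's code and not any provider's implementation). A small in-memory server plays the identity provider's `/devicecode` and `/token` endpoints with RFC 8628 semantics (`authorization_pending`, `slow_down`, `expired_token`), a fake clock replaces real sleeping, and the attacker's poller is driven against it. The 900 s lifetime and 5 s interval mirror the Entra ID defaults but are simulation parameters here; the scope string, the `idp.example` host and the victim identity are assumptions.

```python
"""Simulated OAuth 2.0 Device Authorization Grant (RFC 8628) exchange.

Added example for this report; not LevelBlue's code and not any provider's
implementation. InMemoryAuthServer stands in for the identity provider's
/devicecode and /token endpoints so the exchange runs offline. The 900 s code
lifetime and 5 s polling interval mirror the defaults Entra ID documents, but
here they are simulation parameters, not provider guarantees.
"""
import secrets
import string


class FakeClock:
    """Deterministic clock so polling does not really sleep."""
    def __init__(self):
        self.t = 0.0

    def __call__(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


class InMemoryAuthServer:
    """Stand-in for the provider's device-code and token endpoints."""

    def __init__(self, clock, expires_in=900, interval=5):
        self.clock, self.expires_in, self.interval = clock, expires_in, interval
        self._pending = {}        # device_code -> grant state
        self._by_user_code = {}   # user_code -> device_code

    def device_authorization(self, client_id, scope):
        """POST /devicecode (RFC 8628 s3.2): mint a device_code/user_code pair."""
        device_code = secrets.token_urlsafe(32)
        user_code = "".join(secrets.choice(string.ascii_uppercase + string.digits) for _ in range(9))
        self._pending[device_code] = {"client_id": client_id, "scope": scope, "user_code": user_code,
                                      "issued_at": self.clock(), "last_poll": None,
                                      "approved_by": None, "amr": None}
        self._by_user_code[user_code] = device_code
        return {"device_code": device_code, "user_code": user_code,
                "verification_uri": "https://idp.example/devicelogin",
                "expires_in": self.expires_in, "interval": self.interval}

    def approve(self, user_code, user, mfa_done=True):
        """The victim's own browser session enters the code and consents (s3.3)."""
        device_code = self._by_user_code.get(user_code)
        if device_code not in self._pending or self._expired(device_code):
            return False
        self._pending[device_code].update(approved_by=user, amr=["pwd", "mfa"] if mfa_done else ["pwd"])
        return True

    def token(self, client_id, device_code):
        """POST /token with grant_type=urn:ietf:params:oauth:grant-type:device_code (s3.4-3.5)."""
        state = self._pending.get(device_code)
        if state is None or state["client_id"] != client_id:
            return {"error": "invalid_grant"}
        last, state["last_poll"] = state["last_poll"], self.clock()
        if last is not None and state["last_poll"] - last < self.interval:
            return {"error": "slow_down"}
        if self._expired(device_code):
            del self._pending[device_code]
            return {"error": "expired_token"}
        if state["approved_by"] is None:
            return {"error": "authorization_pending"}
        del self._pending[device_code]
        # The token is issued to the CLIENT that requested the code, in the name of
        # whoever approved it, carrying the authentication-method claims that user satisfied.
        return {"token_type": "Bearer", "expires_in": 3600,
                "access_token": secrets.token_urlsafe(32), "refresh_token": secrets.token_urlsafe(32),
                "claims": {"sub": state["approved_by"], "appid": client_id,
                           "amr": state["amr"], "scp": state["scope"]}}

    def _expired(self, device_code):
        return self.clock() - self._pending[device_code]["issued_at"] >= self.expires_in


# Client ID this report cites for Microsoft Azure PowerShell; the scope string and
# the victim identity below are assumptions for the simulation.
AZURE_POWERSHELL_CLIENT_ID = "1950a258-227b-4e31-a9cf-717495945fc2"


def run_lure(victim_delay_s):
    """Attacker requests a code and polls; the victim enters it after victim_delay_s seconds.

    Returns the final /token response: a token if the victim acted inside the code's
    lifetime, {"error": "expired_token"} otherwise.
    """
    clock = FakeClock()
    idp = InMemoryAuthServer(clock)
    grant = idp.device_authorization(AZURE_POWERSHELL_CLIENT_ID, "openid offline_access Mail.Read")
    approved = False
    while True:
        if not approved and clock() >= victim_delay_s:
            approved = idp.approve(grant["user_code"], "victim@contoso.example")
        resp = idp.token(AZURE_POWERSHELL_CLIENT_ID, grant["device_code"])
        if resp.get("error") in ("authorization_pending", "slow_down"):
            clock.advance(grant["interval"])   # honour the server's polling interval
            continue
        return resp


if __name__ == "__main__":
    print(run_lure(60))     # victim acted within the 15 minute window: attacker holds a token
    print(run_lure(1000))   # victim acted too late: {'error': 'expired_token'}
```

Two things the simulation makes visible that the prose only states: the token's `appid` is the attacker-chosen client and its `amr` claims are whatever the victim satisfied, and a victim who ignores the lure for longer than `expires_in` leaves the attacker with nothing but `expired_token`, which is why real lures push for immediate action.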
### Advanced Features
- **MFA Satisfied Rather Than Defeated:** The victim authenticates on their own trusted device and completes the MFA challenge there, so the token issued to the attacker's client already carries the MFA authentication-method claim. Controls that only check for MFA at sign-in time see nothing unusual; only controls that look at the authentication flow itself (device code versus interactive) can intervene.
- **First-Party Client Masquerading (sometimes mislabeled as protocol tunneling):** The attacker requests the code with a legitimate Microsoft client ID (such as the Azure PowerShell ID), so the verification page asks the victim whether they are trying to sign in to a familiar, official application, making the "Approve" prompt look benign. Because Microsoft's own clients are pre-authorized for many scopes, the victim is typically not shown a permissions consent screen either.
## Indicators of Compromise
*Note: The endpoints listed below are legitimate provider URLs and are not malicious by themselves; indicators for this technique are primarily behavioral/log-based rather than file-based.*
- **Network Indicators:**
- `login[.]microsoftonline[.]com/common/oauth2/devicecode`
- `microsoft[.]com/devicelogin`
- `github[.]com/login/device`
- **Behavioral Indicators:**
- **Unusual User-Agent or Source:** Access tokens used from User-Agents (scripting libraries rather than a real CLI or browser) or IP addresses inconsistent with the user's typical profile immediately after a device code sign-in event.
- **Sign-in Logs:** Entra ID sign-in logs with `AuthenticationProtocol` equal to `deviceCode` for users who do not typically use CLI tools or IoT devices.
- **Rapid Token Use:** A successful device code sign-in followed within minutes by high-volume calls to Microsoft Graph (mailbox, file or directory enumeration) or to Azure Resource Manager.
## Associated Threat Actors
- **General Phishing Actors:** Used by various groups targeting financial organizations and Email Service Providers (ESPs).
- **Red Team / Pentest Frameworks:** Tools like **TokenTactics** and **AADInternals** have popularized this technique among red teams and automated attack frameworks.
## Detection Methods
- **Log Analysis:** Monitor Entra ID sign-in logs for `ResultType` `0` (success) combined with `AuthenticationProtocol` `deviceCode`, and baseline which users and client IDs legitimately produce such events so that the rest stand out.
- **Conditional Access Monitoring:** Alert on successful device code flow logins that originate from unexpected geographical locations or IP ranges, and on report-only Conditional Access results showing that a device code sign-in would have been blocked.
- **Hunt Queries:** Use KQL (Kusto Query Language) against the `SigninLogs` table to identify device flow sign-ins where the `AppId` matches common CLI tools (e.g., `1950a258-227b-4e31-a9cf-717495945fc2` for Microsoft Azure PowerShell) from users with no history of using them.
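The hunt described in this section and in the behavioral indicators above (successful device code grant, watched first-party CLI client, source outside the user's baseline, burst of Graph calls right after the grant), run over sample records as an added example; this is not LevelBlue's tooling or a Microsoft query. The records are constructed to resemble rows of the Log Analytics `SigninLogs` and `MicrosoftGraphActivityLogs` tables; the per-user baselines, the watched client list and the burst threshold are assumptions to tune per tenant. The Azure CLI client ID is added from public Microsoft documentation; the other GUIDs and identities are placeholders.

```python
"""Hunt for suspicious device-code sign-ins in Entra ID sign-in records.

Added example for this report, not LevelBlue's tooling. SIGNIN_LOGS and
GRAPH_ACTIVITY are constructed to resemble rows of the Log Analytics SigninLogs
and MicrosoftGraphActivityLogs tables; the baselines, watched client list and
burst threshold are assumptions to tune per tenant.
"""
from datetime import datetime, timedelta

# First-party client IDs that lures borrow so the verification page names a familiar
# app. Azure PowerShell is the ID cited in this report; Azure CLI is the other widely
# published one.
WATCHED_APP_IDS = {
    "1950a258-227b-4e31-a9cf-717495945fc2": "Microsoft Azure PowerShell",
    "04b07795-8ddb-461a-bbee-02f9e1bf7b46": "Microsoft Azure CLI",
}
CLI_USERS = {"ops.admin@contoso.example"}                   # assumed: who legitimately uses CLIs
USUAL_COUNTRIES = {"ops.admin@contoso.example": {"US"},      # assumed per-user location baseline
                   "j.doe@contoso.example": {"US"}}


def _ts(value):
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def _signin(time, upn, uid, app_id, protocol, result, ip, country, ua):
    return {"TimeGenerated": time, "UserPrincipalName": upn, "UserId": uid, "AppId": app_id,
            "AuthenticationProtocol": protocol, "ResultType": result, "IPAddress": ip,
            "Location": country, "UserAgent": ua}


# Constructed sample: a routine admin CLI login, a browser login, a failed device-code
# attempt, and a successful device-code grant showing every warning sign at once.
SIGNIN_LOGS = [
    _signin("2026-02-03T08:00:00Z", "ops.admin@contoso.example", "u-ops",
            "04b07795-8ddb-461a-bbee-02f9e1bf7b46", "deviceCode", "0",
            "198.51.100.10", "US", "azure-cli/2.67.0"),
    _signin("2026-02-03T09:10:00Z", "j.doe@contoso.example", "u-jdoe",
            "placeholder-browser-app-id", "none", "0",
            "198.51.100.22", "US", "Mozilla/5.0 (Windows NT 10.0) Edge/120"),
    _signin("2026-02-03T09:14:00Z", "j.doe@contoso.example", "u-jdoe",
            "1950a258-227b-4e31-a9cf-717495945fc2", "deviceCode", "50126",
            "203.0.113.45", "NG", "python-requests/2.31.0"),
    _signin("2026-02-03T09:15:00Z", "j.doe@contoso.example", "u-jdoe",
            "1950a258-227b-4e31-a9cf-717495945fc2", "deviceCode", "0",
            "203.0.113.45", "NG", "python-requests/2.31.0"),
]

# Constructed MicrosoftGraphActivityLogs rows: one call from the admin, then a mailbox
# sweep by the j.doe token starting twenty seconds after the grant.
GRAPH_ACTIVITY = [
    {"TimeGenerated": "2026-02-03T08:01:00Z", "UserId": "u-ops",
     "RequestUri": "https://graph.microsoft.com/v1.0/me"},
] + [
    {"TimeGenerated": (_ts("2026-02-03T09:15:20Z") + timedelta(seconds=4 * i)).isoformat(),
     "UserId": "u-jdoe", "RequestUri": f"https://graph.microsoft.com/v1.0/me/messages?$skip={50 * i}"}
    for i in range(25)
]


def hunt_device_code(signins, graph_activity, burst_window=timedelta(minutes=10), burst_threshold=20):
    """Return one finding per successful device-code sign-in that trips any heuristic.

    Same filter as the KQL idea in the text (ResultType == "0" and
    AuthenticationProtocol == "deviceCode"), then enriched with client, baseline
    and post-grant Graph volume. Findings are sorted by how many heuristics fired.
    """
    findings = []
    for row in signins:
        if row["ResultType"] != "0" or row["AuthenticationProtocol"] != "deviceCode":
            continue
        user, reasons = row["UserPrincipalName"], []
        if row["AppId"] in WATCHED_APP_IDS:
            reasons.append(f"first-party CLI client {WATCHED_APP_IDS[row['AppId']]}")
        if user not in CLI_USERS:
            reasons.append("user has no CLI/device baseline")
        if row["Location"] not in USUAL_COUNTRIES.get(user, set()):
            reasons.append(f"unusual location {row['Location']}")
        t0 = _ts(row["TimeGenerated"])
        burst = sum(1 for g in graph_activity
                    if g["UserId"] == row["UserId"] and t0 <= _ts(g["TimeGenerated"]) <= t0 + burst_window)
        if burst >= burst_threshold:
            reasons.append(f"{burst} Graph calls within {int(burst_window.total_seconds())}s of grant")
        if reasons:
            findings.append({"user": user, "time": row["TimeGenerated"], "ip": row["IPAddress"],
                             "user_agent": row["UserAgent"], "score": len(reasons), "reasons": reasons})
    return sorted(findings, key=lambda f: -f["score"])


if __name__ == "__main__":
    for finding in hunt_device_code(SIGNIN_LOGS, GRAPH_ACTIVITY):
        print(finding["score"], finding["user"], finding["ip"], "; ".join(finding["reasons"]))
```

The admin's own Azure CLI login still surfaces with a score of 1 because the client is on the watch list; that is intended, since the page's hunt keys on the client ID, and the baseline sets are what separate routine CLI use from a lure. Run against real exports, the same loop translates directly into a KQL `join` between the two tables keyed on `UserId` and a time window.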
## Mitigation Strategies
- **Disable Device Code Flow:** If not required for business operations, block the device code flow for all users. In Entra ID there is no global switch for this; it is done with a Conditional Access policy whose authentication-flow condition targets the device code flow and whose grant control is Block.
- **Conditional Access Policies:** Where the flow is genuinely required, restrict it to specific trusted IP ranges, managed devices, or the small set of accounts (automation or administrator accounts) that need it, and review those exclusions regularly.
- **User Education:** Train users never to enter a "device code" they received via email, chat or a phone call, emphasizing that such codes are only valid for a device or command-line session they themselves started moments earlier.
- **Token Lifetime and Revocation:** Shorten refresh token lifetimes where the identity provider allows it. Entra ID does not let tenants configure refresh token lifetime, so once a suspicious grant is found, revoke the user's sessions (the `revokeSignInSessions` Graph action, which invalidates their refresh tokens) and rely on sign-in frequency controls to bound how long any stolen token stays useful.
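A check for the first two mitigations, as an added example (not LevelBlue's or Microsoft's code): given the policies a tenant returns, decide whether the device code flow is actually blocked tenant-wide, and list the exclusions that would let some sign-ins through. The policy objects are constructed to look like items from `GET /identity/conditionalAccess/policies`; the field names used (`state`, `conditions.users`, `conditions.applications`, `conditions.authenticationFlows.transferMethods`, `grantControls.builtInControls`) follow my reading of the Graph `conditionalAccessPolicy` schema and should be confirmed against the tenant's real output. The weak policy and its hardened version sit side by side so the difference is the one exclusion.

```python
"""Audit Conditional Access policies for a tenant-wide block of the device code flow.

Added example for this report, not LevelBlue's or Microsoft's code. POLICIES is
constructed to look like items returned by GET /identity/conditionalAccess/policies;
the field names follow my reading of the Graph conditionalAccessPolicy schema and
should be checked against your tenant's real output before relying on this.
"""


def blocks_device_code(policy):
    """True if this one policy is enforced, targets the device code flow and blocks it."""
    if policy.get("state") != "enabled":          # report-only or disabled policies enforce nothing
        return False
    flows = (policy.get("conditions") or {}).get("authenticationFlows") or {}
    # transferMethods is a comma-separated flag string, e.g. "deviceCodeFlow,authenticationTransfer"
    methods = {m.strip() for m in (flows.get("transferMethods") or "").split(",")}
    if "deviceCodeFlow" not in methods:
        return False
    return "block" in ((policy.get("grantControls") or {}).get("builtInControls") or [])


def coverage_gaps(policy):
    """Scoping holes that would let some sign-ins slip past an otherwise-blocking policy."""
    cond = policy.get("conditions") or {}
    users, apps = cond.get("users") or {}, cond.get("applications") or {}
    gaps = []
    if "All" not in (users.get("includeUsers") or []):
        gaps.append("not scoped to all users")
    for key in ("excludeUsers", "excludeGroups", "excludeRoles"):
        if users.get(key):
            gaps.append(f"{key} carves out {users[key]}")
    if "All" not in (apps.get("includeApplications") or []):
        gaps.append("not scoped to all applications")
    return gaps


def audit(policies):
    """Which policies block the flow, and whether any of them does so with no exceptions."""
    blocking = [p for p in policies if blocks_device_code(p)]
    gaps = {p["displayName"]: coverage_gaps(p) for p in blocking if coverage_gaps(p)}
    return {"blocking_policies": [p["displayName"] for p in blocking],
            "gaps": gaps,
            "fully_blocked": any(not coverage_gaps(p) for p in blocking)}


# Constructed sample tenant: an MFA policy that says nothing about the flow, a
# report-only block, and an enforced block that still excludes one group.
WEAK_BLOCK = {
    "displayName": "Block device code flow",
    "state": "enabled",
    "conditions": {
        "users": {"includeUsers": ["All"], "excludeUsers": [],
                  "excludeGroups": ["placeholder-breakglass-group-id"], "excludeRoles": []},
        "applications": {"includeApplications": ["All"], "excludeApplications": []},
        "clientAppTypes": ["all"],
        "authenticationFlows": {"transferMethods": "deviceCodeFlow,authenticationTransfer"},
    },
    "grantControls": {"operator": "OR", "builtInControls": ["block"]},
}
POLICIES = [
    {"displayName": "Require MFA for all users", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"]}, "applications": {"includeApplications": ["All"]}},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
    {**WEAK_BLOCK, "displayName": "Block device code flow (report-only)",
     "state": "enabledForReportingButNotEnforced"},
    WEAK_BLOCK,
]
# The corrected setting: the same policy with the group exclusion removed.
HARDENED_BLOCK = {**WEAK_BLOCK, "conditions": {**WEAK_BLOCK["conditions"],
                  "users": {"includeUsers": ["All"], "excludeUsers": [],
                            "excludeGroups": [], "excludeRoles": []}}}


if __name__ == "__main__":
    print(audit(POLICIES))            # fully_blocked False, one gap listed
    print(audit([HARDENED_BLOCK]))    # fully_blocked True
```

The report-only copy is deliberately present: it shows up in sign-in logs as "would have blocked" and is useful for monitoring, but `blocks_device_code` ignores it because it enforces nothing. An exclusion for emergency-access accounts is a common and defensible choice; the audit's job is to make sure it is a known exception rather than a forgotten one.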
## Related Tools/Techniques
- **Adversary-in-the-Middle (AiTM):** Often confused with AiTM. Both end with an MFA-satisfied token in the attacker's hands, but Device Code Flow abuse needs no reverse proxy and no fake login page: the victim only ever visits the provider's genuine site, so URL-reputation and look-alike-domain controls have nothing to catch.
- **TokenTactics:** A known tool for manipulating and refreshing OAuth tokens.
- **Illicit Consent Grant:** A similar technique where users are tricked into granting permissions to a malicious OAuth application.