
Security researcher Dennis Kniep has introduced a novel phishing technique known as DeviceCodePhishing, which takes traditional device code phishing to a much more dangerous level.
“DeviceCodePhishing dynamically initiates the flow as soon as the victim opens the phishing link and instantly redirects them to the authentication page,” Kniep explains.
DeviceCodePhishing leverages the OAuth Device Authorization Grant (Device Code Flow) used by platforms like Microsoft Azure Entra. However, it introduces a clever twist:
- As soon as the victim clicks the phishing link, a headless browser starts a Device Code Flow session.
- The headless browser automatically enters the device code behind the scenes.
- The victim is instantly redirected to the legitimate authentication page, without needing to manually enter a code.
This automation sidesteps the device code's 10-minute validity window (the code is generated only when the victim clicks, not in advance) and removes the need for the victim to type a code, which dramatically increases the attack's success rate.
Kniep emphasizes that this method is more insidious than Attacker-in-the-Middle (AitM) phishing: “the victim interacts with the original website they expect, making it impossible to detect the attack based on a suspicious URL.”
Furthermore, if the victim already has an active session, they might not even be prompted for reauthentication, leaving virtually no time for them to realize they are under attack.
The most alarming aspect is that DeviceCodePhishing bypasses all forms of multi-factor authentication (MFA), including FIDO2 security keys, considered the gold standard of phishing-resistant authentication.
As Kniep stresses: “No authentication method, not even FIDO, is able to protect against this type of attack.”
Kniep has published a proof-of-concept (PoC) for this technique on GitHub. The current tool focuses on targeting Microsoft Azure Entra users, but the underlying method is broadly applicable across any service supporting the Device Code Flow.
Unfortunately, traditional user education and phishing detection techniques fall short against this type of attack. The most effective mitigation, according to Kniep, is to disable Device Code Flow entirely where possible. For Microsoft Azure Entra environments, implement a Conditional Access Policy to block the Device Code authentication flow.
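The two things an Entra administrator would want in hand after the mitigation advice above are the Conditional Access policy body that blocks the Device Code Flow and a way to check sign-in logs for device code sign-ins before and after enabling it. The following is an added defender-side example, not code from the article or from Kniep's PoC. It assumes the Microsoft Graph property names `conditions.authenticationFlows.transferMethods` (value `deviceCodeFlow`) for the "Authentication flows" condition and the sign-in log field `authenticationProtocol` with value `deviceCode`; the sign-in records are constructed samples, and the property names should be checked against current Microsoft documentation before use.

```python
"""Block and detect Device Code Flow sign-ins in Microsoft Entra.

Added example (not from the article). Assumed names: the Graph
"authenticationFlows" / "transferMethods" policy condition and the
sign-in log field "authenticationProtocol" == "deviceCode".
"""
import json


def build_block_device_code_policy(display_name="Block Device Code Flow",
                                   state="enabledForReportingButNotEnforced"):
    """Return the JSON body for POST /identity/conditionalAccess/policies.

    The policy starts in report-only mode so its impact on legitimate
    CLI/IoT clients can be reviewed in the sign-in logs before it is
    switched to "enabled".
    """
    return {
        "displayName": display_name,
        "state": state,
        "conditions": {
            "users": {"includeUsers": ["All"]},
            "applications": {"includeApplications": ["All"]},
            "clientAppTypes": ["all"],
            # Assumed property names for the "Authentication flows" condition;
            # several methods would be comma-separated in this one string.
            "authenticationFlows": {"transferMethods": "deviceCodeFlow"},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }


# Constructed sample sign-in records, shaped like Entra sign-in log entries.
# Error code 53003 is the Conditional Access "blocked" result.
SAMPLE_SIGNINS = [
    {"id": "s1", "userPrincipalName": "alice@example.com",
     "authenticationProtocol": "none", "ipAddress": "203.0.113.10",
     "conditionalAccessStatus": "success", "status": {"errorCode": 0}},
    {"id": "s2", "userPrincipalName": "bob@example.com",
     "authenticationProtocol": "deviceCode", "ipAddress": "198.51.100.7",
     "conditionalAccessStatus": "notApplied", "status": {"errorCode": 0}},
    {"id": "s3", "userPrincipalName": "carol@example.com",
     "authenticationProtocol": "none", "ipAddress": "203.0.113.11",
     "conditionalAccessStatus": "success", "status": {"errorCode": 0}},
    {"id": "s4", "userPrincipalName": "dave@example.com",
     "authenticationProtocol": "deviceCode", "ipAddress": "198.51.100.9",
     "conditionalAccessStatus": "failure", "status": {"errorCode": 53003}},
]


def find_device_code_signins(records):
    """Return the sign-in records that used the device code protocol."""
    return [r for r in records
            if r.get("authenticationProtocol") == "deviceCode"]


def triage(records):
    """Summarise device code usage: who used it and which sign-ins succeeded.

    A device code sign-in with errorCode 0 is one that no policy stopped;
    that is the set to investigate (or to expect to shrink once the
    blocking policy is enforced).
    """
    hits = find_device_code_signins(records)
    succeeded = [h["id"] for h in hits
                 if h.get("status", {}).get("errorCode", 0) == 0]
    return {
        "total": len(records),
        "device_code": len(hits),
        "users": sorted({h["userPrincipalName"] for h in hits}),
        "succeeded_ids": succeeded,
    }


if __name__ == "__main__":
    print(json.dumps(build_block_device_code_policy(), indent=2))
    print(json.dumps(triage(SAMPLE_SIGNINS), indent=2))
```

In practice the records would come from the Graph `auditLogs/signIns` endpoint or a SIEM export; any user in `succeeded_ids` who has no known reason to use a CLI or IoT device code client is worth a closer look, and once the policy is moved from report-only to enabled, new device code sign-ins should show up only as blocked.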