There's no fake login page in a device-code attack. No spoofed domain, no credential form, nothing for a link scanner to flag. The victim gets a message asking them to enter a short code to activate a device, goes to the genuine Microsoft or Okta page, signs in, and passes MFA for real. The code they entered hands their tokens to another machine.
Every control in that chain worked exactly as designed.
Why the Flow Was Built to Be Trusted
The device authorization grant exists for good reasons. It's how you sign a TV or a CLI into an account without a keyboard. But authentication and the thing being authorized happen on two different devices, and the flow can't tell whether they're the same person. An attacker exploits that gap: start the flow, relay the code through a convincing lure, and let the real user supply the login and MFA. No credential is stolen because none is exchanged.
Persistence Is the Real Prize
A stolen password gets you one login. A device-code token gets you a foothold. From there an attacker can register a device and pick up a primary refresh token, the long-lived Entra credential that reissues access and outlives the password reset that follows the incident. Detection built around bad sign-ins struggles here, because nothing about the sign-in is bad.
What gives it away is the pattern around it: a device-code grant to an identity that has never used one, a device registration from nowhere, a token exercised from hosting infrastructure the user has never touched. That's a behavioral question, not a signature.
The most effective phishing today produces a clean login and a real token. Catching it means watching what happens after the sign-in looks perfectly normal.
See the latest from Abnormal's product and engineering teams.
