Threat actors that previously targeted two-factor authentication have shifted to device code phishing. The attack abuses the legitimate OAuth device authorization flow that services offer for logging in new devices. By mimicking a standard authentication prompt, attackers persuade victims to grant account access themselves, so 2FA protections are bypassed entirely.
Device code flows, designed for headless devices and CLI tools, present a vulnerability when users cannot easily verify the requesting application. Victims receive a code and visit a provider's authorization page, where attackers trick them into approving access for malicious applications. This method proves effective because it exploits trust in familiar login interfaces.
The shift indicates that attackers recognized the stronger defenses now surrounding traditional phishing and SMS interception. Device code phishing requires no SIM swap, no password theft, and no 2FA bypass tooling. Defenders should educate users to verify the application name and publisher information before approving a device authorization. Organizations should restrict device code flows to trusted applications, monitor for suspicious authorization grants, and implement conditional access policies that require additional verification for new-device logins.
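As an added illustration of the "restrict to trusted applications" and "monitor for suspicious grants" advice above (example code written for this page, not from the original article or any provider's tooling), the script below correlates a constructed, hypothetical provider log and flags device-code grants where the client is not on an allow-list or where the user approved the code from a different address than the device that requested it; in a device code phishing case the requesting device is the attacker's, so the grant is issued to a host the victim never touched. The log schema, client IDs and addresses are all assumptions.

```python
"""Flag suspicious OAuth device-code authorization grants.

Assumes a hypothetical, constructed log schema (not any real provider's):
one JSON object per line with fields event, device_code, client_id, user, ip.
"""
import json
from collections import defaultdict

# Assumed allow-list of client IDs permitted to use the device code flow.
TRUSTED_DEVICE_CODE_CLIENTS = {"cli-tool-0001"}

# Constructed sample events. device_code_requested: a client starts the flow
# (RFC 8628 device authorization request); device_code_approved: the user
# enters the user code on the provider's page; token_issued: the polling
# device receives tokens. dc-2 is the phishing pattern: an unknown client
# requests the code from one host, the user approves from another.
SAMPLE_LOG = """\
{"event": "device_code_requested", "device_code": "dc-1", "client_id": "cli-tool-0001", "client_name": "Corp CLI", "ip": "203.0.113.10"}
{"event": "device_code_approved", "device_code": "dc-1", "user": "alice", "ip": "203.0.113.10"}
{"event": "token_issued", "device_code": "dc-1", "user": "alice", "client_id": "cli-tool-0001", "ip": "203.0.113.10"}
{"event": "device_code_requested", "device_code": "dc-2", "client_id": "app-9f3a", "client_name": "Mail Client", "ip": "198.51.100.77"}
{"event": "device_code_approved", "device_code": "dc-2", "user": "bob", "ip": "192.0.2.25"}
{"event": "token_issued", "device_code": "dc-2", "user": "bob", "client_id": "app-9f3a", "ip": "198.51.100.77"}
"""


def find_suspicious_grants(log_text):
    """Correlate events per device_code and return findings for completed grants."""
    flows = defaultdict(dict)
    for line in log_text.splitlines():
        if line.strip():
            event = json.loads(line)
            flows[event["device_code"]][event["event"]] = event

    findings = []
    for code, events in flows.items():
        requested = events.get("device_code_requested")
        approved = events.get("device_code_approved")
        issued = events.get("token_issued")
        if not (requested and approved and issued):
            continue  # flow never completed, so no access was granted
        reasons = []
        if requested["client_id"] not in TRUSTED_DEVICE_CODE_CLIENTS:
            reasons.append("client not on device-code allow-list")
        if approved["ip"] != requested["ip"]:
            reasons.append("user approved from a different address than the requesting device")
        if reasons:
            findings.append({"device_code": code, "user": approved["user"],
                             "client_id": requested["client_id"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_grants(SAMPLE_LOG):
        print(finding)
```

An address mismatch on its own is expected for genuine headless devices (a user approving a TV from a phone), so weight it together with the allow-list result rather than alerting on it alone.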
