Device code phishing hits 340 M365 orgs — block the flow now
Russian threat actors exploit Microsoft device code authentication to hijack M365 accounts. Conditional Access can stop it.
Since February 2026, over 340 Microsoft 365 organizations across five countries have been hit by a coordinated phishing campaign that succeeds even where MFA is enforced. Behind the attack: several Russia-aligned groups including Storm-2372, APT29, UTA0304, and UTA0307.
The technique is called device code phishing. The attacker starts an OAuth 2.0 device code sign-in for a Microsoft application, receives a short user code, and tricks the victim into entering that code on Microsoft's real login page, microsoft.com/devicelogin. The victim thinks they are authenticating for a legitimate service. In reality, the access and refresh tokens for that sign-in are issued to the attacker's client, and the refresh token keeps working long after the victim's own session ends.
How the attack works
The victim receives an email with a link appearing to come from Cisco, Trend Micro, or Mimecast, all recognized security vendors. The link routes through Cloudflare Workers to a page that presents the attacker's device code and tells the victim to enter it. The victim enters the code on Microsoft's real page, signs in, completes MFA, and the attacker's client, which has been polling Microsoft's token endpoint since it requested the code, receives the tokens.
What makes this effective: everything happens on Microsoft's actual site. No fake login pages. No certificate warnings. No credentials are stolen, so a password reset alone does not end the access. MFA does not help because the victim satisfies it, legitimately, for a sign-in the attacker started; even phishing-resistant methods such as FIDO2 keys are completed on the victim's own device and still hand the tokens to the attacker. The only cue on the page is the name of the application asking for the code, and most users have no reason to question it.
What to do
- Block device code flow in Conditional Access. Most organizations do not need it. Create a CA policy that targets all users and all cloud apps, uses the authentication flows condition set to Device code flow (`deviceCodeFlow` in the Graph API), and grants Block. Exclude only the group of users who specifically require it, such as engineers who sign in with `az login --use-device-code` on headless machines, plus your break-glass accounts. Deploy it in report-only mode first, check the sign-in log for who would have been blocked, then enforce it.
- Confirm Continuous Access Evaluation (CAE) is enabled; it is on by default in Entra ID tenants, so check that nobody has turned it off. CAE does not find or revoke compromised tokens by itself. When you disable the account, reset the password or revoke the user's sign-in sessions, CAE makes CAE-capable clients such as Outlook and Teams drop their access tokens in near real time instead of at token expiry. For a compromised account, revoke sessions and reset the password rather than relying on the block policy alone: the policy stops new device code sign-ins, but an access token already issued stays valid until it expires or is revoked.
- Review sign-in logs in Entra ID. In the sign-in logs, filter the Authentication Protocol column on Device code (`deviceCode` in the Graph signIns resource) and look for users, applications, IP addresses and countries that do not match expected use of the flow. Treat a successful device code sign-in from a user who has no reason to use it as a token theft until proven otherwise.
- Train your users: never enter a code you did not generate yourself. A genuine device code comes from a sign-in you just started on your own device or in your own terminal, never from an email or a web page someone else sent you.
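The blocking policy and the sign-in log review from the list above, as an added example that is not code from the article, from Microsoft or from the consultancy: the first function builds the Microsoft Graph request body for a Conditional Access policy that blocks the device code flow, and the second triages sign-in records for successful device code sign-ins. The group ID, the user names and the sign-in records are constructed; the policy shape follows the Graph `conditionalAccessPolicy` resource and its `authenticationFlows` condition, and the records follow the Graph `signIn` resource, as I understand them, so verify the field names against the current API reference before posting to a tenant.

```python
"""Added example, not code from the article or from Microsoft: builds the
Microsoft Graph request body for a Conditional Access policy that blocks the
device code flow, and triages Entra ID sign-in records for device code
sign-ins. The group ID and the sign-in records are constructed; the policy
shape follows the Graph conditionalAccessPolicy resource (authenticationFlows
condition) and the records follow the Graph signIn resource."""
import json

GRAPH_CA_POLICIES = "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies"


def build_block_device_code_policy(display_name, excluded_group_ids,
                                   state="enabledForReportingButNotEnforced"):
    """Return the JSON body to POST to GRAPH_CA_POLICIES.

    Defaults to report-only so the sign-in log shows who would have been
    blocked; switch state to "enabled" once the exclusion group is right."""
    if not excluded_group_ids:
        # Exclude at least one group: break-glass accounts plus the few users
        # with a genuine need (headless CLI logins, conference room devices).
        raise ValueError("exclude a break-glass / approved-users group before blocking")
    if state not in {"enabled", "disabled", "enabledForReportingButNotEnforced"}:
        raise ValueError(f"unknown policy state {state!r}")
    return {
        "displayName": display_name,
        "state": state,
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeGroups": list(excluded_group_ids)},
            "applications": {"includeApplications": ["All"]},
            "clientAppTypes": ["all"],
            "authenticationFlows": {"transferMethods": "deviceCodeFlow"},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }


# Constructed records in the shape of GET /auditLogs/signIns (not real log data).
SAMPLE_SIGNINS = [
    {"userPrincipalName": "alice@example.com", "createdDateTime": "2026-03-02T08:14:05Z",
     "authenticationProtocol": "deviceCode", "ipAddress": "198.51.100.10",
     "appDisplayName": "Microsoft Azure CLI", "status": {"errorCode": 0},
     "location": {"countryOrRegion": "NL"}},
    {"userPrincipalName": "bob@example.com", "createdDateTime": "2026-03-02T09:41:17Z",
     "authenticationProtocol": "deviceCode", "ipAddress": "203.0.113.55",
     "appDisplayName": "Microsoft Office", "status": {"errorCode": 0},
     "location": {"countryOrRegion": "RU"}},
    {"userPrincipalName": "carol@example.com", "createdDateTime": "2026-03-02T10:02:44Z",
     "authenticationProtocol": "deviceCode", "ipAddress": "203.0.113.56",
     "appDisplayName": "Microsoft Office", "status": {"errorCode": 50126},
     "location": {"countryOrRegion": "DE"}},
    {"userPrincipalName": "dave@example.com", "createdDateTime": "2026-03-02T10:30:00Z",
     "authenticationProtocol": "oAuth2", "ipAddress": "198.51.100.11",
     "appDisplayName": "Microsoft Teams", "status": {"errorCode": 0},
     "location": {"countryOrRegion": "NL"}},
]


def find_device_code_signins(records, expected_users=frozenset(), home_countries=frozenset()):
    """Keep successful device code sign-ins and flag the ones that need a human.

    A sign-in is flagged when the user is not on the list of people expected
    to use the flow, or when it comes from outside the home countries."""
    expected = {u.lower() for u in expected_users}
    findings = []
    for rec in records:
        if rec.get("authenticationProtocol") != "deviceCode":
            continue
        if rec.get("status", {}).get("errorCode", 0) != 0:
            continue  # failed attempt: no token was issued, review separately
        upn = rec["userPrincipalName"].lower()
        country = rec.get("location", {}).get("countryOrRegion")
        reasons = []
        if upn not in expected:
            reasons.append("user not expected to use device code flow")
        if home_countries and country not in home_countries:
            reasons.append(f"sign-in from {country}")
        findings.append({
            "user": upn, "time": rec["createdDateTime"], "ip": rec.get("ipAddress"),
            "app": rec.get("appDisplayName"), "suspicious": bool(reasons), "reasons": reasons,
        })
    return findings


if __name__ == "__main__":
    policy = build_block_device_code_policy(
        "Block device code flow", ["11111111-2222-3333-4444-555555555555"])  # hypothetical group
    print(json.dumps(policy, indent=2))
    for hit in find_device_code_signins(SAMPLE_SIGNINS, {"alice@example.com"}, {"NL", "DE"}):
        print(hit)
```

With the sample data, Alice's Azure CLI sign-in from the Netherlands passes as expected use, Carol's failed attempt is skipped because no token was issued, Dave never used the flow, and Bob's successful Office sign-in from an unexpected country is the one to act on: revoke his sign-in sessions, reset the password and look at what the token was used for.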
We can help
We offer a Conditional Access review (half-day) where we block device code flow, enable CAE, and review sign-in logs for signs of compromise. Schedule a review.
Sources: The Hacker News, Cloud Security Alliance