MFA does not protect against device code phishing — here is what does
Over 340 M365 organizations compromised via device code phishing. MFA is useless. Here is how to block it.
Over 340 Microsoft 365 organizations have been compromised since February 2026 using a technique called device code phishing. The attackers — Russian-aligned groups tracked as Storm-2372, APT29, and several others — are exploiting a legitimate OAuth feature that most tenants have left wide open.
The critical detail: MFA provides zero protection. The victim completes the MFA challenge on the attacker's behalf.
How the attack works
The attacker sends a phishing message directing the victim to Microsoft's legitimate device code login page (microsoft.com/devicelogin). The victim enters a code, signs in with their credentials, and approves the MFA prompt — business as usual.
Except the code belongs to the attacker's session. The result: a refresh token granting persistent access to the victim's account. These tokens survive password resets. Standard MFA is irrelevant.
The campaign targets construction, healthcare, legal, government, and non-profit sectors. Infrastructure is hosted on Cloudflare Workers and Railway to evade detection.
Why this matters for SMBs on M365 Business Premium
Most M365 Business Premium tenants have not blocked device code authentication in Conditional Access. It is not disabled by default. Unless you have explicitly blocked it, your accounts are exposed.
What to do right now
- Create a Conditional Access policy that blocks device code flow
- Review Entra ID sign-in logs for device code authentication attempts
- Revoke refresh tokens for any suspicious accounts
- Enable Continuous Access Evaluation (CAE) to limit token lifetimes
- Educate users — this is not a standard phishing attack
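The first three steps above, as an added worked example using the Microsoft Graph PowerShell SDK (this is not code from the original post or from HaggeBurger); the policy name, the 30-day review window and the placeholder UPN are assumptions, and the admin is assumed to hold the Conditional Access Administrator role:

```powershell
# Added example, not part of the original post. Requires the Microsoft.Graph
# PowerShell SDK. Blocks device code flow with Conditional Access, then lists
# device code sign-ins already present in the Entra ID sign-in logs.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All", "AuditLog.Read.All", "Directory.Read.All"

# 1. Conditional Access policy: condition = authentication flow "device code flow",
#    grant = block, scoped to all users and all cloud apps. It starts in report-only
#    mode so you can confirm nothing legitimate (headless devices, some CLI tools)
#    depends on device code before changing state to "enabled". Add your
#    emergency-access accounts to excludeUsers before enforcing.
$policy = @{
    displayName = "Block device code flow"   # assumed name; choose your own
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users               = @{ includeUsers = @("All") }
        applications        = @{ includeApplications = @("All") }
        authenticationFlows = @{ transferMethods = "deviceCodeFlow" }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("block")
    }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $policy

# 2. Sign-in log review: the signIn resource records the protocol used, and
#    device code sign-ins carry authenticationProtocol = "deviceCode".
#    The 30-day window is an assumption; widen it to your retention period.
$since = (Get-Date).ToUniversalTime().AddDays(-30).ToString("yyyy-MM-ddTHH:mm:ssZ")
$deviceCodeSignIns = Get-MgAuditLogSignIn -All -Filter "createdDateTime ge $since" |
    Where-Object { $_.AuthenticationProtocol -eq "deviceCode" }

$deviceCodeSignIns |
    Select-Object CreatedDateTime, UserPrincipalName, AppDisplayName, IPAddress,
                  @{ n = "Country"; e = { $_.Location.CountryOrRegion } },
                  ConditionalAccessStatus |
    Format-Table -AutoSize

# 3. For an account you judge compromised, revoking its sign-in sessions
#    invalidates the refresh tokens the attacker relies on for persistence.
#    Placeholder UPN; uncomment per affected account after triage.
# Revoke-MgUserSignInSession -UserId "user@contoso.example"
```

Any device code sign-in from an IP, country or app the user cannot account for, especially one where MFA shows as satisfied, is the signal to treat that account as compromised and move to step 3.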
How HaggeBurger can help
We offer an OAuth Security Check — a quick 2-3 hour engagement where we block device code flow, review your CA policies, and verify no accounts are already compromised. Contact us.
Reference: The Hacker News — Device Code Phishing Hits 340+ Microsoft 365 Orgs