New Phishing Attack Bypasses MFA via Device Code — Block It Now
Active campaign steals M365 tokens via OAuth device code flow. 340+ organizations compromised. Here is how to block the attack.
Over 340 organizations across five countries have had their M365 accounts compromised through a phishing campaign that most MFA solutions do not stop. Huntress revealed on March 23 that the attack exploits the OAuth device code flow — and it is accelerating.
The attack works like this: the victim receives a link asking them to go to Microsoft's legitimate sign-in page and enter a code. It looks completely normal. But the code gives the attacker a persistent access token to the victim's M365 account. The token survives password resets.
The campaign has been attributed to a new PhaaS (Phishing-as-a-Service) platform called EvilTokens, sold via Telegram. The infrastructure runs on Railway.com, a PaaS platform that makes it trivial to spin up and tear down attack servers.
Why it works
The device code flow is a legitimate OAuth feature designed for devices without browsers (smart TVs, IoT). The problem is that most organizations do not block it in Conditional Access. The user authenticates on Microsoft's real page — all MFA steps complete normally — but the token ends up with the attacker.
What to do now
- Block device code flow in Conditional Access. Create a policy that denies authentication flow = device code for all users who do not explicitly need it.
- Enable Continuous Access Evaluation (CAE) across all tenants. CAE enables near-real-time token revocation.
- Review sign-in logs for authentication_protocol=deviceCode from unknown devices.
- Consider token protection with token binding in Conditional Access.
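The log review step above, written out as detection logic over a few constructed sign-in records. This is an added example, not code from the article or from Huntress; the field names (authenticationProtocol, deviceDetail, isManaged, isCompliant) are assumed to follow the Microsoft Entra sign-in log export, and the "unknown device" rule is a simple heuristic that you would tune to your own device inventory.

```python
import json

# Constructed sample records (not real data). Field names are an assumption
# based on the Entra sign-in log export schema.
SAMPLE_SIGNIN_LOG = """
{"userPrincipalName": "alice@example.com", "ipAddress": "203.0.113.10", "authenticationProtocol": "deviceCode", "deviceDetail": {"deviceId": "", "isManaged": false, "isCompliant": false}, "appDisplayName": "Microsoft Office"}
{"userPrincipalName": "bob@example.com", "ipAddress": "198.51.100.7", "authenticationProtocol": "oAuth2", "deviceDetail": {"deviceId": "d1", "isManaged": true, "isCompliant": true}, "appDisplayName": "Outlook"}
{"userPrincipalName": "carol@example.com", "ipAddress": "192.0.2.44", "authenticationProtocol": "deviceCode", "deviceDetail": {"deviceId": "tv-01", "isManaged": true, "isCompliant": true}, "appDisplayName": "Conference room display"}
"""


def parse_signin_log(text):
    """Parse one JSON record per line, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def is_unknown_device(detail):
    """Heuristic: no device ID, or a device that is neither managed nor compliant."""
    if not detail.get("deviceId"):
        return True
    return not (detail.get("isManaged") or detail.get("isCompliant"))


def find_suspicious_device_code_signins(records, allowed_users=frozenset()):
    """Return device code sign-ins from unknown devices, excluding users who
    legitimately need the flow (e.g. accounts that enrol browserless devices)."""
    hits = []
    for rec in records:
        if rec.get("authenticationProtocol") != "deviceCode":
            continue
        if rec.get("userPrincipalName") in allowed_users:
            continue
        if is_unknown_device(rec.get("deviceDetail", {})):
            hits.append(rec)
    return hits


if __name__ == "__main__":
    for hit in find_suspicious_device_code_signins(parse_signin_log(SAMPLE_SIGNIN_LOG)):
        print(f"ALERT: device code sign-in for {hit['userPrincipalName']} "
              f"from {hit['ipAddress']} via {hit['appDisplayName']}")
```

Only alice's sign-in is flagged: bob did not use device code, and carol's meeting-room display is a managed, compliant device.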
This is not a theoretical attack. It is happening right now and the number of victims is growing every day. Law firms, construction companies, healthcare providers, and government agencies are among those affected.
At HaggeBurger, we offer a Conditional Access review that includes device code blocking, CAE enablement, and token protection. Get in touch and we will check your environment.