
New Deceptive Threat: Device Code Phishing

Device Code Phishing:

  • Device Code Definition: The device code flow (the OAuth 2.0 Device Authorization Grant, RFC 8628) exists for devices that have no usable browser or keyboard, such as smart TVs, printers, IoT equipment and command-line tools. The device asks the identity provider to start a sign-in and receives two values: a long secret device code that it keeps, and a short user code (roughly eight or nine letters and digits) that it displays. You open the provider's verification page on a second device, such as your phone or laptop, sign in as usual (password and MFA), and type in the user code. The first device, which has been polling the provider in the background, then receives access and refresh tokens for your account. Note that the code belongs to the device that started the sign-in, not to you; the verification page has no way of telling whose device that was.
  • Device Code Phishing: A phishing attack in which the attacker starts a device code sign-in on their own machine and tricks the victim into approving it, so that the identity provider issues the victim's tokens to the attacker's device.
    Mechanism: The attacker's client requests a device code and user code, and the attacker sends the user code to the victim together with the provider's genuine verification link. The victim, believing the code is meant for them, signs in on the real page and enters it, thereby authorizing the attacker's device.
  • Example: Phishing emails dressed up as Microsoft Teams meeting invitations that tell the recipient to enter a code at the Microsoft device login page; entering the code unknowingly authorizes the attacker's device.

Attack Method:

  • Process: The attacker starts a device code sign-in on their own machine (no credentials of the victim are needed at this stage), receives a user code and the provider's verification URL, and sends the victim a phishing message containing that user code and the genuine login link. While waiting, the attacker's client keeps polling the provider's token endpoint. Because the user code expires after a short window (about 15 minutes in Microsoft's implementation), the lure is built to create urgency, for example a meeting that is about to start.
  • Outcome: When the victim signs in (completing MFA as normal) and enters the code, the provider issues access and refresh tokens to the attacker's polling client. The attacker now holds a session for the victim's account without ever learning the password or touching an MFA prompt, and can keep refreshing it until the tokens are revoked.
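The exchange described above, as an added example written for this article (it is not code from the original page, from Microsoft or from any vendor): a stand-in authorization server implements the three device code endpoints, an attacker client starts the flow and polls, and a victim who is already signed in enters the user code. Every URL, client name, user name, code and timing here is constructed; the 900-second code lifetime is a stand-in for the roughly 15-minute window described above. The second run shows what happens when the victim acts after the code has expired, which is why real lures push for urgency.

```python
"""Simulation of the OAuth 2.0 device authorization grant (RFC 8628) being
abused for device code phishing. Added example written for this article, not
code from the original page, from Microsoft or from any other vendor: the
authorization server below is a stand-in for a real identity provider, and
every URL, client name, user name, code and timing is constructed."""
import secrets
import string
from dataclasses import dataclass
from typing import Optional


class FakeClock:
    """Controllable clock so code expiry can be shown without waiting 15 minutes."""

    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


@dataclass
class Pending:
    device_code: str       # long secret, known only to the client that started the flow
    user_code: str         # short code a human is asked to type in
    client_id: str
    scope: str
    expires_at: float
    interval: int = 5      # minimum seconds between token polls
    authorized_by: Optional[str] = None


class AuthorizationServer:
    """Minimal stand-in for an identity provider's device code endpoints."""

    verification_uri = "https://login.example.test/devicelogin"  # assumed, not a real URL

    def __init__(self, clock, code_lifetime=900):  # 900 s stands in for a 15-minute window
        self.clock = clock
        self.code_lifetime = code_lifetime
        self.by_device_code = {}
        self.by_user_code = {}

    def device_authorization(self, client_id, scope):
        """Step 1: any client may start the flow; no user credentials are involved."""
        alphabet = string.ascii_uppercase + string.digits
        p = Pending(device_code=secrets.token_urlsafe(32),
                    user_code="".join(secrets.choice(alphabet) for _ in range(8)),
                    client_id=client_id, scope=scope,
                    expires_at=self.clock() + self.code_lifetime)
        self.by_device_code[p.device_code] = p
        self.by_user_code[p.user_code] = p
        return {"device_code": p.device_code, "user_code": p.user_code,
                "verification_uri": self.verification_uri,
                "expires_in": self.code_lifetime, "interval": p.interval}

    def verification_page(self, signed_in_user, user_code):
        """Step 2: a user who has already signed in (password and MFA) types the
        code. The page cannot tell whose device requested it."""
        p = self.by_user_code.get(user_code)
        if p is None or self.clock() > p.expires_at:
            return "invalid_or_expired_code"
        p.authorized_by = signed_in_user
        return "device_authorized"

    def token(self, device_code):
        """Step 3: the client holding device_code polls the token endpoint."""
        p = self.by_device_code.get(device_code)
        if p is None:
            return {"error": "invalid_grant"}
        if self.clock() > p.expires_at:
            return {"error": "expired_token"}
        if p.authorized_by is None:
            return {"error": "authorization_pending"}
        return {"access_token": f"access-token-for-{p.authorized_by}",
                "refresh_token": f"refresh-token-for-{p.authorized_by}",
                "token_type": "Bearer", "scope": p.scope}


def run_phish(victim_user, victim_delay, code_lifetime=900):
    """Attacker starts the flow, sends the user code in a lure, and polls until
    the victim acts or the code expires. victim_delay is the number of seconds
    the victim takes to follow the lure. Returns (lure, page result, token reply)."""
    clock = FakeClock()
    server = AuthorizationServer(clock, code_lifetime)
    resp = server.device_authorization(client_id="attacker-client", scope="Mail.Read")
    lure = (f"Your meeting is starting. Open {resp['verification_uri']} and enter "
            f"code {resp['user_code']} to join.")  # genuine URL, attacker's code
    poll = {"error": "authorization_pending"}
    while clock() < victim_delay and poll.get("error") == "authorization_pending":
        clock.advance(resp["interval"])            # respect the polling interval
        poll = server.token(resp["device_code"])
    page_result = server.verification_page(victim_user, resp["user_code"])
    final = server.token(resp["device_code"])      # what the attacker ends up with
    return lure, page_result, final


if __name__ == "__main__":
    for delay in (120, 1200):  # victim acts after 2 minutes vs. after 20 minutes
        lure, page, tokens = run_phish("victim@example.test", delay)
        print(f"delay={delay}s page={page} tokens={tokens}")
```

Two details carry the whole attack: the victim's password and MFA are never sent anywhere but the genuine page, and the tokens go to whichever client holds the matching device code, which is the attacker's. The only thing the attacker has to do in time is keep polling.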

Overall Problem:

  • Weakness of user-typed codes: Like one-time passcodes, a device user code is just a short string that a user is told to type, and users have been trained to type such codes on request. Nothing in the code tells the user which device asked for it, so it is easily socially engineered, and MFA does not stop the attack because the victim legitimately satisfies the MFA prompt on the attacker's behalf.
  • Devious Nature: Device code phishing is harder to detect because the login page, the URL and the TLS certificate are the identity provider's own. There is no spoofed domain to spot and no credential is typed into an attacker-controlled form, so URL-inspection training and domain blocklists do not help.

Defenses:

  • Education: Teach users that a legitimate device code prompt only appears when they themselves are setting up a device or tool, and that any email, chat message or meeting invitation telling them to go to a login page and enter a code is a red flag to report.
  • Conditional Access: Block device code flow in Microsoft Entra with the Authentication flows condition in Conditional Access, allowing it only for the specific users, groups or applications (such as CLI tooling or IoT devices) that genuinely need it. Before enforcing the block, review the sign-in logs for sign-ins whose authentication protocol is device code to find out who uses it today.
  • IP Address Blocking/Geo-Fencing: Where the flow must stay enabled, restrict it to named locations (corporate IP ranges or expected countries) and alert on device code sign-ins from anywhere else.
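A triage script for the last two defenses, added here as an example written for this article (not code from the original page or from Microsoft). The sign-in records are constructed and borrow the field names of the Microsoft Graph signIn resource (authenticationProtocol, ipAddress, userPrincipalName, appDisplayName, createdDateTime); the trusted network range and the list of applications expected to use the flow are assumptions for illustration. It flags every device code sign-in, ranks it by whether the source address is outside the trusted ranges and whether the application is one that normally uses the flow, and lists the users seen using the flow, which is the review to do before blocking it tenant-wide.

```python
"""Triage of device code sign-ins in identity provider sign-in logs. Added
example written for this article, not code from the original page or from
Microsoft. The records are constructed; they borrow the field names of the
Microsoft Graph signIn resource (authenticationProtocol, ipAddress,
userPrincipalName, appDisplayName, createdDateTime), while the trusted
networks and the applications expected to use the flow are assumptions."""
import ipaddress
import json

# Constructed sample export, one JSON object per line.
SAMPLE_SIGN_INS = """\
{"createdDateTime": "2025-02-13T14:02:11Z", "userPrincipalName": "alice@example.test", "appDisplayName": "Microsoft Office", "authenticationProtocol": "oAuth2", "ipAddress": "203.0.113.25"}
{"createdDateTime": "2025-02-13T14:05:40Z", "userPrincipalName": "bob@example.test", "appDisplayName": "Microsoft Azure CLI", "authenticationProtocol": "deviceCode", "ipAddress": "203.0.113.40"}
{"createdDateTime": "2025-02-13T14:07:03Z", "userPrincipalName": "alice@example.test", "appDisplayName": "Microsoft Teams", "authenticationProtocol": "deviceCode", "ipAddress": "198.51.100.77"}
{"createdDateTime": "2025-02-13T14:09:30Z", "userPrincipalName": "carol@example.test", "appDisplayName": "Microsoft Azure CLI", "authenticationProtocol": "deviceCode", "ipAddress": "198.51.100.78"}
"""

# Assumed corporate egress range (documentation-reserved addresses).
TRUSTED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]
# Assumed set of applications for which device code sign-ins are expected.
EXPECTED_DEVICE_CODE_APPS = {"Microsoft Azure CLI"}


def parse_sign_ins(jsonl_text):
    """Parse a JSON-lines export, skipping blank lines."""
    return [json.loads(line) for line in jsonl_text.splitlines() if line.strip()]


def classify(record, trusted_networks, expected_apps):
    """Return a severity for one device code sign-in, or None if it is not one."""
    if record.get("authenticationProtocol") != "deviceCode":
        return None
    ip = ipaddress.ip_address(record["ipAddress"])
    off_network = not any(ip in net for net in trusted_networks)
    unexpected_app = record.get("appDisplayName") not in expected_apps
    if off_network and unexpected_app:
        return "high"      # unusual app from an unusual location: investigate now
    if off_network or unexpected_app:
        return "medium"
    return "low"           # expected tool from a trusted range: still worth recording


def triage(jsonl_text, trusted_networks=TRUSTED_NETWORKS,
           expected_apps=EXPECTED_DEVICE_CODE_APPS):
    """Return one alert per device code sign-in, in log order."""
    alerts = []
    for rec in parse_sign_ins(jsonl_text):
        severity = classify(rec, trusted_networks, expected_apps)
        if severity is None:
            continue
        alerts.append({"time": rec["createdDateTime"],
                       "user": rec["userPrincipalName"],
                       "app": rec.get("appDisplayName"),
                       "ip": rec["ipAddress"],
                       "severity": severity})
    return alerts


def device_code_users(jsonl_text):
    """Users seen signing in with device code flow: the list to review before
    blocking the flow tenant-wide."""
    return sorted({rec["userPrincipalName"] for rec in parse_sign_ins(jsonl_text)
                   if rec.get("authenticationProtocol") == "deviceCode"})


if __name__ == "__main__":
    for alert in triage(SAMPLE_SIGN_INS):
        print(alert)
    print("device code users:", device_code_users(SAMPLE_SIGN_INS))
```

In the sample, the Azure CLI sign-in from the trusted range is the benign baseline, the Teams sign-in from an outside address is the shape a device code phish leaves behind, and the Azure CLI sign-in from outside is the case geo-fencing is meant to catch. Replace the range and application list with your own, and feed the script a real export rather than the constructed lines.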

 

Please contact us for a free Cybersecurity assessment.

 

Sources: Microsoft, Cisco, ars technica