{"id":14626,"date":"2025-07-09T16:15:04","date_gmt":"2025-07-09T04:15:04","guid":{"rendered":"https:\/\/kinetics.co.nz\/?p=14626"},"modified":"2025-07-09T16:15:04","modified_gmt":"2025-07-09T04:15:04","slug":"device-phishing","status":"publish","type":"post","link":"https:\/\/new.kinetics.co.nz\/?p=14626","title":{"rendered":"Device Code Phishing: A Dangerous New Scam You Need to Know About"},"content":{"rendered":"\n[et_pb_section fb_built=”1″ _builder_version=”4.27.4″ _module_preset=”default” global_colors_info=”{}” theme_builder_area=”post_content”][et_pb_row _builder_version=”4.27.4″ _module_preset=”default” global_colors_info=”{}” theme_builder_area=”post_content”][et_pb_column type=”4_4″ _builder_version=”4.27.4″ _module_preset=”default” global_colors_info=”{}” theme_builder_area=”post_content”][et_pb_text _builder_version=”4.27.4″ _module_preset=”default” global_colors_info=”{}” theme_builder_area=”post_content”]

Device code phishing<\/strong> is a sneaky new way hackers are stealing people’s online accounts.<\/h3>\n

In device code phishing, threat actors exploit the device code authentication flow to capture authentication tokens, which they then use to access target accounts, and further gain access to data and other services that the compromised account has access to.<\/p>\n

Unlike regular phishing emails that take you to fake websites, this scam tricks you into using real login pages with codes that actually belong to the hackers.<\/p>\n

Here’s the scary part: The device code techniques are particularly dangerous because the phishing emails don’t carry malicious links or attachments and aren’t easily identified by cybersecurity products<\/strong>. Even people who are usually careful about clicking suspicious links can fall for this because everything looks completely legitimate.<\/p>\n

The attacks have been ongoing since August 2024 and have targeted governments, NGOs, and a wide range of industries in multiple regions. Most recently, Microsoft discovered cyberattacks being launched by a group we call Storm-2372, who we assess with moderate confidence aligns with Russia’s interests and tradecraft.<\/p>[\/et_pb_text][et_pb_text _builder_version=”4.27.4″ _module_preset=”default” global_colors_info=”{}” theme_builder_area=”post_content”]

What Exactly Are Device Codes?<\/h2>\n

To understand this scam, you first need to know what device codes are. A device code is a numeric or alphanumeric code used to authenticate an account from an input-constrained device that does not have the ability to perform an interactive authentication using a web flow.<\/p>\n

Think about when you want to watch Netflix on your smart TV. The TV doesn’t have a full keyboard, so typing in your email and password would be really annoying. Instead, Netflix shows you a short code on your TV screen and tells you to go to a website on your phone or computer to enter that code. Once you enter the code and log in on your phone, your TV gets connected to your Netflix account. It’s actually pretty convenient!<\/p>\n

To better understand what a “device code” is, take into consideration when purchasing a new smart television. That television may come with apps installed such as Netflix or AppleTV.\u00a0 Well, in order to use those applications, you need to sign in to your account.\u00a0 Now, it’s clearly not practical to be mashing TV remote buttons all day trying to type out our 24-character password, so we use codes as a better way.<\/p>[\/et_pb_text][\/et_pb_column][\/et_pb_row][et_pb_row column_structure=”1_2,1_2″ _builder_version=”4.27.4″ _module_preset=”default” global_colors_info=”{}” theme_builder_area=”post_content”][et_pb_column type=”1_2″ _builder_version=”4.27.4″ _module_preset=”default” global_colors_info=”{}” theme_builder_area=”post_content”][et_pb_text _builder_version=”4.27.4″ _module_preset=”default” global_colors_info=”{}” theme_builder_area=”post_content”]

How the Scam Works<\/h2>\n

Here’s where the hackers get clever. To prepare for this attack, the threat actor starts to log into a legitimate service you already belong to (e.g., Microsoft, Netflix, third-party app, etc.) using your account’s user ID and gets a legitimate device code (meant for you) sent to them instead.<\/p>\n

The attack usually happens in these steps:<\/p>\n

    \n
  1. The Setup<\/strong>: Hackers generate a real device code using your account information<\/li>\n
  2. The Contact<\/strong>: The attackers contact the end-user via third-party messaging platforms such as WhatsApp\/ Signal or even Microsoft Teams. Mostly they share context related to fake meeting invitations\/ calendar invitations with a code (device code)<\/li>\n
  3. The Trick<\/strong>: They send you a message that looks like it’s from Microsoft Teams, your IT department, or another trusted source, asking you to enter a code on a legitimate Microsoft login page<\/li>\n
  4. The Trap<\/strong>: When you enter the code and log in, this tricks the login service into believing that the other device under the control of the hacker is yours<\/li>\n<\/ol>\n

    The generated Device Codes are only valid for 15 minutes once they are created. As a result, they have to have real-time communication with the victim.\u00a0 They need the victim to expect the “invitation”.\u00a0<\/p>[\/et_pb_text][\/et_pb_column][et_pb_column type="1_2" _builder_version="4.27.4" _module_preset="default" global_colors_info="{}" theme_builder_area="post_content"][et_pb_image src="https:\/\/new.kinetics.co.nz\/wp-content\/uploads\/2025\/07\/DevicePhishingSM.png" title_text="DevicePhishingSM" _builder_version="4.27.4" _module_preset="default" hover_enabled="0" global_colors_info="{}" theme_builder_area="post_content" border_radii="on|20px|20px|20px|20px" box_shadow_style="preset1" sticky_enabled="0"][\/et_pb_image][\/et_pb_column][\/et_pb_row][et_pb_row column_structure="1_2,1_2" _builder_version="4.27.4" _module_preset="default" global_colors_info="{}" theme_builder_area="post_content"][et_pb_column type="1_2" _builder_version="4.27.4" _module_preset="default" global_colors_info="{}" theme_builder_area="post_content"][et_pb_text _builder_version="4.27.4" _module_preset="default" global_colors_info="{}" theme_builder_area="post_content"]

    Real Examples of These Attacks<\/h2>\n

    Example 1: Fake Microsoft Teams Meeting<\/h3>\n

    A phishing attack that masquerades as Microsoft Teams<\/a> meeting invitation, delivered through email. When the victims click the meeting invitation, they are prompted to authenticate using a threat actor-generated device code. You might get an email that looks like your boss is inviting you to an urgent meeting, but when you click to join, you’re asked to enter a code to “verify your identity.”<\/p>\n

    Example 2: Fake Military Official Contact<\/h3>\n

    Volexity are cyber-specialists.\u00a0 In their investigation of an incident<\/a>, they reviewed emails to the user leading up the time of the authentication event. This review identified a suspicious email just moments before the login activity from an email address purporting to be from someone with the name of a high-ranking official from the Ukrainian Ministry of Defence. In this case, hackers pretended to be important government officials to trick their targets.<\/p>\n

    Example 3: Signal Messenger Scam<\/h3>\n

    Through its investigations, Volexity<\/a> discovered that Russian threat actors were impersonating a variety of individuals in order to socially engineer targets. In one case, This individual then requested the victim move off Signal to another secure chat application called Element. The attacker then had the victim join an Element server they controlled under the domain sen-comms[.]com.<\/p>[\/et_pb_text][et_pb_text _builder_version=”4.27.4″ _module_preset=”default” global_colors_info=”{}” theme_builder_area=”post_content”]

    Why This Scam Is So Dangerous<\/h2>\n

    There are several reasons why device code phishing is particularly scary:<\/p>\n

    It Uses Real Websites<\/strong>: A user who is up on their Security Awareness Training might know to be rightfully suspicious of links, but may let their guard down when they see https:\/\/microsoft.com\/devicelogin<\/a> as the URL. You’re not being sent to a fake website – you’re using the real Microsoft login page!<\/p>\n

    It Bypasses Security Training<\/strong>: Most security training teaches people to look for suspicious links or fake websites. But in this scam, everything looks completely legitimate because it IS legitimate – except for the code you’re entering.<\/p>\n

    Long-Term Access<\/strong>: The additional benefit of refresh tokens is that they allow attackers persistent access to victim accounts even after the initial authentication. Once hackers get in, they can stay in your account for a long time.<\/p>\n

    Hard to Detect<\/strong>: There’s no true exploitation occurring during this attack outside of tricking someone into using the device code flow when they shouldn’t. Since everything is using legitimate systems, security software has a hard time catching it.<\/p>[\/et_pb_text][\/et_pb_column][et_pb_column type=”1_2″ _builder_version=”4.27.4″ _module_preset=”default” global_colors_info=”{}” theme_builder_area=”post_content”][et_pb_text _builder_version=”4.27.4″ _module_preset=”default” custom_padding=”20px|10px|20px|10px|false|false” border_radii=”on|4px|4px|4px|4px” border_width_all=”2px” border_color_all=”#7CDA24″ global_colors_info=”{}” theme_builder_area=”post_content”]

    How to Protect Yourself<\/h2>\n

    For Regular Users<\/h3>\n

    Be Suspicious of Unexpected Codes<\/strong>: It is uncommon for users to approve a device code sent to them without having attempted to log in to a service on a new device first, where a device code would typically be requested. If someone sends you a code to enter but you didn’t try to sign in to anything, that’s a red flag.<\/p>\n

    Verify Before You Act<\/strong>: If you get a message asking you to enter a device code, especially if it claims to be urgent, pause and verify. Call your IT department or the person who supposedly sent the message using a different method to confirm it’s real.<\/p>\n

    Know the Warning Signs<\/strong>:<\/p>\n