TL;DR

A device code phishing campaign has targeted more than 340 Microsoft 365 organizations across five countries, exploiting OAuth's legitimate device authorization flow to bypass MFA entirely [1][2]. First spotted on February 19, 2026 by Huntress, the campaign uses construction bid lures, DocuSign impersonation, and voicemail notifications to trick users into entering attacker-generated codes at Microsoft's real login page. The stolen tokens remain valid even after a password reset [1]. Small and mid-sized businesses in construction, healthcare, legal, non-profit, and financial services are squarely in the crosshairs — but straightforward policy changes can shut this attack down. Here's what you need to know and what to do about it.

What Is Device Code Phishing and How Does It Work?

Device code phishing exploits a legitimate feature of OAuth 2.0 called the device authorization grant flow [7]. This flow was designed for devices without keyboards — think smart TVs or IoT sensors — where a user authenticates on a separate device by entering a short code at a URL like microsoft.com/devicelogin. The problem is that attackers can request that code themselves and then trick someone else into entering it.

The attack chain works like this: the threat actor initiates a device code request with Microsoft's authorization server, receiving a user code and a polling token. They then send a phishing email — disguised as a construction bid invitation, a DocuSign request, or a voicemail notification — containing a link that redirects the victim to Microsoft's genuine device login page [1][2]. The victim enters the code and authenticates normally, including completing any MFA challenge. At that moment, the attacker's polling token is exchanged for valid OAuth access and refresh tokens, granting full access to the victim's Microsoft 365 account.

Why Does Device Code Phishing Bypass MFA?

This technique is particularly dangerous because the victim authenticates on Microsoft's real infrastructure using their real credentials and their real second factor [3][4]. There is no fake login page to scrutinize. The MFA prompt is genuine. The user isn't entering credentials on a spoofed site — they're logging in at microsoft.com. The attacker never touches the password or the second factor; they simply receive the resulting OAuth tokens on the back end. This means traditional anti-phishing advice such as checking the URL bar offers no protection here.

Critically, the OAuth tokens generated through this flow remain valid even after a password reset [1]. The tokens are independent of the password — revoking them requires explicit token revocation or session management through Microsoft Entra ID (formerly Azure AD). Organizations that rely on password resets as an incident response step will find their accounts still compromised.
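The three-step chain above and the password-reset point, worked through as an added toy model that is neither Microsoft's code nor the post's own: a minimal in-memory authorization server implementing the device authorization grant shows that the approval attaches to whichever client requested the code, that a password reset leaves the issued refresh token usable, and that session revocation is what actually invalidates it. The `AuthServer` class, the user `alice@example.test` and every code value are constructed.

```python
import secrets
from dataclasses import dataclass, field

@dataclass
class AuthServer:
    """Constructed toy authorization server for illustration; not Microsoft's code."""
    passwords: dict = field(default_factory=dict)
    grants: dict = field(default_factory=dict)          # device_code -> grant record
    refresh_tokens: dict = field(default_factory=dict)  # refresh_token -> user

    def device_authorization(self, client_id):
        # Step 1: whoever calls this endpoint receives both codes; only they hold device_code.
        device_code = secrets.token_hex(16)
        user_code = f"{secrets.randbelow(10**9):09d}"
        self.grants[device_code] = {"client": client_id, "user_code": user_code, "approved_by": None}
        return {"device_code": device_code, "user_code": user_code}

    def user_enters_code(self, user, password, mfa_passed, user_code):
        # Step 2: the user genuinely authenticates at the real login page, MFA included...
        if self.passwords.get(user) != password or not mfa_passed:
            return False
        for g in self.grants.values():
            if g["user_code"] == user_code and g["approved_by"] is None:
                g["approved_by"] = user  # ...but the approval attaches to whoever requested the code
                return True
        return False

    def poll_token(self, device_code):
        g = self.grants.get(device_code)  # Step 3: only the holder of device_code can poll
        if g is None or g["approved_by"] is None:
            return {"error": "authorization_pending"}
        self.grants.pop(device_code)  # a device code is single-use once redeemed
        rt = secrets.token_hex(16)
        self.refresh_tokens[rt] = g["approved_by"]
        return {"refresh_token": rt, "sub": g["approved_by"]}

    def whose_token(self, refresh_token):
        return self.refresh_tokens.get(refresh_token)  # None means invalid or revoked

    def reset_password(self, user, new_password):
        self.passwords[user] = new_password  # touches the password store only, never issued tokens

    def revoke_sessions(self, user):
        for rt in [t for t, u in self.refresh_tokens.items() if u == user]:
            del self.refresh_tokens[rt]

def walkthrough():
    srv = AuthServer(passwords={"alice@example.test": "hunter2"})  # constructed user
    codes = srv.device_authorization("client-that-requested-the-code")
    srv.user_enters_code("alice@example.test", "hunter2", True, codes["user_code"])
    rt = srv.poll_token(codes["device_code"])["refresh_token"]
    srv.reset_password("alice@example.test", "new-password")
    after_reset = srv.whose_token(rt)  # still "alice@example.test": the reset changed nothing
    srv.revoke_sessions("alice@example.test")
    return after_reset, srv.whose_token(rt)  # (..., None): revocation is what closes the door
```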

Who Was Targeted in the 2026 Campaign?

Huntress identified more than 340 organizations targeted since February 19, 2026, spanning the United States, Canada, Australia, New Zealand, and Germany [1]. The affected sectors include construction, non-profits, real estate, manufacturing, financial services, healthcare, legal, and government. The campaign's infrastructure leaned heavily on Cloudflare Workers for URL redirects and Railway PaaS for credential harvesting, with 84% of observed events originating from just three Railway.com IP addresses [1][2].

The lure themes were tailored to specific industries. Construction firms received fake bid invitations. Other targets saw DocuSign signature requests, voicemail notification emails, and abused Microsoft Forms links [1]. Previous device code phishing campaigns have been attributed to Russia-aligned threat groups including Storm-2372 and APT29 [3][4][10], and the tactics in this 2026 wave are consistent with those earlier operations [5].

How Can Small Businesses Protect Against Device Code Phishing?

The good news is that this attack vector is entirely manageable with the right configurations. Small and mid-sized businesses can take several concrete steps to reduce their exposure without buying new tools or overhauling their infrastructure.

Restrict or disable device code flow. Microsoft Entra ID allows administrators to create Conditional Access policies that block the device code authentication flow entirely [7]. If your organization doesn't use smart TVs, digital signage, or other input-constrained devices for Microsoft 365 access, disabling this flow eliminates the attack surface completely.

Implement Conditional Access policies for token binding. Configure policies that tie tokens to compliant or managed devices. This ensures that even if an attacker obtains tokens, those tokens cannot be used from unrecognized infrastructure [3][6].

Monitor for anomalous sign-in patterns. Watch for device code authentication events in your Microsoft Entra ID sign-in logs, especially from unexpected geographies or IP ranges. The 2026 campaign's heavy use of Railway.com infrastructure [1] is the kind of pattern that automated alerts can catch.

Educate your team on the specific lure. Traditional phishing training focuses on fake login pages. Device code phishing requires a different conversation: teach employees never to enter codes at microsoft.com/devicelogin unless they personally initiated the device login on their own hardware [6].

Establish a token revocation process. Since password resets do not invalidate OAuth tokens, your incident response playbook should include explicit steps to revoke all active sessions and refresh tokens through Microsoft Entra ID [1][7].
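Detection logic of the kind the monitoring recommendation above describes, as an added example that is not from the post or from Huntress: it filters constructed Entra sign-in records for device code authentications and surfaces the two patterns the text calls out, sign-ins from unexpected countries and one source address approving codes for several users. The Microsoft Graph `signIn` field names used (`authenticationProtocol`, `ipAddress`, `location.countryOrRegion`, `status.errorCode`) are my reading of the schema and should be treated as an assumption; every record value is invented.

```python
import json

# Constructed sign-in records (JSON Lines) in the shape of Microsoft Graph `signIn`
# objects. Field names follow the Graph schema as I understand it (an assumption);
# the accounts, addresses and countries below are invented for this example.
SAMPLE_SIGNINS = "\n".join([
    '{"userPrincipalName":"pat@example.test","authenticationProtocol":"oAuth2","ipAddress":"198.51.100.7","location":{"countryOrRegion":"US"},"status":{"errorCode":0}}',
    '{"userPrincipalName":"pat@example.test","authenticationProtocol":"deviceCode","ipAddress":"203.0.113.10","location":{"countryOrRegion":"US"},"status":{"errorCode":0}}',
    '{"userPrincipalName":"sam@example.test","authenticationProtocol":"deviceCode","ipAddress":"203.0.113.10","location":{"countryOrRegion":"US"},"status":{"errorCode":0}}',
    '{"userPrincipalName":"lee@example.test","authenticationProtocol":"deviceCode","ipAddress":"203.0.113.11","location":{"countryOrRegion":"DE"},"status":{"errorCode":0}}',
    '{"userPrincipalName":"kim@example.test","authenticationProtocol":"deviceCode","ipAddress":"192.0.2.5","location":{"countryOrRegion":"US"},"status":{"errorCode":50126}}',
    '{"userPrincipalName":"lobby-tv@example.test","authenticationProtocol":"deviceCode","ipAddress":"198.51.100.9","location":{"countryOrRegion":"US"},"status":{"errorCode":0}}',
])

def parse_signins(text):
    """Parse JSON Lines export into a list of dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def device_code_signins(records, successful_only=True):
    """Keep only device-code authentications; by default drop failed attempts
    (non-zero errorCode), since only a completed sign-in yields usable tokens."""
    out = []
    for r in records:
        if r.get("authenticationProtocol") != "deviceCode":
            continue
        if successful_only and r.get("status", {}).get("errorCode", 0) != 0:
            continue
        out.append(r)
    return out

def triage(records, expected_countries, known_device_accounts=()):
    """Summarise successful device-code sign-ins not explained by an account that
    legitimately uses input-constrained devices. Returns plain dicts for alerting."""
    hits = [r for r in device_code_signins(records)
            if r["userPrincipalName"] not in known_device_accounts]
    users_by_ip = {}
    for r in hits:
        users_by_ip.setdefault(r["ipAddress"], set()).add(r["userPrincipalName"])
    return {
        "unexplained": sorted({r["userPrincipalName"] for r in hits}),
        "unexpected_geo": sorted(r["userPrincipalName"] for r in hits
                                 if r["location"]["countryOrRegion"] not in expected_countries),
        # One source address approving device codes for several users is the
        # infrastructure-concentration pattern the campaign write-up describes.
        "shared_source_ips": {ip: sorted(u) for ip, u in users_by_ip.items() if len(u) > 1},
    }
```

The first filter is the one to run continuously; the allow-list of known device accounts is what keeps a genuine lobby display from paging someone at 3 a.m.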

The average cost of a data breach reached $4.88 million in 2025 [8], and phishing remains the most common initial attack vector reported to law enforcement [9]. These defensive measures are not expensive relative to the risk they mitigate.

What Should SMBs Do Right Now?

This campaign is a reminder that identity security is the new perimeter. The organizations that weather these threats are not necessarily the ones with the biggest budgets — they're the ones that configure what they already have. Microsoft 365 includes the tools to block device code flow, enforce Conditional Access, and revoke tokens. The question is whether those controls are turned on.

If you're unsure whether your Microsoft 365 tenant is configured to defend against device code phishing, a 30-minute review of your Conditional Access policies can answer that question. Start there.



FAQ

What is device code phishing?

Device code phishing is an attack where a threat actor abuses OAuth's device authorization grant flow — a feature designed for input-limited devices — to trick users into authenticating on the attacker's behalf at a legitimate Microsoft login page [1][7]. The attacker receives valid access tokens without ever handling the victim's password or MFA code.

Does device code phishing bypass MFA?

Yes. Because the victim authenticates directly on Microsoft's real login page and completes their own MFA challenge, the attacker receives tokens that have already passed MFA validation [3][4]. There is no fake site involved, so the MFA step is genuinely completed by the user.

Does resetting the password stop the attack?

No. OAuth tokens generated through device code flow are independent of the user's password. Changing the password does not revoke existing tokens [1]. You must explicitly revoke all active sessions and refresh tokens through Microsoft Entra ID to remove the attacker's access.

How can an organization protect itself?

The most effective step is to disable the device code authentication flow in your Microsoft Entra ID Conditional Access policies if your organization doesn't need it [7]. Additionally, enforce device-based Conditional Access, monitor sign-in logs for device code events, and train staff to never enter codes at microsoft.com/devicelogin unless they initiated the request themselves [6].

Who is behind the 2026 campaign?

The 2026 campaign targeting 340+ organizations was documented by Huntress [1] and reported by The Hacker News [2]. While specific attribution for this wave is ongoing, previous device code phishing campaigns have been linked to Russia-aligned groups including Storm-2372 and APT29 [3][4][10]. The tactics and infrastructure patterns are consistent with those earlier operations.


References

[1] Huntress, "Device Code Phishing Campaign Targeting Microsoft 365," Huntress Blog, Mar. 2026. [Online]. Available: https://www.huntress.com/blog/device-code-phishing-microsoft-365

[2] R. Lakshmanan, "Device Code Phishing Hits 340+ Microsoft 365 Orgs Across Five Countries via OAuth Abuse," The Hacker News, Mar. 25, 2026. [Online]. Available: https://thehackernews.com/2026/03/device-code-phishing-hits-340-microsoft.html

[3] Microsoft Threat Intelligence, "Storm-2372 Conducts Device Code Phishing Campaign," Microsoft Security Blog, Feb. 2025. [Online]. Available: https://www.microsoft.com/en-us/security/blog/2025/02/13/storm-2372-conducts-device-code-phishing-campaign/

[4] Volexity, "Device Code Phishing: Active Campaigns Targeting Organizations," Volexity Blog, Feb. 2025. [Online]. Available: https://www.volexity.com/blog/2025/02/13/multiple-russian-threat-actors-targeting-microsoft-device-code-authentication/

[5] Proofpoint, "Device Code Phishing Threats Persist in 2026," Proofpoint Threat Insight, 2026. [Online]. Available: https://www.proofpoint.com/us/blog/threat-insight/device-code-phishing-threats

[6] CISA, "Phishing Guidance: Stopping the Attack Cycle at Phase One," Cybersecurity and Infrastructure Security Agency, Oct. 2023. [Online]. Available: https://www.cisa.gov/sites/default/files/2023-10/Phishing-Guidance-Stopping-Attack-Cycle-at-Phase-One_508c.pdf

[7] Microsoft, "Microsoft Entra ID Device Code Flow," Microsoft Learn, 2024. [Online]. Available: https://learn.microsoft.com/en-us/entra/identity-platform/v2-oauth2-device-code

[8] IBM Security, "Cost of a Data Breach Report 2025," IBM, 2025. [Online]. Available: https://www.ibm.com/reports/data-breach

[9] FBI Internet Crime Complaint Center, "IC3 Annual Report 2025," FBI, 2025. [Online]. Available: https://www.ic3.gov/AnnualReport/Reports/2025_IC3Report.pdf

[10] Amazon Web Services Threat Intelligence, "Device Code Abuse by Russian Threat Groups," AWS Security Blog, 2025. [Online]. Available: https://aws.amazon.com/blogs/security/device-code-abuse-russian-threat-groups

TL;DR

Bad actors tricked people at over 340 companies into handing over access to their Microsoft 365 accounts — and even changing your password doesn't kick them out [1][2]. Here's how it works and how to stop it, explained simply.

How Did Hackers Get Into 340 Companies' Microsoft Accounts?

Imagine your Microsoft 365 account is a house. Your password is the key, and your MFA code (that text or app notification) is a second lock on the door. Normally, a thief would need to steal both to get in.

But Microsoft has a special side entrance called "device code login" [7]. It was built for devices like smart TVs that don't have keyboards. Here's how it works: the TV shows you a short code, you go to Microsoft's website on your phone, type the code in, and log in normally. The TV is now connected to your account.

Here's the trick the attackers pulled [1][2]: they asked Microsoft for one of those codes themselves. Then they sent phishing emails — fake construction bids, fake DocuSign requests, fake voicemail alerts — with a link to Microsoft's real login page. When someone clicked the link and typed in the code, they were actually logging the attacker into their account. The person completed their real password and real MFA like normal. Everything looked legitimate because it was the real Microsoft website.

Why Doesn't Changing Your Password Fix This?

Here's the part that surprises people. When you log in through device code flow, Microsoft hands out a special pass called a "token" [1][7]. That token works independently from your password. Even if you change your password afterward, the attacker's token still works — like giving someone a guest key to your house that doesn't change when you rekey the front door. To actually kick them out, you have to specifically revoke (cancel) those tokens through your Microsoft admin settings.

Who Was Targeted and Who Is Behind It?

Huntress, a security research company, spotted this campaign starting February 19, 2026 [1]. It hit more than 340 organizations across the US, Canada, Australia, New Zealand, and Germany. Construction companies, non-profits, healthcare, legal firms, and government agencies were all targeted. The attackers used Cloudflare Workers and Railway (a cloud platform) to run their operation, with 84% of activity coming from just three IP addresses [1][2]. Similar attacks have previously been linked to Russia-aligned hacking groups [3][4][10].

How Can Your Business Stay Safe?

The fix is straightforward. If your company doesn't use smart TVs or similar devices with Microsoft 365, your IT team can simply turn off device code login in your settings [7]. You can also set up rules (called Conditional Access policies) so that tokens only work from approved devices [3][6]. And make sure everyone on your team knows: never type a code into microsoft.com/devicelogin unless you started that process yourself on your own device.

This is a solvable problem. The tools to block it are already included in Microsoft 365 — they just need to be switched on.



FAQ

What is device code phishing?

It's when an attacker generates a login code meant for devices like smart TVs and tricks you into entering it on Microsoft's real website. When you log in, the attacker gets access to your account instead of a TV [1][7].

Does it get past MFA?

Yes. You complete MFA yourself on Microsoft's real site, so the attacker's access token already has MFA approval baked in [3][4]. The extra lock on the door doesn't help because you opened it.

Will changing my password fix it?

Not from this specific attack. The tokens the attacker received keep working after a password change [1]. You need to revoke active sessions and tokens in Microsoft Entra ID to remove their access.

What should my business do?

Disable device code flow in Conditional Access if you don't need it, set up device-compliance policies, and train your team to never enter codes at microsoft.com/devicelogin unless they personally started the process [6][7].


