Threat Insight

Device Code Phishing via Fake File-Sharing Invitation

Truesec has observed a phishing attempt where a customer received an email claiming that a sender wanted to share a document. The message prompted the recipient to click “Open”, which redirected the user to a website designed to appear legitimate.

Insight

In this case, Truesec noted that the linked website instructed the recipient to copy a verification code and paste it into the Microsoft Device Auth page to access the document. When the user selected “Continue to Microsoft,” they were redirected to a legitimate Microsoft page where they were prompted to enter the provided code and authenticate.


By completing the verification flow, the user unknowingly authorized a session that could be used by the threat actor. This way, the attacker gained full access to the user’s Entra ID account, and could continue the attack from there.

The use of a legitimate Microsoft authentication page can make this technique more convincing to the victim, as the final authentication step occurs on a trusted domain. However, the initial lure, the unexpected file-sharing request, and the instruction to manually copy and enter a verification code are strong indicators of phishing activity.

Assessment

Threat actors are becoming increasingly creative and are using highly realistic phishing techniques to lure users into giving away their access. These attacks may use convincing emails, QR codes, attachments, or links to fake login pages that closely resemble legitimate services.

Organizations should treat all unexpected emails as suspicious, especially when a shared-document prompt redirects through an unfamiliar site or asks the user to copy a code into an authentication portal. As with other phishing scenarios, the investigation should include reviewing the original sender, subject, recipients and links, and establishing whether any users interacted with the attachment or URL.

Recommendations

Since Device Code Authentication uses Microsoft backend infrastructure, there is no feasible way to block the links used in Device Code Authentication phishing.

Truesec instead recommends disabling the Device Code Authentication Flow for the entire organization via Conditional Access, using exclusions to allow identities that genuinely need the Device Code Authentication Flow to continue using it. It is important to note that non-human identities such as Microsoft Teams Rooms devices rely on the Device Code Authentication Flow.

The policy is configured accordingly:
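As an added example (not the configuration shown in the original post), the same policy expressed through Microsoft Graph PowerShell; the group and account identifiers are placeholders to replace with the object IDs of your own exclusion group and emergency access accounts.

```powershell
# Added example: block the device code flow for all users except an exclusion group
# (e.g. Teams Rooms accounts) and the emergency access accounts.
# Requires the Microsoft.Graph.Identity.SignIns module.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess"

# Placeholders: replace with object IDs from your own tenant.
$deviceCodeAllowedGroupId  = "<object-id-of-group-that-still-needs-device-code>"
$emergencyAccessAccountIds = @(
    "<object-id-of-break-glass-account-1>",
    "<object-id-of-break-glass-account-2>"
)

# Microsoft may already have provisioned a policy targeting the device code flow;
# review that one instead of creating a duplicate.
$existing = Get-MgIdentityConditionalAccessPolicy |
    Where-Object { $_.Conditions.AuthenticationFlows.TransferMethods -match "deviceCodeFlow" }
if ($existing) {
    $existing | ForEach-Object { Write-Host "Existing device code policy: $($_.DisplayName) [$($_.State)]" }
    return
}

$policy = @{
    displayName = "Block device code authentication flow"
    # Start in report-only mode, review the sign-ins it would have blocked, then set to "enabled".
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        applications        = @{ includeApplications = @("All") }
        users               = @{
            includeUsers  = @("All")
            excludeGroups = @($deviceCodeAllowedGroupId)
            excludeUsers  = $emergencyAccessAccountIds   # never lock out break-glass accounts
        }
        # The authentication flows condition is what scopes the policy to device code sign-ins.
        authenticationFlows = @{ transferMethods = "deviceCodeFlow" }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("block")
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
Write-Host "Created policy $($created.Id) in state $($created.State)"
```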


When working with Conditional Access, it is important to remember to exclude any emergency access account from all policies.

Microsoft has, at the time of writing, started to provide such a Conditional Access policy in all eligible tenants.

Detection

If you are using Microsoft Defender XDR or Microsoft Sentinel there are indicators to hunt for using Kusto Query Language (KQL).

Microsoft Defender XDR:

// Table name depends on the tenant: EntraSignInEvents or AADSignInEventsBeta
AADSignInEventsBeta
| where EndpointCall == "Cmsi:Cmsi"
| where ErrorCode == 0   // ErrorCode is numeric in this table; 0 means the sign-in succeeded

While the above query does indicate whether Device Code Authentication has been used, it needs to be combined with further details to give a full picture.

Microsoft Sentinel:

// Kusto table names are case-sensitive: the Sentinel table is SigninLogs
SigninLogs
| where AuthenticationProtocol == "deviceCode"

This query will list all sign-ins conducted using the Device Code Authentication Flow.

If you or your organization have concerns about the topic above or need support, please reach out to Truesec for further assistance.
