
Loading summary
A
You're listening to the Cyberwire network, powered by N2K. Just because you're a threat actor, just because you want to do crime doesn't mean that you're good at it. And just because you're good at maybe committing fraud doesn't mean you're good at building websites and developing phishing panels.
B
Hello, and welcome to another episode of Data Security Decoded. I'm your host, Caleb Tolan, and in this episode I sat down with Selena Larson, senior threat intelligence analyst at proofpoint and host of the discarded podcast. We spoke today about device code phishing, a technique that bypasses MFA entirely by abusing Microsoft's own authentication infrastructure, and what defenders can actually do to protect themselves before it hits their environment. Let's get into it. Selena, welcome to the podcast. I'm so excited to have you on Data Security Decoded. We're going to talk a lot about device code phishing. So walk me through these attacks from the victim's perspective. What actually happens and why is it so hard to spot?
A
Yeah, so it's pretty interesting. So I kind of want to take it a little bit of a step back and talk about the history of device code phishing, because I think it kind of puts it into context. So device code phishing is essentially abusing the legitimate Microsoft OAuth authentication flow. I like to describe it as if you are at a new Airbnb and you're trying to log into Netflix so you can watch your shows for the week that you're in Puerto Rico, let's say. And you, you know, you get on there and it says, enter this code, and then you put the code in and you're automatically connected to the tv and you can lounge and have fun. That's pretty much the flow. But what we're talking about is email authentication, but it's still using the device code. So it's a real legitimate way of logging in. However, threat actors have gotten pretty creative. There has been device code phishing kits in existence for quite some time. I think 2020, 2021 was when we first started seeing a little bit of some of this testing. And then we saw it with in use with red teams. But previously it used to be like someone would email you and say, send you the code themselves. So the threat actor would create the code, they would send you the code. Oh, input this code to authenticate. These codes have a 15 minute lifespan. So it wasn't really a practical method of sending, you know, credential phishing. It also just wasn't super popular. Fast Forward to the end of 2025. There are, you know, red team toolkits that are available out there and on various cybercriminal forums. And one in particular, someone leaked this thing for free and they say, hey, here's my device code phishing kit. I'm just giving it away for free. Have fun, go forth and conquer. So that was towards the end of last year. We started seeing an increase in device code phishing towards the end of 2025 and now it's just completely exploded across the threat landscape. You have a number of different phishing as a service. So device code phishing as a service. So threat actors can just pay someone to make these basically kits for them and they could just use them as like a bit of a WYSIWYG sort of situation. And yeah, so they've become a lot more popular. Part of the reason why they are so popular is I believe they can be very effective. So for your initial question, what does the user see when they're walking through this? Well, essentially, if you have ever set up your account on Netflix before or if you've ever, you know, used device code authorization for anything in the, in the past, you're familiar already with that login flow. On top of that, these are AI generated landing pages. So they look very slick. They look kind of like legitimate. They have the correct proper branding. So a user will receive an email, maybe it's something like, hey, you're getting an increase in salary or here's a document that I'm sharing with you. They'll click on this link. They will, that link generates the device code automatically. So that's the little code number that historically would just be sent directly. That has that short shelf life. They see that code, they input that code. That is where the Microsoft OAuth abuse comes in. And then the threat actor gains access to their accounts, whether it's Microsoft, which is what we see the most of. But there's of course other things like Google or other enterprise accounts takeovers type of activity that we, that can be done via device code phishing.
B
Right. And as you've mentioned, it runs directly on Microsoft's own infrastructure. So what does this mean for traditional defenses, let's say like security awareness training. Obviously there's a lot of conversation around phishing. Awareness is a phishing oriented attack. What does it say about our traditional defense mechanisms and how we, how we defend against these?
A
So I actually think it's good news for traditional defenses because the reason why threat actors are doing this is because phishing defense works. And if we think about it from, you know, like multifactor authentication attacker, the middle types of phish kids, those had to be spun into existence because username and password wasn't enough. And organizations were like, wait a second, you know, we need to do better about things. We can't just be relying on username and passwords. We're implementing MFA everywhere. And the threat actors were like, oh crap, I guess we have to do something new now. And then they invented attacker in the middle phishing. Now what we're seeing with device code is like, okay, there's this like new technique, this new, this new method for me to take over someone's account and you know, it's looking really sleek and very effective. And they're not using traditional attacker in the middle types of attacks. Credential phishing, I think in part because organizations are like, wait a second, threat actors are using a lot of attacker in the middle phishing. We have to use pass keys now or some other type of defense. So. So yeah, so it really sort of speaks to the evolution of the threat landscape overall. And I think it also speaks to the effectiveness of modern credential phishing types of security. And it's kind of good, right? Like, it shows a general overall improvement from an organizational perspective because they have to come up with new ways of knocking on those doors and getting into the organizations because their defenses are pretty effective. From a security awareness training, A security training, I do think it's really important to make sure people see what's really out there as much as possible because it is a fairly new attack chain, a fairly new attack flow. And device code phishing isn't something that we're using all the time. Like multi factor authentication, we're using constantly. But device code phishing is a little bit different. And if you're not super familiar with it, you might just think it's a legitimate, you know, this looks real, this, this is expected behavior. So if you're not familiar with it, definitely try to work it into organizational training processes. Because showing people that what's really on the threat landscape and what's coming up is going to be one of the most important things that you can do to prevent people from engaging with this types of threats.
B
Right, Absolutely. That's great advice. And so I'd love to. You talked a little bit about the threat actor landscape and I'd love to kind of drill into that even more. Who are the people actually running these, these campaigns right now? What do we know about them? Is it kind of across the board or is this kind of a specific attack? Attack group? Yeah.
A
So we've seen device code phishing from a variety of threat actors, a range of capabilities from very sophisticated espionage style threat actors, all the way down to really terrible cyber criminals that don't know what they're doing. So these device code phishing kits, which are these phishing as a service where you can become a customer of one of these services has sort of democratized device code phishing so you don't actually have to be very good to do these types of campaigns. So it really varies. But for the most part what we're seeing are cyber criminal threat actors doing this. And the main goal of these is of course account takeover. Once you've taken over an enterprise account, there are a lot of different things that you can do. You can do business email compromise, you can do follow on malware deployment, you can do something called ATO jumping, which we can talk about later. But essentially what they're doing is they're trying to make money. So most of these threat actors are going to be financially motivated. There are a few of the phishing as a service kits that are out there that are actually pretty well done. The vast, vast majority of anything device code that related that we're seeing is AI generated, it's LLM based, it's vibe coded slop. So they all have the same look about them. So they're all using, you know, very similar color schemes. They're all using this sort of same logo placement, the device code, like where the actual code is being placed, the same, you know, buttons for things. It all looks very similar in some cases. Some of these fish kits do have the ability to sort of interact a little bit more with some of the mailboxes. Right. So for example, you can, once you have compromised an email inbox, you can use these tools to sort of look for your follow on targets. Kind of do some, some investigation into the inbox itself. It's a little bit more full service. Some of them are just like here's just the device code creator you have to deal with organizing, organizing everything all by yourself. There is one, well, a couple of threat actors that we track that use them. But one in particular I think is very notable is a threat actor that I track is TA4900. What makes this actor pretty interesting is that they do business email compromise as well as credential phishing and they actually historically in the past have used their credential phishing to enable business email compromises. So they will compromise an inbox get a bunch of information, figure out their targeting, and then conduct BEC and fraud. We've seen them use Credfish that doesn't have mfa. We have seen them use Crudfish that does target mfa, including things like evil tokens. Recently we saw them using odx. We've seen or not Evil tokens. Evil Proxy. Sorry, there's so many evil things. Evil tokens is device good fishing. Evil proxy is MFA phishing and they're not related. So this actor has started almost exclusively using device code phishing in their campaigns. It's a huge pivot for them. But what's pretty funny is they're not actually that good at it. And when I talk about kind of having like a full service sort of platform in this particular actor, sometimes they like forget to include email bodies. So they'll just like send blank emails. So they'll have this like AI generated PDF attached to an email that doesn't say anything. And we actually kind of see that a lot. We see these sort of basic mistakes from some of these threat actors that are using device code phishing or other sort of AI generated types of things where they're making these sort of basic mistakes and maybe the attack doesn't work.
B
If you like what you're hearing so far and want to learn more, add our recent episode with Matt Castriada from Rubrik to your Q. In this episode we discuss the architecture of cloud ransomware attacks, how today's attackers are moving laterally by exploring overprivileged non human identities and a precise operational roadmap for defining a minimum viable business. Now let's get back to the episode with Selena. You would think that those types of mistakes would be greatly reduced by the use of LLMs. Is that something that you're, you're seeing or is it still just consistently an area that, that they keep kind of botching?
A
Yeah, you know, it's actually totally the opposite. If anything, AI and LLMs have made threat actors worse. We actually have talked about this on the N2K networks. Only malware in the building. We had a conversation about AI and honestly, I think it's so funny because I, I mean anyone who's ever heard me on a podcast knows how I feel about AI, so I won't get into it here. But I do think that there are some really funny ways that AI is changing threat actor behaviors because we have this idea in our minds that, oh my gosh, it's making people better, faster, smarter, like, oh, unhackable malware, whatever, like all these know buzzwords. But a lot of what we're seeing are like incredibly funny mistakes. So just because you're a threat actor, just because you want to do crime doesn't mean that you're good at it. And just because you're good at maybe committing fraud doesn't mean you're good at building websites and developing phishing panels. And so a lot, a lot of times what we're seeing is, you know, there are these tools one, so we'll see, you know, the malware be created and if know sep kind of separate from device code. But like let's say a threat actor is using AI to make malware. There'll be some like obvious mistakes and like, okay, this malware doesn't isn't actually going to run. Like there's some, you know, like coding errors or you know, there's these like fundamental things that it's talking to hosts that aren't there or you know, it's, it's, it's like creating weird files that are completely unnecessary. You have these sort of weird mistakes that add additional detection opportunities. From a defender's point of view, from a device code phishing point of view, what we see a lot of is just again like just copied slop. So if they're all kind of copying each other the same kits over and over again. And what this provides is again opportunities for defenders because if you're writing signatures to detect the landing pages of device code phishing or certain HTML headers or JavaScript and they're just kind of all copying each other, you're going to have really solid detection across the board regardless of what the phishkit is actually doing. And we've also seen AI generated like panels, whether it's like a phishing kit panel or a malware panel that completely expose the entire backend because they don't know how to do websites security properly. So you know, you can just like inspect element on a web page and see literally what the entire website is doing behind the login screen on the website. So there's a lot of these like very basic errors that threat actors are making now that we didn't see like as much of before everyone started using AI. So frankly it's really funny and yeah, I, yeah, it's honestly annoying. It annoys me. You know, we used to have pride in our work. What happened to the good old days of crime? You know. But yeah, it's quite funny and I think device code phishing is a perfect example of it.
B
Yeah, now we're just in the era of crime slop, I suppose it's all crime slop.
A
It's crime slop.
B
Awful, awful. All right, so we talked a little bit about the threat actors who are conducting these attacks in these campaigns. But what about the organizations being targeted? Are there any specific sectors that are being, you know, targeted as an opportunity opportunistic vector? Or is it deliberate or is it just kind of across the board too?
A
It's really just across the board. And this is actually where account takeover jumping comes in. So for any of your listeners who aren't familiar with account takeover jumping, essentially this is where threat actors will compromise an inbox. They will, you know, do their research within this inbox and say, okay, who, who does this account talk to? Who can I then spread my badness all over? It's typically from credential phishing doing account takeover jumping. But what we see sometimes with malware, like remote monitoring and management solutions, they'll also do account takeover jumping remote or, you know, they'll compromise one person and then bloop, bloop, bloop, pop to the next. So oftentimes what you'll see is it looks like it might be targeted because, oh, all of these emails are going to the same industry or they're going to the same company, or they're going to the same group or type of organizations. But oftentimes what that is is it's just opportunistic whatever the contact list is in the compromise email. So let's say you're a health care organization, you mostly talk to other health care organizations. A threat actor gets into your email and then it's going to be able to hop to these other health care organizations. It's not necessarily because they're specifically looking to target health care, it's just because that's who they got lucky with for the initial compromise. Same thing goes with like GEO targeting as well. So maybe, you know, if you're a US based company and you mostly talk to US based suppliers, that's going to look like it's mostly targeting the U.S. but in reality it's just whatever they, the, the opportunistic capabilities of the, the adversary. So I would say that this is a very, very common threat to really any organization. Very similar to what we see from business email compromise and credential phishing. It's just we see it in, in, you know, higher volumes and we see it like broadly regardless of organization. So it's not like they're not necessarily doing very specific targeting. A threat actor is going to make money however they can. And, and that's kind of what we're seeing here.
B
Right, right, absolutely. And at the core of this, this is an identity based attack. Right. And something that we hear a lot is that identity based attacks, the, one of the hardest things to mitigate with them is the, the threat actor is very persistent. They tend to stay in your network no matter what you do to try to evict them. So is that a trend that you see with this type of campaign or is there any different variants based off of like what we're seeing across the board with identity based attacks?
A
Yeah. So it really depends on the actor's objective. For the threat actor that I mentioned previously, like TA4903 or some of the other sort of like fraud or lower tier phishing threat actors that we're talking about, they don't really care about maintaining persistence. They want to defraud you. They want to get someone to send money to the wrong bank account and then, you know, they'll carry on. Sometimes they'll maintain persistence if it comes to something like maintaining access to a compromised email to facilitate that fraud. But it's not necessarily like they are persisting in the same way that we might see with a ransomware threat actor who might kind of be in there for a while trying to steal as much data as possible, hold it for extortion purposes, or even espionage threat actors that want to maintain persistence for long term objectives. What we're seeing from these threat actors is they do tend to kind of make themselves known. Right. If they're sending additional follow on emails to facilitate additional compromises though, that's kind of their primary objective. Of course there are the potential for them to, once they gain access to an organization and they've done whatever they wanted with the Inbox, they could then sell access onto another threat actor. That's actually outside of our visibility. And so I don't have great statistics on how much like device code leads to ransomware. But based off of our visibility and mostly kind of what we see from, from the threat actors that we're looking at, it's largely based off of either follow on additional credential phishing or, or like BEC and fraud.
B
Right, right, interesting. So you already mentioned one example of an actionable step defenders can take right now to kind of mitigate these threats. It was earlier just like updating some of your security awareness training to make sure that folks are aware of these device phishing, device code phishing attacks. What are two other actionable steps that defenders can take to start mitigating these attacks now.
A
Yeah, of course. So the most basic one that you can do is just blocking device code phishing. Phishing, yeah. Block all device code phishing. Duh. No, block device code authentication flows where possible. So this is actually through a conditional access policy within your organizational networks and you can set that so that you don't allow device code at all. So if your organization is targeted, somebody does happen to click on the link, they won't have the opportunity to authenticate via device code. So that's a good way of doing it. If that's not possible, kind of figure out within the organization where it might be possible to really have the sort of least amount of device code capabilities that you can across the board. There are sort of allow list approach that are based on accepted use cases. So like only device code authentication allowed for approved users or operating systems or IP ranges is another great one. And then I think, you know, the second thing that they can do is require compliant or joined devices. So if your organization is using like device registration, something like intune, you can set again those conditional access policies requiring sign ins to originate from these compliant or registered devices. So yes, these are allowed, it's totally fine, we approve them. Carry on. So this really can sort of restrict the unauthorized access from the device code flow. And I think that that is really kind of speaks actually to an overall trend that we're seeing across the board when it comes to things like new techniques that are emerging. Restrict the ability for the threat actor to do the thing in the first place, like device code phishing, block device code, like the, the ability to actually use device codes. Click fix, which is another sort of emerging and very prominent social engineering attack. Restrict the ability for, for just everyday users to just run PowerShell whenever they want to. You know, so these things that are being hijacked and abused, think of how threat actors are using them and how you can restrict them to the least amount of people that need to actually use them within your organization. And that really helps the attack surface.
B
Right, right. And you spoke kind of highly of what this, the context of these types of campaigns mean for security awareness training. But I want to ask you for kind of some hot takes. So what are given that basically these security awareness training protocols that we've been following for years and years have resulted in threat actors coming up with these new techniques? What does this really say about security awareness training to date? And what are two inconvenient truths that we kind of need to come to terms with when it comes to those trainings Inconvenient truths.
A
Hmm, that's a good question. So, first of all, I'm not an expert in security training. I just want to make that clear. That is a specialized field that I am not a part of. So just from my own sort of perspective, I guess, working in the industry, I think that one, I think oftentimes security awareness trainings aren't necessarily based off of what's really in the threat landscape. I think that that can be a challenge if you're doing the same stuff kind of over and over again. If you're doing things like using, I don't know, gift card fraud or, you know, something like Taylor Swift tickets or something that you're not really seeing in the landscape all that often as, you know, the sort of main takeaways from the security awareness training programs, I think that that can kind of run into some issues. And then also too, you know, I think this idea of you can always train people to not click on things like there's always a lure for every single possible person. And you just have to kind of assume that even if you're training as much as you possibly can and you're achieving really high scoring, there is always a possibility that somebody will fall for something because, and you know, we're all human beings that have a psychological motivation to click on things. And if you're given, if you're served the right lore, then you can engage with it. And so I think that that's really important to just know that if you have defense in depth, even if you're, you know, training or training people properly and they're doing great work and you're achieving success, there's always that opportunity from a threat actor to come up with something very creative and kind of get around that first line of defense. So if you have defense in depth, if you're, if you're basing it off of intelligence and threats that are currently on the landscape, really tracking those emerg technologies and preventing, you know, exploitation as much as you can proactively, that can be very, very beneficial. So, yeah, that, that's. I guess those are my. I don't even know if they're hot takes, but those are my takes.
B
Well, they're very good ones, especially given your caveat there. So I appreciate it. All right. And to kind of close things out, what is the single most important message that you want to leave with every defender who's listening in today?
A
I guess that kind of would be one of my main takeaways is, you know, as like, whenever we see threats emerging on the landscape used by a handful of cybercriminal actors, it's going to explode. We've seen it with Click Fix, we've seen it with, certainly with device code phishing, we've seen it with a lot of different techniques that are used, you know, compressed executables leading to this or, you know, abusing cloudflare infrastructure or abusing, you know, AI tools. Like, what we see is once they're adopted by a handful of threat actors and they realize that they work, that's when it's going to be like the path to disaster. So if you can stay on top of things, take a very like sort of proactive, intelligent intelligence approach, following the threat landscape and making sure that you are implementing defenses before they become very, very popular by using sort of emerging threat data as, as a, as a sort of guiding star, then you can be very, very effective. Just like this, right? Like we published on device code phishing when it still wasn't all that popular, you know, back in November or something, and now it's exploded and is literally everywhere. So, yeah, I think staying on top of the threats can be very, very beneficial.
B
Wonderful. I absolutely could not agree more. Selena, thank you so much for your time today and until next time.
A
Thanks, Caleb.
B
That's a wrap on today's episode of Data Security Decoded. If you like what you heard today, please subscribe wherever you listen and leave us a review on either Apple Podcasts or Spotify. Your feedback really helps me understand what you want to hear more about and is one of the best ways to help support support the show. If you want to reach out to me about the show, email me directly at data-security-decoded2k.com thank you to Rubrik for sponsoring this podcast. The team at N2K includes producer Liz Stokes and executive producer Jennifer Ibin. Content strategy by Mayan Plout. Sound design by Elliot Peltzman. Audio mixing by Elliot Peltzman and Trey Hester. Video production support by Griffith Kirkey Wild and Sorrel Joppi. Until next time, stay resilient.
Episode: Defending the Authentication Flow: Device Code Phishing with Selena Larson
Host: Caleb Tolan (Rubrik)
Guest: Selena Larson, Senior Threat Intelligence Analyst at Proofpoint
Date: June 30, 2026
In this episode, Caleb Tolan is joined by Selena Larson to dissect the rapidly growing threat of device code phishing—a tactic that bypasses MFA (multi-factor authentication) by exploiting Microsoft’s OAuth authentication flow. The conversation explores the mechanics of these attacks, who’s behind them, the impact of AI and phishing-as-a-service, and most importantly, actionable defensive strategies. Listeners gain both a practical understanding and pointed advice, delivered in Selena’s insightful and candid style.
What It Is and How It Works
Victim’s Experience
“If you have ever set up your account on Netflix before … you’re familiar already with that login flow… These are AI generated landing pages. So they look very slick. They look kind of like legitimate. They have the correct proper branding.” — Selena ([01:08])
“I actually think it's good news for traditional defenses because the reason why threat actors are doing this is because phishing defense works.” — Selena ([04:41])
Training Recommendation
“Sometimes they like forget to include email bodies. So they’ll just like send blank emails… We see these sort of basic mistakes from some of these threat actors that are using device code phishing … where they're making these basic mistakes and maybe the attack doesn't work.” — Selena ([09:55])
“If anything, AI and LLMs have made threat actors worse… Just because you want to do crime doesn’t mean that you’re good at it.” — Selena ([11:19])
“Now we're just in the era of crime slop, I suppose it's all crime slop.” — Caleb ([14:19])
“Oftentimes what you'll see is it looks like it might be targeted … But oftentimes… it’s just opportunistic whatever the contact list is in the compromised email.” — Selena ([14:42])
“Block device code authentication flows where possible … if your organization is targeted, somebody does happen to click on the link, they won't have the opportunity to authenticate via device code.” — Selena ([18:55])
“Even if you're, you know, training or training people properly and they're doing great work… there’s always that opportunity from a threat actor to come up with something very creative and kind of get around that first line of defense.” — Selena ([21:29])
“Whenever we see threats emerging on the landscape used by a handful of cybercriminal actors, it's going to explode… What we see is once they're adopted by a handful of threat actors and they realize that they work, that's when it's going to be like the path to disaster. So if you can stay on top of things… implementing defenses before they become very, very popular by using emerging threat data as a guiding star, then you can be very, very effective.” — Selena ([23:33])
Summary prepared for cybersecurity and IT professionals seeking actionable insights.