Microsoft Entra device code authentication
Description
AlphaSOC detected a Microsoft Entra sign-in using the OAuth device code flow. This flow is designed for input-constrained devices but is frequently abused in phishing attacks. In a device code phishing attack, the attacker generates a device code and tricks the victim into entering it at a legitimate Microsoft login page, granting the attacker persistent OAuth tokens without requiring knowledge of the victim's credentials or MFA codes.
Impact
A successful device code phishing attack grants the attacker long-lived OAuth refresh tokens that can be used to access Microsoft 365 services including email, SharePoint, Teams, and other connected applications. Because the tokens are issued through legitimate authentication flows, they are difficult to distinguish from normal usage. The attacker can maintain access until the tokens expire or are explicitly revoked, often for weeks or months.
Severity
| Severity | Condition |
|---|---|
| Informational | Device code authentication observed |
| Low | Device code authentication with unexpected properties |
| Medium | First-time or anomalous device code authentication |
Investigation and Remediation
Review the Entra sign-in logs to identify the application, device, and location of the device code authentication. Verify with the user whether they initiated the sign-in. If the authentication appears unauthorized, revoke the associated refresh tokens and access tokens, reset the user's credentials, and review the applications that were granted consent. Consider blocking device code flow via conditional access policy for users who do not require it, and enable sign-in risk policies.
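As an added example (not AlphaSOC's detection logic), the triage below runs over constructed sign-in records shaped like Microsoft Graph `signIn` objects, where `authenticationProtocol == "deviceCode"` marks the device code flow, and rates each hit with the severity table above; the per-user baseline of known apps and countries, and the mapping of "first-time" to Medium and "unexpected properties" (new app or country) to Low, are assumptions made here.

```python
# Constructed sample records shaped like Microsoft Graph signIn objects; the
# authenticationProtocol value "deviceCode" marks the OAuth device code flow.
SAMPLE_SIGNINS = [
    {"userPrincipalName": "alice@example.com", "appDisplayName": "Microsoft Office",
     "authenticationProtocol": "deviceCode", "ipAddress": "203.0.113.10",
     "location": {"countryOrRegion": "US"}, "createdDateTime": "2024-05-01T08:00:00Z"},
    {"userPrincipalName": "alice@example.com", "appDisplayName": "Microsoft Office",
     "authenticationProtocol": "deviceCode", "ipAddress": "198.51.100.7",
     "location": {"countryOrRegion": "NL"}, "createdDateTime": "2024-05-02T08:00:00Z"},
    {"userPrincipalName": "bob@example.com", "appDisplayName": "Microsoft Azure CLI",
     "authenticationProtocol": "deviceCode", "ipAddress": "192.0.2.44",
     "location": {"countryOrRegion": "US"}, "createdDateTime": "2024-05-02T09:00:00Z"},
    {"userPrincipalName": "carol@example.com", "appDisplayName": "Outlook",
     "authenticationProtocol": "oAuth2", "ipAddress": "192.0.2.45",
     "location": {"countryOrRegion": "US"}, "createdDateTime": "2024-05-02T09:05:00Z"},
    {"userPrincipalName": "alice@example.com", "appDisplayName": "Microsoft Office",
     "authenticationProtocol": "deviceCode", "ipAddress": "203.0.113.10",
     "location": {"countryOrRegion": "US"}, "createdDateTime": "2024-05-03T08:00:00Z"},
]

def triage_device_code_signins(signins, baseline):
    """Return one finding per device code sign-in, rated per the severity table.
    baseline maps user -> {"apps": set, "countries": set} learned from earlier
    device code sign-ins (empty on a cold start) and is updated as we go:
    first sign-in for a user -> Medium; new app/country -> Low; else Informational."""
    findings = []
    for s in signins:
        if s.get("authenticationProtocol") != "deviceCode":
            continue  # other grant types are not this detection's concern
        user = s["userPrincipalName"]
        app = s.get("appDisplayName", "")
        country = (s.get("location") or {}).get("countryOrRegion", "")
        seen = baseline.get(user)
        if seen is None:
            severity = "Medium"  # first-time device code authentication for this user
            baseline[user] = {"apps": {app}, "countries": {country}}
        elif app not in seen["apps"] or country not in seen["countries"]:
            severity = "Low"  # known user, but an unexpected application or location
            seen["apps"].add(app)
            seen["countries"].add(country)
        else:
            severity = "Informational"  # matches this user's established pattern
        findings.append({"user": user, "app": app, "country": country, "ip": s.get("ipAddress"),
                         "time": s.get("createdDateTime"), "severity": severity})
    return findings

if __name__ == "__main__":
    for finding in triage_device_code_signins(SAMPLE_SIGNINS, {}):
        print(finding)
```

Seeding `baseline` from historical sign-in logs before running it over new records keeps routine device code users at Informational while still surfacing a new app or country for them.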