For years, multi-factor authentication (MFA) has been treated as the ultimate security shield. Need to protect a corporate inbox or secure a Microsoft Entra ID tenant? Turn on MFA. It is the advice plastered across compliance checklists and security frameworks. The reality, however, is that attackers have moved past trying to crack your password. They do not need to steal your password if they can hijack the authentication process itself.
In an upcoming BleepingComputer webinar scheduled for July 8, 2026, titled "Stop chasing alerts: Automating email security with behavioral AI," Dan Nickolaisen (Solutions Architect Manager at Abnormal AI) and Eric Danneker (Director of Cyber Vigilance and Defense at Novant Health) will unpack how attackers exploit trust-based credentials and legitimate sign-in flows. Particularly, they will look at how modern phishing campaigns, business email compromise (BEC), and account takeover (ATO) attacks bypass conventional security setups.
As a writer focusing on identity security and adaptive defense, I have watched this play out repeatedly in red team exercises. Organizations often buy into the checklist mentality, believing that if MFA is active, their access controls are ironclad. In practice, attackers are abusing authentication protocols by using the system's own rules against it. The main challenge is no longer about detecting a brute-force guess; it is about recognizing when a legitimate user is being tricked into doing the authentication work for the attacker.
Dismantling the Protocol: Anatomy of a Device Code Attack
To understand this shift, we have to look closely at a technique gaining traction among sophisticated phishing groups: Device Code phishing. This attack exploits the OAuth 2.0 Device Authorization Grant (RFC 8628)—a protocol designed for input-constrained devices. If you have ever logged into a streaming app on a smart TV or a command-line tool by entering a short alphanumeric code on a separate web browser, you have used this flow.
Microsoft Entra ID supports this endpoint by default. Attackers use this default setting to orchestrate a clean, passwordless compromise. The attack sequence is simple and highly effective:
- Generation: The attacker uses a script or an off-the-shelf tool to send a request to Microsoft's device authorization endpoint (login.microsoftonline.com/{tenant}/oauth2/v2.0/devicecode), usually on behalf of a first-party client ID that needs no consent. The response contains a short user code meant for the victim and a longer device code that the attacker keeps and will later present to the token endpoint.
- Delivery: The attacker sends a phishing email to the target, embedding the user code and instructing them to approve the request. Common pretexts include mandatory IT updates, password resets, or urgent document reviews.
- Legitimate Interaction: The email instructs the victim to go to Microsoft's official device authorization page (https://microsoft.com/devicelogin). Because this is a genuine Microsoft domain, the user's browser does not trigger any malicious website warnings, and standard URL checkers see nothing suspicious.
- Approval: The user enters the provided code on the legitimate page. The platform then asks them to sign in and complete their normal MFA prompt.
- Token Harvest: The attacker's script has been polling the token endpoint with the device code the whole time, receiving "authorization_pending" errors. Once the user completes the MFA challenge, the next poll returns a valid OAuth access token and, provided the original request asked for the offline_access scope, a refresh token as well. The user code expires after 15 minutes, so the lure has to land quickly; attackers simply regenerate codes and resend until someone bites.
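The five steps above are the RFC 8628 exchange seen from both sides. The following simulation is an added example, not code from the article or from any phishing kit: an in-memory authorization server stands in for login.microsoftonline.com, one function plays the attacker (start the flow, poll), another plays the victim (enter the code, pass MFA). The endpoint paths, the 15-minute code lifetime and the 5-second polling interval mirror Entra ID and the RFC; the client ID is the Azure CLI first-party application ID; the user name, tokens and clock are invented, and everything runs offline.

```python
"""Simulated OAuth 2.0 Device Authorization Grant (RFC 8628) exchange.

Constructed example: an in-memory authorization server, an attacker who starts
the flow and polls for tokens, and a victim who enters the code on the genuine
verification page. No network access; time is a simulated clock in seconds.
"""
import secrets
import string
from dataclasses import dataclass
from typing import Optional

DEVICE_AUTH_ENDPOINT = "/common/oauth2/v2.0/devicecode"  # attacker POSTs here first
TOKEN_ENDPOINT = "/common/oauth2/v2.0/token"            # attacker polls here afterwards
GRANT_TYPE = "urn:ietf:params:oauth:grant-type:device_code"
VERIFICATION_URI = "https://microsoft.com/devicelogin"   # the page the victim is sent to
EXPIRES_IN = 900   # seconds the user code stays valid (Entra ID: 15 minutes)
INTERVAL = 5       # minimum seconds between polls (RFC 8628 default)


@dataclass
class Grant:
    user_code: str
    device_code: str
    client_id: str
    scope: str
    issued_at: float
    approved_by: Optional[str] = None   # UPN of whoever entered the user code
    last_poll: float = -1.0


class AuthServer:
    """Minimal RFC 8628 authorization server: issues codes, records approval, mints tokens."""

    def __init__(self) -> None:
        self.clock = 0.0                       # simulated seconds
        self.by_device_code: dict[str, Grant] = {}
        self.by_user_code: dict[str, Grant] = {}

    def devicecode(self, client_id: str, scope: str) -> dict:
        """Step 1 (attacker): request a user_code/device_code pair."""
        user_code = "".join(secrets.choice(string.ascii_uppercase + string.digits) for _ in range(9))
        grant = Grant(user_code, secrets.token_urlsafe(32), client_id, scope, self.clock)
        self.by_device_code[grant.device_code] = grant
        self.by_user_code[user_code] = grant
        return {"user_code": user_code, "device_code": grant.device_code,
                "verification_uri": VERIFICATION_URI, "expires_in": EXPIRES_IN, "interval": INTERVAL}

    def devicelogin(self, user_code: str, upn: str, mfa_passed: bool) -> str:
        """Steps 3-4 (victim): enter the code on the genuine page, sign in, pass MFA."""
        grant = self.by_user_code.get(user_code)
        if grant is None or self.clock - grant.issued_at > EXPIRES_IN:
            return "code_invalid_or_expired"
        if not mfa_passed:
            return "mfa_required"
        grant.approved_by = upn   # the victim's session is now bound to the attacker's device_code
        return "approved"

    def token(self, device_code: str) -> dict:
        """Step 5 (attacker): poll with grant_type=device_code until the victim approves."""
        grant = self.by_device_code.get(device_code)
        if grant is None:
            return {"error": "invalid_grant"}
        if self.clock - grant.issued_at > EXPIRES_IN:
            return {"error": "expired_token"}
        if grant.last_poll >= 0 and self.clock - grant.last_poll < INTERVAL:
            return {"error": "slow_down"}   # client must add 5 s to its polling interval
        grant.last_poll = self.clock
        if grant.approved_by is None:
            return {"error": "authorization_pending"}
        resp = {"token_type": "Bearer", "expires_in": 3600, "sub": grant.approved_by,
                "access_token": "eyJ." + secrets.token_hex(12)}
        if "offline_access" in grant.scope.split():   # refresh token only when it was requested
            resp["refresh_token"] = secrets.token_urlsafe(48)
        return resp


def run_phish_scenario(victim_acts_at: float = 120.0,
                       scope: str = "openid profile offline_access") -> dict:
    """Attacker starts the flow and polls every `interval`; victim acts at `victim_acts_at` s."""
    server = AuthServer()
    start = server.devicecode("04b07795-8ddb-461a-bbee-02f9e1bf7b46", scope)   # Azure CLI app ID
    pending_polls = 0
    while server.clock < victim_acts_at:
        resp = server.token(start["device_code"])
        if resp.get("error") != "authorization_pending":
            break                                   # code expired (or something unexpected)
        pending_polls += 1
        server.clock += start["interval"]
    # The phishing email carried start["user_code"]; the victim types it at VERIFICATION_URI.
    victim_result = server.devicelogin(start["user_code"], "assistant@contoso.example", mfa_passed=True)
    tokens = server.token(start["device_code"])     # the attacker's next poll
    return {"user_code": start["user_code"], "pending_polls": pending_polls,
            "victim_result": victim_result, "tokens": tokens}


if __name__ == "__main__":
    outcome = run_phish_scenario()
    print("victim saw:", outcome["victim_result"])
    print("attacker received:", sorted(outcome["tokens"]))
```

Two details worth noticing when you run it: the attacker never sees a password or an MFA code, only the device code it minted itself, and whether a refresh token comes back depends solely on the scope string the attacker chose in step 1. Calling `run_phish_scenario(victim_acts_at=1000.0)` shows the other failure mode, the code expiring before the lure lands.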
By design, this flow bypasses the need for credential harvesting. The attacker never handles the password. The user completes the login and the MFA challenge on a legitimate, trusted Microsoft page. The subsequent session token is delivered directly to the attacker’s machine, granting them immediate, authenticated access to the victim’s corporate environment.
Why Traditional Defenses Are Blind to Flow Abuse
This attack sequence exposes a massive security blind spot. Standard security tools, such as Secure Email Gateways (SEGs), credential monitoring, and multi-factor authentication itself, are built to catch attacker-controlled domains, stolen passwords, and logins the real user never performed. They fail when the entire interaction occurs on a legitimate site and the real user personally completes every step.
Standard email gateways analyze inbound mail for malicious attachments or links pointing to domain-spoofed login portals. In a device code attack, the link directs the user to Microsoft's own domain. Since the destination is completely benign, the mail gateway lets it pass. The victim is not entering credentials on a clone site; they are logging into the real Microsoft portal. This trust abuse is related to other mail transport exploits, such as the Active Exchange Sender spoofing vulnerability, which bypasses traditional email filters by exploiting misconfigured mail flow rules.
Alongside this, MFA is working exactly as configured. The identity provider prompts the user, the user approves the prompt on their phone, and the system registers a successful login. The authentication workflow does not know that the user is authorizing a session for a device sitting thousands of miles away. It sees a completed verification prompt and issues the tokens.
Credential monitoring tools are also useless here. Because no password is exchanged or stolen, there are no compromised credentials to find in dark web dumps or brute-force logs. The attacker does not need to guess the password. They simply wait for the user to hand over access via OAuth tokens. This leaves security operations center (SOC) analysts looking at logs that, at first glance, appear entirely normal.
The Aftermath: BEC and Identity Persistence
Once the attacker secures the OAuth tokens, they can maintain a persistent foothold in the organization's cloud environment. The access token provides immediate entry (by default it lives roughly an hour to 90 minutes), while the refresh token lets the attacker mint new access tokens without another MFA prompt. Under Entra ID's default settings a refresh token stays valid for 90 days of inactivity, and every use resets that window, so the session effectively persists until it is explicitly revoked. Similar persistent techniques are often deployed by state-sponsored actors, such as the UNC5221 Brickstorm backdoor campaign, which abuses OAuth authorizations to maintain access to enterprise email systems.
This persistent access is the starting point for Business Email Compromise (BEC). Attackers often establish silent monitoring by creating inbox rules that forward inbound messages to external mailboxes or tuck them away in obscure folders. They target accounting departments, vendor relationships, and executive communications, waiting for the right moment to intercept a transaction. By inserting themselves into active email threads, they can redirect payments, manipulate invoice details, and execute social engineering attacks with high credibility.
Beyond email, attackers use their access to move laterally within the Microsoft 365 tenant. They scrape data from SharePoint sites, download files from OneDrive, and search Teams conversations for shared credentials, passwords, and sensitive API keys. Because they are authenticated, their activities often blend in with the background noise of daily business operations.
For incident response teams, this creates a frustrating reality. When a security alert finally fires, the compromise has likely been active for weeks. SOC analysts are forced to reconstruct timelines without a clear starting point, wading through thousands of legitimate logs to find the exact moment the device code was entered.
Hardening Entra ID and Blocking the Flow
Securing against device code exploits requires moving away from the assumption that MFA alone is sufficient. It requires active policy management and configuration changes in Microsoft Entra ID. Defensive teams must focus on minimizing the attack surface by limiting where and how these flows can be used.
The most direct fix is to block or limit the device code flow with Conditional Access. Many organizations do not actually need this protocol for everyday workers. Conditional Access has an "Authentication flows" condition whose "Device code flow" option scopes a policy to exactly these sign-ins. A security administrator can target all users and all cloud apps, select the device code flow as the condition, set the grant control to Block, and exclude only the break-glass accounts and the small group (for example, engineers who sign into the Azure CLI from headless hosts) that legitimately needs the flow, optionally also exempting trusted corporate IP ranges or compliant and hybrid-joined devices. Keep in mind that every exclusion is a residual path: an attacker already positioned inside the trusted network can still complete the flow, so exclude nothing you cannot justify. Run the policy in report-only mode first to see which sign-ins it would have blocked, then enforce it. Turning off device code flows for non-administrative users shuts down this vector immediately.
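The policy described above, written out as the Microsoft Graph conditionalAccessPolicy body an administrator would POST to /identity/conditionalAccess/policies. This is an added example rather than anything the article or Microsoft supplies: the two group object IDs are placeholders, the sample sign-in contexts are constructed, and policy_decision() is a deliberately simplified model of how this single policy scopes a sign-in (users, locations, authentication flow, grant control), not Entra ID's evaluation engine.

```python
"""Conditional Access policy blocking the device code flow, as a Graph API body,
plus a simplified scoping check over constructed sign-in contexts.

Constructed example: group IDs are placeholders; policy_decision() models only
this one policy and ignores device filters, sign-in risk and other policies.
"""
import json

BREAK_GLASS_GROUP = "00000000-0000-0000-0000-00000000aaaa"           # placeholder object ID
DEVICE_CODE_APPROVED_GROUP = "00000000-0000-0000-0000-00000000bbbb"  # placeholder, e.g. platform engineers


def device_code_block_policy(report_only: bool = True) -> dict:
    """Block device code sign-ins for everyone except approved groups and trusted locations."""
    return {
        "displayName": "CA-Block device code flow",
        # Start in report-only mode so the sign-in logs show who would have been blocked.
        "state": "enabledForReportingButNotEnforced" if report_only else "enabled",
        "conditions": {
            "users": {"includeUsers": ["All"],
                      "excludeGroups": [BREAK_GLASS_GROUP, DEVICE_CODE_APPROVED_GROUP]},
            "applications": {"includeApplications": ["All"]},
            # The condition that scopes this policy to RFC 8628 sign-ins only.
            "authenticationFlows": {"transferMethods": "deviceCodeFlow"},
            # Exempt trusted named locations; remove this exemption if nobody needs the flow.
            "locations": {"includeLocations": ["All"], "excludeLocations": ["AllTrusted"]},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }


def policy_decision(policy: dict, signin: dict) -> str:
    """Return 'not_applicable', 'report_only' or 'block' for a sign-in described by
    {protocol, groups, trusted_location}. Simplified single-policy model."""
    cond = policy["conditions"]
    if cond["authenticationFlows"]["transferMethods"] == "deviceCodeFlow" and signin["protocol"] != "deviceCode":
        return "not_applicable"            # browser, ROPC and other flows fall outside this policy
    if set(signin["groups"]) & set(cond["users"]["excludeGroups"]):
        return "not_applicable"            # excluded group wins over includeUsers: All
    if signin["trusted_location"] and "AllTrusted" in cond["locations"]["excludeLocations"]:
        return "not_applicable"            # the residual path the exemption leaves open
    if "block" not in policy["grantControls"]["builtInControls"]:
        return "not_applicable"
    return "report_only" if policy["state"] == "enabledForReportingButNotEnforced" else "block"


# Constructed sign-in contexts used to exercise the policy.
SAMPLE_SIGNINS = {
    "assistant_from_home_devicecode": {"protocol": "deviceCode", "groups": [], "trusted_location": False},
    "assistant_browser": {"protocol": "oAuth2", "groups": [], "trusted_location": False},
    "engineer_in_office_devicecode": {"protocol": "deviceCode", "groups": [DEVICE_CODE_APPROVED_GROUP],
                                      "trusted_location": True},
    "anyone_in_office_devicecode": {"protocol": "deviceCode", "groups": [], "trusted_location": True},
}


def evaluate_all(report_only: bool = False) -> dict:
    """Decision for every sample sign-in under the policy in the given state."""
    policy = device_code_block_policy(report_only)
    return {name: policy_decision(policy, ctx) for name, ctx in SAMPLE_SIGNINS.items()}


if __name__ == "__main__":
    print(json.dumps(device_code_block_policy(), indent=2))
    for name, verdict in evaluate_all().items():
        print(f"{name:34} -> {verdict}")
```

The last sample, "anyone_in_office_devicecode", is the point of the exercise: with "AllTrusted" excluded, any user on the corporate network can still complete a device code sign-in, which is exactly the gap an attacker with an internal foothold would use. If no workflow needs the flow from the office either, delete the locations block and let the group exclusion carry the exceptions.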
Additionally, auditing sign-in logs is critical for spotting active exploit attempts. Security teams should filter the sign-in logs on the Authentication Protocol field for the value Device Code (authenticationProtocol equal to deviceCode in the Microsoft Graph signIn resource). Pay close attention to device code sign-ins targeting the Microsoft Azure CLI application (Application ID: 04b07795-8ddb-461a-bbee-02f9e1bf7b46), a first-party client that phishing kits favor because it requires no consent and grants broad access. Judge each hit against the user's own history: if an administrative assistant who has only ever signed in through a browser from the office is suddenly signing into the Azure CLI from an unusual geographic location or an unrecognized IP address, it is a high-confidence indicator of compromise, whereas the same protocol and client from a platform engineer's usual address is routine.
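The hunt just described, as an added example that is not part of the article: it builds a per-user baseline of client apps, countries and IP addresses from an earlier window of sign-ins, then scores every later device code sign-in against that baseline. The NDJSON records imitate the field names of the Graph signIn resource (authenticationProtocol, appId, ipAddress, location.countryOrRegion, status.errorCode) but are entirely constructed; the Azure CLI application ID is the real first-party one, the OfficeHome ID is assumed to be the browser sign-in client, and the cutoff date is arbitrary. In production the records would come from GET /auditLogs/signIns or a SigninLogs export and the baseline window would span weeks.

```python
"""Hunt Entra ID sign-in logs for device code sign-ins that break a user's baseline.

Constructed example: every record below is invented; only the field shape and the
Azure CLI application ID are real. Baseline = successful sign-ins before the cutoff.
"""
import json
from collections import defaultdict

AZURE_CLI_APP_ID = "04b07795-8ddb-461a-bbee-02f9e1bf7b46"   # Microsoft Azure CLI (first party)
OFFICE_HOME_APP_ID = "4765445b-32c6-49b0-83e6-1d93765276ca"  # assumed: OfficeHome, browser sign-in

BASELINE_CUTOFF = "2026-06-01T00:00:00Z"   # records before this build the baseline, after it are hunted

# Constructed records in Graph signIn shape, one JSON object per line.
SIGN_IN_LOG = """
{"createdDateTime":"2026-05-04T08:02:11Z","userPrincipalName":"jdoe@contoso.example","appId":"4765445b-32c6-49b0-83e6-1d93765276ca","appDisplayName":"OfficeHome","authenticationProtocol":"oAuth2","ipAddress":"198.51.100.10","location":{"countryOrRegion":"US"},"status":{"errorCode":0}}
{"createdDateTime":"2026-05-11T08:05:40Z","userPrincipalName":"jdoe@contoso.example","appId":"4765445b-32c6-49b0-83e6-1d93765276ca","appDisplayName":"OfficeHome","authenticationProtocol":"oAuth2","ipAddress":"198.51.100.10","location":{"countryOrRegion":"US"},"status":{"errorCode":0}}
{"createdDateTime":"2026-05-12T09:30:00Z","userPrincipalName":"mlee@contoso.example","appId":"04b07795-8ddb-461a-bbee-02f9e1bf7b46","appDisplayName":"Microsoft Azure CLI","authenticationProtocol":"deviceCode","ipAddress":"198.51.100.10","location":{"countryOrRegion":"US"},"status":{"errorCode":0}}
{"createdDateTime":"2026-06-03T13:47:19Z","userPrincipalName":"jdoe@contoso.example","appId":"04b07795-8ddb-461a-bbee-02f9e1bf7b46","appDisplayName":"Microsoft Azure CLI","authenticationProtocol":"deviceCode","ipAddress":"203.0.113.77","location":{"countryOrRegion":"NL"},"status":{"errorCode":0}}
{"createdDateTime":"2026-06-04T10:12:03Z","userPrincipalName":"mlee@contoso.example","appId":"04b07795-8ddb-461a-bbee-02f9e1bf7b46","appDisplayName":"Microsoft Azure CLI","authenticationProtocol":"deviceCode","ipAddress":"198.51.100.10","location":{"countryOrRegion":"US"},"status":{"errorCode":0}}
{"createdDateTime":"2026-06-04T11:00:00Z","userPrincipalName":"jdoe@contoso.example","appId":"04b07795-8ddb-461a-bbee-02f9e1bf7b46","appDisplayName":"Microsoft Azure CLI","authenticationProtocol":"deviceCode","ipAddress":"203.0.113.78","location":{"countryOrRegion":"NL"},"status":{"errorCode":50074}}
"""


def parse_log(ndjson: str) -> list[dict]:
    """One dict per non-empty line."""
    return [json.loads(line) for line in ndjson.strip().splitlines()]


def build_baseline(records: list[dict], cutoff: str) -> dict:
    """Per user: client apps, countries and IPs seen in successful sign-ins before the cutoff."""
    baseline = defaultdict(lambda: {"apps": set(), "countries": set(), "ips": set()})
    for r in records:
        if r["createdDateTime"] >= cutoff or r["status"]["errorCode"] != 0:
            continue
        b = baseline[r["userPrincipalName"]]
        b["apps"].add(r["appId"])
        b["countries"].add(r["location"]["countryOrRegion"])
        b["ips"].add(r["ipAddress"])
    return baseline


def hunt_device_code(records: list[dict], baseline: dict, cutoff: str) -> list[dict]:
    """Every successful device code sign-in after the cutoff, scored against the user's baseline."""
    findings = []
    for r in records:
        if (r["createdDateTime"] < cutoff or r["authenticationProtocol"] != "deviceCode"
                or r["status"]["errorCode"] != 0):     # non-zero errorCode: the flow never completed
            continue
        user = r["userPrincipalName"]
        b = baseline.get(user)                        # None: no history at all for this user
        reasons = []
        if b is None or r["appId"] not in b["apps"]:
            reasons.append("client app never seen for this user")
        if b is None or r["location"]["countryOrRegion"] not in b["countries"]:
            reasons.append("new country")
        if b is None or r["ipAddress"] not in b["ips"]:
            reasons.append("unrecognized IP")
        severity = "high" if len(reasons) >= 2 else "medium" if reasons else "low"
        findings.append({"time": r["createdDateTime"], "user": user, "app": r["appDisplayName"],
                         "azure_cli": r["appId"] == AZURE_CLI_APP_ID, "ip": r["ipAddress"],
                         "country": r["location"]["countryOrRegion"],
                         "severity": severity, "reasons": reasons})
    return findings


def run_hunt() -> list[dict]:
    """Baseline and hunt over the constructed log."""
    records = parse_log(SIGN_IN_LOG)
    return hunt_device_code(records, build_baseline(records, BASELINE_CUTOFF), BASELINE_CUTOFF)


if __name__ == "__main__":
    for f in run_hunt():
        print(f"[{f['severity']:6}] {f['time']} {f['user']} via {f['app']} "
              f"from {f['ip']} ({f['country']}) {f['reasons']}")
```

On the sample data the assistant's Azure CLI sign-in from a new country and IP scores high on three counts, the engineer's routine device code sign-in scores low, and the interrupted attempt with a non-zero error code is skipped rather than alerted on. The scoring is deliberately simple; the point is that "device code" alone is not the signal, device code outside the identity's own baseline is.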
Token management policies should also be tightened, with one caveat: Entra ID's configurable token lifetime policies let you shorten access token lifetimes, but refresh token lifetimes are no longer configurable, and a refresh token stays valid for as long as it keeps being used. The practical levers are therefore a Conditional Access sign-in frequency control, which forces periodic reauthentication regardless of token state, and Continuous Access Evaluation (CAE), which lets CAE-capable clients and services honor revocation in near real time on critical events such as the account being disabled, a password change, an explicit admin revocation, or a request arriving from an IP address outside the tenant's named locations. When an account is suspected compromised, revoke its sessions outright rather than waiting for tokens to age out. Finally, user education must highlight the specific interface of the device login page. Users need to know that if they receive a prompt to enter a code they did not generate themselves, they must deny it and report it immediately.
Behavioral AI and the Shift to Automated Hunting
Even with hardened policies, some attacks will slip through configuration gaps. This is where behavioral AI becomes critical for modern defense. During the upcoming BleepingComputer webinar, Dan Nickolaisen and Eric Danneker will address the challenge of alert fatigue in security operations. The standard SOC model relies on analyst response to static alerts, which frequently leads to eyes glazing over as thousands of minor alerts pile up daily.
Behavioral AI approaches the problem differently. Instead of relying on rigid thresholds or binary rules, it builds a baseline of normal behavior for every identity in the organization. It tracks sign-in locations, typical communication partners, client applications, and device types. When a user who has only ever logged in via a standard web browser on a corporate laptop suddenly approves a device code verification page from a CLI application, behavioral AI flags the anomaly.
Beyond detection, automation allows security teams to respond before the attacker can set up mail forwarding rules. By integrating behavioral AI with identity management, organizations can configure automated responses. For instance, if an anomalous authentication flow is detected, the system can instantly revoke all active OAuth sessions, force a password reset, and flag the account for review. This takes the burden off the SOC team and stops the attack in seconds, rather than hours.
Security teams have to accept that passive monitoring is no longer enough. The speed with which attackers exploit compromised access means that waiting for an analyst to review a ticket at 8:00 AM after a 2:00 AM compromise is a recipe for a major incident. By automating detection and remediation, organizations can stop chasing alerts and start actively neutralizing identity threats before they turn into full-scale BEC incidents.
Key Takeaways for IT and Security Leaders
To sum up the defense-in-depth posture required to withstand modern authentication bypasses:
- Audit Default Protocols: Do not assume your default tenant settings are secure. Verify whether Device Code Flows are active in Entra ID and disable them for all standard business users.
- Implement Conditional Access: Restrict OAuth authorizations specifically to corporate IP ranges, compliant devices, and hybrid-joined systems to limit the attacker's ability to trigger the grant.
- Watch the Logs: Establish monitoring alerts for sign-ins that use the OAuth Device Authorization Grant (Authentication Protocol: Device Code), and in particular for those targeting Application ID 04b07795-8ddb-461a-bbee-02f9e1bf7b46 (Microsoft Azure CLI) from users who have no history with that client.
- Adopt Behavioral Models: Shift detection strategy from rule-based thresholds to baseline behavioral analysis that can detect anomalous application access and token creation in real-time.
- Enable Automated Response: Configure automated workflows to revoke active sessions and enforce MFA resets immediately upon detection of high-risk authentication events.
Educating users is the final brick in this wall. They must understand that the official Microsoft code-entry page is only safe when they themselves initiated the login. By coupling strong protocol configurations, alert automation, and user awareness, security teams can effectively close the door on device code abuse and reclaim control over corporate identities.