Data Security Decoded 6.30.26
Ep 57 | 6.30.26

Defending the Authentication Flow: Device Code Phishing with Selena Larson

Transcript

Selena Larson: Just because you're a threat actor, just because you want to do crime, doesn't mean that you're good at it. And just because you're good at maybe committing fraud doesn't mean you're good at building websites and developing phishing panels. [ Music ]

Caleb Tolin: Hello and welcome to another episode of Data Security Decoded. I'm your host, Caleb Tolin, and in this episode, I sat down with Selena Larson, Senior Threat Intelligence Analyst at Proofpoint and host of the Discarded podcast. We spoke today about device code phishing, a technique that bypasses MFA entirely by abusing Microsoft's own authentication infrastructure, and what defenders can actually do to protect themselves before it hits their environment. Let's get into it. Selena, welcome to the podcast. I'm so excited to have you on Data Security Decoded. We're going to talk a lot about device code phishing. So walk me through these attacks from the victim's perspective. What actually happens, and why is it so hard to spot?

Selena Larson: Yeah, so it's pretty interesting. So I kind of want to take you a little bit of a step back and talk about the history of device code phishing, because I think it kind of puts it into context. So device code phishing is essentially abusing the legitimate Microsoft OAuth authentication flow. I like to describe it as if you are at a new Airbnb and you're trying to log into Netflix so you can watch your shows for the week that you're in Puerto Rico, let's say. And you, you know, you get on there, and it says, "Enter this code," and then you put the code in, and you're automatically connected to the TV, and you can lounge and have fun. That's pretty much the flow. But what we're talking about is email authentication, but it's still using the device code. So it's a real legitimate way of logging in. However, threat actors have gotten pretty creative. There has been device code phishing kits in existence for quite some time. I think 2020, 2021 was when we first started seeing a little bit of some of this testing. And then we saw it in use with red teams. But previously, it used to be like someone would email you and send you the code themselves. So the threat actor would create the code. They would send you the code: "Oh, input this code to authenticate." These codes have a 15-minute lifespan. So it wasn't really a practical method of sending, you know, credential phishing. It also just wasn't super popular. Fast forward to the end of 2025. There are, you know, red team toolkits that are available out there, and on various cybercriminal forums, and one in particular, someone leaked this thing for free, and they say, "Hey, here's my device code phishing kit. I'm just giving it away for free. Have fun. Go forth and conquer." So that was towards the end of last year. We started seeing an increase in device code phishing towards the end of 2025. And now, it's just completely exploded across the threat landscape. You have a number of different phishing-as-a-service -- a device code phishing-as-a-service. So threat actors can just pay someone to make these, basically, kits for them, and they can just use them as, like, a bit of a WYSIWYG sort of situation. And, yeah, so they've become a lot more popular. Part of the reason why they are so popular is, I believe, they can be very effective. So, for your initial question, what does the user see when they're walking through this? Well, essentially, if you have ever set up your account on Netflix before, or if you've ever, you know, used device code authorization for anything in the past, you're familiar already with that login flow. On top of that, these are AI-generated landing pages, so they look very slick. They look kind of legit -- like, legitimate. They have the proper branding. So user will receive an email. Maybe it's something like, "Hey, you're getting an increase in salary," or, "Here's a document that I'm sharing with you." They'll click on this link. That link generates the device code automatically. So, that's the little code number that historically would just be sent directly, that has that short shelf life. They see that code. They input that code. That is where the Microsoft OAuth abuse comes in, and then the threat actor gains access to their accounts, whether it's Microsoft, which is what we see the most of, but there is, of course, other things like Google or other enterprise accounts takeovers type of activity that we -- that can be done via device code phishing.

Caleb Tolin: Right. And as you've mentioned, it runs directly on Microsoft's own infrastructure. So what does this mean for traditional defenses, let's say, like security awareness training? Obviously, there's a lot of conversation around phishing awareness. This is a phishing-oriented attack. What does it say about our traditional defense mechanisms and how we defend against these?

Selena Larson: So I actually think it's good news for traditional defenses, because the reason why threat actors are doing this is because phishing defense works. And if we think about it from, you know, like multi-factor authentication, attacker-in-the-middle types of phish kits, those had to be spun into existence because username and password wasn't enough. And organizations were like, "Wait a second, you know, we need to do better about things. We can't just be relying on username and passwords. We're implementing MFA everywhere." And the threat actors were like, "Oh, crap. I guess we have to do something new now." And then they invented attacker-in-the-middle phishing. Now, what we're seeing with device code is like, "Okay. There's this, like, new technique -- this new method for me to take over someone's account and, you know, it's looking really slick and very effective." And they're not using traditional attacker-in-the-middle types of credential phishing. I think in part because organizations are like, "Wait a second, threat actors are using a lot of attacker-in-the-middle phishing. We have to use passkeys now or some other type of defense." So yeah, so it really sort of speaks to the evolution of the threat landscape overall. And I think it also speaks to the effectiveness of modern credential phishing types of security. And it's kind of good, right? Like, it shows a general overall improvement from an organizational perspective, because they have to come up with new ways of, you know, knocking on those doors and getting into the organizations because their defenses are pretty effective. From a security awareness training and security training, I do think it's really important to make sure people see what's really out there as much as possible. Because it is a fairly new attack chain, a fairly new attack flow, and device code phishing isn't something that, you know, we're using all the time like multi-factor authentication, you know, we're using constantly. But device code phishing is a little bit different. And if you're not super familiar with it, you might just think it's a legitimate -- you know, this looks real, this is expected behavior. So if you're not familiar with it, definitely try to work it into organizational training processes, because showing people what's really on the threat landscape and what's coming up is going to be one of the most important things that you can do to prevent people from engaging with these types of threats.

Caleb Tolin: Right. Absolutely. That's great advice. And so, I'd love to -- you talked a little bit about the threat actor landscape, and I'd love to kind of drill into that even more. Who are the people actually running these campaigns right now? What do we know about them? Is it kind of across the board, or is this kind of a specific attack group?

Selena Larson: Yeah, so we've seen device code phishing from a variety of threat actors, a range of capabilities from very sophisticated espionage-style threat actors all the way down to really terrible cybercriminals that don't know what they're doing. So these device code phishing kits, which are the -- these, you know, phishing-as-a-service where you can become a customer of one of these services, have sort of democratized device code phishing. So you don't actually have to be very good to do these types of campaigns. So it really varies. But for the most part, what we're seeing are cybercriminal threat actors doing this. And the main goal of these is, of course, account takeover. Once you've taken over an enterprise account, there are a lot of different things that you can do. You can do business email compromise. You can do follow-on malware deployment. You can do something called ATO jumping, which we can talk about, you know, later. But essentially, what they're doing is they're trying to make money. So most of these threat actors are going to be financially motivated. There are a few of the phishing-as-a-service kits that are out there that are actually pretty well done. The vast, vast majority of anything device code-related that we're seeing is AI-generated. It's LLM-based. It's vibe-coded slop. So they all have the same look about them. So they're all using, you know, very similar color schemes. They're all using this sort of same logo placement, the device code, like where the actual code is being placed, the same, you know, buttons for things. It all looks very similar. In some cases, some of these phish kits do have the ability to sort of interact a little bit more with some of the mailboxes, right? So, for example, you can -- once you've compromised an email inbox, you can use these tools to sort of look for your follow-on targets, kind of do some investigation into the inbox itself. It's a little bit more full-service. Some of them are just like, "Here's just the device code creator. You have to deal with organizing everything all by yourself." There is one -- well, a couple of threat actors that we track that use them, but one in particular, I think, is very notable is a threat actor that I track is TA4903. What makes this actor pretty interesting is that they do business email compromise as well as credential phishing. And they actually, historically, in the past, have used their credential phishing to enable business email compromises. So they will compromise an inbox, get a bunch of information, figure out their targeting, and then conduct BEC and fraud. We've seen them use cred phish that doesn't have MFA. We've seen them use cred phish that does target MFA, including things like EvilTokens. Recently, we saw them using ODx. We've seen -- or not EvilTokens. EvilProxy. Sorry. There's so many evil things. EvilTokens is device code phishing, EvilProxy is MFA phishing, and they're not related. So this actor has started almost exclusively using device code phishing in their campaigns. It's a huge pivot for them. But what's pretty funny is they're not actually that good at it. And when I talk about kind of having, like, a full-service sort of platform, in this particular actor, sometimes they, like, forget to include email bodies. So they'll just, like, send blank emails. So they'll have this, like, AI-generated PDF attached to an email that doesn't say anything. And we actually kind of see that a lot. We see these sort of basic mistakes from some of these threat actors that are using device code phishing or other sort of AI-generated types of things, where they're making these sort of basic mistakes, and maybe the attack doesn't work. [ Music ]

Caleb Tolin: You would think that those types of mistakes would be greatly reduced by the use of LLMs. Is that something that you're seeing, or is it still just consistently an area that they keep kind of botching?

Selena Larson: Yeah, you know, it's actually totally the opposite. If anything, AI and LLMs have made threat actors worse. We actually have talked about this on the N2K networks, Only Malware in the Building. We had a conversation about AI, and honestly, I think it's so funny because, I mean, anyone who's ever heard me on a podcast knows how I feel about AI, so I won't get into it here. But I do think that there are some really funny ways that AI is changing threat actor behaviors, because we have this idea in our minds that, "Oh, my gosh." It's making people better, faster, smarter. Like, oh, unhackable malware, whatever. Like, all these, you know, buzzwords. But a lot of what we're seeing are, like, incredibly funny mistakes. So just because you're a threat actor, just because you want to do crime, doesn't mean that you're good at it. And just because you're good at maybe committing fraud doesn't mean you're good at building websites and developing phishing panels. And so, a lot of times what we're seeing is, you know, there are these tools. One, so we'll see, you know, the malware be created, and if, you know, so kind of separate from device code, but, like, let's say a threat actor is using AI to make malware, there'll be some, like, obvious mistakes, and, like, okay, this malware isn't actually going to run. Like, there's some, you know, like, coding errors, or, you know, there's these, like, fundamental things that it's talking to hosts that aren't there, or, you know, it's, like, creating weird files that are completely unnecessary. You have these sort of weird mistakes that add additional detection opportunities from a defender's point of view. From a device code phishing point of view, what we see a lot of is just, again, like, just copied slop. So if -- you know, they're all kind of copying each other. These same kits over and over again. And what this provides is, again, opportunities for defenders, because if you're -- if you're writing signatures to detect the landing pages of device code phishing or certain HTML headers or JavaScript, and they're just kind of all copying each other, you're going to have really solid detection across the board regardless of what the phish kit is actually doing. We've also seen AI-generated, like, panels, whether it's like a phishing kit panel or a malware panel, that completely expose the entire back end because they don't know how to do website securely properly -- security properly. So, you know, you can just, like, inspect element on a web page and see literally what the entire website is doing behind the login screen on the website. So there's a lot of these, like, very basic errors that threat actors are making now that we didn't see, like, as much of before everyone started using AI. So, frankly, it's really funny. And, yeah, I -- yeah, it's honestly annoying. It annoys me. You know, we used to have pride in our work. What happened to the good old days of crime, you know? But yeah, it's quite funny. And I think device code phishing is a perfect example of it.

Caleb Tolin: Yeah. Now, we're just in the era of crime slop, I suppose.

Selena Larson: Yeah, it's all crime slop. It's crime slop.

Caleb Tolin: Yeah. Awful. Awful. All right. So we talked a little bit about the threat actors who are conducting these attacks and these campaigns, but what about the organizations being targeted? Are there any specific sectors that are being, you know, targeted as an opportunistic vector, or is it deliberate, or is it just kind of across the board, too?

Selena Larson: It's really just across the board. And this is actually where account takeover jumping comes in. So, for any of our listeners who aren't familiar with account takeover jumping, essentially, this is where threat actors will compromise an inbox. They will, you know, do their research within this inbox and say, okay, who does this account talk to? Who can I then spread my badness all over? It's typically from credential phishing, doing account takeover jumping, but what we see sometimes with malware, like remote monitoring and management solutions, they'll also do account takeover jumping, where, you know, they'll compromise one person and then, boop, boop, boop, hop to the next. So oftentimes what you'll see is it looks like it might be targeted because, oh, all of these emails are going to the same industry, or they're going to the same company, or they're going to the same group or type of organizations. But oftentimes what that is is just opportunistic, whatever the contact list is in the compromised email. So let's say you're a healthcare organization. You mostly talk to other healthcare organizations. A threat actor gets into your email, and then it's going to be able to hop to these other healthcare organizations. It's not necessarily because they're specifically looking to target healthcare. It's just because that's who they got lucky with for the initial compromise. Same thing goes with, like, geo-targeting as well. So maybe, you know, if you're a US-based company and you mostly talk to US-based suppliers, that's going to look like it's mostly targeting the US, but in reality, it's just whatever the opportunistic capabilities of the adversary. So I would say that this is a very, very common threat to really any organization. Very similar to what we see from business email compromise and credential phishing. It's just we see it in, you know, higher volumes, and we see it, like, broadly regardless of organization. So it's not -- like, they're not necessarily doing very specific targeting. A threat actor is going to make money however they can, and that's kind of what we're seeing here.

Caleb Tolin: Right. Right. Absolutely. And at the core of this is an identity-based attack, right? And something that we hear a lot is that identity-based attacks, one of the hardest things to mitigate with them is that the threat actor is very persistent. They tend to stay in your network no matter what you do to try to evict them. So, is that a trend that you see with this type of campaign, or is there any different variance based off of, like, what we're seeing across the board with identity-based attacks?

Selena Larson: Yeah, so, it really depends on the actor's objective. For the threat actor that I mentioned previously, like TA4903, or some of the other sort of like fraud or lower-tier phishing threat actors that we're talking about, they don't really care about maintaining persistence. They want to defraud you. They want to get someone to send money to the wrong bank account, and then, you know, they'll carry on. Sometimes they'll maintain persistence if it comes to something like maintaining access to a compromised email to facilitate that fraud, but it's not necessarily like they are persisting in the same way that we might see with a ransomware threat actor who might, you know, kind of be in there for a while trying to steal as much data as possible, hold it for, you know, extortion purposes, or even espionage threat actors that want to maintain persistence for long-term objectives. What we're seeing from these threat actors is they do tend to kind of make themselves known, right, if they're sending additional follow-on emails to facilitate additional compromises. Though that's kind of their primary objective. Of course, there are -- the potential for them to -- once they gain access to an organization, and they've done whatever they wanted with the inbox, they could then sell access on to another threat actor. That's actually outside of our visibility, and so I don't have great statistics on how much, like, device code leads to ransomware, but based off of our visibility and mostly kind of what we see from the threat actors that we're looking at, it's largely based off of either follow-on additional credential phishing or, like, BEC and fraud

Caleb Tolin: Right. Right. Interesting. So you already mentioned one example of an actionable step defenders can take right now to kind of mitigate these threats. It was earlier just like updating some of your security awareness training to make sure that folks are aware of these device code phishing attacks. What are two other actionable steps that defenders can take to start mitigating these attacks now?

Selena Larson: Yeah, of course. So the most basic one that you can do is just blocking device code phishing. Yeah, block all device code phishing. Duh. No. Block device code authentication flows where possible. So this is actually through a conditional access policy within your organizational networks, and you can set that so that you don't allow device code at all. So if your organization is targeted, somebody does happen to click on the link, they won't have the opportunity to authenticate via device code. So that's a good way of doing it. If that's not possible, kind of figure out within the organization where it might be possible to really have the sort of least amount of device code capabilities that you can across the board. There are sort of allow list approach that are based on accepted use cases. So, like, only device code authentication allowed for approved users or operating systems or IP ranges is another great one. And then I think, you know, the second thing that they can do is require compliant or joined devices. So if your organization is using, like, device registration, something like Intune, you can set, again, those conditional access policies requiring sign-ins to originate from these compliant or registered devices. So, yes, these are allowed. It's totally fine. We approve them. Carry on. So this really can sort of restrict the unauthorized access from the device code flow. And I think that that is -- really kind of speaks actually to an overall trend that we're seeing across the board when it comes to things like new techniques that are emerging. Restrict the ability for the threat actor to do the thing in the first place. Like, device code phishing, block device code, like the ability to actually use device codes. ClickFix, which is another sort of emerging and very prominent social engineering attack, restrict the ability for just everyday users to just run PowerShell whenever they want to, you know. So these things that are being hijacked and abused, think of how threat actors are using them and how you can restrict them to the least amount of people that need to actually use them within your organization, and that really helps the attack surface.

Caleb Tolin: Right. Right. And you spoke kind of highly of what this -- the context of these types of campaigns mean for security awareness training, but I want to ask you for kind of some hot takes. So, what are -- given that basically these security awareness training protocols that we've been following for years and years have resulted in threat actors coming up with these new techniques, what does this really say about security awareness training today, and what are two inconvenient truths that we kind of need to come to terms with when it comes to those trainings?

Selena Larson: Inconvenient truths. That's a good question. So, first of all, I'm not an expert in security training. I just want to make that clear. That is a specialized field that I am not a part of. So, just from my own sort of perspective, I guess, working in the industry, I think that -- one, I think, oftentimes security awareness trainings aren't necessarily based off of what's really in the threat landscape. I think that that can be a challenge if you're doing the same stuff kind of over and over again, if you're doing things like using -- I don't know -- gift card fraud, or, you know, something like Taylor Swift tickets, or something that you're not really seeing in the landscape all that often, as, you know, the sort of main takeaways from the security awareness, training programs. I think that that can kind of run into some issues. And then also, too, you know, I think this idea of you can always train people to not click on things, like, there's always a lure for every single possible person. And you just have to kind of assume that even if you're training as much as you possibly can, and you're achieving really high scoring, there is always a possibility that somebody will fall for something because in -- you know, we're all human beings that have a psychological motivation to click on things. And if you're given -- if you're served the right lure, then you can engage with it. And so, I think that that's really important to just know that if you have defense in depth, even if you're, you know, training -- or training people properly, and they're doing great work, and you're achieving success, there's always that opportunity for a threat actor to come up with something very creative and kind of get around that first line of defense. So, if you have defense in depth, if you're basing it off of intelligence and threats that are currently on the landscape, really tracking those emerging technologies and preventing, you know, exploitation as much as you can proactively, that can be very, very beneficial. So, yeah, I guess those are my -- I don't even know if they're hot takes, but those are my takes.

Caleb Tolin: Well, they're very good ones, especially given your caveat there. So I appreciate it. All right. And to kind of close things out, what is the single most important message that you want to leave with every defender who's listening in today?

Selena Larson: I guess that kind of would be one of my main takeaways is, you know, as, like, whenever we see threats emerging on the landscape used by a handful of cybercriminal actors, it's going to explode. We've seen it with ClickFix. We've seen it with -- certainly with device code phishing. We've seen it with a lot of different techniques that are used, you know, compressor executables leading to this, or, you know, abusing Cloudflare infrastructure, or abusing, you know, AI tools. Like, what we see is once they're adopted by a handful of threat actors and they realize that they work, that's when it's going to be a, like, the path to disaster. So if you can stay on top of things, take a very, like, sort of proactive, intelligent approach, following the threat landscape, and making sure that you are implementing defenses before they become very, very popular by using sort of emerging threat data as a sort of guiding star, then you can be very, very effective. Just like this, right? Like, we published on device code phishing when it still wasn't all that popular, you know, back in November or something, and now it's exploded, and it's literally everywhere. So yeah, I think staying on top of the threats can be very, very beneficial.

Caleb Tolin: Wonderful. I absolutely couldn't agree more. Selena, thank you so much for your time today, and until next time.

Selena Larson: Thanks, Caleb.

Caleb Tolin: That's a wrap on today's episode of Data Security Decoded. If you liked what you heard today, please subscribe wherever you listen and leave us a review on either Apple Podcasts or Spotify. Your feedback really helps me understand what you want to hear more about and is one of the best ways to help support the show. If you want to reach out to me about the show, email me directly at data-security-decoded@n2k.com. Thank you to Rubrik for sponsoring this podcast. The team at N2K includes producer Liz Stokes and executive producer Jennifer Eiben. Content strategy by Ma'ayan Plaut. Sound design by Elliott Peltzman. Audio mixing by Elliott Peltzman and Trey Hester. Video production support by Brigitte Criqui Wild and Sarelle Joppy. Until next time, stay resilient. [ Music ]