AI-Enabled Device Code Phishing: Detecting Automated OAuth Abuse
On April 6, 2026, the Microsoft Security Blog published an analysis of a campaign that marks a shift in social engineering against cloud identities: away from "MFA bombing" (push fatigue attacks) and toward targeted, AI-driven device code phishing. The campaign combines Large Language Models (LLMs) with end-to-end automation to request live device codes on demand and deliver them inside convincing lures, scaling account compromise while keeping a low profile.
For defenders this is a blind spot. The attack abuses a legitimate OAuth 2.0 grant type, the Device Authorization Grant (RFC 8628), designed for input-constrained devices such as smart TVs and IoT terminals. The lure carries no malicious link or attachment: the victim types a short code into the genuine Microsoft login page, so phishing filters and secure email gateways have little to block. Once the victim signs in and completes MFA, the identity platform issues access, refresh and ID tokens to the attacker's client. MFA is not broken; it is satisfied by the victim on the attacker's behalf, and the refresh token lets the attacker keep minting access tokens for as long as it remains valid, with no further interaction from the victim.
Technical Analysis
The Vulnerability (Technique): OAuth 2.0 Device Authorization Grant Abuse
This campaign does not exploit a software vulnerability (CVE) but rather abuses a trusted protocol. The attack proceeds in four phases:
- Initiation: The threat actor's automated infrastructure requests a device code from the Microsoft identity platform (POST to the /oauth2/v2.0/devicecode endpoint on login.microsoftonline.com). The response contains a short user code (e.g., D4Q8X), the verification URL (https://microsoft.com/devicelogin), a longer device code that only the requesting client ever sees, and an expiry (15 minutes by default) after which the code is useless.
- AI Social Engineering: An AI-driven bot opens a conversation with the target (often via Teams or email). Unlike generic templates, the AI generates context-aware lures (e.g., "To verify your identity for the urgent document shared by Legal, please enter this code..."). Because the code expires quickly, the lure is generated and delivered while the code is live.
- User Interaction: The victim opens the legitimate URL, enters the code and signs in, completing MFA if the tenant requires it. From the victim's perspective this is an ordinary, successful Microsoft login.
- Token Polling: The attacker's script polls the token endpoint with the device code (grant type urn:ietf:params:oauth:grant-type:device_code) at the interval the platform advertised, receiving authorization_pending until the victim signs in. It then receives an access token, a refresh token and an ID token, issued to the attacker's client on the victim's behalf.
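To make the four phases concrete, here is an offline mock of the grant in Python. It is an added example, not code from the Microsoft report or from the campaign: MockAuthServer stands in for the identity platform, run_scenario() plays the attacker's polling script, and user_login() is the victim's browser step. The client ID, victim UPN, verification URI, 900-second code lifetime and 5-second polling interval are assumptions that follow RFC 8628 defaults. It shows the three outcomes a defender should recognise in telemetry: tokens issued to a client the victim never touched, a code that expires unused, and a victim who does not complete MFA.

```python
"""Offline mock of the OAuth 2.0 Device Authorization Grant (RFC 8628) that this campaign abuses.
MockAuthServer plays the identity provider, run_scenario() plays the attacker's polling script and
user_login() is the victim's browser step; nothing touches the network. The client ID, victim UPN,
verification URI, 900 s code lifetime and 5 s interval are assumptions mirroring RFC 8628 defaults."""
import secrets

USER_CODE_ALPHABET = "BCDFGHJKLMNPQRSTVWXZ"   # RFC 8628 6.1: short code from an unambiguous alphabet
VICTIM = "alice@contoso.example"              # assumed victim identity


class MockAuthServer:
    VERIFICATION_URI = "https://login.example.test/devicelogin"   # stands in for microsoft.com/devicelogin

    def __init__(self, now, expires_in=900, interval=5):
        self.now, self.expires_in, self.interval = now, expires_in, interval   # now: callable clock
        self.grants = {}         # device_code -> grant state
        self.by_user_code = {}   # user_code -> device_code

    def device_authorization(self, client_id, scope):
        """POST /devicecode: returns the short user code plus the secret device code."""
        device_code = secrets.token_urlsafe(32)
        user_code = "".join(secrets.choice(USER_CODE_ALPHABET) for _ in range(9))
        self.grants[device_code] = {"client_id": client_id, "scope": scope, "user_code": user_code,
                                    "issued_at": self.now(), "last_poll": None, "approved_by": None,
                                    "denied": False}
        self.by_user_code[user_code] = device_code
        return {"device_code": device_code, "user_code": user_code, "verification_uri": self.VERIFICATION_URI,
                "expires_in": self.expires_in, "interval": self.interval}

    def user_login(self, user_code, upn, mfa_satisfied):
        """The victim's browser step: enter the code, authenticate, satisfy MFA."""
        device_code = self.by_user_code.get(user_code)
        if device_code is None:
            return "invalid_code"
        grant = self.grants[device_code]
        if self.now() - grant["issued_at"] > self.expires_in:
            return "expired"
        if not mfa_satisfied:
            grant["denied"] = True
            return "denied"
        grant["approved_by"] = upn   # MFA is satisfied by the victim, never by the polling client
        return "approved"

    def token(self, client_id, device_code):
        """POST /token with grant_type=urn:ietf:params:oauth:grant-type:device_code."""
        grant, now = self.grants.get(device_code), self.now()
        if grant is None or grant["client_id"] != client_id:
            return {"error": "invalid_grant"}
        if now - grant["issued_at"] > self.expires_in:
            return {"error": "expired_token"}
        too_fast = grant["last_poll"] is not None and now - grant["last_poll"] < self.interval
        grant["last_poll"] = now
        if too_fast:
            return {"error": "slow_down"}
        if grant["denied"]:
            return {"error": "access_denied"}
        if grant["approved_by"] is None:
            return {"error": "authorization_pending"}
        del self.grants[device_code], self.by_user_code[grant["user_code"]]   # codes are one-shot
        # Tokens go to the polling client on the victim's behalf. "sub" is shown inline here;
        # a real response carries it inside the signed id_token.
        return {"token_type": "Bearer", "scope": grant["scope"], "sub": grant["approved_by"],
                "access_token": secrets.token_urlsafe(24), "refresh_token": secrets.token_urlsafe(24),
                "id_token": secrets.token_urlsafe(24)}


def run_scenario(victim_delay, mfa_satisfied=True):
    """Attacker side: request a code, deliver it through the lure, poll until a final answer.
    The victim enters the code victim_delay seconds after it was issued (simulated clock)."""
    clock = {"t": 1_700_000_000.0}                     # advanced instead of sleeping
    server = MockAuthServer(lambda: clock["t"])
    client_id = "attacker-client"                      # placeholder, not a real client ID
    grant = server.device_authorization(client_id, "openid offline_access Mail.Read")
    interval, start, victim_acted = grant["interval"], clock["t"], False
    for _ in range(400):
        if not victim_acted and clock["t"] - start >= victim_delay:
            server.user_login(grant["user_code"], VICTIM, mfa_satisfied)   # the lure worked
            victim_acted = True
        resp = server.token(client_id, grant["device_code"])
        if resp.get("error") == "slow_down":
            interval += 5                              # RFC 8628 3.5: back off by 5 s
        elif resp.get("error") != "authorization_pending":
            return resp                                # tokens, or a terminal error
        clock["t"] += interval                         # sleep(interval) on the real wire
    return {"error": "timeout"}


def poll_too_fast():
    """Two back-to-back polls at the same instant: the second violates the advertised interval."""
    server = MockAuthServer(lambda: 0.0)
    grant = server.device_authorization("attacker-client", "openid")
    return [server.token("attacker-client", grant["device_code"])["error"] for _ in range(2)]


if __name__ == "__main__":
    print(run_scenario(victim_delay=120))                       # tokens issued to the attacker's client
    print(run_scenario(victim_delay=1200))                      # {'error': 'expired_token'}
    print(run_scenario(victim_delay=60, mfa_satisfied=False))   # {'error': 'access_denied'}
```

Run it directly to print the three scenarios. The expiry case explains why the campaign generates lures on demand rather than in bulk: a code sent ahead of time is dead within 15 minutes, so the bot must hold the victim's attention while the code is live.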
Exploitation Status: Confirmed Active Exploitation.
There is no CVE to patch. The technique is in active use, and its appeal is that the controls it defeats are built around the attacker's own sign-in: MFA is satisfied by the victim, and Conditional Access is evaluated in the session where the victim enters the code, so conditions such as device compliance or hybrid join are met by the victim's device rather than the attacker's machine. The resulting tokens are delivered to wherever the attacker's script is polling from.
Detection & Response
This threat requires a defense-in-depth approach focused on identity telemetry and protocol anomalies.
SIGMA Rules
The following Sigma rules cover the two places this technique is observable: Entra ID sign-in logs, where the grant is recorded as authentication protocol deviceCode, and Windows network telemetry on hosts where attacker tooling or a compromised workstation performs the polling.
---
title: Sign-In Completed via OAuth 2.0 Device Code Flow
id: 1a2b3c4d-5e6f-7890-abcd-ef1234567890
status: experimental
description: Detects successful Microsoft Entra ID sign-ins completed through the device authorization grant (authentication protocol "deviceCode"). The grant is rarely used by interactive users and is the one abused by device code phishing to obtain tokens after the victim has satisfied MFA.
references:
    - https://www.microsoft.com/en-us/security/blog/2026/04/06/ai-enabled-device-code-phishing-campaign-april-2026/
    - https://attack.mitre.org/techniques/T1528/
author: Security Arsenal
date: 2026-04-06
tags:
    - attack.initial_access
    - attack.t1566
    - attack.credential_access
    - attack.t1528
logsource:
    product: azure
    service: signinlogs
detection:
    selection:
        AuthenticationProtocol: 'deviceCode'
        ResultType: 0
    condition: selection
falsepositives:
    - Administrators and automation that deliberately sign in with device code (Azure CLI, Azure PowerShell, Microsoft Graph PowerShell with -UseDeviceCode). Allowlist by AppId and account rather than by AppDisplayName: phishing kits request codes for first-party clients such as Microsoft Authentication Broker and Microsoft Office, so excluding those names would hide the attack.
    - Input-constrained devices such as meeting room hardware or smart TVs
level: medium
title: Device Code Polling From Scripting Interpreter
id: 2b3c4d5e-6f78-9012-bcde-f12345678901
status: experimental
description: Detects scripting interpreters opening connections to the Microsoft identity platform, consistent with tooling that requests device codes and polls the token endpoint. Network connection events carry no user agent, so this is a process-based heuristic and will not see polling performed from attacker-owned infrastructure.
references:
    - https://www.microsoft.com/en-us/security/blog/2026/04/06/ai-enabled-device-code-phishing-campaign-april-2026/
author: Security Arsenal
date: 2026-04-06
tags:
    - attack.credential_access
    - attack.t1528
logsource:
    category: network_connection
    product: windows
detection:
    selection:
        DestinationHostname|contains: 'login.microsoftonline.com'
        DestinationPort: 443
        Initiated: 'true'
        Image|endswith:
            - '\powershell.exe'
            - '\pwsh.exe'
            - '\python.exe'
            - '\python3.exe'
            - '\node.exe'
            - '\curl.exe'
            - '\cscript.exe'
            - '\wscript.exe'
    condition: selection
falsepositives:
    - Administrators signing in with Connect-MgGraph -UseDeviceCode, az login --use-device-code (Azure CLI runs as python.exe) or similar tooling
    - Build agents and automation that authenticate with MSAL from scripts
level: medium
KQL (Microsoft Sentinel)
Hunt for successful sign-ins completed through the device code flow. In Microsoft Sentinel the grant is recorded in SigninLogs as AuthenticationProtocol "deviceCode", rather than as an authentication method in AuthenticationDetails. Review the AppId and ResourceDisplayName pairing (first-party clients such as Microsoft Authentication Broker requesting Microsoft Graph or Exchange Online are typical of phishing kits) and compare IPAddress and UserAgent against the user's usual sign-ins rather than against expected IoT usage.
SigninLogs
| where TimeGenerated > ago(30d)
| where AuthenticationProtocol == "deviceCode"
| where ResultType == "0"    // successful sign-ins only: these are the ones that produced tokens
| extend Country = tostring(LocationDetails.countryOrRegion), City = tostring(LocationDetails.city)
| project TimeGenerated, UserPrincipalName, AppId, AppDisplayName, ResourceDisplayName,
          IPAddress, Country, City, UserAgent, RiskLevelDuringSignIn, ConditionalAccessStatus
| sort by TimeGenerated desc
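The following Python implements the same hunt offline and adds the per-user baseline comparison that the KQL leaves to the analyst. It is an added example, not code from the Microsoft report: the records are constructed and follow the shape of the Microsoft Graph signIn resource (authenticationProtocol, appId, ipAddress, location, status), using TEST-NET addresses. The two GUIDs in FIRST_PARTY_TARGETS and the Azure CLI GUID in the sample are well-known Microsoft client IDs; every other value is invented. Each successful device code sign-in is reported, and it is escalated when it is the user's first use of the grant, when the country is absent from the user's ordinary sign-ins, or when the client is a first-party app that phishing kits favour. Failed attempts are skipped because they produced no tokens, and device code sign-ins are never allowed to feed the baseline.

```python
"""Device code sign-in detection run offline over constructed Entra-style sign-in records.
Added example for this page, not code from the Microsoft report. Records follow the shape of the
Microsoft Graph signIn resource; the Microsoft client GUIDs are well-known, all other values invented."""
import json
from datetime import datetime

# Well-known Microsoft first-party public clients that device code phishing kits request codes for:
# they are pre-consented for Graph and Exchange, so their display names make a poor allowlist.
FIRST_PARTY_TARGETS = {
    "29d9ed98-a469-4536-ade2-f981bc1d605e": "Microsoft Authentication Broker",
    "d3590ed6-52b3-4102-aeff-aad2292ab01c": "Microsoft Office",
}
AZURE_CLI = "04b07795-8ddb-461a-bbee-02f9e1bf7b46"          # well-known, legitimately uses device code
PLACEHOLDER_APP = "00000000-0000-0000-0000-00000000beef"    # invented: stands in for a browser app


def _rec(ts, upn, proto, app_id, app, ip, country, error_code=0):
    """Build one constructed record in Graph signIn shape."""
    return {"createdDateTime": ts, "userPrincipalName": upn, "authenticationProtocol": proto,
            "appId": app_id, "appDisplayName": app, "resourceDisplayName": "Microsoft Graph",
            "ipAddress": ip, "location": {"countryOrRegion": country}, "status": {"errorCode": error_code}}


# Constructed JSON-lines sample (TEST-NET addresses). alice signs in normally from one country and
# then completes a device code sign-in for a first-party client from another; bob is an admin who
# uses device code routinely; carol's device code attempt failed and produced no tokens.
SAMPLE_LOGS = "\n".join(json.dumps(r) for r in [
    _rec("2026-04-01T08:02:11Z", "alice@contoso.example", "oAuth2", PLACEHOLDER_APP, "OfficeHome", "203.0.113.10", "US"),
    _rec("2026-04-01T10:00:00Z", "bob@contoso.example", "deviceCode", AZURE_CLI, "Microsoft Azure CLI", "203.0.113.20", "US"),
    _rec("2026-04-02T09:15:40Z", "alice@contoso.example", "oAuth2", PLACEHOLDER_APP, "OfficeHome", "203.0.113.10", "US"),
    _rec("2026-04-03T10:05:00Z", "bob@contoso.example", "deviceCode", AZURE_CLI, "Microsoft Azure CLI", "203.0.113.20", "US"),
    _rec("2026-04-06T13:47:03Z", "alice@contoso.example", "deviceCode", "29d9ed98-a469-4536-ade2-f981bc1d605e",
         "Microsoft Authentication Broker", "198.51.100.7", "NL"),
    _rec("2026-04-06T14:00:00Z", "carol@contoso.example", "deviceCode", "d3590ed6-52b3-4102-aeff-aad2292ab01c",
         "Microsoft Office", "198.51.100.9", "DE", error_code=50126),
])


def parse_records(text):
    """JSON lines -> records sorted by time, so the baseline only uses events that happened earlier."""
    records = [json.loads(line) for line in text.splitlines() if line.strip()]
    return sorted(records, key=lambda r: datetime.fromisoformat(r["createdDateTime"].replace("Z", "+00:00")))


def detect_device_code_abuse(records):
    """Report every successful device code sign-in, scored against the user's own history."""
    state = {}       # upn -> {"countries": countries seen in ordinary sign-ins, "seen": used device code before}
    findings = []
    for r in records:
        if r["status"]["errorCode"] != 0:
            continue     # failed attempts produced no tokens and must not shape the baseline
        upn, country = r["userPrincipalName"], r.get("location", {}).get("countryOrRegion")
        s = state.setdefault(upn, {"countries": set(), "seen": False})
        if r["authenticationProtocol"] != "deviceCode":
            if country:
                s["countries"].add(country)   # ordinary sign-ins define where the user normally is
            continue
        reasons = []
        if not s["seen"]:
            reasons.append("first_device_code_sign_in_for_user")
        if s["countries"] and country not in s["countries"]:
            reasons.append("country_not_in_baseline")
        if r["appId"] in FIRST_PARTY_TARGETS:
            reasons.append("first_party_client_favoured_by_phishing_kits")
        s["seen"] = True      # the device code event itself never extends the country baseline
        findings.append({"time": r["createdDateTime"], "user": upn, "appId": r["appId"],
                         "app": r["appDisplayName"], "ip": r["ipAddress"], "country": country,
                         "reasons": reasons,
                         "severity": "high" if len(reasons) >= 2 else "medium" if reasons else "low"})
    return findings


def run_detection(text=SAMPLE_LOGS):
    return detect_device_code_abuse(parse_records(text))


if __name__ == "__main__":
    for finding in run_detection():
        print(json.dumps(finding))
```

On the sample this yields three findings: bob's first Azure CLI device code sign-in at medium, his repeat at low, and alice's Authentication Broker sign-in from a new country at high. Swap SAMPLE_LOGS for an export of SigninLogs or the Graph signIns collection to run it on real data.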
Velociraptor VQL
Use this query to hunt for scripting interpreters holding TLS connections, the footprint of PowerShell or Python automation polling the token endpoint on a monitored host. netstat() returns IP addresses rather than hostnames, so the Microsoft endpoint is not matched by name; the command line is checked for device code arguments instead, and the remote IP is left for the analyst to compare against Microsoft's login IP ranges. The built-in Windows.Network.NetstatEnriched artifact produces the same process-to-connection join if you prefer to filter its output.
-- Hunt for scripting interpreters with outbound TLS connections: device code polling tooling is
-- typically PowerShell, Python, Node or curl rather than a browser or Office binary.
LET Interpreters = '(?i)^(powershell|pwsh|python[0-9.]*|node|curl|cmd|cscript|wscript)[.]exe$'
LET DeviceCodeHints = '(?i)(devicecode|device_code|UseDeviceCode|use-device-code|DeviceCodeCredential)'

SELECT Pid, Name, Exe, CommandLine, Username,
       Raddr.IP AS RemoteIP, Raddr.Port AS RemotePort, Status,
       CommandLine =~ DeviceCodeHints AS DeviceCodeArgs
FROM foreach(
    row={
        SELECT Pid, Name, Exe, CommandLine, Username
        FROM pslist()
        WHERE Name =~ Interpreters
    },
    query={
        -- netstat() reports IPs, not hostnames, so the login endpoint cannot be matched by name here
        SELECT Pid, row.Name AS Name, row.Exe AS Exe, row.CommandLine AS CommandLine,
               row.Username AS Username, Raddr, Status
        FROM netstat()
        WHERE Pid = row.Pid AND Raddr.Port = 443
    })
Remediation Script (PowerShell)
This script audits recent device code sign-ins with the Microsoft Graph PowerShell SDK and prints the Conditional Access steps that block the grant.
# Audit device code sign-ins (requires the Microsoft Graph PowerShell SDK)
# Connect-MgGraph -Scopes "AuditLog.Read.All", "Directory.Read.All"
Write-Host "Checking for recent device code sign-ins..." -ForegroundColor Cyan

# Graph expects an ISO 8601 UTC timestamp in the filter, not a locale-formatted date
$Since = (Get-Date).ToUniversalTime().AddDays(-7).ToString("yyyy-MM-ddTHH:mm:ssZ")

# Device code sign-ins are identified by authenticationProtocol = 'deviceCode' on the signIn resource.
# If the v1.0 endpoint rejects this filter in your tenant, use the beta cmdlet
# (Get-MgBetaAuditLogSignIn from Microsoft.Graph.Beta.Reports) with the same filter.
$DeviceCodeSignins = Get-MgAuditLogSignIn -Filter "authenticationProtocol eq 'deviceCode' and createdDateTime ge $Since" -All

if ($DeviceCodeSignins) {
    Write-Host "[!] Found $($DeviceCodeSignins.Count) device code sign-ins since $Since." -ForegroundColor Red
    $DeviceCodeSignins |
        Select-Object CreatedDateTime, UserPrincipalName, AppId, AppDisplayName, ResourceDisplayName,
                      @{N='IPAddress';E={$_.IpAddress}},
                      @{N='Country';E={$_.Location.CountryOrRegion}},
                      @{N='ErrorCode';E={$_.Status.ErrorCode}},
                      AuthenticationRequirement, ConditionalAccessStatus |
        Export-Csv -Path ".\DeviceCodeFlow_Audit.csv" -NoTypeInformation
    Write-Host "Results exported to .\DeviceCodeFlow_Audit.csv" -ForegroundColor Yellow
} else {
    Write-Host "[+] No device code sign-ins detected since $Since." -ForegroundColor Green
}

# Remediation guidance: block the device code flow with Conditional Access
Write-Host "`nREMEDIATION STEP: create a Conditional Access policy in Entra ID:" -ForegroundColor Yellow
Write-Host "1. Assignments: all users; exclude break-glass accounts and any group that legitimately needs device code sign-in." -ForegroundColor White
Write-Host "2. Target resources: all resources (cloud apps)." -ForegroundColor White
Write-Host "3. Conditions > Authentication flows > Transfer methods: select 'Device code flow'." -ForegroundColor White
Write-Host "4. Grant: Block access. Deploy in report-only mode first and review the CSV above for legitimate use." -ForegroundColor White
Remediation
- Conditional Access policy (primary defense): Create a Conditional Access policy in Microsoft Entra ID that blocks the device code flow itself.
  - Assignments: All users, excluding break-glass accounts and any group with a documented need for device code sign-in (for example, shared meeting room devices or automation accounts).
  - Target resources: All resources (cloud apps).
  - Conditions: Authentication flows > Transfer methods > select "Device code flow". This condition targets the grant directly; there is no device filter for it.
  - Access controls: Block access. Deploy in report-only mode first and review sign-in logs for AuthenticationProtocol "deviceCode" to find legitimate users before enforcing.
- Client app type is not a control here: A device code client is recorded as "Mobile apps and desktop clients", not as "Other clients" (which covers legacy authentication), so restricting client app types does not block this grant.
- User awareness: Update security awareness training to warn explicitly against entering codes supplied by chat bots, support agents or unsolicited messages, even when the page is the genuine microsoft.com/devicelogin.
- Related advisory: Microsoft Security Blog - Inside an AI-enabled device code social engineering campaign