The Dangerous Rise of Device Code Phishing in Financial Services

Contributors: Veena Sagar, Niranjan Jayanand, Jithin Raghav

Executive Summary

CyberProof Managed Detection and Response (MDR) analysts and threat hunters continue to observe a significant surge in attacks targeting the Banking, Financial Services, and Insurance (BFSI) sector. Threat actors are increasingly leveraging highly specialized Phishing-as-a-Service (PhaaS) toolkits to execute advanced Device Code Phishing operations. This trend follows a broader evolution in cybercrime; in March 2026, CyberProof researchers highlighted the Tycoon PhaaS platform, which stole session cookies to bypass standard two-factor authentication (2FA) protections. More recently, on May 21, 2026, the FBI issued an advisory regarding an emerging PhaaS framework named Kali365, which was first detected in April 2026.

Recent threat investigations reveal that attackers are heavily abusing Cloudflare Workers infrastructure hosted on workers[.]dev subdomains. In several documented instances, attackers successfully deployed a Cloudflare CAPTCHA challenge before presenting the victim with malicious phishing pages. This tactic serves as a sophisticated anti-analysis mechanism: because automated email scanners, security gateways, and sandbox environments frequently fail to complete interactive CAPTCHA verifications, security tools are blocked from auditing the destination payload, allowing the phishing content to successfully reach end-users.

Understanding Device Code Phishing and PhaaS Mechanics

Device code phishing is a highly deceptive social engineering technique that abuses Microsoft’s legitimate device authentication workflow—originally engineered to simplify logins on constrained-input devices like smart TVs or command-line interfaces (CLIs)—to gain unauthorized access to target enterprise environments.

The tactical flow of the attack typically proceeds as follows:

  1. The Initial Lure: The threat actor delivers a highly professional phishing email engineered to masquerade as an urgent notification from a trusted cloud infrastructure or document-sharing service. Rather than embedding a standard fraudulent login link to harvest passwords, the email explicitly instructs the target to visit an official, legitimate Microsoft verification page and input a specific alphanumeric device code provided in the text.
  2. User Authorization: Because the verification URL leads to an authentic, valid Microsoft web domain, the warning signs taught in corporate security awareness training are absent, and the victim typically sees nothing suspicious. Upon entering the supplied code, the victim inadvertently authorizes the attacker’s remote machine to access their corporate Microsoft 365 account.
  3. Token Capture: The moment the user completes authorization on the authentic page, the underlying PhaaS infrastructure intercepts the newly generated OAuth access and refresh tokens. These tokens permit immediate authentication to Microsoft 365 resources without the threat actor ever requiring the user’s password.
  4. Persistent Access: Equipped with valid, authenticated tokens, the attacker establishes immediate entry to core business tools including Outlook, Microsoft Teams, and OneDrive. Because the token is already fully validated, it bypasses subsequent interactive multi-factor authentication (MFA) challenges. Attackers retain continuous access until the active session tokens expire or are formally revoked by an administrator.

Recent Investigations from the CyberProof Security Operations Center

To demonstrate the impact of this technique, CyberProof’s threat response teams have highlighted three real-world security investigations executed on behalf of our enterprise clients.

CASE STUDY 1: LATERAL MOVEMENT & PERSISTENCE HIJACKING

The incident initiated when a VIP corporate user was targeted with an incredibly precise phishing lure that bypassed automated perimeter scanning. The executive interacted with the content, fulfilling the device code prompt and unknowingly supplying the authorization requirements the adversary needed to compromise the session.

Within minutes of token interception, the compromised mailbox was weaponized by the adversary to execute an aggressive internal campaign, distributing hundreds of targeted phishing emails to internal staff, key supply-chain vendors, and strategic external partners. This rapid horizontal spread scaled a single-user incident into an existential organizational threat.

As CyberProof MDR analysts investigated, they uncovered signs of a secondary account compromise. To conceal their presence, the threat actors modified active inbox rules to automatically mark all incoming security alerts and administrative messages as read and route them straight to the Deleted Items folder. Furthermore, analysts confirmed that the attackers successfully registered an unauthorized device directly into the organization’s tenant. This was a calculated move to establish long-term persistence, ensuring continued access to data even if the primary compromised web sessions were subsequently terminated.

The CyberProof SOC team moved swiftly to execute containment protocols, disrupting the adversary’s network access, purging the malicious inbox rules, removing the rogue tenant device, and fully validating the security posture of the customer environment.

CASE STUDY 2: EXPLOITING SHAREPOINT AND ONENOTE FOR MULTI-STAGE REDIRECTION

In another complex investigation, threat actors engineered a multi-stage device code phishing attack by exploiting legitimate organizational SharePoint spaces. The attacker compromised an internal SharePoint repository and hosted a document that automatically redirected users to an embedded OneNote page.

The malicious OneNote canvas presented a professional interface designed to resemble a standard legal framework, featuring an urgent link titled “REVIEW FINAL DOCUMENT >>> HERE”.

Figure 1: OneNote file with malicious redirector URL

Once clicked, this link initiated the malicious redirection sequence, routing the user through a workers[.]dev subdomain hosted on Cloudflare Workers infrastructure. Before exposing the actual landing page, the infrastructure presented a Cloudflare CAPTCHA verification to filter out automated security sandboxes.

Figure 2: workers[.]dev subdomain used to serve the CAPTCHA challenge

Once the user passed the verification, they were brought to a deceptive page with step-by-step instructions to copy an authentication code and paste it into Microsoft’s authentic device authentication page, completing the token theft without any further interaction from the attacker.

Figure 3: Device code phishing page seen in this attack

CASE STUDY 3: PROACTIVE DETECTION AND EARLY-STAGE ALERTING

Proactive monitoring proved highly effective in a third investigation, where CyberProof analysts intercepted an unfolding device code attack at its earliest phase. The detection triggered immediately after an employee interacted with a fraudulent email and was redirected to a malicious spoofed portal engineered to mimic a secure DocuSign document validation portal.

Though the user had already entered the alphanumeric code and the threat actor had successfully captured initial session tokens, the CyberProof SOC team raised an emergency critical escalation to the customer within 15 minutes of initial detection. This allowed immediate execution of automated and human-led containment actions. Analysts revoked all active enterprise sessions for the targeted user, blocked the malicious domains across the corporate network perimeter, and enforced a mandatory password reset. This rapid response neutralized the threat actor before they could deploy persistence mechanisms or move laterally within the organization.

Figure 4: The phishing page presented step-by-step instructions that guided the victim through the device code submission process.

Evaluating Technical Impact and Distinct Risks

Device code phishing introduces a distinct set of operational risks that separate it from standard credential harvesting campaigns. Under default configurations, an intercepted session remains fully valid, granting attackers an unchecked window of 15 minutes or more in which to escalate access permissions, update authentication profiles, register rogue devices within the tenant, and manipulate mailbox routing rules.

Crucially, device code flows were designed natively to service non-interactive authentication pathways, such as command-line interface (CLI) tools, developer operations, and input-constrained hardware. They were never intended to manage standard interactive user logins for common productivity applications like Outlook, Microsoft Teams, or broad Microsoft Entra ID (formerly Azure AD) resource management. When threat actors successfully manipulate a regular corporate user into employing a CLI-optimized authentication workflow, they effectively circumvent standard application-layer security perimeters.

Recommendations & Mitigation Strategies

In alignment with standard FBI threat advisories and enterprise infrastructure protection frameworks, CyberProof strongly recommends implementing the following rigorous mitigation controls to restrict or completely eliminate device code exploitation vectors:

  • Enforce Conditional Access Policies: Design and enforce a strict Conditional Access Policy within Microsoft Entra ID to comprehensively block device code flow authentication across all global user directories, allowing explicit exemptions only for strictly validated business workflows.
  • Execute Infrastructure Audits: Prior to deploying restrictive Conditional Access boundaries, execute comprehensive log analysis across enterprise environments to isolate, identify, and map any legitimate development or administrative operations dependent on device code flows.
  • Block Authentication Transfer Policies: Implement configuration definitions to actively prevent users from transferring authenticated sessions across disparate computing environments, specifically blocking session migration from standard desktop environments to unmanaged mobile devices.
  • Preserve Break-Glass Accounts: If broad restriction protocols are enacted, ensure emergency break-glass administrative accounts are carefully excluded from the restriction policies to prevent organizational lockout scenarios during broader service outages.
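As an added example that is not code from the original post or from CyberProof, the Python script below performs the infrastructure audit step above over constructed Entra ID sign-in records and also flags the kind of device code sign-in produced by the attack flow described earlier: it inventories who uses the flow and rates non-allowlisted uses by whether the source IP matches the user’s interactive sign-ins. The SAMPLE_SIGNINS records, the ALLOWED_DEVICE_CODE allowlist and the example.com identities are all assumptions made for the example.

```python
from collections import defaultdict

# Constructed sample records shaped like Entra ID sign-in log entries. Field names
# mirror the SigninLogs schema; every value here is made up for this example.
SAMPLE_SIGNINS = [
    {"createdDateTime": "2026-05-20T08:55:00Z", "userPrincipalName": "cfo@example.com",
     "appDisplayName": "Microsoft Office", "authenticationProtocol": "oAuth2", "ipAddress": "10.0.0.5"},
    {"createdDateTime": "2026-05-20T09:01:12Z", "userPrincipalName": "dev.bot@example.com",
     "appDisplayName": "Azure CLI", "authenticationProtocol": "deviceCode", "ipAddress": "203.0.113.10"},
    {"createdDateTime": "2026-05-20T10:14:03Z", "userPrincipalName": "cfo@example.com",
     "appDisplayName": "Microsoft Office", "authenticationProtocol": "deviceCode", "ipAddress": "198.51.100.77"},
]

# Assumed result of the infrastructure audit: (user, app) pairs with a validated
# business need for device code flow; anything else is an exception candidate.
ALLOWED_DEVICE_CODE = {("dev.bot@example.com", "Azure CLI")}


def audit_device_code(records, allowed=ALLOWED_DEVICE_CODE):
    """Return (inventory, findings).
    inventory counts device code sign-ins per (user, app): the map the audit step
    needs before a blocking Conditional Access policy goes live. findings lists
    device code sign-ins outside the allowlist, rated "high" when the source IP
    never appears in the user's interactive sign-ins (in device code flow the
    logged IP is the client that started the flow and polls for the token).
    """
    interactive_ips = defaultdict(set)
    for r in records:
        if r.get("authenticationProtocol") != "deviceCode":
            interactive_ips[r["userPrincipalName"]].add(r["ipAddress"])
    inventory, findings = defaultdict(int), []
    for r in records:
        if r.get("authenticationProtocol") != "deviceCode":
            continue
        key = (r["userPrincipalName"], r["appDisplayName"])
        inventory[key] += 1
        if key in allowed:
            continue  # known, validated use of the flow
        unusual_ip = r["ipAddress"] not in interactive_ips[key[0]]
        findings.append({"time": r["createdDateTime"], "user": key[0], "app": key[1],
                         "ip": r["ipAddress"], "severity": "high" if unusual_ip else "medium"})
    return dict(inventory), findings


if __name__ == "__main__":
    inv, hits = audit_device_code(SAMPLE_SIGNINS)
    for (user, app), n in sorted(inv.items()):
        print(f"inventory: {user} via {app}: {n} device code sign-in(s)")
    for f in hits:
        print(f"{f['severity'].upper()}: {f['user']} used device code with {f['app']} from {f['ip']}")
```

Feed it the exported sign-in log instead of SAMPLE_SIGNINS to build the exception list for the Conditional Access policy and to surface device code sign-ins from productivity apps that should never use the flow.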

Conclusion

The rapid escalation of device code phishing underscores a critical truth in modern enterprise security: traditional perimeter defenses and basic multi-factor authentication are no longer sufficient when adversaries exploit legitimate authentication protocols. By weaponizing trusted Microsoft workflows and using Cloudflare infrastructure to evade automated sandbox detection, threat actors can seamlessly hijack access and establish deep corporate persistence within minutes. To safeguard sensitive data and preserve organizational integrity, security leaders must transition from a reactive stance to proactive, policy-driven defense.

Organizations should immediately audit their Entra ID environments, enforce strict Conditional Access policies to restrict device code pathways, and partner with a vigilant Managed Detection and Response provider. Do not wait for a compromised session to signal a breach—review your authentication policies today and secure your identity infrastructure against advanced PhaaS threats.