We Need to Talk About Device Code Phishing
ID: f0d7ef3b-fae8-5f65-9eab-7305178853a6
STIX ID: report--f0d7ef3b-fae8-5f65-9eab-7305178853a6
Feed Name: Huntress Blog
This report documents the growing use of device code phishing—an abuse of OAuth device authorization flows—highlighting campaigns by suspected Russian actor Storm-2372 and widespread abuse via PhaaS kits (EvilTokens, Kali365) that harvested OAuth tokens to bypass MFA and compromise hundreds of organizations; it describes the attack mechanics, observed campaign details, and mitigation recommendations including Conditional Access, monitoring new device registrations, and disabling device code flow where operationally feasible.
Your team is not currently subscribed to this feed. You must subscribe to it in order to see this post.
