Device Code Flow: The Overlooked Phishing Vector (And How to Block It)

Device Code Flow abuse is not a new technique. Security teams have known for some time that this OAuth feature can be leveraged in phishing attacks to obtain tokens without stealing credentials. What is new is how accessible and scalable this attack has become.

In April 2026, the FBI warned about a Phishing-as-a-Service (PhaaS) platform called Kali365, which operationalizes this exact technique. It allows even low-skilled attackers to run campaigns that trick users into entering device codes on legitimate Microsoft login pages — ultimately granting attackers OAuth tokens and acess to Microsoft 365 environments without triggering traditional authentication defenses.

How Device Code Flow Works

Device code flow is an authentication method designed for scenarios where a device has limited input options or lacks a convenient browser interface (such as smart TVs, IoT devices, or command-line tools). Instead of entering credentials directly on the device, the application generates a verification code and displays it.

The user then switches to a secondary device (such as a laptop or smartphone), navigates to https://microsoft.com/devicelogin, and enters the provided code. After successfully authenticating, the identity provider securely links the session and grants the original device access to the requested resource.