title: Business Email Compromise via OAuth Device Code Flow Phishing (THREAT-BEC-OAuthDeviceCode)
id: df00tech-threat-bec-oauthdevicecode
status: experimental
description: "OAuth Device Code Flow phishing is a prevalent Business Email Compromise (BEC) technique actively used by Scattered Spider, Storm-2372, and nation-state actors including Midnight Blizzard. The attacker sends a phishing message containing a Microsoft device code (a short alphanumeric code from https://microsoft.com/devicelogin), social-engineered to appear as an IT helpdesk request, MFA enrollment notification, or remote support session. When the victim enters the code, the attacker receives a valid OAuth access token and refresh token for the victim's Microsoft 365 account — with no password required. The attacker then has full access to email, Teams, SharePoint, OneDrive, and any M365 service the victim is licensed for. Refresh tokens may persist for 90 days, providing long-term access even after password reset. This technique bypasses MFA entirely because the device code flow is a legitimate Microsoft authentication mechanism."
references:
  - https://attack.mitre.org/techniques/THREAT-BEC-OAuthDeviceCode/
  - https://df00tech.com/detections/THREAT-BEC-OAuthDeviceCode
author: df00tech
date: 2026/04/22
tags:
  - attack.threat-bec-oauthdevicecode
# NOTE: logsource and field names follow the Entra ID sign-in log schema (Log Analytics SigninLogs) and may need mapping for your environment
logsource:
  product: azure
  service: signinlogs
detection:
  # A device code redemption is written to the sign-in logs with the authentication protocol set to deviceCode.
  # This matches every such sign-in; see the KQL/SPL query on df00tech for the tuned version with user/location context.
  selection:
    AuthenticationProtocol: 'deviceCode'
  condition: selection
falsepositives:
  - "Legitimate device code sign-in by users registering a new device (smart TV, printer, IoT device) against corporate M365 tenant"
  - IT helpdesk staff using device code flow to assist users in enrolling devices
  - Developers testing OAuth device code flow against M365 APIs in dev/test tenants
  - Users creating legitimate inbox rules to organise their mailbox (exclude forward/delete rules that move to specific business folders)
level: high
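As an added example (not part of the df00tech rule or its KQL/SPL query), the check below applies the same idea over constructed Entra ID sign-in records: it flags each successful device-code sign-in and rates it higher when it comes from a country the same user has never used through an ordinary OAuth2/interactive flow, which is one way to separate the phishing case from the printer/IoT enrolment false positive listed above. Field names follow the Microsoft Graph signIn schema; the sample records and their values are constructed.

```python
import json
from collections import defaultdict

# Constructed sample sign-in events (not real telemetry), shaped like
# Microsoft Graph signIn / Log Analytics SigninLogs records.
SAMPLE_SIGNINS = json.loads("""[
 {"userPrincipalName":"alice@example.com","authenticationProtocol":"oAuth2",
  "ipAddress":"203.0.113.10","location":{"countryOrRegion":"GB"},
  "appDisplayName":"Microsoft Teams","status":{"errorCode":0}},
 {"userPrincipalName":"alice@example.com","authenticationProtocol":"deviceCode",
  "ipAddress":"198.51.100.77","location":{"countryOrRegion":"NG"},
  "appDisplayName":"Microsoft Office","status":{"errorCode":0}},
 {"userPrincipalName":"bob@example.com","authenticationProtocol":"deviceCode",
  "ipAddress":"203.0.113.22","location":{"countryOrRegion":"GB"},
  "appDisplayName":"Microsoft Office","status":{"errorCode":0}},
 {"userPrincipalName":"bob@example.com","authenticationProtocol":"oAuth2",
  "ipAddress":"203.0.113.22","location":{"countryOrRegion":"GB"},
  "appDisplayName":"Outlook","status":{"errorCode":0}},
 {"userPrincipalName":"carol@example.com","authenticationProtocol":"deviceCode",
  "ipAddress":"198.51.100.5","location":{"countryOrRegion":"US"},
  "appDisplayName":"Microsoft Office","status":{"errorCode":70016}}
]""")


def detect_device_code_signins(records):
    """Return one alert per successful device-code sign-in.

    Severity is 'high' when the sign-in came from a country the same user has
    never used in a non-device-code successful sign-in within the supplied
    records, and 'medium' otherwise (the legitimate device-enrolment case)."""
    baseline = defaultdict(set)  # user -> countries seen via ordinary flows
    for r in records:
        if r.get("authenticationProtocol") != "deviceCode" and r["status"]["errorCode"] == 0:
            baseline[r["userPrincipalName"]].add(r["location"]["countryOrRegion"])
    alerts = []
    for r in records:
        if r.get("authenticationProtocol") != "deviceCode" or r["status"]["errorCode"] != 0:
            continue  # a failed redemption issued no token, so it is not a compromise
        user, country = r["userPrincipalName"], r["location"]["countryOrRegion"]
        alerts.append({"user": user, "ip": r["ipAddress"], "country": country,
                       "app": r["appDisplayName"],
                       "severity": "high" if country not in baseline[user] else "medium"})
    return alerts


if __name__ == "__main__":
    for alert in detect_device_code_signins(SAMPLE_SIGNINS):
        print(alert)
```

On the constructed sample this yields two alerts: alice's sign-in from NG is rated high because her only ordinary sign-in was from GB, while bob's GB device-code sign-in is rated medium; carol's failed redemption is skipped.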
