Session
Device Code Phishing: The Entra ID Attack Vector Hiding in Plain Sight
The device code authentication flow was designed for input-constrained devices like smart TVs and kiosks — but attackers have quietly turned it into one of the most effective ways to steal valid Microsoft 365 tokens without ever touching a password. Unlike credential phishing, device code attacks bypass MFA entirely, leave minimal log noise, and work against any tenant running default Entra ID settings.
In this session, we'll break down exactly how device code phishing works: from the initial lure email to the moment an attacker walks away with a persistent, legitimate access token scoped to your tenant. You'll see a live walkthrough of the attack chain, understand why Conditional Access policies alone won't save you, and learn what the attack looks like in Entra ID sign-in logs — because knowing what to hunt for is half the battle.
We'll close with a practical hardening checklist covering authentication flow restrictions, Conditional Access controls, continuous access evaluation, and how Microsoft's new token protection features fit into your defense strategy. Whether you're an admin, a security architect, or a defender building detections, you'll leave with specific, actionable controls you can implement the same week.
Jason Monsorno
Director of Engineering
Jacksonville, Florida, United States