Attackers Deploy Device‑Code Phishing to Bypass 2FA Across SaaS Platforms
What Happened – Threat actors have begun leveraging “device code” authentication flows to trick users into authorizing malicious logins, effectively sidestepping traditional two‑factor authentication (2FA). By sending phishing emails that mimic legitimate new‑device registration prompts, they obtain valid access tokens without needing the second factor.
Why It Matters for TPRM –
- Device‑code phishing can compromise any third‑party SaaS service that supports OAuth/OIDC device flows, expanding the attack surface beyond password‑only attacks.
- Successful exploits give attackers persistent access to vendor environments, jeopardizing data confidentiality and integrity for downstream customers.
- Traditional 2FA controls may give a false sense of security if the underlying authentication flow is socially engineered.
Who Is Affected – SaaS providers, cloud‑based IAM platforms, and their enterprise customers (technology, finance, healthcare, etc.) that rely on device‑code login mechanisms.
Recommended Actions –
- Review all third‑party contracts for the presence of device‑code or similar OAuth flows and demand documented mitigations.
- Enforce user education on phishing, specifically highlighting “new device” registration emails.
- Deploy anti‑phishing gateways and MFA solutions that flag or block device‑code authentication attempts from untrusted devices.
- Review token‑audit logs regularly to detect anomalous device registrations.
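One way to act on the last recommendation, as an added example that is not from the article or any vendor: a Python script that scans sign-in records shaped like Entra ID sign-in log entries (the field `authenticationProtocol` with value `deviceCode` is how those logs mark this flow) and flags successful device-code sign-ins that are a user's first or come from outside trusted networks. The sample records, user names and the trusted-network list are constructed for the example.

```python
import ipaddress
import json

# Constructed sample sign-in records (JSON lines), shaped like Entra ID sign-in
# log entries. IPs are documentation ranges (RFC 5737); nothing here is real.
SAMPLE_SIGNINS = """\
{"createdDateTime":"2024-05-01T08:00:00Z","userPrincipalName":"alice@example.com","ipAddress":"203.0.113.10","authenticationProtocol":"oAuth2","status":{"errorCode":0}}
{"createdDateTime":"2024-05-01T08:05:00Z","userPrincipalName":"bob@example.com","ipAddress":"203.0.113.22","authenticationProtocol":"deviceCode","status":{"errorCode":0}}
{"createdDateTime":"2024-05-01T09:12:00Z","userPrincipalName":"alice@example.com","ipAddress":"198.51.100.77","authenticationProtocol":"deviceCode","status":{"errorCode":0}}
{"createdDateTime":"2024-05-01T09:15:00Z","userPrincipalName":"bob@example.com","ipAddress":"203.0.113.23","authenticationProtocol":"deviceCode","status":{"errorCode":0}}
{"createdDateTime":"2024-05-01T09:20:00Z","userPrincipalName":"carol@example.com","ipAddress":"198.51.100.5","authenticationProtocol":"deviceCode","status":{"errorCode":50126}}
"""

# Constructed allow-list of networks the organisation treats as trusted.
TRUSTED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]


def parse_signins(text):
    """Parse JSON-lines sign-in records and return them oldest first."""
    records = [json.loads(line) for line in text.splitlines() if line.strip()]
    return sorted(records, key=lambda r: r["createdDateTime"])


def find_anomalous_device_code_signins(records, networks=TRUSTED_NETWORKS):
    """Return (user, ip, reasons) for successful device-code sign-ins that are
    the first seen for that user or originate outside the trusted networks.
    Failed attempts are skipped: only issued tokens need follow-up."""
    seen_device_code_users = set()
    findings = []
    for rec in records:
        if rec.get("authenticationProtocol") != "deviceCode":
            continue
        if rec.get("status", {}).get("errorCode", 0) != 0:
            continue
        user = rec["userPrincipalName"]
        reasons = []
        if user not in seen_device_code_users:
            reasons.append("first device-code sign-in for user")
        if not any(ipaddress.ip_address(rec["ipAddress"]) in n for n in networks):
            reasons.append("untrusted source address")
        seen_device_code_users.add(user)
        if reasons:
            findings.append((user, rec["ipAddress"], reasons))
    return findings


if __name__ == "__main__":
    for user, ip, reasons in find_anomalous_device_code_signins(parse_signins(SAMPLE_SIGNINS)):
        print(f"{user} from {ip}: {'; '.join(reasons)}")
```

In production the baseline of users who legitimately use device-code sign-in should come from a longer history than the batch being analysed, otherwise every first record in the batch is flagged.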
Technical Notes – Attack vector: phishing using legitimate device‑code OAuth/OIDC flows (e.g., Azure AD, Microsoft Entra, Google). No specific CVE cited. Data at risk includes authentication tokens, session cookies, and any downstream data accessed with those tokens. Source: Dark Reading