HomeIntelligenceBrief
BREACH BRIEF🟠 High ThreatIntel

Device‑Code Phishing Bypasses MFA, Granting Persistent Access to Corporate Accounts

Attackers are using a device‑code phishing technique that tricks users into authorizing access on legitimate Microsoft login pages, bypassing MFA without stealing passwords. This highlights gaps in SOC 2 access‑control evidence and the need for behavioral monitoring and security‑awareness training.

LiveThreat™ Intelligence · 📅 June 19, 2026· 📰 bleepingcomputer.com
🟠
Severity
High
TI
Type
ThreatIntel
🎯
Confidence
High
🏢
Affected
1 sector(s)
Actions
3 recommended
📰
Source
bleepingcomputer.com

Attackers Use “Device Code” Phishing to Bypass MFA and Retain Persistent Access

What Happened — Attackers are leveraging a “device code” phishing technique that tricks users into authorizing access on legitimate Microsoft authentication pages. Because the victim completes a real login and MFA challenge, the attacker receives a valid access token and can maintain long‑term access without ever stealing passwords.

Why It Matters for Compliance & Audit Readiness

  • SOC 2 access‑control criteria (CC6.1 Logical Access) require documented controls that prevent unauthorized credential use, even when MFA is technically satisfied.
  • Continuous‑compliance programs must capture evidence that MFA is complemented by behavioral monitoring and user‑training controls.
  • Verisq’s Security Awareness Training capability can embed device‑code phishing awareness into your SOC 2 readiness evidence.

Who Is Affected – Primarily technology‑focused enterprises (SaaS, cloud platforms, and managed service providers) that rely on Microsoft Azure AD or Office 365 for identity management.

Recommended Actions

  • Map the device‑code phishing scenario to SOC 2 CC6.1 and CC6.2 (Security Incident Management) controls.
  • Deploy behavioral analytics that flag anomalous token issuance and atypical device‑code flows.
  • Update security‑awareness curricula to cover this specific phishing vector and test users with simulated device‑code attacks.
  • Document MFA policy exceptions and the supplemental controls you add as audit evidence.

Source: BleepingComputer Webinar Announcement

Technical Notes – The technique exploits Microsoft’s OAuth 2.0 device‑code flow, a legitimate authorization grant that does not require a password at the time of token issuance. No new CVE is cited; the risk stems from user interaction with a trusted login UI.

📰 Original Source
https://www.bleepingcomputer.com/news/security/webinar-how-attackers-bypass-mfa-and-how-defenders-can-respond/

This LiveThreat Intelligence Brief is an independent analysis. Read the original reporting at the link above.

From the Verisq platform · Security Awareness

Awareness is a control you can evidence too.

Verisq AI Trust Operations records training completion and policy adoption as audit evidence — turning 'we train our staff' into something you can actually prove.

See how Verisq AI Trust Operations covers awareness →