Phishing with Device Codes

Microsoft discovered a threat actor using device codes to phish credentials and has provided some guidance for mitigations.

If you are not familiar with device codes, chances are you have still used one if you have ever signed in on a smart TV.

Your favorite streaming service might give you a 6-digit code to enter on your laptop or phone; you provide your credentials there, and the TV is then logged in as you. That is a device code. The same flow can be used for non-streaming services, but it is unlikely to be something you have in frequent use in an enterprise environment.

Mitigation Requirements

  • Access to Conditional Access (Entra ID Plan 1)
    • Must not be using security defaults

Detection

The Microsoft blog post provides a large query to help detect threats, but I believe most organizations will find it more beneficial to first check whether device codes are in use at all. If no device codes have been used, block them with Conditional Access (CA). If they have been used, investigate that use and limit device codes to specific users and apps.

You will need your Entra ID sign-in logs stored in a Log Analytics workspace, preferably with the Sentinel solution added. You should really be using this if you have E5 licensing; Sentinel also gives you an extra 60 days of data retention included as a bonus.

We can use this simple query to find out whether device codes have been used for Entra ID authentication.

SigninLogs
| where AuthenticationProtocol == "deviceCode"

You will likely want to take note of ResultType: an integer of 0 indicates a successful authentication, and any other code indicates a failure of some sort. ResultDescription generally gives some information about those other errors, but you can find more detailed info here.

You can then summarize this by, for example, UserPrincipalName or AppDisplayName.

SigninLogs
| where AuthenticationProtocol == "deviceCode"
// | where ResultType in (0,50076)
| summarize Count = count() by UserPrincipalName
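The same triage the two KQL queries above perform, as an added example that is not part of the original post: it runs over constructed rows laid out with the SigninLogs column names (as you would get from exporting the table from a Log Analytics workspace), answers the "are device codes in use at all" question, and summarizes device code sign-ins per user or per app, split into successes (ResultType 0) and failures. It assumes ResultType arrives as text, so the comparison is done on strings; the sample rows and their values are made up.

```python
from collections import defaultdict

# Constructed sample rows in SigninLogs column layout (values are made up for
# illustration; 50076 is one of the failure codes mentioned in the post).
SAMPLE_SIGNIN_LOGS = [
    {"UserPrincipalName": "alice@example.com", "AppDisplayName": "Microsoft Office",
     "AuthenticationProtocol": "deviceCode", "ResultType": "0"},
    {"UserPrincipalName": "alice@example.com", "AppDisplayName": "Microsoft Office",
     "AuthenticationProtocol": "deviceCode", "ResultType": "50076"},
    {"UserPrincipalName": "bob@example.com", "AppDisplayName": "Azure CLI",
     "AuthenticationProtocol": "deviceCode", "ResultType": "0"},
    {"UserPrincipalName": "carol@example.com", "AppDisplayName": "Microsoft Teams",
     "AuthenticationProtocol": "none", "ResultType": "0"},
]


def device_code_signins(rows):
    """Same filter as: SigninLogs | where AuthenticationProtocol == "deviceCode"."""
    return [r for r in rows if r.get("AuthenticationProtocol") == "deviceCode"]


def device_code_in_use(rows):
    """The go/no-go question from the post: any device code sign-in at all?
    False means the flow can simply be blocked with Conditional Access."""
    return len(device_code_signins(rows)) > 0


def summarize_by(rows, column):
    """Same idea as: ... | summarize Count = count() by <column>, but with the
    count split into successes (ResultType 0) and failures (any other code),
    keeping the distinct failure codes so each one can be looked up."""
    summary = defaultdict(lambda: {"success": 0, "failure": 0, "failure_codes": set()})
    for row in device_code_signins(rows):
        key = row.get(column, "<missing>")
        # Assumption: ResultType is handled as text here, so compare as a string.
        code = str(row.get("ResultType", "")).strip()
        if code == "0":
            summary[key]["success"] += 1
        else:
            summary[key]["failure"] += 1
            summary[key]["failure_codes"].add(code)
    return dict(summary)


if __name__ == "__main__":
    print("device code in use:", device_code_in_use(SAMPLE_SIGNIN_LOGS))
    for col in ("UserPrincipalName", "AppDisplayName"):
        for key, counts in sorted(summarize_by(SAMPLE_SIGNIN_LOGS, col).items()):
            print(f"{col}={key}: {counts}")
```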

Mitigations

Microsoft's top mitigation is restricting device codes with the use of conditional access policies. The key requirements of this policy are:

  • Blocking access
  • To device code authentication flows
  • For all users, excluding your breakglass account

Below is a rudimentary example of what your policy might look like. You may have scenarios in your environment where blocking all device codes is not viable. When that is the case, consider the below policy with additional exclusions, then cover those exclusions in a second policy. That second policy should be fairly restrictive about when an account can use device codes, for example by limiting the location, cloud app, or operating system.