Device Code Phishing: The OAuth Attack That Bypasses MFA
MFA was enforced. The tenant had a third-party MFA provider through Conditional Access. Every sign-in log entry showed a successful authentication. No password spray. No credential theft. And yet the attacker had a valid refresh token and access to the mailbox.
The entry point was a device code phishing link. Once I understood the mechanism, everything made sense.
