Device Code Phishing: New 2FA Bypass Targeting Indian SMBs
When I was architecting security for Fortune 500 companies, we obsessed over two-factor authentication (2FA) as the ultimate defense. "If you have 2FA," we'd say, "you're protected." But that assumption is crumbling.
Device code phishing is the new 2FA bypass attackers use to compromise Indian businesses — and most SMBs have never heard of it. Under the DPDP Act 2023, a compromised cloud account that exposes customer data is a regulatory violation requiring CERT-In notification within 6 hours, not just a technical incident.
Originally reported by Dark Reading, a sophisticated threat actor group known as Tycoon has abandoned traditional 2FA interception attacks and pivoted to something far more insidious: device code phishing. Instead of trying to steal your one-time passwords, they're now tricking users into handing over legitimate device authorization codes — codes that your own company's systems trust implicitly.
This shift matters. A lot. Especially for Indian SMBs who are increasingly relying on cloud platforms like Microsoft 365, Google Workspace, and AWS, all of which use device code flows for legitimate multi-device login scenarios.
Bachao.AI by Dhisattva AI Pvt Ltd was built to detect exactly these authentication vulnerabilities. This post explains how the attack works and what you need to do now.
For related context on endpoint threats hitting Indian SMBs, see our post on Payouts King ransomware bypassing endpoint security.
What Happened
Tycoon operators are conducting targeted phishing campaigns that exploit a fundamental trust mechanism built into modern authentication systems. Here's what they're doing:
The Attack Flow:
- Attacker sends a convincing phishing email impersonating your company's IT team or a trusted SaaS provider
- The email directs users to a fake login page that is a pixel-perfect copy of the real one
- When the user enters their credentials on the fake page, the attacker captures them
- Instead of immediately logging in, the attacker triggers a device code authentication flow on the legitimate service
- The device code appears (typically an 8-10 character alphanumeric string)
- The attacker's phishing page displays this code to the user, saying: "Enter this code in your authenticator app to complete login"
- The user, thinking this is a normal 2FA prompt, enters the code into their authenticator
- The attacker's system receives authorization, and the account is compromised
In my years reviewing Indian SMB security postures, I've noticed that most businesses implement 2FA thinking they've "solved" authentication security. But they haven't accounted for the human element — and that's exactly where device code phishing exploits the gap.
Why Device Code Phishing Matters for Indian Businesses
India's cybersecurity landscape is evolving rapidly, but so are the threats. Here's why device code phishing is particularly dangerous for Indian SMBs:
Regulatory Pressure
The Digital Personal Data Protection (DPDP) Act, 2023 requires Indian businesses to implement "reasonable security measures" to protect personal data. A compromised cloud account isn't just a technical problem — it's a compliance violation. If attackers access customer data through a compromised Microsoft 365 or Google Workspace account, you're looking at potential fines and mandatory breach notifications to CERT-In within 6 hours.
Cloud Adoption Without Security Maturity
Most Indian SMBs migrated to cloud platforms in the last 2-3 years, but security practices haven't kept pace. Many teams don't understand device code authentication, so they don't train employees to recognize the attack. When your team doesn't know what a device code is, they can't tell the difference between a legitimate prompt and a phishing attempt.
Multi-Tenant Vulnerability
Many Indian SMBs use shared infrastructure (AWS, Azure, GCP) without proper account segmentation. A single compromised account can become a lateral movement vector to access other customer data or internal systems.
How Device Code Authentication Actually Works
Device code flows are designed to solve a real problem: how do you log into a device that doesn't have a keyboard (like a smart TV or IoT device)?
Legitimate flow:
- Device requests authentication: a new device requests a login code from the authentication server
- Server issues device code: the auth server generates a unique 8-10 character code
- User enters code elsewhere: the user goes to a browser on another device and enters the code
- User confirms: the user sees what is trying to authenticate and confirms it
- Device receives token: once confirmed, the original device gets an access token
The Phishing Variant
Here's the actual attack mechanism:
```python
# Attacker's device code phishing script
import requests

def initiate_device_code_attack(client_id, tenant_id):
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/devicecode"
    payload = {
        "client_id": client_id,
        "scope": "https://graph.microsoft.com/.default"
    }
    response = requests.post(url, data=payload)
    device_code_response = response.json()
    # Returns device_code and user_code
    # Attacker displays user_code on phishing page
    return device_code_response.get('device_code'), device_code_response.get('user_code')

def poll_for_token(client_id, device_code, tenant_id):
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    payload = {
        "grant_type": "urn:ietf:params:oauth:grant-type:device_code",
        "device_code": device_code,
        "client_id": client_id
    }
    response = requests.post(url, data=payload)
    token_response = response.json()
    if 'access_token' in token_response:
        return token_response['access_token']  # Full cloud access
    return None
```

This is not theoretical. This is how the attack actually works.
Why Traditional 2FA Monitoring Fails
When you look at your 2FA logs, a device code authorization looks completely legitimate:
```text
[2026-04-17 14:32:15] User: rajesh@company.com | Event: Device Code Issued | Status: Success
[2026-04-17 14:32:47] User: rajesh@company.com | Event: Device Code Authorized | Status: Success
[2026-04-17 14:33:02] User: rajesh@company.com | Event: Login Successful | IP: 203.45.x.x (Pakistan) | Status: Success
```

There's no failed attempt. No brute force. No anomaly. The user "authorized" the device themselves (unknowingly). From the authentication server's perspective, everything is normal.
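The events are individually normal, but the sequence is not: a device code authorization followed seconds later by a successful login from a country the business never operates in. As an added example (not from the original post and not Bachao.AI code), the Python below correlates those events per user over log lines constructed in the same format as the excerpt; the 15-minute correlation window and the country allow-list are assumptions you would tune to your own tenant.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines in the shape of the excerpt above; the priya@ lines are a benign control.
SAMPLE_LOG = """\
[2026-04-17 14:32:15] User: rajesh@company.com | Event: Device Code Issued | Status: Success
[2026-04-17 14:32:47] User: rajesh@company.com | Event: Device Code Authorized | Status: Success
[2026-04-17 14:33:02] User: rajesh@company.com | Event: Login Successful | IP: 203.45.x.x (Pakistan) | Status: Success
[2026-04-17 09:10:00] User: priya@company.com | Event: Device Code Issued | Status: Success
[2026-04-17 09:10:40] User: priya@company.com | Event: Device Code Authorized | Status: Success
[2026-04-17 09:11:05] User: priya@company.com | Event: Login Successful | IP: 49.207.x.x (India) | Status: Success
"""

LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] User: (?P<user>\S+) \| Event: (?P<event>[^|]+?) \|"
    r"(?: IP: (?P<ip>\S+) \((?P<country>[^)]+)\) \|)? Status: (?P<status>\w+)$"
)

def parse_log(text):
    """Parse lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%d %H:%M:%S")
            events.append(ev)
    return events

def find_suspicious_device_code_logins(events, allowed_countries, window=timedelta(minutes=15)):
    """Flag a successful login that follows a Device Code Authorized event for the same user
    within `window` and geolocates outside allowed_countries (or to an unknown country)."""
    last_authorized = {}
    findings = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["event"] == "Device Code Authorized" and ev["status"] == "Success":
            last_authorized[ev["user"]] = ev["ts"]
        elif ev["event"] == "Login Successful" and ev["user"] in last_authorized:
            if ev["ts"] - last_authorized[ev["user"]] > window:
                continue  # login not tied to a recent device code authorization
            country = ev["country"] or "Unknown"  # no geolocation is treated as suspicious
            if country not in allowed_countries:
                findings.append((ev["user"], ev["ip"], country, ev["ts"]))
    return findings

if __name__ == "__main__":
    for user, ip, country, ts in find_suspicious_device_code_logins(parse_log(SAMPLE_LOG), {"India"}):
        print(f"ALERT {ts} {user}: device code login from {ip} ({country})")
```

Run against a real 30-day export, this is the "unknown locations" check from the action list below, and the same correlation can be extended with an "unusual time" rule on the authorization timestamp.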
The Attack Flow Diagram
```mermaid
graph TD
    A[Attacker initiates device code request on real Microsoft endpoint] -->|Gets device code| B[Displays code on phishing page]
    B -->|Victim enters credentials on fake page| C[Victim sees device code]
    C -->|Victim enters code in authenticator| D[Victim authorizes unknown device]
    D -->|Attacker receives authorization| E[Account compromised]
    E -->|Attacker gains full cloud access| F[Data exfiltration begins]
    style A fill:#1e3a5f,stroke:#3B82F6,color:#e2e8f0
    style B fill:#1e3a5f,stroke:#3B82F6,color:#e2e8f0
    style C fill:#5f1e1e,stroke:#EF4444,color:#e2e8f0
    style D fill:#5f1e1e,stroke:#EF4444,color:#e2e8f0
    style E fill:#5f1e1e,stroke:#EF4444,color:#e2e8f0
    style F fill:#5f1e1e,stroke:#EF4444,color:#e2e8f0
```

How to Defend Against Device Code Phishing
Immediate Fix: Disable Device Code Flows
For Microsoft 365/Azure AD:
```powershell
# Block the device code flow via Conditional Access.
# The retired AzureAD/AzureADPreview cmdlets cannot target the "authentication flows"
# condition, so this uses the Microsoft Graph PowerShell SDK. As originally written
# (applications = All, platforms = All, no flow condition) the policy would have
# blocked every sign-in in the tenant, not just device code sign-ins.
# Requires: Connect-MgGraph -Scopes "Policy.Read.All","Policy.ReadWrite.ConditionalAccess"
$params = @{
    displayName   = "Block Device Code Flow"
    state         = "enabled"   # use "enabledForReportingButNotEnforced" to pilot first
    conditions    = @{
        users               = @{ includeUsers = @("All") }
        applications        = @{ includeApplications = @("All") }
        authenticationFlows = @{ transferMethods = "deviceCodeFlow" }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $params
```

For Google Workspace:
```text
# Disable less secure app access via Google Admin Console:
# Security > Security Settings > Less secure app access > OFF
```

Intermediate Fix: Implement Conditional Access
If you cannot disable device codes entirely (some apps need them), restrict them geographically:
```powershell
# Conditional Access: allow the device code flow only from India.
# Location conditions take named-location IDs, not country codes, so first create a
# countries/regions named location for India (New-MgIdentityConditionalAccessNamedLocation)
# and put its id in place of <INDIA-NAMED-LOCATION-ID>. Including "All" and excluding
# India blocks the flow everywhere else; including only India would block India itself.
$params = @{
    displayName   = "Block Device Code Flow from Outside India"
    state         = "enabled"
    conditions    = @{
        users               = @{ includeUsers = @("All") }
        applications        = @{ includeApplications = @("All") }
        authenticationFlows = @{ transferMethods = "deviceCodeFlow" }
        locations           = @{ includeLocations = @("All"); excludeLocations = @("<INDIA-NAMED-LOCATION-ID>") }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $params
```

Advanced Fix: Implement Passwordless Authentication
The real solution is to eliminate passwords and device codes entirely. Migrate to FIDO2 security keys:
```powershell
# Enable FIDO2 security keys for all users via the Entra authentication methods policy.
# Enabling the method lets users register keys; requiring them at sign-in is a separate
# Conditional Access policy that grants access only with a phishing-resistant
# authentication strength. The target id for "everyone" is the literal all_users.
$body = @{
    "@odata.type"  = "#microsoft.graph.fido2AuthenticationMethodConfiguration"
    id             = "Fido2"
    state          = "enabled"
    includeTargets = @(@{ targetType = "group"; id = "all_users"; isRegistrationRequired = $false })
}
Update-MgPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration `
    -AuthenticationMethodConfigurationId "Fido2" -BodyParameter $body
```

How Bachao.AI Detects This
This is exactly why I built Bachao.AI — to make enterprise-grade threat detection accessible to Indian SMBs who don't have security budgets in the crores.
Our platform specifically tests for device code vulnerabilities:
```bash
# What our VAPT scan checks:
curl -X POST https://login.microsoftonline.com/common/oauth2/v2.0/devicecode \
  -d "client_id=YOUR_CLIENT_ID&scope=https://graph.microsoft.com/.default" -v
# We analyze:
# 1. Is the device code endpoint accessible without restrictions?
# 2. Are device codes issued with long expiration windows?
# 3. Is there rate limiting on token polling?
# 4. Are device authorizations logged and monitored?
# 5. Are users trained to recognize device code prompts?
```

Our Cloud Security audit specifically checks for unrestricted device code flows, missing conditional access policies, overpermissioned OAuth2 applications, and impossible travel patterns in access logs.
According to DSCI's India cybersecurity framework, organizations that proactively test their authentication infrastructure are significantly better positioned to meet DPDP Act compliance obligations.
What You Should Do Right Now
- Audit your authentication logs for the last 30 days. Look for device code authorizations from unknown locations or at unusual times.
- Review OAuth2 applications with access to your cloud environment. Remove any that don't have a clear business purpose.
- Enable conditional access policies that restrict device code flows to known locations and devices.
- Train your team on what device codes are and when they should expect to see them (spoiler: almost never in normal work).
- Book a free VAPT scan to identify whether your authentication infrastructure has device code vulnerabilities. Book Your Free VAPT Scan.
Key Takeaways
- Device code phishing is a sophisticated attack that bypasses traditional 2FA by using legitimate authentication mechanisms
- Indian SMBs are particularly vulnerable because cloud adoption has outpaced security maturity
- Detection is hard because device code compromises look legitimate to standard monitoring tools
- Prevention is possible through conditional access policies, employee training, and passwordless authentication
- VAPT and Cloud Security audits specifically detect device code vulnerabilities before attackers exploit them
Frequently Asked Questions
What is device code phishing? Device code phishing is an attack technique where criminals exploit OAuth2 device code authentication flows to bypass 2FA. Instead of stealing one-time passwords, attackers trick users into authorizing a device the attacker controls, using a legitimate code issued by the real authentication server. The compromise looks completely normal in authentication logs.
Why are Indian SMBs vulnerable to device code phishing attacks? Most Indian SMBs migrated to Microsoft 365 or Google Workspace in the last 2-3 years but haven't updated their security training to cover new attack vectors. Employees don't know what device codes are or when to expect them, making it easy for attackers to disguise malicious prompts as legitimate authentication requests.
How does device code phishing affect DPDP Act compliance in India? Under DPDP Act 2023, Indian businesses must implement "reasonable security measures." A device code compromise that exposes customer data triggers mandatory breach notification to CERT-In within 6 hours. Failure to detect the compromise — which averages 47 days — means you miss the notification window entirely, adding regulatory violations to the breach itself.
Protect your business with Bachao.AI — India's automated vulnerability assessment and penetration testing platform by Dhisattva AI Pvt Ltd. Get a comprehensive security scan of your web applications and infrastructure. Visit Bachao.AI to get started.
Written by Shouvik Mukherjee, Founder of Bachao.AI. Follow me on LinkedIn for daily cybersecurity insights for Indian businesses.