How Hackers Are Defeating MFA in 2026 — And How to Stop Them

Author: Lasetech · 9 min read

TL;DR

  • Device code phishing detections surged 37 times in 2026, and 18 active phishing kits now include this capability out of the box.
  • Attackers bypass MFA without ever stealing your password — they steal your authenticated session instead.
  • Standard SMS and app-based MFA no longer stops this attack. Phishing-resistant MFA (passkeys, FIDO2 hardware keys) and Conditional Access policies do.

Multi-factor authentication was supposed to be the answer. Add a second factor — a code from your phone, a push notification, an authenticator app — and even if attackers steal your password, they can't get in. For years, that held true. In 2026, it no longer does.

Device code phishing has changed the game. It does not try to steal your password. It does not try to intercept your one-time code. Instead, it tricks you into handing over a fully authenticated session — and MFA never even gets a chance to intervene.


Why MFA Alone Is No Longer Enough

MFA was designed to protect credentials. The assumption: if an attacker gets your password, a second factor stops them.

Device code phishing sidesteps this entirely. It abuses a legitimate authentication flow built into Microsoft 365, Google Workspace, and other enterprise platforms — the device authorization grant — and turns it against you. No credentials change hands. No codes are intercepted. Your own browser does the authenticating, and the attacker receives the token your session generates.

This is not a theoretical threat. Push Security and BleepingComputer documented a 37x spike in device code phishing detections in the first half of 2026. Eighteen distinct phishing kits now ship with device code attack capabilities as a standard feature. This technique, once used only by nation-state threat actors, is now commodity tooling available to anyone willing to pay for a kit.

Traditional MFA — SMS codes, TOTP apps such as Google Authenticator, and Microsoft Authenticator push notifications — provides zero protection against this class of attack.


What Is Device Code Phishing? (Plain English)

To understand the attack, you need to understand what a "device code flow" is.

The device code flow is a legitimate OAuth 2.0 feature. It was designed for devices that cannot open a browser — think smart TVs, printers, or CLI tools — that need to authenticate a user. The device displays a short code and a URL. You go to that URL on your phone or laptop, log in normally (including MFA), and the device receives a token confirming you authenticated.

Device code phishing hijacks this flow. Instead of a TV or printer initiating the request, an attacker does. They generate a device code using Microsoft's or Google's own authentication infrastructure, then send you the code and URL disguised as a routine IT notification, a shared document link, or a Microsoft Teams alert.

You visit the legitimate Microsoft or Google login page. You log in. You complete your MFA challenge. Everything looks normal — because it is normal. The only difference: you just handed the attacker a valid, long-lived access token for your account. They never touched your password or your MFA code.


Step-by-Step: How the Attack Works

  1. The attacker initiates a device code request. Using Microsoft's or Google's own authentication endpoint, they generate a user code (e.g., ABCD-1234) and a verification URL (microsoft.com/devicelogin).

  2. A phishing message is sent to the target. This arrives as an email, Teams message, or SMS impersonating IT support, a document-sharing notification, or a security alert. The message includes the user code and a link to the verification URL.

  3. The target visits the legitimate login page. Because the URL is genuinely microsoft.com or accounts.google.com, browser security warnings do not fire. There is no fake domain to spot.

  4. The target authenticates — including completing MFA. They enter the code, sign in with their real credentials, and approve the MFA prompt. Everything looks legitimate.

  5. The attacker receives a valid access token. The OAuth flow completes from the attacker's device. They now hold a session token that grants full access to the victim's account — email, files, calendar, Teams — without needing the password or any future MFA prompt.

  6. Persistence is established. The attacker registers their own device or application in the tenant, ensuring continued access even if the victim changes their password.


Why SMBs Using Microsoft 365 and Google Workspace Are at Highest Risk

Enterprise security teams with dedicated SOC analysts monitor for anomalous token issuance and unusual sign-in locations. Most SMBs do not have this coverage.

Device code phishing is particularly effective against SMBs for several reasons:

  • No dedicated security staff. Without someone actively watching authentication logs, a stolen token can go undetected for weeks.
  • Over-reliance on MFA as a silver bullet. Many SMBs enabled MFA and assumed the job was done. This attack proves otherwise.
  • Unfamiliarity with OAuth flows. End users have no reason to be suspicious of a Microsoft login page that is genuinely hosted on microsoft.com.
  • Broad permissions by default. In smaller Microsoft 365 tenants, users often have access to sensitive data across the organization with no segmentation. One compromised account can mean access to everything.
  • Remote and hybrid work. Employees logging in from personal devices and home networks have normalised unusual sign-in patterns, making anomaly detection harder.

If your business runs Microsoft 365 or Google Workspace and your security posture ends at "we have MFA turned on," you are exposed.


6 Defenses Every SMB Should Implement Today

1. Deploy Phishing-Resistant MFA

Replace SMS codes, TOTP apps, and push notifications with FIDO2 hardware security keys (e.g., YubiKey) or passkeys. These are cryptographically bound to the legitimate domain and cannot be used to authenticate to an attacker's device code session. This is the single most effective control.

2. Disable the Device Code Flow for Your Tenant

If your organization does not use devices that require the device code flow (most SMBs do not), disable it entirely. In Microsoft Entra ID (formerly Azure AD), this is done with a Conditional Access policy that targets the device code authentication flow (grant type urn:ietf:params:oauth:grant-type:device_code) and blocks it for all users.

3. Enable Conditional Access with Named Locations and Device Compliance

Require that access tokens can only be used from compliant, managed devices and known locations. A token stolen and used from an attacker's server in an unexpected country should trigger an automatic block.

4. Monitor for Anomalous Token Usage

Enable Microsoft Entra ID sign-in logs and configure alerts for device code authentications, especially those followed by access from an IP or country not associated with the user. Microsoft Defender for Identity and Microsoft Sentinel both have detection rules for this.

5. Train Staff to Recognise Device Code Lures

The phishing messages that deliver device codes do not look like classic phishing. They mimic IT notifications and document-sharing alerts. Security awareness training in 2026 must include device code phishing scenarios — not just "watch out for strange links."

6. Enforce Token Lifetime Policies

By default, Microsoft 365 access tokens are valid for up to one hour, and refresh tokens can last much longer. Shorten refresh token lifetimes and require re-authentication for sensitive operations. This limits the window an attacker has with a stolen token.


Key Takeaways

  • Device code phishing bypasses MFA completely — no password or OTP is stolen.
  • Detections have surged 37x in 2026; this is no longer a niche threat.
  • The attack exploits a legitimate OAuth flow built into Microsoft and Google platforms.
  • Standard MFA (SMS, TOTP, push) does not protect against this attack class.
  • Phishing-resistant MFA (FIDO2/passkeys) and disabling device code flow are the primary defenses.
  • SMBs are disproportionately at risk due to limited monitoring and broad default permissions.

At Lasetech, We Define Robust Authentication Security

At Lasetech, we define modern authentication security as layered, verified, and continuously monitored — not a checkbox exercise. We work with SMBs across Istanbul and Turkey to assess their Microsoft 365 and Google Workspace configurations, identify exposure to adversary-in-the-middle (AiTM) and device code phishing, deploy phishing-resistant MFA, and build Conditional Access policies that actually block modern attack techniques. Security that worked in 2022 does not work in 2026. Our job is to make sure your defenses keep pace with the threats targeting your business right now.

For more on how phishing attacks work at the fundamental level, see our guide to what phishing is and how it works. To understand how attackers exploit human behaviour rather than technology, read our post on social engineering and the human factor.


Frequently Asked Questions

Does enabling MFA on Microsoft 365 protect against device code phishing?

No. Standard MFA — including SMS, TOTP codes, and Microsoft Authenticator push notifications — does not protect against device code phishing. The attack completes a legitimate MFA challenge on your behalf and then steals the resulting access token. Only phishing-resistant MFA (FIDO2 keys or passkeys) prevents this, because authentication is cryptographically bound to the real service and cannot be replayed from an attacker's session.

How do I know if my Microsoft 365 tenant has been compromised via device code phishing?

Check your Microsoft Entra ID sign-in logs for device code grant type authentications (urn:ietf:params:oauth:grant-type:device_code), especially any that are followed by access from unusual IP addresses or countries. Also review the Unified Audit Log for new OAuth app registrations or device registrations you do not recognise. If you do not have log monitoring in place, contact a managed security provider.
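The check described here and under "Monitor for Anomalous Token Usage" above, written out as an added example (not Lasetech's tooling): it walks exported sign-in records, isolates device code authentications, and raises an alert when the same user then appears from a different country within a time window. The sample records are constructed, and the field names (userPrincipalName, authenticationProtocol, location.countryOrRegion, createdDateTime) follow the Entra ID sign-in log schema but should be treated as assumptions to map onto your own export.

```python
# Added example, not Lasetech's tooling: flag device code sign-ins that are
# followed by the same user appearing from another country. Field names follow
# the Entra ID sign-in log schema but are assumptions; map them to your export.
from datetime import datetime, timedelta

# Constructed sample records, not real tenant data.
SAMPLE_SIGNINS = [
    {"createdDateTime": "2026-03-10T09:02:11Z", "userPrincipalName": "alice@example.com",
     "authenticationProtocol": "deviceCode", "ipAddress": "203.0.113.7",
     "location": {"countryOrRegion": "TR"}},
    {"createdDateTime": "2026-03-10T09:05:40Z", "userPrincipalName": "alice@example.com",
     "authenticationProtocol": "none", "ipAddress": "198.51.100.22",
     "location": {"countryOrRegion": "NL"}},
    {"createdDateTime": "2026-03-10T11:00:00Z", "userPrincipalName": "carol@example.com",
     "authenticationProtocol": "deviceCode", "ipAddress": "203.0.113.9",
     "location": {"countryOrRegion": "TR"}},
    {"createdDateTime": "2026-03-10T11:20:00Z", "userPrincipalName": "carol@example.com",
     "authenticationProtocol": "none", "ipAddress": "203.0.113.9",
     "location": {"countryOrRegion": "TR"}},
]

def _ts(rec):
    return datetime.fromisoformat(rec["createdDateTime"].replace("Z", "+00:00"))

def _country(rec):
    return rec["location"]["countryOrRegion"]

def device_code_signins(records):
    """Every sign-in that used the device authorization grant."""
    return [r for r in records if r.get("authenticationProtocol") == "deviceCode"]

def suspicious_followups(records, window=timedelta(hours=24)):
    """Device code sign-in followed within `window` by the same user from a
    different country: the shape of a stolen token redeemed elsewhere."""
    ordered = sorted(records, key=_ts)
    alerts = []
    for dc in device_code_signins(ordered):
        same_user = (r for r in ordered if r["userPrincipalName"] == dc["userPrincipalName"])
        for later in same_user:
            in_window = _ts(dc) < _ts(later) <= _ts(dc) + window
            if in_window and _country(later) != _country(dc):
                alerts.append((dc["userPrincipalName"], dc["ipAddress"],
                               later["ipAddress"], _country(later)))
    return alerts

if __name__ == "__main__":
    for user, src, dst, country in suspicious_followups(SAMPLE_SIGNINS):
        print(f"ALERT {user}: device code from {src}, then access from {dst} ({country})")
```

Carol's device code sign-in followed by access from the same country produces no alert; only Alice's, redeemed from a second country minutes later, does.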

Is Google Workspace affected too?

Yes. Google supports a similar device authorization flow for Google accounts. While most documented campaigns in 2026 have targeted Microsoft 365 tenants, Google Workspace users are not immune. The same defenses apply: phishing-resistant MFA, device trust policies, and monitoring of OAuth token grants.

Can my antivirus or email filter block device code phishing attacks?

Not reliably. The phishing messages often contain links to genuinely legitimate Microsoft or Google URLs — there is no malicious domain to block. Antivirus does not inspect OAuth flows. Email filters may catch some lures if they match known templates, but dedicated device code phishing messages designed to impersonate internal IT communications will bypass most filters. Human awareness and authentication-layer controls are the primary defenses.

