Why Device Code Phishing Demands a Modern Account Takeover Response
Device code phishing allows attackers to hijack legitimate Microsoft 365 authentication flows and maintain persistent access. Learn how Abnormal AI detects compromise and helps contain account takeover activity.
May 18, 2026

With Microsoft 365 now exceeding 450 million paid commercial seats, attackers have a massive incentive to target the authentication flows that keep employees connected across email, files, collaboration, and identity. Device code phishing is gaining traction because phishing-as-a-service kits now make it easier to convert a legitimate Microsoft login flow into session- and token-based account access.
Abnormal’s report on VENOM covers the full technical flow. At a high level, the attack works like this:
The attacker starts a device authorization request with Microsoft and receives two values: a device code, which stays with the attacker’s own session, and a short user code meant to be typed by a person.
The victim receives a phishing lure, such as a shared document or file-access prompt, and is told to verify access with Microsoft.
The phishing page shows the user code and sends the victim to the genuine Microsoft device login page, so the process feels legitimate.
The victim enters the code, completes sign-in and MFA, and believes they have verified access to the document. Microsoft has no way to tell that the person approving the code is not the party that requested it.
The attacker, still polling the token endpoint with the device code, receives the victim’s access and refresh tokens because the request was tied to the attacker’s session from the beginning.
By the time the victim realizes something is wrong, the attacker may already hold tokens that outlive the moment of compromise: access tokens cannot be revoked and remain valid until they expire, and refresh tokens can survive a password reset unless they are explicitly revoked.
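The exchange above, run end to end as an added example (not code from the original post or from Abnormal). It is an offline simulation of the OAuth 2.0 device authorization grant (RFC 8628), the flow Microsoft Entra ID exposes at its devicecode and token endpoints; the DeviceAuthorizationServer class, the run_phish driver, the scope string and the token values are assumptions of this example, not Microsoft's implementation. The point it makes concrete is that the server mints tokens for whoever approved the user code but hands them to whoever holds the device code, and it cannot distinguish the two.

```python
"""Offline simulation of the device authorization grant (RFC 8628).

Added example: the server class is a stand-in for the identity provider,
token values are random placeholders, and returning "sub" in the token
response is a simplification (a real response carries it in the ID token).
"""
import secrets
import string
import time

USER_CODE_ALPHABET = string.ascii_uppercase + string.digits


class DeviceAuthorizationServer:
    """Minimal in-memory stand-in for Entra ID (assumption of this example)."""

    def __init__(self, now=time.time):
        self.now = now
        self._by_device_code = {}   # device_code -> pending authorization
        self._by_user_code = {}     # user_code   -> device_code

    def device_authorization(self, client_id, scope, expires_in=900):
        """Step 1: the initiating client (here, the attacker) requests codes.

        Real endpoint: POST /{tenant}/oauth2/v2.0/devicecode on
        login.microsoftonline.com. The device_code never leaves the initiator;
        only the user_code and verification_uri are shown to a human.
        """
        device_code = secrets.token_urlsafe(32)
        user_code = "".join(secrets.choice(USER_CODE_ALPHABET) for _ in range(8))
        self._by_device_code[device_code] = {
            "client_id": client_id, "scope": scope,
            "subject": None, "expires_at": self.now() + expires_in,
        }
        self._by_user_code[user_code] = device_code
        return {
            "device_code": device_code, "user_code": user_code,
            "verification_uri": "https://microsoft.com/devicelogin",
            "expires_in": expires_in, "interval": 5,
        }

    def complete_user_login(self, user_code, username, mfa_satisfied):
        """Steps 3-4: the victim types the code on the genuine login page and
        passes MFA. The server binds the approving user to the pending request;
        nothing in the protocol tells it the initiator is someone else."""
        device_code = self._by_user_code.get(user_code)
        if device_code is None:
            return "invalid_user_code"
        pending = self._by_device_code[device_code]
        if pending["expires_at"] < self.now():
            return "expired"
        if not mfa_satisfied:
            return "mfa_required"
        pending["subject"] = username
        return "ok"

    def token(self, device_code):
        """Step 5: the initiator polls the token endpoint with
        grant_type=urn:ietf:params:oauth:grant-type:device_code."""
        pending = self._by_device_code.get(device_code)
        if pending is None:
            return {"error": "invalid_grant"}
        if pending["expires_at"] < self.now():
            return {"error": "expired_token"}
        if pending["subject"] is None:
            return {"error": "authorization_pending"}
        # Tokens are issued for the approving user, to the caller holding device_code.
        return {
            "token_type": "Bearer",
            "scope": pending["scope"],
            "access_token": secrets.token_urlsafe(24),
            "refresh_token": secrets.token_urlsafe(24),
            "sub": pending["subject"],
        }


def run_phish(server, attacker_client_id, victim, victim_passes_mfa=True):
    """Drive the whole exchange; return the login outcome and the attacker's
    final token response."""
    codes = server.device_authorization(attacker_client_id,
                                        "openid offline_access Mail.Read")
    # The attacker polls before the victim acts: nothing is issued yet.
    first_poll = server.token(codes["device_code"])
    assert first_poll == {"error": "authorization_pending"}
    # The lure delivers codes["user_code"] and codes["verification_uri"].
    login_result = server.complete_user_login(codes["user_code"], victim,
                                              victim_passes_mfa)
    # The attacker polls again and collects whatever was issued.
    return login_result, server.token(codes["device_code"])
```

Run with `run_phish(DeviceAuthorizationServer(), "attacker-client", "victim@example.com")`: the returned tokens carry the victim as subject, and the only party that ever held the device code is the attacker. The expiry window (900 seconds here, the interval Microsoft's devicecode response also advertises as `expires_in`) is why lures push the victim to act immediately.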
See how Abnormal detects and contains device-code-driven account takeover. Schedule a personalized demo.

Device code phishing flow using a legitimate Microsoft login page.
Device code phishing is hard to detect because a careful attacker can make every step look explainable on its own. The victim logs in on a real identity-provider page. The attacker can use a VPN to make the location look believable, and the browser or network details may not be unusual enough to stand out on their own. A defender looking at one event at a time may see a suspicious login, but not enough evidence to confirm compromise. The real signal comes from correlating what happens before, during, and after the login.
Abnormal approaches the detection problem by using behavioral AI to correlate activity across identity, email, and post-compromise behavior instead of evaluating each event on its own. In a device code phishing case, the meaningful signal usually comes from correlated indicators: suspicious sign-in activity, unusual infrastructure, changes to authentication methods, suspicious mailbox behavior, and related activity elsewhere in the environment.
How Abnormal Detects Device Code Phishing-Driven Account Takeover
Abnormal behavioral email protection helps guard against sophisticated phishing sent from compromised accounts, while Account Takeover monitors accounts for anomalous behavior. Account Takeover confirms that a suspicious login is part of an active compromise by correlating it with behavioral signals associated with attacker activity. It:
Correlates legitimate-looking authentication activity with where the resulting access and tokens are ultimately used
Surfaces follow-on attacker behavior such as rogue MFA registration, suspicious mailbox rule creation, and security settings access
Adds scope and context so responders can see whether the activity is isolated or part of a broader attack pattern
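The correlation idea in this list, as an added example (not Abnormal's detection logic): a device-code sign-in on its own is ordinary, so the scorer below only raises a finding when follow-on activity lands within a time window of it. The event records are constructed for this example and use a flattened schema loosely modelled on Entra ID sign-in logs (which expose the authentication protocol, including deviceCode), Entra audit events such as "User registered security info", and Exchange unified audit log operations such as New-InboxRule; the field names, weights, window and threshold are assumptions of this example.

```python
"""Correlate a device-code sign-in with follow-on attacker behaviour.

Added example. Weights, window and threshold are illustrative choices, not
tuned values; the EVENTS list is constructed sample data.
"""
from datetime import datetime, timedelta

WINDOW = timedelta(hours=6)
THRESHOLD = 4

# Follow-on activity counted only when it occurs within WINDOW after a
# device-code sign-in by the same user.
FOLLOW_ON_WEIGHTS = {
    "mfa_method_registered": 3,   # e.g. audit "User registered security info"
    "inbox_rule_created": 3,      # e.g. Exchange "New-InboxRule"
    "security_settings_read": 1,  # e.g. reads of authentication method settings
}

EVENTS = [  # constructed sample data (flattened, simplified schema)
    {"ts": "2026-05-12T08:02:00", "user": "ana@example.com", "kind": "signin",
     "protocol": "ropc", "asn": 3320, "detail": "corporate laptop"},
    {"ts": "2026-05-12T09:15:00", "user": "ana@example.com", "kind": "signin",
     "protocol": "deviceCode", "asn": 9009, "detail": "commercial VPN ASN"},
    {"ts": "2026-05-12T09:31:00", "user": "ana@example.com",
     "kind": "mfa_method_registered", "detail": "Microsoft Authenticator added"},
    {"ts": "2026-05-12T09:40:00", "user": "ana@example.com",
     "kind": "inbox_rule_created", "detail": "move 'invoice' to RSS Feeds"},
    {"ts": "2026-05-12T10:05:00", "user": "bob@example.com", "kind": "signin",
     "protocol": "deviceCode", "asn": 3320, "detail": "CLI login from office"},
    {"ts": "2026-05-12T18:30:00", "user": "bob@example.com",
     "kind": "inbox_rule_created", "detail": "sort newsletters"},
]


def _parse(events):
    """Convert timestamps and sort chronologically."""
    parsed = ({**e, "ts": datetime.fromisoformat(e["ts"])} for e in events)
    return sorted(parsed, key=lambda e: e["ts"])


def correlate(events, window=WINDOW, threshold=THRESHOLD):
    """Return per-user findings keyed by UPN.

    Each device-code sign-in is an anchor. The score adds one point when the
    sign-in ASN is absent from the user's earlier sign-ins (a baseline must
    exist) and the weighted follow-on events within the window. A user keeps
    the highest-scoring anchor.
    """
    evs = _parse(events)
    findings = {}
    for i, anchor in enumerate(evs):
        if anchor["kind"] != "signin" or anchor.get("protocol") != "deviceCode":
            continue
        user = anchor["user"]
        score, indicators = 0, ["device_code_signin"]
        baseline_asns = {e["asn"] for e in evs[:i]
                         if e["user"] == user and e["kind"] == "signin"}
        if baseline_asns and anchor["asn"] not in baseline_asns:
            score += 1
            indicators.append("new_asn")
        for e in evs[i + 1:]:
            if e["user"] != user:
                continue
            if e["ts"] - anchor["ts"] > window:
                break  # events are sorted, so nothing later can qualify
            weight = FOLLOW_ON_WEIGHTS.get(e["kind"])
            if weight:
                score += weight
                indicators.append(e["kind"])
        prev = findings.get(user)
        if prev is None or score > prev["score"]:
            findings[user] = {
                "signin_ts": anchor["ts"].isoformat(),
                "score": score,
                "indicators": indicators,
                "confirmed": score >= threshold,
            }
    return findings
```

On the sample data ana's device-code sign-in from a new ASN is followed within half an hour by a new MFA method and a new inbox rule, which clears the threshold; bob's device-code sign-in from a known ASN has its only follow-on event outside the window and scores zero. That asymmetry is the point: the sign-in alone never confirms anything.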

Abnormal Account Takeover correlates sign-in signals such as VPN use, browser, and ISP with additional signals over time to identify suspicious account activity.
How Abnormal Helps Remediate and Contain These Attacks
Once the incident is confirmed, the priority shifts from investigation to containment. The goal is to break persistence, disrupt active access, and provide defenders with enough evidence to complete remediation.
Signs the user out of active sessions to interrupt ongoing attacker access
Supports account containment to help revoke persistent access in the identity provider; in Microsoft 365, disabling the account is a key step because refresh-token-based access can survive a password reset
Resets the password as part of the containment workflow
Provides incident context so responders can identify persistence mechanisms such as unauthorized MFA registration and complete remediation before closing the incident
New Account Takeover remediation capabilities give security teams more control over automated response based on case confidence. For Microsoft 365 device code phishing, teams can tailor session revocation, password reset, and account disablement workflows to support rapid containment when it matters most.
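The containment steps listed above, as an added example of how a responder would drive them directly against Microsoft Graph (this is not Abnormal's remediation code). The Graph v1.0 endpoints are real: PATCH /users/{id} for accountEnabled and passwordProfile, POST /users/{id}/revokeSignInSessions, and GET /users/{id}/authentication/methods. The contain_account function, its ordering, the GraphHttp and RecordingHttp transports and the constructed method list are assumptions of this example; a real run needs an admin identity with the relevant Graph permissions. The ordering is the practitioner's point: disable first, so a still-valid refresh token cannot be redeemed while the rest of the workflow runs, and remember that already-issued access tokens cannot be revoked at all and simply expire.

```python
"""Containment sequence for a compromised Microsoft 365 account via Graph.

Added example. GraphHttp talks to graph.microsoft.com with a bearer token you
supply; RecordingHttp is an offline stand-in that records calls and returns
canned responses so the sequence can be exercised without a tenant.
"""
import json
import secrets
import string
import urllib.request

GRAPH = "https://graph.microsoft.com/v1.0"


class GraphHttp:
    """Thin JSON transport over urllib (assumption: caller supplies a token)."""

    def __init__(self, access_token):
        self.token = access_token

    def call(self, method, path, body=None):
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(
            GRAPH + path, data=data, method=method,
            headers={"Authorization": f"Bearer {self.token}",
                     "Content-Type": "application/json"})
        with urllib.request.urlopen(req) as resp:
            raw = resp.read()
            return json.loads(raw) if raw else {}


class RecordingHttp:
    """Offline stand-in: records every call, serves a constructed method list."""

    def __init__(self, auth_methods):
        self.calls = []
        self.auth_methods = auth_methods

    def call(self, method, path, body=None):
        self.calls.append((method, path, body))
        if method == "GET" and path.endswith("/authentication/methods"):
            return {"value": self.auth_methods}
        return {}


def random_password(length=24):
    alphabet = string.ascii_letters + string.digits + "!#%&*+-=?@"
    return "".join(secrets.choice(alphabet) for _ in range(length))


def contain_account(http, user_id, compromise_started):
    """Disable, revoke, reset, then list MFA methods registered since the
    compromise began. compromise_started is an ISO-8601 UTC timestamp
    ("2026-05-12T09:00:00Z"); comparing such strings lexicographically is
    valid because they share one fixed format."""
    actions = []
    # 1. Disable first: blocks new token issuance, including refresh-token
    #    redemption, for the rest of the workflow.
    http.call("PATCH", f"/users/{user_id}", {"accountEnabled": False})
    actions.append("disabled")
    # 2. Revoke refresh tokens and browser sessions. Access tokens already in
    #    the attacker's hands cannot be revoked; they expire on their own.
    http.call("POST", f"/users/{user_id}/revokeSignInSessions")
    actions.append("sessions_revoked")
    # 3. Reset the password and force a change at next sign-in.
    http.call("PATCH", f"/users/{user_id}", {"passwordProfile": {
        "forceChangePasswordNextSignIn": True, "password": random_password()}})
    actions.append("password_reset")
    # 4. Enumerate authentication methods; flag any whose type reports a
    #    createdDateTime (e.g. Microsoft Authenticator, FIDO2) inside the
    #    compromise window. Types without that field need the audit log.
    methods = http.call("GET", f"/users/{user_id}/authentication/methods")
    review = [m for m in methods.get("value", [])
              if m.get("createdDateTime", "") >= compromise_started]
    return {"actions": actions, "review_methods": review,
            "access_token_note": "already-issued access tokens cannot be "
                                 "revoked; they remain valid until expiry"}
```

Against a tenant, construct `GraphHttp(token)` and call `contain_account(http, user_object_id, first_suspicious_signin_time)`; the returned review_methods list is what a responder removes before closing the incident, and the account is re-enabled only after that review.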

Abnormal Account Takeover Advanced Remediation Configuration.
Join Abnormal’s July 17 ThreatStream webinar for a deeper look at VENOM and modern credential harvesting attacks.