Digital Newsletter
Each week our editor Phil Alsop rounds up the most popular articles, videos and expert opinions. We compile this into a Digital Newsletter and send it straight to your inbox every week.
Digital Magazines
We'll let you know each time a new edition of Digitalisation World is released so that you're always kept up-to-date with the latest and greatest news and press releases.
Video Magazines
The Digitalisation World Video magazine contains the latest Zoom interviews with experts in the industry.
Recent findings from Barracuda examine the use of device code authentication in cyber attacks, where the technique is used to gain persistent access to services such as Microsoft 365 and Entra ID. Barracuda reports 7 million device code phishing attempts over a four-week period, with the activity associated with phishing-as-a-service tools such as the EvilTokens kit.
Device code authentication allows users to sign in on one device by entering a short code on another device, often used for devices with limited interfaces such as TVs, printers, or command line interface (CLI) tools. Device code phishing involves attackers encouraging users to enter a valid sign-in code on a legitimate login page, which results in authorising the attacker’s device.
In this method, attackers request a legitimate device code from Microsoft and use it in phishing messages to prompt users to authenticate via a real login page. Once authentication is completed, OAuth access and refresh tokens are issued, which can be used by the attacker.
Comparison with traditional phishing approaches includes:
Device code phishing can enable access to cloud-based email and identity systems without password theft or triggering some traditional alerting mechanisms.
Barracuda notes that this technique is being used in phishing-as-a-service models, which can increase the scale of such activity. The report also highlights mitigation measures including email filtering, identity protection controls, monitoring, restricting device authorisation flows, and user awareness around entering verification codes only in trusted contexts.
