Device code phishing: the new face of Microsoft 365 account takeover in healthcare
Dawn Halpin May 19, 2026
Attackers have a working method to bypass multifactor authentication in Microsoft 365 without ever stealing a password. It's called device code phishing, and two major email security vendors published warnings about it within five days of each other in May 2026.
Healthcare is unusually exposed: 53% of email-related healthcare breaches in 2025 happened on Microsoft 365, up from 43% in 2024, according to the Paubox 2026 Healthcare Email Security Report. Many of those organizations still treat MFA as the finish line. Device code phishing is what attackers do once that finish line moves.
What device code phishing is
Device code phishing abuses a legitimate Microsoft authentication flow called the OAuth 2.0 device authorization grant. The flow was designed for devices that don't have a keyboard, like smart TVs, conference room cameras, and printers. A device shows a short code on its screen, the user types that code into a browser on their phone or laptop, and the user's signed-in session is granted to the device.
The full mechanics are documented in RFC 8628, the IETF specification that defines the device authorization grant. Microsoft 365 implements this flow as part of its Entra ID identity platform.
The attack works like this:
- An attacker initiates a device code request against the target's Microsoft 365 tenant.
- Microsoft returns a short user code, typically eight characters.
- The attacker sends the target an email, a Teams message, or a calendar invite that includes the code and a link to the legitimate Microsoft login page.
- The lure usually tells the target this is part of an IT setup, a security check, or a vendor onboarding task.
- The target enters the code at the real Microsoft URL and signs in normally, including any MFA prompt.
- At that exact moment, Microsoft issues the session token to the attacker's device, not the target's.
The target sees a legitimate Microsoft sign-in page. The target completes a normal MFA challenge. Nothing on the target's screen looks wrong. The attacker walks away with a valid access token bound to the target's identity.
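To make the structural point concrete, here is an added toy RFC 8628 authorization server (constructed for this article, not Microsoft's or Paubox's code) that shows the token being collected by whoever holds the device_code, and where a conditional-access-style allow list can deny the grant. The class, method names and the verification URL are illustrative assumptions.

```python
import secrets, string

class DeviceGrantServer:
    """Toy RFC 8628 authorization server (constructed for illustration)."""
    def __init__(self, device_code_allowed):
        self.allowed = set(device_code_allowed)  # users a policy permits to use device code
        self.pending = {}                         # device_code -> grant state

    def device_authorization(self, client_id):
        """Step 1: whoever calls this endpoint receives both codes; the user is not involved."""
        device_code = secrets.token_urlsafe(32)
        user_code = "".join(secrets.choice(string.ascii_uppercase + string.digits) for _ in range(8))
        self.pending[device_code] = {"client_id": client_id, "user_code": user_code, "user": None}
        return {"device_code": device_code, "user_code": user_code,
                "verification_uri": "https://login.example/device"}  # constructed URL

    def verify(self, user_code, user, mfa_passed):
        """Step 2: the human types the short code at the real login page and clears MFA.
        Nothing in this step proves the code came from a device the user controls."""
        for state in self.pending.values():
            if state["user_code"] != user_code:
                continue
            if not mfa_passed:
                return "mfa_failed"
            if user not in self.allowed:          # conditional-access style block
                state["denied"] = True
                return "blocked_by_policy"
            state["user"] = user
            return "approved"
        return "unknown_code"

    def token(self, device_code):
        """Step 3: only the holder of device_code can collect the token."""
        state = self.pending.get(device_code)
        if state is None:
            return {"error": "invalid_grant"}
        if state.get("denied"):
            return {"error": "access_denied"}
        if state["user"] is None:
            return {"error": "authorization_pending"}
        return {"access_token": f"token-for-{state['user']}", "issued_to": state["client_id"]}

def walkthrough(allowed_users, user):
    """Run the three steps with a client that is not the user's own device."""
    srv = DeviceGrantServer(allowed_users)
    req = srv.device_authorization(client_id="requesting-client")
    outcome = srv.verify(req["user_code"], user, mfa_passed=True)
    return outcome, srv.token(req["device_code"])
```

The approved path returns a token for the verifying user but delivered to the requesting client, which is the whole problem; the policy path shows that the block has to happen before the user's approval is recorded.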
Why standard MFA does not stop it
Traditional MFA protects against credential theft. An attacker who steals a password still has to clear the second factor, and most second factors are tied to a physical device the attacker does not have.
Device code phishing steals the session that gets created after credentials are validated. The attacker never sees the password and never needs to bypass MFA, because the target performs the MFA. The session token is portable, and Microsoft has no way to know the device that initiated the request is not the device the user thinks they are signing in to.
Session-token theft has become the dominant credential attack pattern. The KnowBe4 Phishing Threat Trends Report Vol. 7 found that adversary-in-the-middle reverse-proxy attacks, a related session-stealing technique, surged 139.22% from September 2025 to March 2026. The share of link-based phishing carrying a reverse-proxy payload tripled in 2025, rising from 7.8% in January to 23.7% in December. Device code phishing fits this pattern. The attacker is after what the password protects.
Why healthcare gets hit harder
Three structural realities make device code phishing more dangerous for healthcare organizations than for most other industries.
Microsoft 365 concentration. 53% of email-related healthcare breaches in 2025 occurred on Microsoft 365, according to Paubox research. Healthcare has consolidated on the platform over the past five years, and the breach data has followed. Every device code campaign aimed at healthcare is aimed at that concentration.
Email is the front door. 58% of healthcare organizations were breached through email in the past 24 months, and 23% were breached more than once, according to the Healthcare Email Security Maturity Index 2026. Device code phishing is delivered by email, by Teams message, by calendar invite.
The encryption gap masks early signals. Paubox's 2026 Healthcare Email Security report found that 74% of breached healthcare domains had ineffective DMARC protection in 2025, up from 65% in 2024. Domain authentication is one of the early warning systems for impersonation-based lures, and most breached healthcare organizations do not have it working. The lure that delivers the device code request often impersonates a vendor, an IT admin, or a HITRUST auditor. Without DMARC enforcement, the spoofed sender renders normally in the inbox.
Layered on top: 64% of healthcare organizations have been hit by an AI-generated email attack, but only 38% have AI-based defenses fully deployed. Device code lures are increasingly AI-generated, with realistic tone, accurate org-chart references, and context-specific urgency.
The result is a target environment with high platform concentration, weak inbound filtering, and a known-effective delivery channel.
How to detect device code phishing in healthcare environments
There is no single control that blocks device code phishing. Detection and response have to happen at three layers.
At the email layer. Block the lure before it reaches the user. Most device code lures share telltale characteristics: an inbound message from an external or recently-impersonated sender, a short alphanumeric code in the body or attachment, and a Microsoft login URL. AI-powered inbound email security can flag these messages on tone and intent, not just sender reputation. This is the layer where Paubox Email Suite Plus operates: it analyzes the behavior and content of the message before the device code prompt ever reaches the target.
At the identity layer. Create conditional access policies in Microsoft Entra ID to block device code grants from device types and locations that should not be making them. A clinician's workstation has no reason to initiate a device code flow. Most healthcare orgs can disable the device code grant entirely for users who don't need it, then allow exceptions for the few who do. Microsoft publishes guidance on conditional access policies that target the device code flow specifically.
At the response layer. Monitor for risky sign-ins, unusual inbox rule changes, and outbound mail from internal accounts to external recipients. Inbox rule changes and outbound mail to external recipients are how attackers maintain hidden persistence after a successful device code grant, and they are also the highest-signal indicators that a takeover has already happened.
Pair detection with practiced response: revoke active sessions, force password reset, invalidate refresh tokens. Microsoft Entra ID supports session revocation through PowerShell and the Microsoft Graph API.
Where Paubox fits
Paubox Email Suite Plus uses generative AI to detect phishing, spoofing, and business email compromise, analyzing tone, sender behavior, and message intent. The device code phishing lure is exactly the kind of message that surfaces on those signals: spoofed sender, urgent IT framing, and a short code embedded in a Microsoft-branded layout.
For organizations setting up HIPAA compliant email as part of a broader account takeover defense, the inbound layer is the most effective place to invest. Stopping the lure means there is no device code to enter, no token to steal, and no breach notification letter to write.
What to do this week
If you run Microsoft 365 in a healthcare environment, do these three things before the end of the week:
- Audit who in your org needs the device code authentication flow. For everyone else, disable it through Entra ID conditional access. Most healthcare orgs find the population of legitimate users is small.
- Verify your DMARC configuration is set to a real enforcement policy (quarantine or reject), not just monitoring (none). Paubox research shows 74% of breached domains were not enforcing.
- Set an alert on inbox rule creation events that forward externally or auto-delete security folder messages. These are the loudest signals of a successful account takeover.
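The detection logic described in the identity and response layers above, and in the first, second and third items of this checklist, as one added example (not Paubox's code or Microsoft's): it flags device-code sign-ins from users outside the allow-listed population, inbox rules that forward externally or delete mail, correlates the two, and checks whether a DMARC record is actually enforcing. The log records are constructed; the sign-in field names follow the Microsoft Graph signIn resource and the inbox-rule records follow the Exchange New-InboxRule audit shape, both assumed here.

```python
# Constructed sample records (field shapes assumed, see lead-in).
SIGNINS = [
    {"userPrincipalName": "dr.lee@clinic.example", "authenticationProtocol": "deviceCode",
     "ipAddress": "203.0.113.7", "location": {"countryOrRegion": "NL"}},
    {"userPrincipalName": "av.tech@clinic.example", "authenticationProtocol": "deviceCode",
     "ipAddress": "198.51.100.4", "location": {"countryOrRegion": "US"}},
    {"userPrincipalName": "dr.lee@clinic.example", "authenticationProtocol": "oAuth2",
     "ipAddress": "198.51.100.9", "location": {"countryOrRegion": "US"}},
]
INBOX_RULES = [
    {"UserId": "dr.lee@clinic.example", "Operation": "New-InboxRule",
     "Parameters": {"Name": "sync", "ForwardTo": "drop@mail.example", "DeleteMessage": "True"}},
    {"UserId": "nurse.kim@clinic.example", "Operation": "New-InboxRule",
     "Parameters": {"Name": "tidy", "MoveToFolder": "Archive"}},
]
DEVICE_CODE_ALLOWED = {"av.tech@clinic.example"}   # the few who run keyboard-less devices
INTERNAL_DOMAIN = "clinic.example"
FORWARDING_KEYS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo")

def suspicious_device_code_signins(signins, allowed):
    """UPNs that completed a device-code grant without being on the allow list."""
    return sorted({s["userPrincipalName"] for s in signins
                   if s.get("authenticationProtocol") == "deviceCode"
                   and s["userPrincipalName"] not in allowed})

def suspicious_inbox_rules(events, internal_domain):
    """(user, reason) pairs for new rules that forward externally or delete mail."""
    hits = []
    for e in events:
        if e.get("Operation") != "New-InboxRule":
            continue
        p = e["Parameters"]
        for key in FORWARDING_KEYS:
            target = p.get(key, "")
            if target and not target.lower().endswith("@" + internal_domain):
                hits.append((e["UserId"], f"{key} -> {target}"))
        if str(p.get("DeleteMessage", "")).lower() == "true":
            hits.append((e["UserId"], "DeleteMessage"))
    return hits

def takeover_candidates(signins, events, allowed, internal_domain):
    """Users with an unexpected device-code grant AND a risky new inbox rule."""
    flagged = set(suspicious_device_code_signins(signins, allowed))
    return sorted(flagged & {u for u, _ in suspicious_inbox_rules(events, internal_domain)})

def dmarc_enforcing(txt_record):
    """True only when the DMARC p= tag is quarantine or reject (p=none is monitoring)."""
    tags = dict(t.strip().split("=", 1) for t in txt_record.split(";") if "=" in t)
    return tags.get("v") == "DMARC1" and tags.get("p", "none").lower() in ("quarantine", "reject")
```

In production the same functions would be fed from the Entra sign-in log export and the unified audit log rather than the inline samples.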
The Q1 2026 healthcare breach data already shows what happens when these layers are missing. Patient Protect's State of Compliance Q1 2026 report tracked 207 unique large healthcare breaches in the first quarter alone, affecting roughly 15.9 million individuals. Most of those breaches started with an inbound email that should have been caught.
Frequently asked questions
Does MFA prevent device code phishing?
Standard MFA does not prevent it. The target performs MFA correctly during the attack. The attacker receives the session token after MFA completes.
Is device code phishing a Microsoft 365 problem only?
No. Any platform that implements the OAuth 2.0 device authorization grant flow is potentially affected. Google Workspace supports the flow, and so do many SaaS applications. Microsoft 365 is the most-targeted environment in healthcare because of platform concentration, but the technique is portable.
What should I do if I think a user has already entered a device code from a phishing email?
Treat it as an active account takeover. Revoke all sessions for the user in Entra ID, force a password reset, and invalidate refresh tokens. Then audit inbox rules, sent mail from the account in the past 72 hours, and any cloud storage access. Inbox forwarding rules and outbound phishing to other users are the two earliest signs of an active takeover.
Why are vendors publishing about this now?
Device code phishing has been in researcher literature for several years. The technique moved into mainstream attacker tooling in late 2025, and detection telemetry across the email security industry began flagging it heavily in Q1 2026. Multiple email security vendors published warnings in May 2026, which is the signal that the technique has crossed from research curiosity to operational attacker playbook.