Risk Register — Device Code Authentication Abuse

A practical risk register template covering OAuth 2.0 Device Code phishing exposure in Microsoft 365 environments. Based on active threat intelligence from Storm-2372, TA2723, and the EvilTokens PhaaS ecosystem. See the companion article: Device Code Phishing — The Attack That Makes MFA Irrelevant

Likelihood × Impact Reference Matrix

                      Low Impact   Medium Impact   High Impact   Critical Impact
High Likelihood       Medium       High            Critical      Critical
Medium Likelihood     Low          Medium          High          Critical
Low Likelihood        Low          Low             Medium        High
Very Low Likelihood   Low          Low             Low           Medium

Risk Entries
IAM-001 Device Code Flow Abuse / OAuth Token Hijacking
INHERENT: CRITICAL   RESIDUAL: HIGH

Description: Attacker initiates OAuth 2.0 Device Authorization Flow against the tenant IdP, socially engineers a user into entering the resulting user_code, and collects a valid Bearer + refresh token without stealing credentials or bypassing MFA.

Likelihood: High — technique is commodity-level, available via PhaaS kits, actively targeting M365 tenants globally as of Q1 2026.

Impact: Critical — full account access, persistent via refresh token, survives password resets without explicit revocation.

Current controls: MFA enforced, Conditional Access policies in place (general). Device Code Flow not explicitly restricted.

Treatment:
T-01 Configure Conditional Access Authentication Flows policy to block Device Code Flow tenant-wide.
T-02 If Device Code Flow is required for specific use cases, restrict via Named Locations (trusted IPs) and approved user groups only.
T-03 Deploy user awareness module: "Any code prompt you didn't initiate is suspicious — report it immediately."

NIST CSF 2.0: GV.RM-01, ID.RA-01, PR.AA-05, DE.CM-01, RS.MI-02

IAM-002 Refresh Token Persistence
INHERENT: HIGH   RESIDUAL: MEDIUM

Description: Following a successful device code phishing attack, the attacker holds a long-lived refresh token providing persistent access. Standard remediation (password reset, MFA reset) does not invalidate refresh tokens without explicit revocation.

Likelihood: Medium — contingent on successful IAM-001 exploitation. Dwell time risk is high once access is obtained.

Impact: High — persistent access survives common remediation steps, extending attacker dwell time significantly.

Current controls: Account monitoring, periodic access reviews. Token revocation procedure not formally documented in IR runbook.

Treatment:
T-01 Document and test token revocation: Entra ID → Users → Revoke Sessions + invalidate refresh tokens via revokeSignInSessions API.
T-02 Include token revocation as a mandatory step in the identity compromise IR runbook.
T-03 Alert on refresh token use from new device fingerprint or geographic location post-revocation.

NIST CSF 2.0: PR.AA-05, DE.CM-09, RS.MI-02, RC.RP-01

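The revocation step in T-01 and the "test it" requirement deserve a concrete runbook artifact. The script below is an added example written for this register, not code from the page or from Microsoft: it calls the Graph revokeSignInSessions action for one user and then verifies the revocation by reading the user's signInSessionsValidFromDateTime. The tenant, the user principal name and the bearer token are placeholders; the DryRunGraph class is a constructed stand-in for urllib's opener so the runbook can be rehearsed offline.

```python
"""Identity-compromise runbook step (IAM-002 T-01): revoke a user's refresh
tokens and session cookies through Microsoft Graph revokeSignInSessions, then
verify the revocation took effect by reading signInSessionsValidFromDateTime."""
import json
import urllib.error
import urllib.request
from datetime import datetime, timedelta, timezone

GRAPH = "https://graph.microsoft.com/v1.0"


def _parse_graph_time(value):
    """Graph returns ISO-8601 UTC with up to 7 fractional digits; keep seconds."""
    return datetime.strptime(value[:19], "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def graph_call(method, path, token, opener=urllib.request.urlopen):
    """One Graph request -> (HTTP status, parsed JSON body or None).

    `opener` is injectable so the runbook can be rehearsed without a tenant.
    """
    req = urllib.request.Request(GRAPH + path, method=method, headers={
        "Authorization": "Bearer " + token,
        "Content-Type": "application/json",
    })
    try:
        with opener(req) as resp:
            raw = resp.read()
            return resp.status, (json.loads(raw) if raw else None)
    except urllib.error.HTTPError as err:
        return err.code, None


def revoke_user_sessions(user, token, opener=urllib.request.urlopen):
    """Revoke all sessions for `user` (UPN or object ID) and verify.

    Caveats worth keeping in the runbook: (1) the call invalidates refresh
    tokens and browser session cookies, but access tokens already issued
    remain valid until they expire, so 'revoked' is not yet 'attacker is
    out'; (2) propagation of the new signInSessionsValidFromDateTime can take
    a few minutes, so re-run the check if `verified` is False at first.
    """
    started = datetime.now(timezone.utc)
    status, body = graph_call("POST", f"/users/{user}/revokeSignInSessions",
                              token, opener)
    revoked = status == 200 and bool((body or {}).get("value"))

    _, user_obj = graph_call(
        "GET", f"/users/{user}?$select=id,signInSessionsValidFromDateTime",
        token, opener)
    valid_from = (user_obj or {}).get("signInSessionsValidFromDateTime")
    verified = bool(valid_from) and (
        _parse_graph_time(valid_from) >= started - timedelta(minutes=1))
    return {"user": user, "revoked": revoked,
            "sessions_valid_from": valid_from, "verified": verified}


class DryRunGraph:
    """Constructed stand-in for urllib.request.urlopen that answers the two
    endpoints above the way a healthy tenant would, for offline rehearsal."""

    class _Resp:
        def __init__(self, payload):
            self.status, self._payload = 200, payload

        def read(self):
            return json.dumps(self._payload).encode()

        def __enter__(self):
            return self

        def __exit__(self, *exc):
            return False

    def __init__(self):
        self.calls = []

    def __call__(self, req):
        self.calls.append((req.get_method(), req.full_url))
        if req.get_method() == "POST":
            return self._Resp({"value": True})
        now = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
        return self._Resp({"id": "00000000-0000-0000-0000-000000000000",
                           "signInSessionsValidFromDateTime": now})


if __name__ == "__main__":
    # Rehearsal against the dry-run stand-in. For a real tenant, pass a Graph
    # token that holds User.ReadWrite.All and leave `opener` at its default.
    print(revoke_user_sessions("victim@contoso.example", "<token>", DryRunGraph()))
```

Run it as-is to rehearse the step; in a live incident the verification read is what you paste into the ticket, because the portal's "Revoke Sessions" button gives no durable evidence that the timestamp actually moved.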
IAM-003 Privileged Account Takeover via First-Party App Abuse
INHERENT: CRITICAL   RESIDUAL: HIGH

Description: Attackers target privileged accounts using first-party Microsoft Client IDs (e.g., Microsoft Authentication Broker). These apps are pre-trusted in every Entra tenant and suppress the OAuth consent prompt, removing a key visual indicator for the victim.

Likelihood: Medium — requires targeted reconnaissance, but nation-state and financially motivated actors both demonstrate this TTP.

Impact: Critical — privileged account compromise enables lateral movement, data exfiltration, and persistent backdoor creation.

Current controls: PIM enforced, MFA on admin accounts, limited standing admin access. Device Code Flow not scoped by role.

Treatment:
T-01 Apply Conditional Access Device Code Flow block scoped specifically to privileged/admin roles as highest priority implementation.
T-02 Monitor Entra ID sign-in logs for Device Code authentication events on admin accounts — generate critical alert immediately.
T-03 Conduct tabletop exercise simulating privileged account compromise via this vector to validate IR readiness.

NIST CSF 2.0: GV.RM-02, ID.RA-04, PR.AA-02, PR.AA-05, DE.CM-01, RS.CO-02

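IAM-001 T-01/T-02 and IAM-003 T-01 all come down to the same Conditional Access object: a policy whose authentication-flows condition names deviceCodeFlow and whose grant control is block. The code below is an added example for this register, not the page's own material or Microsoft tooling: it builds that policy body in the Microsoft Graph conditionalAccessPolicy shape (tenant-wide, role-scoped, or with the named-location and approved-group carve-outs from T-02) and audits a list of existing policies for coverage, including the common gap where the policy exists but is report-only. The Global Administrator role template ID is a fixed Entra value; group and named-location IDs are placeholders.

```python
"""Build and audit Entra Conditional Access policies that block the OAuth 2.0
device code flow, using the Microsoft Graph conditionalAccessPolicy JSON
shape (conditions.authenticationFlows.transferMethods = "deviceCodeFlow")."""
import json

# Directory role template ID for Global Administrator (fixed Entra value).
GLOBAL_ADMIN_ROLE = "62e90394-69f5-4237-9190-012177145e10"


def device_code_block_policy(display_name, *, include_users=("All",),
                             include_roles=(), exclude_groups=(),
                             exclude_locations=(), state="enabled"):
    """Return a policy body that blocks the device code grant.

    exclude_groups    -> object IDs carved out (break-glass accounts, or the
                         approved device-code user group from IAM-001 T-02)
    exclude_locations -> named-location IDs (trusted IPs) where the flow
                         stays allowed
    """
    conditions = {
        "users": {
            "includeUsers": list(include_users),
            "includeRoles": list(include_roles),
            "excludeGroups": list(exclude_groups),
        },
        "applications": {"includeApplications": ["All"]},
        # This condition scopes the policy to the device code grant; without
        # it the block would apply to every sign-in.
        "authenticationFlows": {"transferMethods": "deviceCodeFlow"},
    }
    if exclude_locations:
        conditions["locations"] = {
            "includeLocations": ["All"],
            "excludeLocations": list(exclude_locations),
        }
    return {
        "displayName": display_name,
        "state": state,
        "conditions": conditions,
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }


def blocks_device_code(policy):
    """True only if the policy is enforced (not report-only or disabled),
    targets the device code flow and its grant control is 'block'."""
    if policy.get("state") != "enabled":
        return False
    flows = (policy.get("conditions") or {}).get("authenticationFlows") or {}
    methods = {m.strip() for m in (flows.get("transferMethods") or "").split(",")}
    if "deviceCodeFlow" not in methods:
        return False
    controls = (policy.get("grantControls") or {}).get("builtInControls") or []
    return "block" in controls


def audit_device_code_coverage(policies, admin_roles=(GLOBAL_ADMIN_ROLE,)):
    """Summarise which scopes have an enforced device code block.

    tenant_wide       -> some policy targets 'All' users with no trusted-
                         location carve-out (IAM-001 T-01)
    privileged_roles  -> per role: covered by the tenant-wide block or by a
                         policy listing the role in includeRoles (IAM-003 T-01)
    group_exclusions  -> groups excluded from any blocking policy; check by
                         hand that no privileged user is a member
    """
    result = {"tenant_wide": False,
              "privileged_roles": {r: False for r in admin_roles},
              "group_exclusions": []}
    for p in policies:
        if not blocks_device_code(p):
            continue
        users = p["conditions"].get("users") or {}
        locs = p["conditions"].get("locations") or {}
        result["group_exclusions"] += users.get("excludeGroups") or []
        if locs.get("excludeLocations"):
            continue  # trusted-location carve-out: not a full block
        if "All" in (users.get("includeUsers") or []):
            result["tenant_wide"] = True
            result["privileged_roles"] = {r: True for r in admin_roles}
        for role in users.get("includeRoles") or []:
            if role in result["privileged_roles"]:
                result["privileged_roles"][role] = True
    return result


if __name__ == "__main__":
    # Example state: only the admin-scoped block exists (IAM-003 T-01 done,
    # IAM-001 T-01 still open). The body is what you would POST to
    # /identity/conditionalAccess/policies on Graph v1.0.
    admin_block = device_code_block_policy(
        "CA - Block device code flow - privileged roles",
        include_users=(), include_roles=(GLOBAL_ADMIN_ROLE,))
    print(json.dumps(admin_block, indent=2))
    print(audit_device_code_coverage([admin_block]))
```

Feed audit_device_code_coverage the JSON returned by a GET on the policies collection to turn the "Device Code Flow not scoped by role" control statement into something you can re-check on a schedule; the report-only check matters because a policy left in enabledForReportingButNotEnforced state shows up in the portal but blocks nothing.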
SEC-011 Insufficient Detection Coverage for OAuth Abuse Patterns
INHERENT: HIGH   RESIDUAL: MEDIUM

Description: SIEM rules are tuned for credential-based attacks. OAuth token abuse — Device Code Flow, token replay, refresh token persistence — may not generate alerts under current detection logic.

Likelihood: High — detection gap is common across most organizations. Credential-attack tuning is well understood; authorization-layer abuse is not.

Impact: High — undetected compromise enables extended dwell time and secondary objectives before discovery.

Current controls: SIEM deployed, general sign-in alerting configured. No specific rules for deviceCode auth method or OAuth abuse patterns.

Treatment:
T-01 Write SIEM detection rule for deviceCode authentication method in Entra ID sign-in logs.
T-02 Alert on deviceCode auth events for privileged accounts — treat as critical priority, page on-call immediately.
T-03 Alert on refresh token use from new device fingerprint or geographic location.
T-04 Review first-party app authentication events for anomalous patterns — client IDs, token issuance times, IP correlation.
T-05 Accept residual risk for low-privilege accounts where Device Code Flow is blocked via Conditional Access (risk reduced to low).

NIST CSF 2.0: ID.RA-01, DE.CM-01, DE.CM-09, DE.AE-02, RS.AN-03

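The detection rules in T-01 to T-03 (and the admin-account alerting in IAM-003 T-02 and IAM-002 T-03) can be expressed against the fields Entra ID already exports. The script below is an added example written for this register, not the page's own rule set: it runs that logic over constructed sign-in records in the Microsoft Graph signIn JSON shape (authenticationProtocol, appId, ipAddress, location, deviceDetail, status), builds a per-user baseline of known device/country pairs, and raises the device code alert at critical severity for privileged accounts and a separate post-revocation rule for unknown-device sign-ins after a revocation timestamp. The sample records, the user names and the PRIVILEGED_USERS set are constructed; in production the privileged set would come from PIM or directory role membership.

```python
"""Detection logic for OAuth device code abuse over Entra ID sign-in records
in the Microsoft Graph `signIn` JSON shape. Covers SEC-011 T-01..T-03 and the
admin / post-revocation alerting in IAM-003 T-02 and IAM-002 T-03."""
import json
from datetime import datetime, timezone

# Constructed sample: one day of normal activity, then a device code sign-in
# on the admin account and a later sign-in from the same unknown device.
SAMPLE_SIGNINS = """
{"createdDateTime":"2026-03-01T08:00:00Z","userPrincipalName":"alice@contoso.example","appId":"app-1","appDisplayName":"Office 365 Exchange Online","authenticationProtocol":"oAuth2","ipAddress":"203.0.113.10","location":{"countryOrRegion":"GB"},"deviceDetail":{"deviceId":"dev-alice-laptop"},"status":{"errorCode":0}}
{"createdDateTime":"2026-03-01T08:05:00Z","userPrincipalName":"ga-admin@contoso.example","appId":"app-1","appDisplayName":"Office 365 Exchange Online","authenticationProtocol":"oAuth2","ipAddress":"203.0.113.11","location":{"countryOrRegion":"GB"},"deviceDetail":{"deviceId":"dev-admin-paw"},"status":{"errorCode":0}}
{"createdDateTime":"2026-03-02T09:10:00Z","userPrincipalName":"ga-admin@contoso.example","appId":"app-2","appDisplayName":"Microsoft Authentication Broker","authenticationProtocol":"deviceCode","ipAddress":"198.51.100.7","location":{"countryOrRegion":"NL"},"deviceDetail":{"deviceId":""},"status":{"errorCode":0}}
{"createdDateTime":"2026-03-02T09:12:00Z","userPrincipalName":"alice@contoso.example","appId":"app-1","appDisplayName":"Office 365 Exchange Online","authenticationProtocol":"oAuth2","ipAddress":"203.0.113.10","location":{"countryOrRegion":"GB"},"deviceDetail":{"deviceId":"dev-alice-laptop"},"status":{"errorCode":0}}
{"createdDateTime":"2026-03-02T14:30:00Z","userPrincipalName":"ga-admin@contoso.example","appId":"app-1","appDisplayName":"Office 365 Exchange Online","authenticationProtocol":"oAuth2","ipAddress":"198.51.100.7","location":{"countryOrRegion":"NL"},"deviceDetail":{"deviceId":""},"status":{"errorCode":0}}
"""
# Hypothetical privileged set; in production derive it from PIM / directory roles.
PRIVILEGED_USERS = {"ga-admin@contoso.example"}


def _ts(value):
    return datetime.strptime(value[:19], "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def _fingerprint(rec):
    """(deviceId, country) pair; a missing device ID is itself a signal."""
    dev = (rec.get("deviceDetail") or {}).get("deviceId") or "<no device id>"
    country = (rec.get("location") or {}).get("countryOrRegion") or "<unknown>"
    return dev, country


def load_signins(text):
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def build_baseline(records, before):
    """Per-user set of (deviceId, country) pairs from successful sign-ins
    earlier than `before`; this is the 'known device' reference for T-03."""
    baseline = {}
    for rec in records:
        ok = (rec.get("status") or {}).get("errorCode", 0) == 0
        if not ok or _ts(rec["createdDateTime"]) >= before:
            continue
        baseline.setdefault(rec["userPrincipalName"].lower(), set()).add(_fingerprint(rec))
    return baseline


def detect(records, baseline, privileged=PRIVILEGED_USERS, revoked_at=None):
    """Return alerts for the window. `revoked_at` maps UPN -> datetime of the
    last token revocation; unknown-device sign-ins after it get the
    higher-priority post-revocation rule (IAM-002 T-03)."""
    revoked_at = revoked_at or {}
    alerts = []
    for rec in records:
        upn = rec["userPrincipalName"].lower()
        when = _ts(rec["createdDateTime"])
        succeeded = (rec.get("status") or {}).get("errorCode", 0) == 0
        # T-01 / T-02 / IAM-003 T-02: every device code authentication is
        # alert-worthy; on a privileged account it is critical (page on-call).
        if rec.get("authenticationProtocol") == "deviceCode":
            alerts.append({"rule": "device-code-auth",
                           "severity": "critical" if upn in privileged else "high",
                           "user": upn, "app": rec.get("appDisplayName"),
                           "appId": rec.get("appId"), "ip": rec.get("ipAddress"),
                           "time": rec["createdDateTime"]})
        # T-03: successful sign-in from a device/location this user has never
        # used; after a revocation this is the refresh-token replay case.
        fp = _fingerprint(rec)
        if succeeded and upn in baseline and fp not in baseline[upn]:
            post_revoke = upn in revoked_at and when >= revoked_at[upn]
            alerts.append({"rule": "post-revocation-unknown-device" if post_revoke
                           else "unknown-device-or-location",
                           "severity": "critical" if (post_revoke or upn in privileged) else "medium",
                           "user": upn, "device": fp[0], "country": fp[1],
                           "ip": rec.get("ipAddress"), "time": rec["createdDateTime"]})
    return alerts


def run_sample():
    """Baseline = 1 March, detection window = 2 March, admin revoked at 09:30."""
    records = load_signins(SAMPLE_SIGNINS)
    cutoff = datetime(2026, 3, 2, tzinfo=timezone.utc)
    baseline = build_baseline(records, cutoff)
    window = [r for r in records if _ts(r["createdDateTime"]) >= cutoff]
    revoked = {"ga-admin@contoso.example": datetime(2026, 3, 2, 9, 30, tzinfo=timezone.utc)}
    return detect(window, baseline, revoked_at=revoked)


if __name__ == "__main__":
    for alert in run_sample():
        print(json.dumps(alert))
```

On the sample the admin's device code sign-in raises two alerts (the deviceCode rule and the unknown-device rule), and the 14:30 sign-in from the same device after the 09:30 revocation raises the post-revocation rule, which is the signal that the revocation step in IAM-002 was incomplete or that a token issued before it is still being replayed. The same logic translates directly to a SIEM query keyed on the AuthenticationProtocol and DeviceDetail columns of the sign-in log table.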
NIST CSF 2.0 Full Mapping

Function   Subcategory                        Relevance
GOVERN     GV.RM-01, GV.RM-02                 Risk tolerance and context established for identity and authorization attack vectors
IDENTIFY   ID.RA-01, ID.RA-04                 Threat intelligence on device code phishing actors (Storm-2372, TA2723, EvilTokens); risk to privileged assets identified
PROTECT    PR.AA-02, PR.AA-05                 Conditional Access blocking Device Code Flow; privileged account access controls; token lifecycle management
DETECT     DE.CM-01, DE.CM-09, DE.AE-02       SIEM rules for deviceCode auth events; refresh token anomaly detection; OAuth abuse pattern alerting
RESPOND    RS.MI-02, RS.AN-03, RS.CO-02       Token revocation runbook; IR analysis for OAuth abuse; communications for privileged account compromise events