Device-code phishing surged through 2025 because it sidesteps MFA. The fix is a Conditional Access policy, and the hard part is the legacy apps it must not break.
Draft outline · Security / UX tension lens

OAuth device-code phishing rose sharply through 2025, hitting hundreds of Microsoft 365 organisations (Storm-2372 among the actors). The attacker starts a device code flow, sends the victim the user code under a plausible pretext, and the victim enters it on the genuine Microsoft device-login page, completing password and MFA there. The tokens are then issued to the session the attacker started: no credential-harvesting page, and MFA is satisfied by the victim rather than bypassed, which is why it is hard to train users out of. Microsoft's own guidance is a Conditional Access policy that blocks the device code flow via the authentication flows condition. The engineering challenge is doing that without locking out the legacy and headless apps (CLI tools, kiosks, build agents) that legitimately depend on the flow.
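Worked example, added here and not part of the outline or of Microsoft's documentation: inventory device-code sign-ins from sign-in records shaped like Microsoft Graph `/auditLogs/signIns` objects, draft the Conditional Access policy body in report-only state, and list the accounts enforcement would actually block. The resource shapes (`signIn.authenticationProtocol`, `conditionalAccessPolicy` with the `authenticationFlows` condition) are real Graph structures; the sign-in records, GUIDs, user IDs and group membership are constructed for the example.

```python
"""Block OAuth device code flow with Conditional Access without breaking legacy apps.

Added example, not code from the original outline or from Microsoft. Sign-in
records follow the shape of Graph /auditLogs/signIns (authenticationProtocol is
"deviceCode" for this flow); the policy body follows the Graph
conditionalAccessPolicy resource. All IDs, names and memberships are constructed.
"""
from collections import defaultdict
import json

# Hypothetical object IDs (constructed, not real groups or accounts).
LEGACY_DEVICE_CODE_GROUP = "11111111-1111-1111-1111-111111111111"
BREAK_GLASS_ACCOUNT = "22222222-2222-2222-2222-222222222222"

# Constructed sample sign-ins, trimmed to the fields this example reads.
SAMPLE_SIGNINS = [
    {"createdDateTime": "2025-03-02T08:11:00Z", "userId": "u-build",
     "userPrincipalName": "build-svc@contoso.example",
     "appDisplayName": "Azure CLI", "authenticationProtocol": "deviceCode"},
    {"createdDateTime": "2025-03-02T09:40:00Z", "userId": "u-alice",
     "userPrincipalName": "alice@contoso.example",
     "appDisplayName": "Microsoft Authentication Broker", "authenticationProtocol": "deviceCode"},
    {"createdDateTime": "2025-03-02T10:05:00Z", "userId": "u-bob",
     "userPrincipalName": "bob@contoso.example",
     "appDisplayName": "Outlook", "authenticationProtocol": "oAuth2"},
    {"createdDateTime": "2025-03-03T07:15:00Z", "userId": "u-kiosk",
     "userPrincipalName": "kiosk-01@contoso.example",
     "appDisplayName": "Azure CLI", "authenticationProtocol": "deviceCode"},
]

# Constructed group membership: the accounts we have decided genuinely need the flow.
GROUP_MEMBERS = {LEGACY_DEVICE_CODE_GROUP: {"u-build", "u-kiosk"}}


def device_code_inventory(signins):
    """Map app display name -> sorted UPNs that signed in with device code.

    Build this from 30-90 days of sign-in logs before writing exclusions:
    anything absent from it does not need the flow and gets no exception.
    """
    by_app = defaultdict(set)
    for s in signins:
        if s.get("authenticationProtocol") == "deviceCode":
            by_app[s["appDisplayName"]].add(s["userPrincipalName"])
    return {app: sorted(users) for app, users in sorted(by_app.items())}


def build_device_code_block_policy(name, exclude_groups=(), exclude_users=(), report_only=True):
    """Return a Graph conditionalAccessPolicy body that blocks the device code flow
    for all users and all cloud apps except the excluded groups/users.

    Start in report-only state and switch to "enabled" only after the
    report-only sign-in logs show just the expected accounts would be blocked.
    Submit with POST /identity/conditionalAccess/policies (Policy.ReadWrite.ConditionalAccess).
    """
    return {
        "displayName": name,
        "state": "enabledForReportingButNotEnforced" if report_only else "enabled",
        "conditions": {
            "users": {
                "includeUsers": ["All"],
                "excludeGroups": list(exclude_groups),
                "excludeUsers": list(exclude_users),  # break-glass accounts always go here
            },
            "applications": {"includeApplications": ["All"]},
            "clientAppTypes": ["all"],
            # The "Authentication flows" condition: this is what targets device code.
            "authenticationFlows": {"transferMethods": "deviceCodeFlow"},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }


def accounts_policy_would_block(signins, policy, group_members):
    """Sorted UPNs that used device code and are NOT covered by the policy's
    user/group exclusions, i.e. what enforcement would break. Run this against
    the inventory before flipping the state from report-only to enabled."""
    users = policy["conditions"]["users"]
    excluded_ids = set(users["excludeUsers"])
    for group_id in users["excludeGroups"]:
        excluded_ids |= group_members.get(group_id, set())
    blocked = set()
    for s in signins:
        if s.get("authenticationProtocol") == "deviceCode" and s["userId"] not in excluded_ids:
            blocked.add(s["userPrincipalName"])
    return sorted(blocked)


if __name__ == "__main__":
    inventory = device_code_inventory(SAMPLE_SIGNINS)
    policy = build_device_code_block_policy(
        "CA - Block device code flow",
        exclude_groups=[LEGACY_DEVICE_CODE_GROUP],
        exclude_users=[BREAK_GLASS_ACCOUNT],
    )
    print("Device-code usage by app:", json.dumps(inventory, indent=2))
    print("Policy body:", json.dumps(policy, indent=2))
    print("Would be blocked on enforcement:",
          accounts_policy_would_block(SAMPLE_SIGNINS, policy, GROUP_MEMBERS))
```

In the constructed data the build and kiosk accounts are in the exclusion group, so the only account enforcement would block is alice, whose device-code sign-in to a first-party client she never installed is exactly the pattern the policy is meant to stop. Real exclusions should be a tightly governed group, reviewed on a schedule, because every member is a standing exception to the control.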
Primary source describing the device-code technique and the Conditional Access mitigation.
Independent reporting on the scale and targets of the 2025 campaigns.
Security-led but framed around the real tension a practitioner faces: controls that users and old apps route around are worthless. It shows we sweat the rollout, which is where identity projects actually fail.