MFA bypass attacks: how Device Code phishing steals sessions

Key Takeaways

- Device Code phishing lets attackers obtain persistent access without stealing credentials or triggering MFA alerts
- Traditional email defenses and credential monitoring often miss session token theft attacks
- Behavioral AI can detect unusual account activity that conventional security controls overlook
Multi-factor authentication remains one of the most recommended security controls, yet attackers have found ways around it. Device Code phishing exploits legitimate Microsoft authentication workflows, letting attackers gain persistent access to corporate accounts without stealing a single password. BleepingComputer will host a webinar on July 8, 2026, examining these techniques and how behavioral AI can detect what traditional defenses miss.
The webinar, titled "Stop chasing alerts: Automating email security with behavioral AI," features Dan Nickolaisen from Abnormal AI and Eric Danneker of Novant Health's Cyber Vigilance team. It targets security professionals dealing with a frustrating reality: their MFA deployments work exactly as designed, yet accounts still get compromised.
How Device Code phishing defeats MFA
The attack works by tricking the user into completing a legitimate Microsoft authentication flow on behalf of the attacker. The attacker starts a device code sign-in, receives a short user code from Microsoft, and delivers that code to the victim inside a lure. The user opens the genuine Microsoft device login page, types in the code, enters their real credentials, and completes a real MFA challenge. Nothing appears suspicious. But the access and refresh tokens generated by that authentication are issued to whoever started the flow and holds the matching device code, which is the attacker, not the user.
This matters because those tokens grant ongoing access to email, cloud applications, and corporate resources, and the refresh token can be exchanged for new access tokens for as long as its lifetime and the tenant's policies allow. The attacker never needs to bypass MFA because the victim completed it for them. From the identity provider's perspective the sign-in succeeded with the right password and the right second factor, so controls that look for stolen credentials or brute-force attempts see nothing unusual.
FBI data shows business email compromise cost organizations $2.9 billion in 2023 alone. That figure explains why attackers invest effort in sophisticated techniques. The payoff is substantial, and session token theft provides access that persists far longer than a phished password would.
Why traditional email security fails here
Conventional email security tools focus on known malicious indicators: suspicious URLs, attachment types, sender reputation. Credential monitoring watches for leaked passwords on dark web forums. MFA protections assume attackers need the second factor. None of these controls address an attack where the user completes legitimate authentication on a legitimate Microsoft page.
Security teams often discover compromises only after damage occurs. An account sends unusual emails. Cloud storage shows unexpected access patterns. By then, attackers may have already exfiltrated data or initiated wire transfers. The investigation workload falls on already-stretched SOC analysts piecing together what happened.
What behavioral AI detects that rules miss
Abnormal AI's approach, which the webinar will detail, monitors account activity patterns rather than known attack signatures. An account suddenly accessed from an unusual location. Email forwarding rules created unexpectedly. Messages sent to contacts the user has never emailed before. These behavioral signals can indicate compromise even when the initial access appeared legitimate.
The company claims this approach reduces investigation workloads by automating the correlation of suspicious signals. Instead of analysts manually connecting dots across email logs, cloud access records, and authentication events, the system surfaces accounts exhibiting multiple anomalies for prioritized review.
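The correlation described above can be prototyped without any vendor product. The following is an added example written for this page, not Abnormal AI's code: a small scorer that runs over constructed sign-in and mailbox-audit records, builds each user's country baseline as it goes, and adds weight when an inbox forwarding rule appears shortly after a device-code sign-in. The JSON field names (`protocol`, `op`, `params`, and so on), the weights, the threshold and the sample accounts are all assumptions for the illustration, not any platform's exact log schema.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry for this example. Field names are a simplified
# model of sign-in and mailbox-audit events, not a vendor's exact schema.
SIGN_INS = """
{"ts":"2026-06-01T09:02:00Z","user":"alice@corp.example","ip":"203.0.113.10","country":"US","protocol":"oauth2","app":"Outlook","result":"success"}
{"ts":"2026-06-01T09:15:00Z","user":"bob@corp.example","ip":"203.0.113.11","country":"US","protocol":"oauth2","app":"Teams","result":"success"}
{"ts":"2026-06-02T10:30:00Z","user":"alice@corp.example","ip":"203.0.113.10","country":"US","protocol":"oauth2","app":"Outlook","result":"success"}
{"ts":"2026-06-03T14:05:00Z","user":"bob@corp.example","ip":"198.51.100.7","country":"NL","protocol":"deviceCode","app":"cli-tool","result":"success"}
{"ts":"2026-06-03T14:20:00Z","user":"bob@corp.example","ip":"198.51.100.7","country":"NL","protocol":"oauth2","app":"Outlook","result":"success"}
"""

MAILBOX_AUDIT = """
{"ts":"2026-06-03T14:41:00Z","user":"bob@corp.example","op":"New-InboxRule","params":{"ForwardTo":"archive@mail.example","DeleteMessage":true}}
{"ts":"2026-06-02T11:00:00Z","user":"alice@corp.example","op":"New-InboxRule","params":{"MoveToFolder":"Newsletters"}}
"""

FORWARDING_PARAMS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo")
WEIGHTS = {                      # assumed weights; tune against your own data
    "device_code_signin": 2,
    "new_country": 2,
    "forwarding_rule": 3,
    "forwarding_after_device_code": 2,
}
ALERT_THRESHOLD = 5


def parse_jsonl(text: str) -> list[dict]:
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def parse_ts(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def score_accounts(sign_in_text: str, audit_text: str, window: timedelta = timedelta(hours=24)) -> dict:
    """Correlate per-account anomalies; return {user: {"score": int, "signals": [...]}}."""
    sign_ins = sorted(parse_jsonl(sign_in_text), key=lambda e: e["ts"])  # ISO timestamps sort lexically
    audit = parse_jsonl(audit_text)
    findings: dict = defaultdict(lambda: {"score": 0, "signals": []})
    seen_countries: dict = defaultdict(set)      # per-user baseline, learned in time order
    device_code_times: dict = defaultdict(list)  # user -> times of device-code sign-ins

    def add(user: str, signal: str, detail: str) -> None:
        findings[user]["score"] += WEIGHTS[signal]
        findings[user]["signals"].append(f"{signal}: {detail}")

    for e in sign_ins:
        if e["result"] != "success":
            continue
        user, when = e["user"], parse_ts(e["ts"])
        if e["protocol"] == "deviceCode":
            device_code_times[user].append(when)
            add(user, "device_code_signin", f'{e["ts"]} app={e["app"]}')
        # A country is "new" only once the user has a baseline to compare against.
        if seen_countries[user] and e["country"] not in seen_countries[user]:
            add(user, "new_country", f'{e["country"]} (baseline {sorted(seen_countries[user])})')
        seen_countries[user].add(e["country"])

    for a in audit:
        if a["op"] != "New-InboxRule":
            continue
        targets = {k: v for k, v in a["params"].items() if k in FORWARDING_PARAMS}
        if not targets:  # rules that only move or tag mail are not exfiltration signals here
            continue
        user, when = a["user"], parse_ts(a["ts"])
        add(user, "forwarding_rule", f"{a['ts']} {targets}")
        if any(timedelta(0) <= when - t <= window for t in device_code_times[user]):
            add(user, "forwarding_after_device_code", f"within {window} of a device-code sign-in")

    return dict(findings)


def find_compromised(sign_in_text: str, audit_text: str, threshold: int = ALERT_THRESHOLD) -> dict:
    """Accounts whose combined anomaly score reaches the alert threshold."""
    return {u: f for u, f in score_accounts(sign_in_text, audit_text).items() if f["score"] >= threshold}


if __name__ == "__main__":
    for user, finding in find_compromised(SIGN_INS, MAILBOX_AUDIT).items():
        print(user, finding["score"])
        for s in finding["signals"]:
            print("  -", s)
```

On the sample data `bob@corp.example` is surfaced with four correlated signals, while `alice@corp.example`, whose only rule moves mail to a folder, produces none. In a real deployment the device-code signal is available directly: Microsoft Entra sign-in logs record the authentication protocol of each sign-in, so a device-code sign-in for a user who has never used that flow is itself a cheap, high-value indicator to start from.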
The webinar promises to cover practical detection strategies, not just vendor pitches. Topics include how SOC teams can identify Device Code phishing attempts, what behavioral indicators suggest account takeover, and how automation can compress response times when compromises occur.
The broader shift in phishing tactics
Device Code phishing represents a larger trend. Attackers increasingly target authentication workflows rather than credentials. Adversary-in-the-middle (AiTM) tools like Evilginx and Modlishka intercept sessions in real time. Industry reports suggest AiTM attacks increased over 1,000% between 2022 and 2023.
The shift demands a corresponding change in defense thinking. MFA remains valuable because it blocks the vast majority of opportunistic attacks. But organizations handling sensitive data or high-value transactions need additional detection layers. Assuming MFA handles account security creates blind spots sophisticated attackers exploit.
What the July 8 webinar covers
- How Device Code phishing works and why it bypasses credential theft protections
- Why modern phishing and BEC attacks evade conventional email security
- Operational challenges these attacks create for SOC teams
- How behavioral AI identifies suspicious account activity
- Practical approaches for reducing response times
Registration is open through BleepingComputer's website. The live session runs July 8, 2026.
Logicity's Take
The uncomfortable truth is that many security teams still treat MFA as the end of the account protection conversation. It's not. Session token theft has been a known attack vector for years, but the tooling to execute it at scale has matured faster than most organizations' detection capabilities. The real question this webinar should answer: what's the cost-benefit of behavioral AI solutions versus simpler controls like conditional access policies and token lifetime restrictions? Conditional access can block the device code flow outright for users and applications that have no need for it (Entra ID's Conditional Access includes an authentication flows condition for exactly this), and sign-in frequency and token lifetime settings cap how long a stolen token stays useful. Organizations need defense-in-depth, but they also need to know which layers deliver the most protection per dollar spent.
Frequently Asked Questions
Can MFA be bypassed without stealing the password?
Yes. Attacks like Device Code phishing trick users into completing legitimate authentication flows that deliver session tokens to attackers. The user completes real MFA, but the resulting access goes to the wrong party.
What is Device Code phishing?
Device Code phishing abuses the OAuth 2.0 device authorization grant, which Microsoft implements for input-constrained devices such as smart TVs, printers, and command-line tools that cannot show a normal browser login. The attacker starts the flow, receives a short user code, and tricks the victim into entering it on Microsoft's legitimate device login page. Completing that sign-in authorizes the attacker's session, not the victim's device, to access the victim's account.
How can organizations detect session token theft?
Behavioral analysis that monitors for unusual account activity, such as access from new locations, unexpected email forwarding rules, or communication with unfamiliar contacts, can identify compromises even when the initial access appeared legitimate.
Is MFA still worth implementing?
Absolutely. MFA blocks the overwhelming majority of account takeover attempts. But it shouldn't be the only layer of account protection, especially for organizations handling sensitive data or financial transactions.
Need Help Implementing This?
Logicity works with security teams evaluating behavioral AI solutions and detection strategies for modern phishing attacks. Contact our team to discuss how your organization can strengthen account protection beyond MFA.
Source: BleepingComputer
Huma Shazia
Senior AI & Tech Writer