OAuth device code phishing (abuse of the RFC 8628 device authorization grant) bypasses MFA and delivers 90-day M365 refresh tokens to the attacker without the attacker ever needing the victim's password. This guide covers how to disable the device authorization grant in Entra ID, Keycloak, and Auth0, plus SIEM detection rules for Sentinel and Splunk.

https://iamdevbox.com/posts/oauth-device-code-flow-security-prevent-device-code-phishing/?utm_source=mastodon&utm_medium=social&utm_campaign=blog_post

#OAuth #Security #Phishing #RFC8628 #EntraID