
Ensure the device code sign-in flow is blocked

Why This Matters

Attackers have been actively exploiting the device code authentication flow in phishing campaigns, most notably Storm-2372, which has used "device code phishing" since August 2024. The attack tricks users into logging into productivity applications on a separate device, allowing threat actors to capture authentication tokens and gain unauthorized access to accounts. Blocking the device code sign-in flow reduces exposure to this growing attack vector and prevents token theft through input-constrained devices outside your control.

What Aether365 Checks

Aether365 verifies that your Microsoft Entra ID tenant has a Conditional Access policy configured to block the device code authentication flow. This check appears in the Aether365 dashboard under entra-id checks and flags the setting as noncompliant if the flow is not explicitly blocked.
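The following is an added example, not Aether365's own code: a sketch of how such a check can be evaluated offline against policies exported in the shape of Microsoft Graph `conditionalAccessPolicy` objects. The sample policies, the placeholder user ID, and the strictness rule (the policy must be enforced and include all users and all applications) are assumptions made for illustration.

```python
# Constructed sample policies shaped like Microsoft Graph conditionalAccessPolicy
# objects; names and the user ID are placeholders, not taken from a real tenant.
def make_policy(name, state, users, methods="deviceCodeFlow", controls=("block",)):
    return {
        "displayName": name,
        "state": state,
        "conditions": {
            "users": {"includeUsers": users},
            "applications": {"includeApplications": ["All"]},
            "authenticationFlows": {"transferMethods": methods} if methods else None,
        },
        "grantControls": {"operator": "OR", "builtInControls": list(controls)},
    }

SAMPLE = [
    make_policy("Block device code flow (report-only)",
                "enabledForReportingButNotEnforced", ["All"]),
    make_policy("Block device code flow (pilot)", "enabled",
                ["00000000-0000-0000-0000-000000000001"]),
    make_policy("Require MFA for all users", "enabled", ["All"],
                methods=None, controls=("mfa",)),
]

def targets_device_code(policy):
    """True if the policy's authentication-flow condition names deviceCodeFlow."""
    flows = (policy.get("conditions") or {}).get("authenticationFlows") or {}
    # transferMethods is a flags value serialized as a comma-separated string.
    methods = flows.get("transferMethods") or ""
    return "deviceCodeFlow" in [m.strip() for m in methods.split(",")]

def blocks_device_code(policy):
    """Assumed compliance rule: enforced, blocking, all users, all applications."""
    cond = policy.get("conditions") or {}
    grant = policy.get("grantControls") or {}
    return (policy.get("state") == "enabled"  # report-only does not enforce
            and targets_device_code(policy)
            and "block" in (grant.get("builtInControls") or [])
            and "All" in ((cond.get("users") or {}).get("includeUsers") or [])
            and "All" in ((cond.get("applications") or {}).get("includeApplications") or []))

def evaluate(policies):
    """Return the verdict plus policies that target the flow but do not enforce a block."""
    blocking = [p["displayName"] for p in policies if blocks_device_code(p)]
    near_miss = [p["displayName"] for p in policies
                 if targets_device_code(p) and not blocks_device_code(p)]
    return {"compliant": bool(blocking), "blocking": blocking, "near_miss": near_miss}

if __name__ == "__main__":
    print(evaluate(SAMPLE))
```

The near-miss list is the part worth reviewing by hand: a report-only or pilot-scoped policy looks like coverage in the portal but leaves the flow open for most users.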

Microsoft references
