What’s changed
Device code phishing is an increasingly abused authentication technique where attackers trick users into entering a legitimate device login code, granting adversaries access without stealing credentials. This method has surged in adoption, with activity increasing approximately 37x over the past year.
Recent campaigns are more effective due to the use of AI-generated phishing lures, tailored to individual users and roles. Attackers are also leveraging commodity cloud infrastructure to rapidly deploy and rotate attack environments, allowing activity to blend into normal SaaS authentication patterns and evade traditional detection controls.
Why partners should care
- Multi-factor authentication (MFA) alone isn’t enough: This technique abuses trusted authentication flows rather than bypassing MFA directly
- Higher success rates: AI-driven, role-based phishing increases user trust and interaction
- Immediate impact: Tokens can be used instantly for email access, persistence, and data exfiltration
- High-value targeting: Finance, executive, and privileged roles are prioritized early in attack chains
Bottom line: Attackers are exploiting gaps in identity policy, and device code flows are a growing entry point.
Our approach: Policy-first protection
ConnectWise SaaS Security builds on our existing conditional access (CA) foundation by expanding baseline policies and introducing targeted controls for emerging identity threats, such as device code phishing.
This includes a new conditional access policy specifically designed to restrict and monitor device code authentication flows, helping partners quickly reduce exposure without needing to design or manage these policies manually.
Authentication flows are explicitly governed, monitored, and restricted, closing a key gap commonly left open in default configurations.
Key protections delivered
Device code flow control
- Block device code authentication by default
- Allow only where explicitly required
- Enforce application and user-based exceptions
- Align to Microsoft guidance to restrict device code flow wherever possible
Risk-based access enforcement
- Require phishing-resistant authentication (FIDO2, passkeys, Authenticator) for elevated-risk sign-ins
- Block access for medium- and high-risk sign-ins where appropriate
- Require password reset and remediation for high-risk users
- Enforce access decisions based on user and sign-in risk signals
Session control and token protection
- Enforce reauthentication for elevated-risk sessions
- Revoke active sessions and refresh tokens on suspected compromise
- Support rapid containment, including account disablement when required
Identity hardening
- Enforce phishing-resistant authentication methods
- Reduce reliance on SMS and voice-based MFA
- Block legacy authentication protocols to prevent policy bypass
Identity monitoring and visibility
- Track user risk and risky sign-ins
- Detect anomalous authentication patterns across tenants
Privilege and access control
- Enforce least privilege across roles
- Audit privileged account activity
- Segment and protect high-privilege identities
What this enables for partners
- Standardized identity protection at scale across all tenants
- Reduced reliance on reactive investigation through built-in controls
- Improved customer posture aligned to Microsoft best practices
- Stronger defense against token-based and session hijacking attacks
What partners should do now
- Review existing conditional access policies to identify where device code authentication is not restricted
- Enable ConnectWise SaaS Security baseline policies to gain immediate protection
- Validate and define exceptions for approved applications and user groups
- Prioritize rollout for high-risk tenants and privileged users
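One way to carry out the first review step, as an added example (not ConnectWise code): it checks exported conditional access policies for an enforced block on device code flow and counts the exceptions to validate. It assumes the policies are exported in the Microsoft Graph conditionalAccessPolicy JSON shape; the two sample tenants, the helper names and the `<kiosk-group-id>` placeholder are constructed for illustration.

```python
# Field names follow the Microsoft Graph conditionalAccessPolicy resource (assumed export format).

def targets_device_code(policy):
    flows = (policy.get("conditions") or {}).get("authenticationFlows") or {}
    # transferMethods is a comma-separated flags value, e.g. "deviceCodeFlow,authenticationTransfer"
    methods = {m.strip() for m in (flows.get("transferMethods") or "").split(",")}
    return "deviceCodeFlow" in methods

def audit(policies):
    """Return one finding per policy whose grant control blocks device code flow."""
    findings = []
    for p in policies:
        controls = (p.get("grantControls") or {}).get("builtInControls") or []
        if not (targets_device_code(p) and "block" in controls):
            continue
        users = p["conditions"].get("users") or {}
        apps = p["conditions"].get("applications") or {}
        findings.append({
            "name": p.get("displayName"),
            "enforced": p.get("state") == "enabled",  # report-only or disabled does not block
            "all_users": "All" in (users.get("includeUsers") or []),
            "all_apps": "All" in (apps.get("includeApplications") or []),
            "exceptions": len(users.get("excludeUsers") or [])
                          + len(users.get("excludeGroups") or [])
                          + len(apps.get("excludeApplications") or []),
        })
    return findings

def tenant_restricted(policies):
    """True only if an enforced policy blocks device code flow for all users and all apps."""
    return any(f["enforced"] and f["all_users"] and f["all_apps"] for f in audit(policies))

def _block_dcf(name, state, exclude_groups=()):
    # Builds a constructed sample policy (hypothetical helper, not real tenant data).
    return {"displayName": name, "state": state,
            "conditions": {
                "users": {"includeUsers": ["All"], "excludeGroups": list(exclude_groups)},
                "applications": {"includeApplications": ["All"]},
                "authenticationFlows": {"transferMethods": "deviceCodeFlow"}},
            "grantControls": {"operator": "OR", "builtInControls": ["block"]}}

MFA_ONLY = {"displayName": "Require MFA", "state": "enabled",
            "conditions": {"users": {"includeUsers": ["All"]},
                           "applications": {"includeApplications": ["All"]}},
            "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}}
TENANT_A = [MFA_ONLY, _block_dcf("Block device code (report-only)", "enabledForReportingButNotEnforced")]
TENANT_B = [MFA_ONLY, _block_dcf("Block device code", "enabled", ["<kiosk-group-id>"])]

if __name__ == "__main__":
    for name, pols in (("A", TENANT_A), ("B", TENANT_B)):
        print(name, "restricted:", tenant_restricted(pols), audit(pols))
```

Tenant A comes back as unrestricted because its only device code policy is in report-only state; tenant B is restricted but reports one exception to validate against the approved list.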
Built for what’s next
We are continuing to invest in identity-first protection across SaaS environments, including:
- Enhanced identity posture management across Microsoft 365
- Simplified conditional access policy orchestration
- Automated misconfiguration detection and remediation
- Expanded risk scoring aligned to compliance frameworks (NIS2, NIST, SOC2)
- Greater visibility across identity, SaaS, and data attack paths
ConnectWise SaaS Security helps partners close identity gaps with policy-driven protection, continuous monitoring, and scalable enforcement, reducing risk without adding operational overhead.