Device code authentication (the OAuth 2.0 device authorization grant, RFC 8628) was designed for devices that lack a browser or keyboard, such as smart TVs, printers and command-line tools: the device requests a code, the user enters the short user code in a normal browser on some other machine, and the device polls the token endpoint until the sign-in completes. The flow therefore does not tie the sign-in to the device that requested the code. Whoever started the flow and holds the secret device code receives the resulting access and refresh tokens, regardless of where the user actually authenticated. That makes the flow attractive to attackers: with a single social-engineering interaction they obtain a refresh token that grants long-term access to the account, without ever touching the victim's device.

Device code phishing abuses this design rather than any bug in it. The attacker starts the flow themselves, then tricks the victim into entering the attacker's user code on the legitimate Microsoft verification page (https://microsoft.com/devicelogin), typically through a lure impersonating IT support or a Microsoft Teams meeting invitation. Tools such as TokenTactics automate requesting the codes and polling for the tokens. Because the page, the URL and the certificate are genuinely Microsoft's, the victim sees nothing suspicious: they sign in with their real credentials and complete their real MFA prompt. MFA is not broken here; the victim satisfies it, and the tokens issued to the attacker already carry the MFA claim, so MFA gives no further protection. The attacker then uses the access token, renewing it with the refresh token, to read mail, files, Teams and Graph data in the victim's Microsoft 365 environment as that user. The code is only valid for a short window (about 15 minutes in Entra ID), which is why lures press the victim to act immediately.

To protect against device code phishing, organizations should block or restrict the device code flow wherever it is not needed (Entra Conditional Access has an "Authentication flows" condition that can block the device code flow for everyone except an exception group), apply Conditional Access and risk-based policies so that a sign-in from an unexpected location, device or client is blocked or stepped up, monitor the Entra sign-in logs for device code sign-ins (they are recorded with a device code authentication protocol) and respond to suspected token theft by revoking the user's refresh tokens and sessions, train users that a legitimate login never requires typing a code that someone else sent them, and harden email security and threat intelligence so the lures are filtered before they arrive.
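The exchange described above, as an added example that is not part of the original article and is not TokenTactics code: an offline model of the device authorization grant in the shape Entra ID exposes it. The endpoint names, the verification URI and the nine-character user code mirror the real service; the client id, user names, token format and the Conditional Access style policy hook are constructed here for illustration. The point it makes concrete is that the victim only ever sees the user code, while the tokens go to whoever holds the device code, and that a grant-type policy check at the token endpoint is the place where the flow can be refused.

```python
# Added example (not from the original article or from TokenTactics): an offline
# model of the OAuth 2.0 device authorization grant (RFC 8628) as Entra ID uses it.
# Endpoint names and code format mirror the real service; users, client id, tokens
# and the policy hook are constructed for illustration.
import secrets
import string
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

VERIFICATION_URI = "https://microsoft.com/devicelogin"   # where the lure sends the victim
Policy = Callable[[str, str], bool]                      # (user, grant_type) -> allowed?


def allow_all(user: str, grant_type: str) -> bool:
    """Default tenant posture: no restriction on which grant types a user may use."""
    return True


def block_device_code(user: str, grant_type: str) -> bool:
    """Conditional Access style rule: refuse the device code grant, pass every other grant."""
    return grant_type != "device_code"


@dataclass
class DeviceSession:
    client_id: str
    scope: str
    user_code: str
    expires_at: float
    user: Optional[str] = None       # set when someone signs in at VERIFICATION_URI
    mfa_satisfied: bool = False


class AuthServer:
    """Stand-in for login.microsoftonline.com holding the pending device code sessions."""

    def __init__(self, policy: Policy = allow_all, lifetime: int = 900):
        self.policy = policy
        self.lifetime = lifetime                          # Entra's code lifetime is ~15 minutes
        self.sessions: Dict[str, DeviceSession] = {}     # device_code -> session
        self.user_codes: Dict[str, str] = {}             # user_code   -> device_code

    def devicecode(self, client_id: str, scope: str) -> dict:
        """POST /oauth2/v2.0/devicecode: anyone may start a flow; no user is involved yet."""
        device_code = secrets.token_urlsafe(32)           # secret; stays with the caller
        alphabet = string.ascii_uppercase + string.digits
        user_code = "".join(secrets.choice(alphabet) for _ in range(9))  # shown to the user
        self.sessions[device_code] = DeviceSession(
            client_id, scope, user_code, time.time() + self.lifetime)
        self.user_codes[user_code] = device_code
        return {"device_code": device_code, "user_code": user_code,
                "verification_uri": VERIFICATION_URI,
                "expires_in": self.lifetime, "interval": 5}

    def devicelogin(self, user_code: str, user: str, mfa_satisfied: bool) -> bool:
        """The victim's browser at VERIFICATION_URI: real page, real password, real MFA.
        Nothing here ties the sign-in to the machine that requested the code."""
        device_code = self.user_codes.get(user_code)
        if device_code is None:
            return False
        session = self.sessions[device_code]
        if time.time() > session.expires_at:
            return False
        session.user = user
        session.mfa_satisfied = mfa_satisfied
        return True

    def token(self, client_id: str, device_code: str) -> dict:
        """POST /oauth2/v2.0/token, grant_type=urn:ietf:params:oauth:grant-type:device_code.
        Polled by whoever holds device_code, i.e. the attacker in the phishing case."""
        session = self.sessions.get(device_code)
        if session is None or session.client_id != client_id:
            return {"error": "invalid_grant"}
        if time.time() > session.expires_at:
            return {"error": "expired_token"}
        if session.user is None or not session.mfa_satisfied:
            return {"error": "authorization_pending"}
        if not self.policy(session.user, "device_code"):
            return {"error": "access_denied"}             # policy refused the grant type
        return {"token_type": "Bearer", "scope": session.scope,
                "access_token": f"at-{session.user}-{secrets.token_hex(8)}",
                "refresh_token": f"rt-{session.user}-{secrets.token_hex(8)}"}


def run_phish(server: AuthServer, victim: str, victim_completes_mfa: bool = True) -> dict:
    """Attacker side of the flow, in the order a TokenTactics-style tool performs it."""
    client_id = "example-public-client"                   # constructed placeholder id
    step1 = server.devicecode(client_id, "https://graph.microsoft.com/.default offline_access")
    pending = server.token(client_id, step1["device_code"])   # poll before the lure is clicked
    assert pending == {"error": "authorization_pending"}
    # The lure carries only user_code and verification_uri; device_code never leaves the attacker.
    server.devicelogin(step1["user_code"], victim, victim_completes_mfa)
    return server.token(client_id, step1["device_code"])


if __name__ == "__main__":
    print(run_phish(AuthServer(), "alice@contoso.com"))                       # tokens issued
    print(run_phish(AuthServer(policy=block_device_code), "alice@contoso.com"))  # access_denied
```

With the default policy the attacker's final poll returns a bearer access token and a refresh token for the victim even though the victim completed MFA; with `block_device_code` installed the same exchange ends in `access_denied` at the token endpoint, which is the effect of blocking the flow in Conditional Access. A sign-in in which the victim never finishes MFA leaves the poll stuck on `authorization_pending` until the code expires.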