Adaptive MFA Under Fire: Why Risk Engines Don’t See the 7-Million-Device-Code Wave

9 min read

On April 23, 2026, Barracuda reported detecting seven million device-code phishing attacks over the previous four weeks. On April 6, Microsoft Security released a detailed analysis of an AI-driven device-code phishing campaign. Both reports highlight the same uncomfortable truth: adaptive MFA in Entra, Okta, and Duo is no longer the secure comfort zone it was marketed as on every security roadmap just twelve months ago. Risk engines relying on device fingerprinting, IP classification, and behavioral patterns are being circumvented in real time by AI-powered attackers-without requiring a single CVE to be exploited.

Why Risk Engines Are Systematically Failing

What is Adaptive MFA? Adaptive MFA is an authentication model that dynamically adjusts multi-factor authentication (MFA) requirements based on risk signals such as IP reputation, geolocation, device compliance, user behavior, and session context. The idea: users accessing from known devices and familiar networks encounter fewer MFA prompts, while high-risk sessions are secured with additional verification factors or session restrictions. This approach is implemented in Microsoft Entra ID (Identity Protection), Okta (Adaptive MFA), and Duo (Risk-Based Authentication), using similar telemetry components.

The current attack campaign exploits a fundamental flaw in this logic. Instead of using fake credential-harvesting pages, attackers now initiate a legitimate OAuth device code flow with Microsoft or another identity provider. The generated code is then sent to the victim via AI-powered phishing emails at precisely the right moment. Once the victim enters the code, they unknowingly authorize the attacker’s session. MFA has been successfully completed-not bypassed-but performed by the wrong person for the correct account.

Three characteristics that make this attack invisible to risk engines are built into the architecture. First: authentication and session origin are inherently decoupled in the device code flow by design. Second: the token is tied to a genuine MFA process, not stolen credentials. Third: the victim’s IP address appears normal to the risk engine because it originates from the user’s legitimate device-the one actually authorizing the session. The token is later transmitted to the attacker’s server, but that occurs during session use, not the authentication phase.

Microsoft Security Blog, April 6, 2026-In Plain Terms

The Microsoft blog post from April 6, 2026, documents a campaign featuring two technical advancements. First, dynamic device code generation: the phishing server generates the OAuth code only at the exact moment the victim clicks the link. This solves the problem of device codes expiring after 15 minutes, which has historically caused traditional email-based phishing waves to fail. Second, AI-powered personalization: the phishing email is tailored in real time to the victim’s role, context, and communication style. According to Barracuda, these two elements combined increase click-through rates in observed campaigns to 4.2 percent, compared to 0.4 percent for classic MFA fatigue attacks.

Key Metrics from the Current Threat Landscape

The difference between “security by design” and “security by incident” is roughly one week of sleep. Adaptive MFA doesn’t provide a sleeping pill when the attack simply bypasses the risk engine.

Three Countermeasures That Actually Work

Security teams that responded effectively over the last two quarters all followed the same sequence. No silver bullet-just three clearly defined measures that can be implemented within eight weeks in a typical DACH enterprise.

Measure 1: Restrictive Configuration of Device Code Flow

In Microsoft Entra ID, the Device Code Flow can be restricted via a Conditional Access policy. This policy blocks device code authentication for all user groups that don’t need it operationally (typically everyone except IoT administrators and specific offline service accounts). A practical approach involves two policies: “Block Device Code Flow for all users,” with an exception group for documented use cases. In Okta, this feature is called “Authentication Policies with Device Code Restriction.” For Duo users, the solution lies in the policy engine at the application level. This single measure eliminates approximately 60 percent of observed attacks, simply by removing the attack vector.

Measure 2: FIDO2 and Passkeys as the Primary Factor

Risk engines need signals that even AI-powered phishing emails can’t bypass. By 2026, FIDO2 hardware keys and platform passkeys are the only widely deployable class of authentication factors robust against both adversary-in-the-middle attacks and device code phishing. Rollout sequence in our client environments: Start with privileged roles (domain admins, IdP admins, finance), then enterprise roles with access to sensitive data, followed by broad deployment. Plan for twelve to eighteen months to fully roll out FIDO2 in organizations with over 5,000 employees, including procurement, logistics, helpdesk training, and Entra/Okta configuration.

Measure 3: Session Binding and Continuous Validation

Modern adaptive MFA platforms offer token binding and continuous access evaluation (CAE). In Entra ID, this feature is called “Continuous Access Evaluation” and continuously checks session tokens against risk signals. Okta delivers it as “Session Risk Signals.” Configuration requires three components: strict token lifetime (one hour instead of eight), CAE activation within Conditional Access policies, and session revoke automation that proactively terminates sessions upon detection of new IOCs (suspicious IP, new geographic change, impossible travel). Combined with measures one and two, this policy closes roughly 80 percent of real-world attacks.

What Risk Engines Need to Evaluate Differently Internally

The three measures above are operational. But behind them lies a deeper architectural question that will shape security designs over the next 18 months: Which risk signals remain valuable when authentication and session origin are decoupled? Our observation across client engagements: Risk engines are shifting logic away from “where the session originates” toward “how the token behaves post-authentication.” As a result, signals like token refresh frequency, OAuth app consent behavior, mailbox rule changes, and unusual Graph API calls become primary indicators, while IP and geo data are downgraded to secondary status.

A practical side effect: SIEM rules that currently trigger alerts based on “MFA successful” combined with “unknown IP” will generate more false positives, as IP signals lose predictive power. More expensive but effective rules correlate token lifecycle events with user activity patterns. Organizations investing in this now will demonstrably reduce their alert volume within six months.

The AI Dimension in Attacks: What Changed by 2024

A second point often oversimplified in current discussions: The AI component of attacks isn’t limited to personalized phishing emails-it also includes real-time coordination of the device code flow. In 2024, phishing campaigns were static enough that a blue team member could manually track the process. By 2026, code generation, email personalization, and token extraction occur in a millisecond chain. This drastically changes the response time security operations must realistically deliver. Teams still relying on manual approval loops between alert and session revocation will lose two to four critical hours during which the attacker may already be exporting mailboxes.

The architectural consequence: Session revocation must shift from a manual to a policy-driven decision. In Entra ID, this means enabling CAE with “revoke on risk detection”; in Okta, it involves integrating risk signals with system log subscriptions and automated response playbooks. Organizations we’ve seen succeed invested six to twelve weeks specifically in this automation, reducing dwell time to under 45 minutes.

What Matters in the First Incident Response Week

When a device code attack appears in your telemetry, three immediate actions are critical within the first 24 hours. First, revoke the session for the affected user account via Entra ID PowerShell or Okta API-token invalidation is more urgent than password reset, as the token is already active. Second, review audit logs from the past 30 days for mailbox access, OAuth app consent, and data exfiltration, which often begin within hours of token compromise. Third, conduct threat hunting for parallel campaigns: Device code attacks typically occur in waves, and a single victim is rarely the only one affected. Delaying full scope assessment until a week later means missing the window for effective incident containment.

Communication with Executive Board and Supervisory Board

An often underestimated aspect of a successful adaptive MFA bypass is upward communication. Executives expect a clear explanation of why existing MFA investments failed to stop attackers. The technical answer is straightforward but politically sensitive: The risk engine didn’t fail-it was bypassed. For communication, a concise three-part statement works best: What was the specific attack path, which control gap was exploited, and which three measures will close this gap by quarter’s end. Drifting into technical jargon at this moment erodes trust. Delivering a clear narrative, however, accelerates budget approval for FIDO2 rollout and CAE activation-faster than any regular budget cycle could allow.

For supervisory board communication, one additional element is essential: The lessons learned must be formally documented as risk mitigation evidence within NIS2 compliance records. Article 21 requires not only initial risk assessments but also continuous adjustments following incidents. An adaptive MFA bypass incident without documented corrective actions will be flagged in the next audit, impacting the organization’s overall compliance rating.

Final Pragmatism Check

For many organizations, adaptive MFA was a comfort upgrade from static MFA. By 2026, it’s clear: comfort and security are no longer synonymous. A well-configured adaptive MFA setup today is more restrictive, not more permissive, combining phishing-resistant factors with aggressive session validation. Organizations addressing this in the coming two quarters will move themselves out of the 7-million-record breach statistics. Those who wait are betting that AI-powered campaigns won’t target their company. That’s not a security strategy-it’s luck. And in today’s threat landscape, luck is the most expensive architectural component an organization can afford, especially when factoring in incident response costs and subsequent NIS2 remediation efforts.

Frequently Asked Questions

Is the Device Code Flow inherently insecure?

No. The flow was designed for specific use cases-such as shared-device authentication, IoT devices, and command-line tools without browser access-and remains appropriate in those contexts. The risk arises when it’s enabled broadly and without restrictions, making it exploitable as a phishing vector. The solution isn’t to disable the flow entirely, but to consciously restrict it to documented, legitimate use cases.

How can I detect an ongoing Device Code attack in the logs?

In Entra ID sign-in logs, Device Code events are explicitly marked (AuthenticationProtocol = DeviceCode). A KQL anomaly detection rule that flags unusual user populations triggering Device Code events can identify most campaigns within the first few hours. In Okta, the same information appears in the System Log under “login.device_code”. Crucially, the rule should trigger on new user cohorts, not just volume spikes.

Does geographic blocking help improve security?

Partially. Geo-blocking countries not in use reduces background noise, but attackers increasingly leverage residential proxy networks located within the same country as the victim. Therefore, geo-blocking doesn’t replace the previously mentioned countermeasures-it merely reduces alert fatigue during analysis.

How does NIS2 address Adaptive MFA circumvention?

Under Article 21, NIS2 requires appropriate measures against unauthorized access, documented risk assessments, and incident reporting. A successful Device Code campaign resulting in data exfiltration therefore falls under mandatory reporting obligations. Organizations must document their implemented MFA controls and known limitations to prepare for such scenarios. Failing to document a Device Code restriction policy puts an organization in a weak position during NIS2 audits.

What is the realistic cost of a FIDO2 rollout?

For a 5,000-employee organization, we estimate first-year costs between 150,000 and 280,000 Euro (covering hardware, IdP licenses, support integration, and training). Savings come from reduced phishing incidents, fewer helpdesk calls for MFA resets, and, in the best case, prevented breaches. A realistic ROI case rests on preventing two to three incidents per year, each potentially costing 150,000 Euro or more.

Should we completely disable the Device Code Flow?

For most organizations, the answer is yes-with exceptions for documented user groups. A well-defined exception matrix typically includes three to five use cases (e.g., administrator command-line tools, specific IoT deployments, service accounts with documented purposes). All other usage should be blocked via Conditional Access policies unless a clear business justification exists.

Network: Read more in Security Today

• Background on DORA 2.0 and the UK FCA policy of 16 April 2026
• Incident analysis of the Terrarium sandbox escape CVE-2026-5752 and the 72h Cohere AI update
• Compliance guide on the Microsoft ASP.NET Core CVE and the out-of-band 72-hour response plan

Header image source: Pexels / Tima Miroshnichenko (px:5380610)

About the author: Alec Chizhik

More articles by Alec Chizhik