AU
Device Code Phishing Lives in the Log Table You Don’t Ingest
Device code phishing produces a clean, MFA-satisfied sign-in on Microsoft’s own infrastructure — and most of the telemetry that betrays it sits in the Entra non-interactive log table teams drop to save money. Here’s where the detection actually lives, how the threshold flips between a Windows shop and a dev-heavy tenant, and the persistence artifacts the closeout always skips.