India, April 30 -- The Barracuda Device Code Phishing Report highlights a shift that feels subtle but is deeply concerning. Attackers are no longer relying on fake websites or stolen passwords. Instead, they are using legitimate login flows to trick users into granting access themselves. This changes the entire nature of phishing, making it harder to detect and even harder to stop.

At the centre of this is the misuse of the OAuth 2.0 device code flow, a feature originally designed for convenience. It allows users to sign in on one device by entering a code on another. But this same simplicity is now being exploited, turning a trusted process into a security gap.
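To make the mechanism concrete, here is a toy in-memory model of the RFC 8628 device authorization exchange, added as an illustration and not taken from the Barracuda report. The class name, client ID, user names and verification URL are constructed and the "sub" field is a toy addition; the other parameter and error names are those the RFC defines. It shows the property defenders need to understand: the server issues the token to whoever holds the device_code, regardless of who typed the user_code.

```python
import secrets

GRANT = "urn:ietf:params:oauth:grant-type:device_code"  # grant type from RFC 8628


class ToyAuthServer:
    """In-memory stand-in for an authorization server (hypothetical, for illustration)."""

    def __init__(self, lifetime=900):
        self.lifetime = lifetime
        self.pending = {}  # device_code -> request state

    def device_authorization(self, client_id, now):
        # Step 1: an input-constrained device asks for a code pair.
        device_code = secrets.token_urlsafe(32)
        user_code = secrets.token_hex(4).upper()
        self.pending[device_code] = {"client_id": client_id, "user_code": user_code,
                                     "expires": now + self.lifetime, "user": None}
        return {"device_code": device_code, "user_code": user_code,
                "verification_uri": "https://login.example/device",  # constructed URL
                "expires_in": self.lifetime, "interval": 5}

    def approve(self, user_code, user, now):
        # Step 2: a person signs in on the genuine page and enters the code.
        for state in self.pending.values():
            if state["user_code"] == user_code and now < state["expires"]:
                state["user"] = user
                return True
        return False

    def token(self, grant_type, device_code, now):
        # Step 3: the device polls. Nothing ties the poller to the approver.
        if grant_type != GRANT:
            return {"error": "unsupported_grant_type"}
        state = self.pending.get(device_code)
        if state is None:
            return {"error": "invalid_grant"}
        if now >= state["expires"]:
            del self.pending[device_code]
            return {"error": "expired_token"}
        if state["user"] is None:
            return {"error": "authorization_pending"}
        del self.pending[device_code]  # single use
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer",
                "sub": state["user"]}  # "sub" is a toy field showing whose token it is


def demo():
    srv = ToyAuthServer()
    grant = srv.device_authorization("tv-app", now=0)
    before = srv.token(GRANT, grant["device_code"], now=5)
    srv.approve(grant["user_code"], "alice@example.com", now=60)
    return before, srv.token(GRANT, grant["device_code"], now=65)
```

Because step 2 happens on the real sign-in page, checking the URL or certificate does not help the user; the available controls are restricting where the device code grant is permitted and reviewing sign-ins that used it.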

One of the most striking findings is how attackers can bypass MFA with...