Bypass Record
Valid Accounts × Microsoft Entra ID Conditional Access, Token Protection
A publicly reported instance of Valid Accounts bypassing Microsoft Entra ID Conditional Access, Token Protection, recorded with its original source. Factual record; no assessment of any specific deployment.
Mechanism
The attacker uses a modified version of TokenTactics to send a device code phishing request with a spoofed device type (OS/2 Warp). When the victim completes the authentication, the token protection policy fails to block the request because the spoofed device type does not match the expected Windows device state, allowing the attacker to receive a valid bearer token and replay it to access Microsoft Graph and other services.
Detection & mitigation
Monitor Entra ID sign-in logs for anomalous device types (e.g., 'OS/2 Warp') and for impossible travel or unfamiliar IPs during device code authentication flows. Mitigate by enforcing compliant device requirements and enabling risk-based Conditional Access policies alongside token protection.
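The sign-in log check described above, as an added example that is not from the cited source: it flags device code sign-ins whose reported operating system falls outside an expected set or whose IP is not in the user's known set. Field names follow the Microsoft Graph signIn schema as an assumption; the records, EXPECTED_OS and KNOWN_IPS are constructed for illustration.

```python
import json

# Assumption: OS families this tenant expects; tune to your own device fleet.
EXPECTED_OS = ("windows", "macos", "ios", "android", "linux")

# Constructed baseline of IPs previously seen per user (hypothetical values).
KNOWN_IPS = {
    "alice@example.com": {"203.0.113.10"},
    "bob@example.com": {"203.0.113.20"},
    "carol@example.com": {"203.0.113.30"},
}

# Constructed sample records, one JSON object per line, shaped like sign-in log entries.
SAMPLE_LOGS = """
{"id": "1", "userPrincipalName": "alice@example.com", "authenticationProtocol": "deviceCode", "ipAddress": "198.51.100.7", "deviceDetail": {"operatingSystem": "OS/2 Warp"}}
{"id": "2", "userPrincipalName": "alice@example.com", "authenticationProtocol": "oAuth2", "ipAddress": "203.0.113.10", "deviceDetail": {"operatingSystem": "Windows 10"}}
{"id": "3", "userPrincipalName": "bob@example.com", "authenticationProtocol": "deviceCode", "ipAddress": "203.0.113.20", "deviceDetail": {"operatingSystem": "Windows 11"}}
{"id": "4", "userPrincipalName": "carol@example.com", "authenticationProtocol": "deviceCode", "ipAddress": "192.0.2.55", "deviceDetail": {"operatingSystem": "Windows 10"}}
"""

def load_records(text):
    return [json.loads(line) for line in text.strip().splitlines()]

def os_is_expected(os_name):
    # A missing or empty OS string is treated as unexpected.
    name = (os_name or "").lower().replace(" ", "")
    return bool(name) and name.startswith(EXPECTED_OS)

def flag_device_code_signins(records, known_ips):
    """Return (id, user, reasons) for each suspicious device code sign-in."""
    findings = []
    for rec in records:
        if rec.get("authenticationProtocol") != "deviceCode":
            continue  # only the device code flow is in scope here
        reasons = []
        os_name = (rec.get("deviceDetail") or {}).get("operatingSystem")
        if not os_is_expected(os_name):
            reasons.append(f"unexpected OS: {os_name!r}")
        user = rec.get("userPrincipalName", "")
        if rec.get("ipAddress") not in known_ips.get(user, set()):
            reasons.append(f"unfamiliar IP: {rec.get('ipAddress')}")
        if reasons:
            findings.append((rec.get("id"), user, reasons))
    return findings

if __name__ == "__main__":
    for finding in flag_device_code_signins(load_records(SAMPLE_LOGS), KNOWN_IPS):
        print(finding)
```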
This is a record of a publicly reported event, not an assessment of any specific organization's deployment. Detection and mitigation notes are drawn from the cited source. Where the source is silent, fields are omitted.