Device Code Phishing Attacks Have Surged 37x — Here's How to Stop Them

Introduction

A stealthy OAuth phishing technique that bypasses password-based defenses has exploded in 2026 — surging 37 times compared to last year. Device code phishing now has at least 11 active "phishing-as-a-service" kits selling access to it, making it one of the fastest-growing account takeover methods on the internet.

What Happened

Researchers at Push Security tracked a dramatic spike in device code phishing attacks throughout early 2026. By April, the volume had grown 37.5x year-over-year, driven largely by a phishing-as-a-service (PhaaS) platform called EvilTokens, which packages the attack into a ready-to-use kit for low-skilled attackers.

The technique abuses the OAuth 2.0 Device Authorization Grant — a legitimate flow designed for devices that can't easily accept user input (smart TVs, printers, IoT devices). Attackers request a device authorization code from Microsoft or another provider, then send it to the victim under a convincing pretext (a DocuSign request, a SharePoint file share, an Adobe document). The victim enters the code on a real login page — and unknowingly hands the attacker a valid access token that doesn't expire quickly.

No passwords stolen. No MFA bypassed. Just a code you were tricked into entering.

Why It Matters

This attack is particularly dangerous because it:

  • Bypasses MFA — the victim authenticates legitimately; the attacker receives the session token
  • Uses real login pages — no fake phishing sites to detect
  • Generates long-lived tokens — refresh tokens can persist for weeks or months
  • Scales cheaply — multiple PhaaS kits now offer this as a subscription service

Beyond EvilTokens, researchers identified 10 other active kits — VENOM, SHAREFILE, CLURE, LINKID, AUTHOV, DOCUPOLL, FLOW_TOKEN, PAPRIKA, DCSTATUS, and DOLCE — each with different lures and hosting infrastructure. Even if law enforcement shuts down one, others are ready to fill the gap.

Who Is Affected

Anyone using cloud identity providers — primarily Microsoft 365 / Azure AD users — is a target. Both state-sponsored threat actors and financially-motivated cybercriminals have adopted this technique. Enterprises using SharePoint, Teams, OneDrive, and Office 365 are especially at risk due to the realistic SaaS-themed lures in use.

How to Protect Yourself

Block the flow at the policy level:

# Azure AD Conditional Access — disable device code flow for most users
# In Entra ID: Conditional Access → Authentication flows → Device code flow → Block
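The same policy expressed as a Microsoft Graph request body, for tenants that manage Conditional Access as code. This is an added example, not from the article or from Push Security; it assumes the Graph `conditionalAccessPolicy` schema with its `authenticationFlows` condition, and the excluded group id is a placeholder for a break-glass or approved-device-flow group. Start in report-only mode so the sign-in logs show who would have been blocked before enforcing.

```json
{
  "displayName": "Block device code flow (all users, all apps)",
  "state": "enabledForReportingButNotEnforced",
  "conditions": {
    "users": {
      "includeUsers": ["All"],
      "excludeGroups": ["<GROUP-ID-APPROVED-DEVICE-CODE-USERS>"]
    },
    "applications": {
      "includeApplications": ["All"]
    },
    "authenticationFlows": {
      "transferMethods": "deviceCodeFlow"
    }
  },
  "grantControls": {
    "operator": "OR",
    "builtInControls": ["block"]
  }
}
```

Once the report-only results confirm that only the expected accounts (meeting-room devices, CLI tooling on approved hosts) ever use the flow, move those into the excluded group and switch `state` to `enabled`.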

Monitor your logs for abuse:

# Look for device code grant events in Azure AD sign-in logs
# Filter: authenticationProtocol eq 'deviceCode'

User-level mitigations:

  • Never enter a code you didn't personally initiate by starting a device setup yourself
  • If someone sends you a "device code" via email, Teams, or Slack — assume it's an attack
  • IT teams: audit which apps in your tenant are permitted to use device code flows

Detection signals to watch:

  • Device code auth events from unfamiliar IPs or geolocations
  • Tokens issued but no corresponding device registered
  • Multiple device code requests in a short window from the same user
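The three signals above, run over sign-in records in the shape the Microsoft Graph `signIn` resource returns (`authenticationProtocol`, `userPrincipalName`, `ipAddress`, `createdDateTime`, `location`, `deviceDetail`). This is an added example, not code from the article or from Push Security; the sample records, the "known IP / known country" baseline, and the 3-events-in-10-minutes burst threshold are all constructed for illustration and should be replaced with the tenant's own history and tuning.

```python
"""Triage Entra ID sign-in records for device code flow abuse.

Added example, not from the article. Field names follow the Microsoft Graph
signIn resource; the records and baseline below are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-ins (RFC 3339 timestamps, as Graph emits them).
SAMPLE_SIGNINS = [
    {"userPrincipalName": "alice@example.com", "authenticationProtocol": "deviceCode",
     "ipAddress": "203.0.113.7", "createdDateTime": "2026-04-02T09:01:00Z",
     "location": {"countryOrRegion": "NL"}, "deviceDetail": {"deviceId": ""}},
    {"userPrincipalName": "alice@example.com", "authenticationProtocol": "deviceCode",
     "ipAddress": "203.0.113.7", "createdDateTime": "2026-04-02T09:04:00Z",
     "location": {"countryOrRegion": "NL"}, "deviceDetail": {"deviceId": ""}},
    {"userPrincipalName": "alice@example.com", "authenticationProtocol": "deviceCode",
     "ipAddress": "203.0.113.7", "createdDateTime": "2026-04-02T09:06:00Z",
     "location": {"countryOrRegion": "NL"}, "deviceDetail": {"deviceId": ""}},
    {"userPrincipalName": "bob@example.com", "authenticationProtocol": "deviceCode",
     "ipAddress": "198.51.100.20", "createdDateTime": "2026-04-02T10:30:00Z",
     "location": {"countryOrRegion": "US"}, "deviceDetail": {"deviceId": "dev-4711"}},
    {"userPrincipalName": "bob@example.com", "authenticationProtocol": "oAuth2",
     "ipAddress": "198.51.100.20", "createdDateTime": "2026-04-02T10:35:00Z",
     "location": {"countryOrRegion": "US"}, "deviceDetail": {"deviceId": "dev-4711"}},
]

# Constructed baseline: origins the tenant has seen for device code flow before.
KNOWN_IPS = {"198.51.100.20"}
KNOWN_COUNTRIES = {"US"}


def device_code_events(signins):
    """Keep only sign-ins completed through the device authorization grant."""
    return [s for s in signins if s.get("authenticationProtocol") == "deviceCode"]


def unfamiliar_origin(events, known_ips=KNOWN_IPS, known_countries=KNOWN_COUNTRIES):
    """Signal 1: device code auth from an IP or country not in the baseline."""
    flagged = []
    for e in events:
        country = (e.get("location") or {}).get("countryOrRegion")
        if e.get("ipAddress") not in known_ips or country not in known_countries:
            flagged.append(e)
    return flagged


def token_without_device(events):
    """Signal 2: a token was issued but no device identity is attached."""
    return [e for e in events if not (e.get("deviceDetail") or {}).get("deviceId")]


def burst_by_user(events, window=timedelta(minutes=10), threshold=3):
    """Signal 3: `threshold` or more device code events for one user inside `window`.

    Returns {user: largest number of events seen in any single window}.
    """
    by_user = defaultdict(list)
    for e in events:
        ts = datetime.fromisoformat(e["createdDateTime"].replace("Z", "+00:00"))
        by_user[e["userPrincipalName"]].append(ts)
    flagged = {}
    for user, times in by_user.items():
        times.sort()
        lo, best = 0, 0
        for hi in range(len(times)):          # sliding window over sorted times
            while times[hi] - times[lo] > window:
                lo += 1
            best = max(best, hi - lo + 1)
        if best >= threshold:
            flagged[user] = best
    return flagged


def triage(signins):
    """Run all three signals and summarise which users each one flags."""
    events = device_code_events(signins)
    return {
        "device_code_events": len(events),
        "unfamiliar_origin": sorted({e["userPrincipalName"] for e in unfamiliar_origin(events)}),
        "no_device": sorted({e["userPrincipalName"] for e in token_without_device(events)}),
        "bursts": burst_by_user(events),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_SIGNINS), indent=2))
```

On the constructed data, alice trips all three signals (unknown IP and country, no device id, three grants in five minutes) while bob's single grant from a known origin on a registered device passes. In a real deployment the baseline would come from the user's prior sign-in history and the results would feed a sign-in risk or SIEM alert rather than a printed summary.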

Source

https://www.bleepingcomputer.com/news/security/device-code-phishing-attacks-surge-37x-as-new-kits-spread-online/