
Device Code Phishing Attacks Skyrocket 37-Fold as Malicious Kits Proliferate


A sophisticated form of phishing that exploits a legitimate OAuth 2.0 grant has surged in 2026, with attacks increasing by a factor of 37.5 compared to previous baselines. The technique, known as device code phishing, abuses the Device Authorization Grant flow, a mechanism designed to let users sign in to services on hardware with limited input capabilities, such as smart TVs, gaming consoles, or IoT devices. In these attacks, threat actors initiate a device authorization request with a service provider (such as Microsoft Entra ID) to obtain a unique, short-lived code. They then socially engineer a victim, often via email or chat, into entering this code on the legitimate service's login portal. The victim, believing they are completing a routine verification step, unknowingly authorizes the attacker's device, which receives access tokens for the account; the result is a seamless account takeover in which the attacker never handles the victim's password.
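To make the three steps of the grant concrete, here is a toy simulation of both sides of the Device Authorization Grant (RFC 8628). It is an added example, not code from the article and not how Microsoft Entra ID is implemented; the verification URL, client ids, token format and the per-tenant client allowlist are assumptions. It shows why the flow is phishable (the approval page binds the user's consent only to a short user code and a client name, not to the machine that later polls for the token) and, on the server side, the simplest mitigation the article recommends: refusing the grant for clients that have no business using it.

```python
"""Toy simulation of the OAuth 2.0 Device Authorization Grant (RFC 8628).

Constructed example for illustration: not the article's code and not how
Microsoft Entra ID is implemented. Endpoint URL, client ids, token format and
the per-tenant allowlist are assumptions.
"""
import secrets
import time

# RFC 8628 recommends an alphabet without easily confused characters for user codes.
USER_CODE_ALPHABET = "BCDFGHJKLMNPQRSTVWXZ"


class AuthorizationServer:
    """Minimal identity-provider side of the grant, with a tenant policy hook."""

    def __init__(self, allowed_device_clients, lifetime=600, interval=5):
        self.allowed = set(allowed_device_clients)  # clients permitted to use this grant
        self.lifetime = lifetime                    # seconds until a code expires
        self.interval = interval                    # minimum polling interval
        self._pending = {}                          # device_code -> request record
        self._by_user_code = {}                     # user_code -> device_code
        self.audit = []                             # what a SOC would want logged

    def device_authorization(self, client_id, scope, now=None):
        """Step 1: the client (the party that will receive the tokens) starts the flow."""
        now = time.time() if now is None else now
        if client_id not in self.allowed:          # mitigation: grant disabled for this client
            self.audit.append(("denied", client_id, scope))
            return {"error": "unauthorized_client"}
        device_code = secrets.token_urlsafe(32)    # secret, never shown to the user
        user_code = "-".join(
            "".join(secrets.choice(USER_CODE_ALPHABET) for _ in range(4)) for _ in range(2)
        )                                           # short code the user types in
        record = {"client_id": client_id, "scope": scope, "user_code": user_code,
                  "expires": now + self.lifetime, "approved_by": None, "consumed": False}
        self._pending[device_code] = record
        self._by_user_code[user_code] = device_code
        self.audit.append(("issued", client_id, scope))
        return {"device_code": device_code, "user_code": user_code,
                "verification_uri": "https://idp.example/device",   # assumed URL
                "expires_in": self.lifetime, "interval": self.interval}

    def approve(self, user_code, user, now=None):
        """Step 2: the user signs in on the genuine site and types the user code.

        The page shows the code and the client's name; nothing binds the approval
        to the machine that will poll with the device code, which is the property
        the phishing abuses."""
        now = time.time() if now is None else now
        device_code = self._by_user_code.get(user_code.strip().upper())
        if device_code is None:
            return {"error": "invalid_user_code"}
        record = self._pending[device_code]
        if now > record["expires"]:
            return {"error": "expired_token"}
        record["approved_by"] = user
        self.audit.append(("approved", user, record["client_id"]))
        return {"status": "ok", "client_id": record["client_id"], "scope": record["scope"]}

    def token(self, device_code, client_id, now=None):
        """Step 3: the client polls the token endpoint until the user has approved."""
        now = time.time() if now is None else now
        record = self._pending.get(device_code)
        if record is None or record["client_id"] != client_id or record["consumed"]:
            return {"error": "invalid_grant"}
        if now > record["expires"]:
            return {"error": "expired_token"}
        if record["approved_by"] is None:
            return {"error": "authorization_pending"}
        record["consumed"] = True                  # single use
        self.audit.append(("token", record["approved_by"], client_id))
        return {"access_token": secrets.token_urlsafe(24),   # opaque toy token, not a JWT
                "refresh_token": secrets.token_urlsafe(24),
                "token_type": "Bearer", "subject": record["approved_by"],
                "scope": record["scope"]}


def run_flow(server, client_id, user, approve, now=0):
    """Drive one end-to-end exchange; `user` approves only if `approve` is True."""
    start = server.device_authorization(client_id, "mail.read", now=now)
    if "error" in start:
        return start
    first_poll = server.token(start["device_code"], client_id, now=now + 1)
    if approve:
        server.approve(start["user_code"], user, now=now + 2)
    final = server.token(start["device_code"], client_id, now=now + 7)
    return {"first_poll": first_poll.get("error"), "final": final}


if __name__ == "__main__":
    srv = AuthorizationServer(allowed_device_clients={"meeting-room-tv"})
    print(run_flow(srv, "meeting-room-tv", "alice@example.com", approve=True))
    print(run_flow(srv, "unlisted-client", "alice@example.com", approve=True))
```

The point to take from the simulation is in `approve`: the identity provider can verify who the user is and that the user code is valid, but it has no way to tell whether the party holding the matching device code is the smart TV in the meeting room or someone who mailed the code to the victim. That is why the defensive levers are on the policy side (which clients may use the grant at all) and on monitoring of the resulting sign-ins, rather than on the approval page itself.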

The alarming 37-fold increase has been tracked and reported by cybersecurity firm Push Security. The firm noted that at the beginning of March 2026, they had already observed a 15x year-over-year increase in detected phishing pages leveraging this method. This figure has now more than doubled, underscoring the rapid adoption of the technique by cybercriminals. The proliferation is largely driven by the availability of malicious phishing kits, such as the one identified as "EvilTokens," which are being sold and shared in underground forums. These kits lower the barrier to entry, enabling even low-skilled threat actors to launch sophisticated campaigns. Historically documented since 2020, device code phishing has been weaponized by both state-sponsored advanced persistent threat (APT) groups and financially motivated cybercriminals, targeting a wide range of services from corporate cloud platforms to personal email accounts.

The attack flow is particularly insidious because it bypasses many traditional security controls. Since the user interacts directly with the genuine service provider's website (e.g., login.microsoft.com) to enter the code, there are no malicious links to block and no fake login pages for email filters to detect. Multi-factor authentication (MFA) is also rendered ineffective in this scenario: the victim completes the sign-in, including any MFA prompt, on the genuine site, and entering the device code is the authorization step itself. The attacker receives valid OAuth tokens, which can be used for persistent access and are often refreshed automatically, allowing long-term compromise. This makes the attack a potent tool for initial access brokers, who sell compromised credentials to other criminals for ransomware deployment, espionage, or financial fraud.

To defend against this rising threat, organizations must shift their security focus. User awareness training is critical, emphasizing that users should never enter unsolicited codes received via email or chat into any website. IT administrators should consider reviewing and potentially restricting the use of the Device Code Grant flow in their OAuth applications if it is not essential for business operations. Implementing conditional access policies that require compliant devices or specific locations for authentication can add a layer of defense. Furthermore, security teams should monitor authentication logs for anomalous device code requests, especially those originating from unfamiliar locations or for high-privilege accounts. As phishing kits like EvilTokens continue to spread, a combination of technical controls, vigilant monitoring, and user education forms the essential triad for mitigation.
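The monitoring recommendation above can be turned into a small triage rule. The following is an added example, not code from the article or from Push Security; the sign-in records loosely resemble the fields of Entra ID sign-in logs but are constructed, as are the sample events, the privileged-account list and the allowlist of applications expected to use the device code grant. It flags successful device-code sign-ins that come from a country the user has never signed in from interactively, that belong to a privileged account, or that use an application not on the allowlist, and scores them so that an analyst sees the riskiest first.

```python
"""Triage of sign-in records for risky device-code authentications.

Constructed example for illustration: not the article's or Push Security's
code. The record fields loosely resemble Entra ID sign-in logs but are
assumptions, as are the sample events, the privileged-account list and the
allowlist of apps expected to use the device code grant.
"""
from collections import defaultdict

PRIVILEGED_ACCOUNTS = {"admin@corp.example"}          # assumed tenant admins
EXPECTED_DEVICE_CODE_APPS = {"Conference Room TV"}   # assumed legitimate device-code clients

# Constructed sample events. "protocol" == "deviceCode" marks a sign-in completed
# through the Device Authorization Grant; "none" is an ordinary interactive sign-in.
SAMPLE_SIGNINS = [
    {"time": "2026-03-01T09:00:00Z", "user": "alice@corp.example", "protocol": "none",
     "country": "DE", "ip": "198.51.100.10", "app": "Outlook", "status": "success"},
    {"time": "2026-03-02T09:05:00Z", "user": "alice@corp.example", "protocol": "none",
     "country": "DE", "ip": "198.51.100.10", "app": "Teams", "status": "success"},
    {"time": "2026-03-03T10:00:00Z", "user": "admin@corp.example", "protocol": "none",
     "country": "DE", "ip": "198.51.100.11", "app": "Azure Portal", "status": "success"},
    {"time": "2026-03-04T11:12:00Z", "user": "alice@corp.example", "protocol": "deviceCode",
     "country": "NL", "ip": "203.0.113.77", "app": "Microsoft Office", "status": "success"},
    {"time": "2026-03-04T11:30:00Z", "user": "admin@corp.example", "protocol": "deviceCode",
     "country": "DE", "ip": "198.51.100.11", "app": "Conference Room TV", "status": "success"},
    {"time": "2026-03-04T12:00:00Z", "user": "bob@corp.example", "protocol": "deviceCode",
     "country": "DE", "ip": "198.51.100.12", "app": "Conference Room TV", "status": "success"},
    {"time": "2026-03-04T12:30:00Z", "user": "bob@corp.example", "protocol": "deviceCode",
     "country": "DE", "ip": "198.51.100.12", "app": "Microsoft Office", "status": "failure"},
]


def triage(records):
    """Return one alert per successful device-code sign-in that has at least one risk reason.

    Records are processed in time order so that only *earlier* interactive sign-ins
    feed a user's country baseline; ISO-8601 UTC timestamps sort lexicographically.
    """
    baseline = defaultdict(set)   # user -> countries seen in ordinary successful sign-ins
    alerts = []
    for r in sorted(records, key=lambda e: e["time"]):
        if r["status"] != "success":
            continue
        if r["protocol"] != "deviceCode":
            baseline[r["user"]].add(r["country"])
            continue
        reasons = []
        if r["user"] in PRIVILEGED_ACCOUNTS:
            reasons.append("privileged_account")
        known = baseline.get(r["user"], set())
        if not known:
            reasons.append("no_baseline_for_user")
        elif r["country"] not in known:
            reasons.append("new_country")
        if r["app"] not in EXPECTED_DEVICE_CODE_APPS:
            reasons.append("unexpected_app")
        if not reasons:
            continue
        # Any device-code sign-in by a privileged account, or with two independent
        # anomalies, goes to the top of the queue.
        severity = "high" if "privileged_account" in reasons or len(reasons) >= 2 else "medium"
        alerts.append({"time": r["time"], "user": r["user"], "ip": r["ip"],
                       "app": r["app"], "severity": severity, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in triage(SAMPLE_SIGNINS):
        print(alert["severity"], alert["user"], alert["app"], alert["ip"], alert["reasons"])
```

On the sample data this yields three alerts: Alice's device-code sign-in from a new country through an unlisted application (high), the administrator's sign-in through the allowed TV application (high, purely because of the account's privilege), and Bob's first-ever sign-in with no interactive baseline to compare against (medium). Failed attempts are skipped here but are worth a separate, lower-priority rule, since a burst of failed device-code sign-ins can indicate a campaign in progress.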
