Device code phishing attacks surge 37x as new kits spread online

bleepingcomputer.com · Brajeshwar · 5 days ago · view on HN · research
quality 9/10 · excellent
0 net
Tags
aws cloudflare malware microsoft oauth phishing
Device code phishing attacks surge 37x as new kits spread online Home News Security Device code phishing attacks surge 37x as new kits spread online Device code phishing attacks surge 37x as new kits spread online By Bill Toulas April 4, 2026 10:17 AM 0 Device code phishing attacks that abuse the OAuth 2.0 Device Authorization Grant flow to hijack accounts have surged more than 37 times this year. In this type of attack, the threat actor sends a device authorization request to a service provider and receives a code, which is sent to the victim under various pretexts. Next, the victim is tricked into entering the code on the legitimate login page, thus authorizing the attacker's device to access the account through valid access and refresh tokens. This flow was designed to simplify connecting devices that do not have accessible input options (e.g., IoT devices, printers, streaming devices, and smart TVs). Device code phishing flow Source: Push Security The device code phishing technique was first documented in 2020, but malicious exploitation was recorded a few years later, and has been used by both state-hackers and financially-motivated ones [ 1 , 2 , 3 , 4 ]. Researchers at Push Security observed a massive increase in the use of these attacks, warning that they have been widely adopted by cybercriminals. “At the start of March (2026), we’d observed a 15x increase in device code phishing pages detected by our research team this year, with multiple kits and campaigns being tracked — with the kit now identified as EvilTokens the most prominent. That figure has now risen to 37.5x.” - Push Security Earlier this week, threat detection and response company Sekoia published research on the EvilTokens phishing-as-a-service (PhaaS) operation. The researchers underline that it is a prominent example of a phishing kit that “democratizes” device code phishing, making it available to low-skilled cybercriminals. Push agrees that EvilTokens has been a major driver of the technique's mainstream adoption, but notes that there are several other platforms competing on the same market, which could become more prominent in the event of law enforcement disrupting EvilTokens: VENOM - A closed-source PhaaS kit offering both device code phishing and AiTM capabilities. Its device code component appears to be an EvilTokens clone. SHAREFILE - A kit themed around Citrix ShareFile document transfers, using node-based backend endpoints to simulate file sharing and trigger device code flows. CLURE - A kit using rotating API endpoints and an anti-bot gate, with SharePoint-themed lures and backend infrastructure on DigitalOcean. LINKID - A kit leveraging Cloudflare challenge pages and self-hosted APIs, using Microsoft Teams and Adobe-themed lures. AUTHOV - A workers.dev-hosted kit using popup-based device code entry and Adobe document-sharing lures. DOCUPOLL - A kit hosted on GitHub Pages and workers.dev that mimics DocuSign workflows, including injected replicas of real pages. FLOW_TOKEN - A workers.dev-hosted kit using Tencent Cloud backend infrastructure, with HR and DocuSign-themed lures and popup-based flows. PAPRIKA - An AWS S3–hosted kit using Microsoft login clone pages with Office 365 branding and a fake Okta footer. DCSTATUS - A minimal kit with generic Microsoft 365 “Secure Access” lures and limited visible infrastructure markers. DOLCE - A Microsoft PowerApps-hosted kit with Dolce & Gabbana–themed lures, likely a one-off or red-team-style implementation rather than widely used. It should be noted that other than Venom and EvilTokens, the names of the other phishing kits were given by Push researchers to track the malicious activity. Push Security also published a video showing how the DOCUPOLL kit works. The threat actor uses DocuSign branding and a lure for an alleged contract, asking the victim to sign into the Microsoft Office application. In total, there are at least 11 phishing kits offering cybercriminals this type of attack, all using realistic SaaS-themed lures, anti-bot protections, and abusing cloud platforms for hosting. To block device-code phishing attacks, Push Security suggests that users disable the flow when not needed by setting conditional access policies on their accounts. It is also recommended to monitor logs for unexpected device code authentication events, unusual IP addresses, and sessions. Automated Pentesting Covers Only 1 of 6 Surfaces. Automated pentesting proves the path exists. BAS proves whether your controls stop it. Most teams run one without the other. This whitepaper maps six validation surfaces, shows where coverage ends, and provides practitioners with three diagnostic questions for any tool evaluation. Get Your Copy Now Related Articles: New EvilTokens service fuels Microsoft device code phishing attacks Hackers target Microsoft Entra accounts in device code vishing attacks Tycoon2FA phishing platform returns after recent police disruption Europol-coordinated action disrupts Tycoon2FA phishing platform Microsoft: Hackers abuse OAuth error flows to spread malware Access Token EvilTokens OAuth OAuth Tokens Phishing Phishing Kit Phishing-as-a-Service Bill Toulas Bill Toulas is a tech writer and infosec news reporter with over a decade of experience working on various online publications, covering open-source, Linux, malware, data breach incidents, and hacks. Previous Article Next Article Post a Comment Community Rules You need to login in order to post a comment Not a member yet? Register Now You may also like: Upcoming Webinar Popular Stories LinkedIn secretly scans for 6,000+ Chrome extensions, collects data Microsoft now force upgrades unmanaged Windows 11 24H2 PCs CERT-EU: European Commission hack exposes data of 30 EU entities Sponsor Posts New fraud playbooks are circulating on the dark web — are you keeping up? Turn stolen data into useless noise in ransomware attack A unified control plane for all identities, human, non-human, and agentic. Attackers aren’t breaking in. They’re logging in. See how these intrusions unfold 5 Things to Measure in an AI-Driven SOC (That Didn't Exist Before) Upcoming Webinar Login Username Password Remember Me Sign in anonymously Sign in with Twitter Not a member yet? Register Now Reporter Help us understand the problem. What is going on with this comment? Spam Abusive or Harmful Inappropriate content Strong language Other Read our posting guidelinese to learn what content is prohibited. Submitting... SUBMIT
← Back to stories