PROBABLYPWNED
Threat IntelligenceJuly 8, 20265 min read

Device Code Phishing Surges 1,380% — MFA Won't Save You

Device code phishing attacks jumped 1,380% in early 2026. EvilTokens and 17 other PhaaS kits now offer turnkey identity theft that bypasses MFA and passkeys.

Alex Kowalski

A phishing technique that started 2026 as a niche tactic used by Russian intelligence has gone fully mainstream. Device code phishing attacks increased 1,380% in the first four months of 2026, according to Huntress researchers, and 18 phishing-as-a-service platforms now offer it as a standard feature.

The numbers are stark: 37x spike in detections since late 2025, with enterprise Microsoft 365 accounts as the primary target. And the most unsettling part? MFA, passkeys, and strong passwords don't help.

How Device Code Phishing Works

Unlike traditional phishing that steals passwords, device code phishing exploits a legitimate Microsoft authentication flow designed for devices that can't easily accept password input—think smart TVs or IoT devices.

The attack flow:

  1. Attacker generates a device code through Microsoft's OAuth endpoint
  2. Victim receives a phishing message directing them to microsoft.com/devicelogin
  3. Victim enters the attacker-supplied code on the real Microsoft login page
  4. Victim completes normal authentication including MFA
  5. Microsoft issues an access token—but delivers it to the attacker, not the victim

The victim authenticates to Microsoft directly. There's no fake login page to spot, no credential harvesting site that security tools might block. The authentication is completely legitimate. Only the authorization ends up in the wrong hands.

Why Traditional Defenses Fail

This is what makes device code phishing so dangerous: it bypasses the entire authentication layer by targeting authorization instead.

  • Strong passwords don't help—the victim types them into the real Microsoft portal
  • MFA doesn't help—the victim completes it legitimately
  • Passkeys don't help—same problem, different authentication factor
  • Phishing-resistant authentication doesn't help—there's no phishing page to resist

Once attackers have the access token, they can access email, documents, Teams conversations, and SharePoint—anything the token authorizes. Token validity can extend for hours or days depending on tenant configuration.

The EvilTokens Ecosystem

The commercialization of device code phishing accelerated in February 2026 when a platform called EvilTokens launched on Telegram. It packages everything an attacker needs:

  • Automated device code generation
  • Customizable phishing templates
  • Token capture and validation
  • Persistence mechanisms for extended access
  • Integration with credential stuffing tools

EvilTokens operates on a subscription model, making sophisticated identity theft accessible to anyone willing to pay. At least 17 other platforms now offer similar capabilities, creating a competitive marketplace for token-based account takeover.

Who's Being Targeted

The attack is particularly effective against enterprise Microsoft 365 users because:

  • Device code flow is enabled by default in most tenants
  • Users are accustomed to Microsoft prompts asking for codes
  • IT support processes often involve similar code-entry workflows
  • Conditional access policies don't typically scrutinize device code grants

Financial services, healthcare, and government organizations have seen concentrated targeting. The 81 million login attempts against Microsoft 365 accounts we reported last week included significant device code phishing activity alongside traditional credential attacks.

Detecting and Preventing Attacks

Organizations can reduce risk through several controls:

Disable device code flow if you don't need it: In Azure AD, navigate to Authentication methods and disable device code flow for users who don't require it. Most enterprises have no legitimate need for this authentication method.

Monitor for suspicious device code grants: Look for Azure AD sign-in logs showing "Device code" as the authentication method, particularly:

  • Grants to unfamiliar applications
  • Grants from unusual geographic locations
  • Multiple device code grants to the same user in short timeframes

Implement Conditional Access policies: Require device compliance or trusted network location for device code authentications. This adds friction that may break legitimate IoT use cases but significantly raises the bar for attackers.

User education with specifics: Train users that Microsoft will never email or message them asking to enter a code at microsoft.com/devicelogin. If they receive such a request, it's an attack.

For organizations concerned about social engineering attacks, device code phishing represents a significant evolution that traditional awareness training may not address.

The Broader Trend

Device code phishing is part of a larger shift toward post-authentication attacks. As organizations successfully deployed MFA, attackers adapted—targeting session tokens, OAuth grants, and authorization flows that occur after authentication succeeds.

We've seen similar patterns with AiTM phishing proxies and session hijacking tools. The common thread: authentication is no longer the weakest link. Authorization and session management are the new battlegrounds.

What Comes Next

The trajectory is clear. Device code phishing went from intelligence-agency tradecraft to commodity attack in six months. The 1,380% growth curve shows no signs of flattening.

Microsoft has introduced some protections, including risk-based policies that can challenge suspicious device code grants. But these require Azure AD Premium licenses and deliberate configuration—resources that many organizations lack.

For security teams, the action item is urgent: audit whether device code flow is enabled in your tenant, implement monitoring for suspicious grants, and update phishing awareness training to cover this specific threat. The window before this becomes truly ubiquitous is closing fast.

Related Articles