Device Code Phishing Surges 1,380% — MFA Won't Save You
Device code phishing attacks jumped 1,380% in early 2026. EvilTokens and 17 other PhaaS kits now offer turnkey identity theft that bypasses MFA and passkeys.
A phishing technique that started 2026 as a niche tactic used by Russian intelligence has gone fully mainstream. Device code phishing attacks increased 1,380% in the first four months of 2026, according to Huntress researchers, and 18 phishing-as-a-service platforms now offer it as a standard feature.
The numbers are stark: 37x spike in detections since late 2025, with enterprise Microsoft 365 accounts as the primary target. And the most unsettling part? MFA, passkeys, and strong passwords don't help.
How Device Code Phishing Works
Unlike traditional phishing that steals passwords, device code phishing exploits a legitimate Microsoft authentication flow designed for devices that can't easily accept password input—think smart TVs or IoT devices.
The attack flow:
- Attacker generates a device code through Microsoft's OAuth endpoint
- Victim receives a phishing message directing them to microsoft.com/devicelogin
- Victim enters the attacker-supplied code on the real Microsoft login page
- Victim completes normal authentication including MFA
- Microsoft issues an access token—but delivers it to the attacker, not the victim
The victim authenticates to Microsoft directly. There's no fake login page to spot, no credential harvesting site that security tools might block. The authentication is completely legitimate. Only the authorization ends up in the wrong hands.
Why Traditional Defenses Fail
This is what makes device code phishing so dangerous: it bypasses the entire authentication layer by targeting authorization instead.
- Strong passwords don't help—the victim types them into the real Microsoft portal
- MFA doesn't help—the victim completes it legitimately
- Passkeys don't help—same problem, different authentication factor
- Phishing-resistant authentication doesn't help—there's no phishing page to resist
Once attackers have the access token, they can access email, documents, Teams conversations, and SharePoint—anything the token authorizes. Token validity can extend for hours or days depending on tenant configuration.
The EvilTokens Ecosystem
The commercialization of device code phishing accelerated in February 2026 when a platform called EvilTokens launched on Telegram. It packages everything an attacker needs:
- Automated device code generation
- Customizable phishing templates
- Token capture and validation
- Persistence mechanisms for extended access
- Integration with credential stuffing tools
EvilTokens operates on a subscription model, making sophisticated identity theft accessible to anyone willing to pay. At least 17 other platforms now offer similar capabilities, creating a competitive marketplace for token-based account takeover.
Who's Being Targeted
The attack is particularly effective against enterprise Microsoft 365 users because:
- Device code flow is enabled by default in most tenants
- Users are accustomed to Microsoft prompts asking for codes
- IT support processes often involve similar code-entry workflows
- Conditional access policies don't typically scrutinize device code grants
Financial services, healthcare, and government organizations have seen concentrated targeting. The 81 million login attempts against Microsoft 365 accounts we reported last week included significant device code phishing activity alongside traditional credential attacks.
Detecting and Preventing Attacks
Organizations can reduce risk through several controls:
Disable device code flow if you don't need it: In Azure AD, navigate to Authentication methods and disable device code flow for users who don't require it. Most enterprises have no legitimate need for this authentication method.
Monitor for suspicious device code grants: Look for Azure AD sign-in logs showing "Device code" as the authentication method, particularly:
- Grants to unfamiliar applications
- Grants from unusual geographic locations
- Multiple device code grants to the same user in short timeframes
Implement Conditional Access policies: Require device compliance or trusted network location for device code authentications. This adds friction that may break legitimate IoT use cases but significantly raises the bar for attackers.
User education with specifics: Train users that Microsoft will never email or message them asking to enter a code at microsoft.com/devicelogin. If they receive such a request, it's an attack.
For organizations concerned about social engineering attacks, device code phishing represents a significant evolution that traditional awareness training may not address.
The Broader Trend
Device code phishing is part of a larger shift toward post-authentication attacks. As organizations successfully deployed MFA, attackers adapted—targeting session tokens, OAuth grants, and authorization flows that occur after authentication succeeds.
We've seen similar patterns with AiTM phishing proxies and session hijacking tools. The common thread: authentication is no longer the weakest link. Authorization and session management are the new battlegrounds.
What Comes Next
The trajectory is clear. Device code phishing went from intelligence-agency tradecraft to commodity attack in six months. The 1,380% growth curve shows no signs of flattening.
Microsoft has introduced some protections, including risk-based policies that can challenge suspicious device code grants. But these require Azure AD Premium licenses and deliberate configuration—resources that many organizations lack.
For security teams, the action item is urgent: audit whether device code flow is enabled in your tenant, implement monitoring for suspicious grants, and update phishing awareness training to cover this specific threat. The window before this becomes truly ubiquitous is closing fast.
Related Articles
Device Code Phishing Hits 340+ Microsoft 365 Orgs in 5 Countries
EvilTokens phishing platform targets Microsoft 365 identities across US, Canada, Australia, New Zealand, and Germany. OAuth abuse bypasses MFA to steal access tokens.
Mar 26, 2026Device Code Phishing Surges 40% — Hundreds Compromised Daily
AI-enabled device code phishing campaigns hit hundreds of Microsoft 365 accounts daily since mid-March. Criminal toolkits proliferate as attacks bypass MFA at scale.
May 17, 2026Bluekit PhaaS Uses Browser-in-the-Middle to Bypass MFA
Netcraft identifies 70 new Bluekit hostnames as the phishing-as-a-service platform adopts real-time session hijacking that defeats all forms of traditional MFA.
Jun 27, 202681M Login Attempts: Massive Azure CLI Password Spray Campaign
Attackers exploited deprecated OAuth ROPC flow to bypass MFA, compromising 78 accounts across 64 organizations. Attack originated from Hong Kong and China infrastructure.
Jul 2, 2026