193/69 Tuesday, April 7, 2026

Cybersecurity researchers from Push Security have warned of a dramatic rise in “Device Code Phishing” attacks, which exploit weaknesses in the OAuth 2.0 Device Authorization Grant flow. Early 2026 data shows that phishing pages using this technique have increased by approximately 37.5 times. Originally designed to simplify login for devices without keyboards or with limited input capabilities, such as smart TVs, printers, or IoT devices, this mechanism is now being widely abused by attackers for large-scale account hijacking, driven by both financially and politically motivated groups.
The attack method is highly deceptive. Threat actors first request a legitimate device code from service providers (such as Microsoft or Google) and then use phishing messages to trick victims into entering that code on a real login page. Once the victim completes authentication, the system issues access and refresh tokens directly to the attacker, allowing full account access without needing the password or having to bypass multi-factor authentication (MFA). Researchers have identified at least 11 phishing toolkits (Phishing-as-a-Service), including “EvilTokens,” as well as tools like Venom, ShareFile, and DocuPoll, which enable even low-skilled attackers to launch convincing campaigns that mimic legitimate business platforms.
To mitigate this threat, organizations and users are advised to disable the Device Code Flow if it is not required, particularly by enforcing Conditional Access policies. IT teams should also continuously monitor authentication logs to detect suspicious device code sign-ins or sessions originating from untrusted IP addresses. Proactive monitoring and access controls are essential to identifying and stopping attacks before sensitive data is compromised.
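One way to run the log check described above, as an added example that is not from Push Security or the original article: a Python filter that flags successful device code sign-ins coming from outside trusted networks or from accounts not expected to use the flow. The field names (modeled on a flattened Entra ID sign-in log export), the sample records, the trusted range and the device-account allowlist are assumptions constructed for illustration.

```python
import ipaddress
import json

# Constructed sample records; field names are an assumption (flattened sign-in log export).
SAMPLE_LOG = """\
{"createdDateTime":"2026-04-07T08:01:12Z","userPrincipalName":"tv-lobby@example.com","ipAddress":"192.0.2.10","authenticationProtocol":"deviceCode","errorCode":0}
{"createdDateTime":"2026-04-07T08:03:40Z","userPrincipalName":"alice@example.com","ipAddress":"203.0.113.77","authenticationProtocol":"deviceCode","errorCode":0}
{"createdDateTime":"2026-04-07T08:04:02Z","userPrincipalName":"bob@example.com","ipAddress":"192.0.2.25","authenticationProtocol":"none","errorCode":0}
{"createdDateTime":"2026-04-07T08:05:19Z","userPrincipalName":"carol@example.com","ipAddress":"192.0.2.31","authenticationProtocol":"deviceCode","errorCode":0}
{"createdDateTime":"2026-04-07T08:06:00Z","userPrincipalName":"dave@example.com","ipAddress":"198.51.100.9","authenticationProtocol":"deviceCode","errorCode":50126}
not-json
"""

TRUSTED_NETS = [ipaddress.ip_network("192.0.2.0/24")]  # hypothetical office egress range
DEVICE_ACCOUNTS = {"tv-lobby@example.com"}              # hypothetical input-constrained devices


def flag_device_code_signins(log_text, trusted_nets=TRUSTED_NETS, device_accounts=DEVICE_ACCOUNTS):
    """Return (findings, skipped) for successful device code sign-ins that need review."""
    findings, skipped = [], 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        try:
            rec = json.loads(line)
            proto = rec["authenticationProtocol"]
            user = rec["userPrincipalName"].lower()
            failed = rec["errorCode"] != 0
        except (ValueError, KeyError, TypeError, AttributeError):
            skipped += 1  # count unparsable lines so gaps in log coverage stay visible
            continue
        if proto != "deviceCode" or failed:
            continue      # only completed device code sign-ins result in issued tokens
        reasons = []
        try:
            ip = ipaddress.ip_address(rec.get("ipAddress", ""))
            if not any(ip in net for net in trusted_nets):
                reasons.append("untrusted_ip")
        except ValueError:
            reasons.append("missing_or_invalid_ip")
        if user not in device_accounts:
            reasons.append("account_not_expected_to_use_device_code")
        if reasons:
            findings.append({"time": rec.get("createdDateTime"), "user": user, "reasons": reasons})
    return findings, skipped
```

The allowlist of device accounts doubles as an inventory of where the flow is genuinely required, which is the input needed before disabling it everywhere else.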
