The fraud that steals sessions without a password: device code phishing

Published | 5 min read | 172 reads

A few years ago the technique known as "device code phishing" was something studied at conferences and described in technical papers; today it is a common tool in the arsenal of digital crime. In essence, attackers abuse a legitimate feature of the OAuth 2.0 ecosystem, the Device Authorization Grant, designed to let devices with no keyboard or limited input, such as smart TVs, printers or consoles, sign in. Instead of trying to steal passwords, the attacker starts a device authorization request from their own machine, receives a short user code, and sends it to the victim under a convincing pretext: a contract to sign, a document that "needs review", or a supposedly urgent notification from a well-known service.

When the person enters that code on the legitimate sign-in page, what they are actually doing is approving the session the attacker started. The flow issues valid access and refresh tokens to whoever began the request, so the attacker reaches the account without ever knowing the password and without defeating multifactor authentication: the victim completes MFA themselves on the genuine site, and the server then hands the tokens to the attacker's client. It is a scam that turns the protocol's own rules against it, trading on trust in authentication flows and on the urgency built into the lure. If you want to review the original technical specification that describes this mechanism, RFC 8628 defines the Device Authorization Grant: https://datatracker.ietf.org/doc/html/rfc8628.
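The exchange described above, written out as an added example that is not part of the original article. The authorization server is an in-memory stand-in (hypothetical, not any real provider), the client_id, scope, verification URI and the victim's address are assumed values, and the token format is illustrative; what the simulation preserves is the RFC 8628 message sequence and the reason the attacker never needs the password: the tokens are issued to the holder of the device_code, and the person typing the user_code is the one who authenticates.

```python
"""Simulated RFC 8628 Device Authorization Grant showing both sides of the exchange.

The AuthorizationServer below is an in-memory stand-in (hypothetical), not a real
provider, but it keeps the RFC's message shapes: device_code, user_code,
verification_uri, interval, and the token endpoint's authorization_pending,
expired_token and invalid_grant responses.
"""
import secrets
import time

# RFC 8628 section 6.1 recommends a small alphabet without ambiguous characters.
USER_CODE_ALPHABET = "BCDFGHJKLMNPQRSTVWXZ"
GRANT_TYPE = "urn:ietf:params:oauth:grant-type:device_code"


class AuthorizationServer:
    def __init__(self, lifetime=900):
        self.lifetime = lifetime        # seconds a user_code stays valid
        self.pending = {}               # device_code -> request record
        self.by_user_code = {}          # user_code -> device_code

    def device_authorization(self, client_id, scope, now=None):
        """POST /device_authorization. Anyone with a public client_id can call it:
        no user credentials are involved at this step."""
        now = time.time() if now is None else now
        device_code = secrets.token_urlsafe(32)
        raw = "".join(secrets.choice(USER_CODE_ALPHABET) for _ in range(8))
        user_code = f"{raw[:4]}-{raw[4:]}"
        self.pending[device_code] = {
            "client_id": client_id, "scope": scope, "user_code": user_code,
            "expires": now + self.lifetime, "status": "pending", "subject": None,
        }
        self.by_user_code[user_code] = device_code
        return {"device_code": device_code, "user_code": user_code,
                "verification_uri": "https://login.example.test/device",
                "expires_in": self.lifetime, "interval": 5}

    def user_approves(self, user_code, subject, mfa_satisfied, now=None):
        """The verification page. The person typing the code authenticates with
        their own password and MFA, so every check here passes; the server only
        learns that someone holding this user_code is being approved."""
        now = time.time() if now is None else now
        device_code = self.by_user_code.get(user_code.strip().upper())
        rec = self.pending.get(device_code)
        if rec is None or rec["expires"] < now:
            return {"error": "invalid_or_expired_code"}
        if not mfa_satisfied:
            return {"error": "mfa_required"}
        rec["status"], rec["subject"] = "approved", subject
        return {"result": "approved", "scope": rec["scope"]}

    def token(self, device_code, client_id, grant_type=GRANT_TYPE, now=None):
        """POST /token, polled by the client that started the flow."""
        now = time.time() if now is None else now
        rec = self.pending.get(device_code)
        if grant_type != GRANT_TYPE or rec is None or rec["client_id"] != client_id:
            return {"error": "invalid_grant"}
        if rec["expires"] < now:
            return {"error": "expired_token"}
        if rec["status"] == "pending":
            return {"error": "authorization_pending"}
        # Tokens for the approving user's identity go to whoever holds device_code.
        return {"access_token": f"at.{secrets.token_hex(8)}.{rec['subject']}",
                "refresh_token": f"rt.{secrets.token_hex(8)}",
                "token_type": "Bearer", "scope": rec["scope"], "expires_in": 3600}


def run_phishing_scenario(victim="alice@example.test"):
    """Walk the flow the article describes and return what each side saw."""
    srv = AuthorizationServer()
    # 1. Attacker's machine starts the flow with a public client_id; no password.
    start = srv.device_authorization(client_id="mail-client", scope="Mail.Read offline_access")
    # 2. Attacker polls: nothing yet.
    first_poll = srv.token(start["device_code"], "mail-client")
    # 3. The lure delivers start["user_code"] to the victim ("enter this code to review the document").
    # 4. Victim signs in on the genuine site with password and MFA and types the code.
    approval = srv.user_approves(start["user_code"], victim, mfa_satisfied=True)
    # 5. Attacker's next poll receives access and refresh tokens for the victim's account.
    second_poll = srv.token(start["device_code"], "mail-client")
    return {"user_code": start["user_code"], "first_poll": first_poll,
            "approval": approval, "tokens": second_poll}


if __name__ == "__main__":
    for step, value in run_phishing_scenario().items():
        print(f"{step}: {value}")
```

Note that nothing in `user_approves` ties the approval to the machine that will receive the tokens: the verification page sees a signed-in user and a valid code, and that is all the RFC requires. This is why the defence discussed later in the article is either to block the flow where it is not needed or to stop the code from being typed in.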


Security researchers have been warning about this method since 2020, but it is in recent months that its adoption has taken off. Specialized firms have documented a dramatic rise in the detection of pages and kits that automate the fraud: one research team noted that, in a matter of weeks, the number of pages it detected had risen from tens to more than thirty times that figure over the year. You can read technical analyses and campaign examples in the work of teams such as Push Security and in specialized reports: Push Security, and the report published by Sekoia on the EvilTokens operation (SEKOIA Research).

The jump in popularity is no accident. Services and phishing kits have emerged that package the technique as "phishing-as-a-service", lowering the entry barrier for criminals with little technical knowledge. These kits convincingly mimic the interfaces of SaaS providers (mail services, electronic-signature platforms, corporate portals) and combine them with anti-bot measures and hosting on cloud infrastructure to avoid being easily taken down or detected. Some kits focus on themed lures (documents to sign, file transfers, Office / Adobe / SharePoint notifications), which raises the likelihood that the victim will trust the request and copy in the code they received.

What makes this technique especially dangerous is that it requires neither stolen passwords nor malware to gain access. The tokens issued are legitimate and, unless additional controls are in place, allow the attacker to keep sessions alive, move information and establish persistence through refresh tokens. Moreover, the activity can look normal on many platforms if detection teams are not specifically watching for device code authentication events or unusual patterns in the creation of authorized devices.

In the face of this scenario, the defence requires changes at both the technical and the behavioural level. In corporate environments it is worth reviewing whether the Device Authorization Grant is really needed for particular profiles, and disabling it where it is not through Conditional Access policies (Microsoft Entra Conditional Access, for example, has an authentication-flows condition that can block the device code flow for selected users and applications); Microsoft documents how this flow works on its identity platform and the available control options: Device code flow (Microsoft identity platform) and its Conditional Access guides: Azure AD Conditional Access. It is also good practice to collect and review authentication logs for unexpected device code events, sign-ins from unfamiliar IP addresses or distant locations, and sessions that do not match a user's normal patterns.
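The log review recommended above, as an added example that is not part of the original article. The sign-in records are constructed, not real telemetry; their field names follow the Microsoft Entra ID sign-in log schema (userPrincipalName, ipAddress, location.countryOrRegion, appDisplayName, authenticationProtocol with the value deviceCode, status.errorCode) so the same logic can be pointed at a JSON-lines export of real logs. The per-user country baseline and the allow-list of identities that legitimately use the flow are assumed fixtures for the demo; in production the baseline would be computed from the same log over a trailing window.

```python
"""Flag successful device code sign-ins that do not fit a user's baseline.

Constructed sample data and assumed fixtures; only the fields the check reads are
kept in each record.
"""
import json

# Constructed records in Entra ID sign-in log shape (JSON lines). Not real data.
SAMPLE_SIGNIN_LOG = """\
{"createdDateTime":"2025-03-03T08:02:11Z","userPrincipalName":"alice@example.test","ipAddress":"203.0.113.10","location":{"countryOrRegion":"ES"},"appDisplayName":"Office web","authenticationProtocol":"none","status":{"errorCode":0}}
{"createdDateTime":"2025-03-03T08:05:40Z","userPrincipalName":"alice@example.test","ipAddress":"198.51.100.7","location":{"countryOrRegion":"NL"},"appDisplayName":"Mail client","authenticationProtocol":"deviceCode","status":{"errorCode":0}}
{"createdDateTime":"2025-03-03T08:06:02Z","userPrincipalName":"bob@example.test","ipAddress":"203.0.113.22","location":{"countryOrRegion":"ES"},"appDisplayName":"Meeting room display","authenticationProtocol":"deviceCode","status":{"errorCode":0}}
{"createdDateTime":"2025-03-03T09:15:00Z","userPrincipalName":"carol@example.test","ipAddress":"198.51.100.9","location":{"countryOrRegion":"NL"},"appDisplayName":"Mail client","authenticationProtocol":"deviceCode","status":{"errorCode":70016}}
"""

# Assumed fixture: countries seen in each user's ordinary sign-ins over the last
# 30 days. In practice this is derived from the same log; here it is hard-coded.
KNOWN_COUNTRIES = {
    "alice@example.test": {"ES"},
    "bob@example.test": {"ES"},
    "carol@example.test": {"DE"},
}

# Assumed fixture: identities expected to use the device code flow at all
# (for example the account that signs in meeting-room displays).
DEVICE_CODE_ALLOWED = {"bob@example.test"}


def parse_signin_log(text):
    """Parse a JSON-lines export into a list of dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def find_device_code_anomalies(records, known_countries, allowed_users):
    """Return one alert per successful deviceCode sign-in that breaks the baseline.

    Two independent signals are checked, and both reasons are reported when
    both fire: the user is not on the allow-list for this flow, and the country
    recorded on the event is outside the user's baseline.
    """
    alerts = []
    for rec in records:
        if rec.get("authenticationProtocol") != "deviceCode":
            continue
        # A non-zero errorCode is not a completed sign-in; tokens were not issued.
        if rec.get("status", {}).get("errorCode", 1) != 0:
            continue
        user = rec["userPrincipalName"]
        country = rec.get("location", {}).get("countryOrRegion")
        reasons = []
        if user not in allowed_users:
            reasons.append("user not expected to use the device code flow")
        if country not in known_countries.get(user, set()):
            reasons.append(f"country {country} not in the user's 30-day baseline")
        if reasons:
            alerts.append({
                "time": rec["createdDateTime"], "user": user,
                "ip": rec["ipAddress"], "app": rec.get("appDisplayName"),
                "reasons": reasons,
            })
    return alerts


if __name__ == "__main__":
    records = parse_signin_log(SAMPLE_SIGNIN_LOG)
    for alert in find_device_code_anomalies(records, KNOWN_COUNTRIES, DEVICE_CODE_ALLOWED):
        print(json.dumps(alert))
```

On the sample data only Alice's event is raised: Bob is on the allow-list and in his usual country, and Carol's record never completed. A successful device code sign-in for an account that has no business using the flow is worth a ticket on its own, which is why the allow-list check does not depend on the geography check; if the organisation has blocked the flow by policy, any success at all is the finding.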

For end users, the recommendation is simple and firm: do not enter codes that you did not request or that reached you without a clear context. If you receive an apparently urgent message asking you to type a code on a website, verify the source by another route (contact the sender directly on a known channel, or check with the official service) before acting. Protecting critical accounts with stronger methods, such as hardware security keys or authenticators that do not rely on automated flows, adds an extra layer of protection against scams in general. One caveat: in this scam the victim signs in, MFA included, on the genuine site, so even phishing-resistant MFA does not by itself stop an approved code from issuing tokens; what stops it is not entering the code.


The pressure on those who provide cloud services and identity tools is also high. Platform teams can mitigate part of the risk by shipping more restrictive defaults, improving telemetry to distinguish legitimate uses of the flow from abuse, and making it harder for cloned pages to interact transparently with authorization endpoints. Meanwhile, the operators of these kits continue to exploit how easily convincing pages can be deployed and how conveniently cloud platforms can host malicious infrastructure.

If you want to look into examples and recent cases of campaigns using these kits, including the service known as EvilTokens and other families that have appeared in recent months, there are several analyses available in the technical press and in the reports of threat research companies. A good starting point is the BleepingComputer article that summarizes the proliferation of these services and links to the technical research: BleepingComputer on EvilTokens, as well as the SEKOIA Research analysis cited above.

In short, we are facing an evolution of digital fraud that exploits legitimate mechanisms. There is no single flaw to patch with one measure; it is a combination of social engineering, protocol abuse and the professionalization of crime, and it calls for a coordinated response: technical policies on the platforms, better monitoring and, above all, keeping people informed so they do not hand over access on impulse.
