Cybercriminals are adopting device code phishing as a new way to bypass traditional phishing defenses and compromise enterprise Microsoft 365 accounts.
According to Proofpoint, threat actors are abusing legitimate Microsoft authentication workflows to steal authentication tokens without using traditional phishing pages.
“The spike in device code phishing coincides with publicly released criminal toolkits and the emergence of multiple phishing-as-a-service (PhaaS) offerings,” said the researchers.
Key Takeaways of the Device Code Phishing Findings
- Device code phishing is rapidly growing as attackers abuse legitimate Microsoft authentication workflows.
- Phishing-as-a-service (PhaaS) platforms like EvilTokens and Tycoon 2FA are helping scale these attacks.
- Attackers use QR codes, PDFs, and OAuth device login flows to steal Microsoft 365 authentication tokens.
- AI-assisted phishing kits are lowering the technical barrier for cybercriminals launching device code attacks.
Inside the Rise of Device Code Phishing
The rise of device code phishing marks an evolution in identity-based attacks targeting enterprises, especially organizations heavily reliant on Microsoft 365 environments.
Unlike traditional adversary-in-the-middle (AiTM) phishing that uses fake login pages to steal credentials, device code phishing abuses legitimate OAuth 2.0 authentication workflows to trick users into granting attacker-controlled access.
Because victims interact with Microsoft’s real authentication portal instead of a fake login page, these attacks can appear more trustworthy and may bypass traditional phishing awareness training focused on suspicious URLs.
Successful attacks can lead to full account takeover and data theft, and can facilitate ransomware deployment.
Researchers warned that the technique is becoming increasingly popular because it exploits trusted authentication processes while requiring relatively little technical sophistication from attackers.
Device Code Phishing-as-a-Service
Proofpoint researchers identified a rapidly growing ecosystem of phishing-as-a-service (PhaaS) platforms supporting device code phishing operations, including EvilTokens, Tycoon 2FA, ODx, and Kali365.
These services allow cybercriminals to automate large portions of the attack chain, from generating phishing pages and device codes to capturing authentication tokens and managing compromised accounts at scale.
Many of the kits also support branding templates impersonating Microsoft, SharePoint, Adobe, and DocuSign services to improve the legitimacy of phishing lures.
Researchers also observed signs that many of these phishing kits are being developed or modified using AI-assisted vibe coding techniques.
This lowers the technical barrier for cybercriminals, enabling inexperienced actors to rapidly launch new phishing variants or customize existing kits with minimal effort.
How Device Code Phishing Attacks Work
In most observed campaigns, attackers distribute phishing emails containing malicious links, PDF attachments, or QR codes that redirect victims to device code phishing landing pages.
Victims are instructed to visit Microsoft’s legitimate device login portal and enter a provided authentication code.
Once the code is submitted, attackers receive authentication tokens that can grant direct access to the victim’s Microsoft 365 account and connected cloud services without needing to steal usernames or passwords directly.
EvilTokens and TA4903 Campaign Activity
One of the most active platforms identified by researchers is EvilTokens, a device code PhaaS operation first advertised on Telegram in early 2026.
The platform includes a feature called Portal Browser, which enables attackers to manage and access multiple compromised Microsoft 365 accounts simultaneously, helping scale BEC and account takeover operations.
Proofpoint also observed multiple campaigns linked to threat actor TA4903, which historically focused on traditional BEC schemes but now appears to rely almost exclusively on device code phishing campaigns.
In one observed campaign, the actor impersonated a human resources department and delivered salary notification PDFs containing QR codes.
Victims who scanned the codes were redirected through Cloudflare Workers infrastructure to phishing pages impersonating Microsoft and DocuSign services.
Despite the increasing sophistication of the attack technique itself, researchers noted that many device code phishing campaigns still contain obvious operational security mistakes.
Some phishing emails contained completely blank message bodies while still delivering malicious attachments or QR codes.
These errors suggest that many threat actors are rapidly deploying AI-assisted phishing infrastructure without fully understanding the operational or social engineering aspects of the campaigns.
Reducing Device Code Phishing Risk
As device code phishing campaigns continue to grow, organizations need to strengthen identity security controls beyond traditional phishing defenses.
- Block or restrict device code authentication flows using Microsoft Conditional Access policies wherever possible.
- Require compliant, managed, or registered devices for access to corporate resources and Microsoft 365 services.
- Monitor Microsoft Entra ID sign-in logs and OAuth activity for suspicious device code authentication attempts and anomalous token usage.
- Restrict OAuth application consent permissions, apply least-privilege access controls, and use privileged access management tools to help limit account exposure.
- Shorten authentication token lifetimes and implement risk-based authentication policies to reduce attacker persistence.
- Expand security awareness training to educate users about device code phishing, QR-code-based lures, and unsolicited authentication requests.
- Test incident response plans and use attack simulation tools with scenarios around identity compromise.
These measures can help organizations build resilience and reduce overall exposure to device code phishing attacks.
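Monitoring sign-in logs, as the list above recommends, is the control most teams can act on immediately. The following is an added example, not Proofpoint's or Microsoft's code: it runs two detection heuristics over constructed Entra ID sign-in records (field names follow the Microsoft Graph signIn resource; the sample users, IP addresses and rules are assumptions).

```python
# Added example, not Proofpoint's or Microsoft's code. Records below are
# constructed JSON lines using Microsoft Graph signIn field names
# (userPrincipalName, ipAddress, authenticationProtocol, status.errorCode);
# "deviceCode" is the authenticationProtocol value logged for the OAuth
# device authorization flow. Sample IPs and users are assumptions.
import json
from collections import defaultdict

# alice and bob have ordinary sign-ins; alice then completes a device code
# sign-in from an IP she never used, which also tries a code as carol.
SAMPLE_LOG = """\
{"createdDateTime":"2026-03-02T08:01:10Z","userPrincipalName":"alice@example.com","ipAddress":"203.0.113.10","authenticationProtocol":"none","status":{"errorCode":0}}
{"createdDateTime":"2026-03-02T08:03:52Z","userPrincipalName":"bob@example.com","ipAddress":"203.0.113.22","authenticationProtocol":"none","status":{"errorCode":0}}
{"createdDateTime":"2026-03-02T09:12:03Z","userPrincipalName":"alice@example.com","ipAddress":"198.51.100.77","authenticationProtocol":"deviceCode","status":{"errorCode":0}}
{"createdDateTime":"2026-03-02T09:30:00Z","userPrincipalName":"bob@example.com","ipAddress":"203.0.113.22","authenticationProtocol":"deviceCode","status":{"errorCode":0}}
{"createdDateTime":"2026-03-02T09:41:19Z","userPrincipalName":"carol@example.com","ipAddress":"198.51.100.77","authenticationProtocol":"deviceCode","status":{"errorCode":50126}}
"""

def parse_signins(text):
    """Parse JSON-lines sign-in records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def find_suspicious_device_code_signins(records):
    """Return (rule, user, ip) findings.
    new_ip:    successful device code sign-in from an IP absent from that
               user's ordinary successful sign-ins in the same export.
    shared_ip: one IP behind device code attempts (any outcome) for more
               than one user, as a single token-redemption host would be."""
    baseline = defaultdict(set)  # user -> IPs seen in ordinary sign-ins
    device_code = []
    for r in records:
        if r.get("authenticationProtocol") == "deviceCode":
            device_code.append(r)
        elif r["status"]["errorCode"] == 0:
            baseline[r["userPrincipalName"]].add(r["ipAddress"])

    findings, users_per_ip = [], defaultdict(set)
    for r in device_code:
        user, ip = r["userPrincipalName"], r["ipAddress"]
        users_per_ip[ip].add(user)
        if r["status"]["errorCode"] == 0 and ip not in baseline[user]:
            findings.append(("new_ip", user, ip))
    for ip, users in users_per_ip.items():
        if len(users) > 1:
            findings.append(("shared_ip", ",".join(sorted(users)), ip))
    return findings

if __name__ == "__main__":
    for f in find_suspicious_device_code_signins(parse_signins(SAMPLE_LOG)):
        print(*f)
```

In a real export the baseline should come from a longer history than the window being examined, otherwise a user's first legitimate device code sign-in of the day will always look new.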
Rise of Device Code Phishing
The growth of device code phishing reflects a broader shift in cybercrime, where attackers are increasingly abusing legitimate authentication workflows instead of relying on more traditional phishing attacks.
Proofpoint researchers compared the technique to ClickFix attacks, which also depend on convincing users to complete actions themselves as part of the attack chain.
As organizations improve phishing defenses, threat actors are increasingly using PhaaS platforms, AI-assisted tooling, and legitimate cloud authentication workflows to compromise accounts.
Organizations are strengthening defenses with layered security strategies and zero trust architecture to mitigate these threats.
