TL;DR

  • Device code phishing attacks increased roughly 37-fold in early 2026 compared to late 2025
  • Attackers are abusing the OAuth 2.0 Device Authorization Grant to obtain tokens for accounts protected by multi-factor authentication
  • New phishing kits make these attacks cheap and easy to deploy at scale
  • Businesses using Microsoft, Google, or other OAuth-based authentication are at risk
  • MFA alone, including phishing-resistant FIDO2, does not stop it: blocking the device code flow where it is not needed, behavioral detection and user education are critical

The Attack That Grew 37x in Months

Security researchers have documented explosive growth in device code phishing attacks: a roughly 37-fold increase from late 2025 to early 2026 [1]. This technique, which abuses the OAuth 2.0 Device Authorization Grant flow [5], has moved from a niche method to a mainstream threat because of the proliferation of automated phishing kits.

What makes this surge particularly alarming: device code phishing sidesteps MFA by design. The victim completes MFA on the legitimate provider, and the resulting token is handed to the attacker, so no failed-MFA, impossible-travel or suspicious-URL alert fires at sign-in time.

How Device Code Phishing Works

The OAuth 2.0 Device Authorization Grant flow (RFC 8628 [5]) was designed for devices without keyboards or browsers: smart TVs, IoT devices, command-line tools. The device shows a short user code and a verification URL; the user opens that URL on a phone or computer, enters the code, and signs in normally. The device, which has been polling the provider in the background, then receives the tokens. Nothing ties the browser session that approved the code to the device that requested it, and that is the property attackers exploit.

Attackers have weaponized this legitimate feature:

  1. Attacker obtains a public client ID to use with the provider's device code endpoint. They can register their own application, but against Microsoft tenants the common approach is to reuse the client ID of an existing, already-trusted first-party application, so no consent screen ever appears.
  2. Attacker calls the device authorization endpoint and receives a device code (kept by the attacker) and a short user code (to be shown to the victim).
  3. Attacker sends a phishing email containing the user code and a link to the provider's real verification page, framed as a verification request. Meanwhile the attacker's script polls the token endpoint with the device code.
  4. Victim visits the legitimate verification page and enters the user code.
  5. Victim completes authentication, including MFA, on the legitimate page.
  6. The attacker's polling client receives an access token and, if offline_access was requested, a refresh token for the victim's account.

From the victim's perspective, they visited a legitimate website (microsoft.com/devicelogin, google.com/device) and completed a normal sign-in. They approved the attacker's session without realizing it was not their own.
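To make the six steps concrete, here is an added example (not code from the original article, and not any provider's implementation) that models the RFC 8628 exchange in memory: an authorization server with the three endpoints, the attacker as the polling client, and the victim as the browser session. The client ID, user name, verification URL and clock are all constructed; the point it demonstrates is that the token goes to whoever holds the device code, with the standard authorization_pending, slow_down and expired_token responses handled along the way.

```python
"""Added example: an in-memory model of the RFC 8628 device authorization grant,
so the attack steps above can be traced end to end. The server, client ID and
user names are all constructed; nothing here talks to Microsoft or Google."""
import secrets
import time


class DeviceAuthServer:
    """Minimal authorization server: device authorization, user verification, token polling."""

    USER_CODE_ALPHABET = "BCDFGHJKLMNPQRSTVWXZ"  # RFC 8628 sec 6.1: small, unambiguous alphabet

    def __init__(self, lifetime_s=900, interval_s=5, clock=time.time):
        self.lifetime_s, self.interval_s, self.clock = lifetime_s, interval_s, clock
        self.grants = {}        # device_code -> pending grant state
        self.by_user_code = {}  # user_code   -> device_code

    def device_authorization(self, client_id, scope):
        """RFC 8628 sec 3.1/3.2: called by the party that wants a token (here, the attacker)."""
        device_code = secrets.token_urlsafe(32)
        user_code = "-".join("".join(secrets.choice(self.USER_CODE_ALPHABET) for _ in range(4))
                             for _ in range(2))
        self.grants[device_code] = {"client_id": client_id, "scope": scope, "user_code": user_code,
                                    "expires_at": self.clock() + self.lifetime_s,
                                    "authorized_by": None, "last_poll": float("-inf")}
        self.by_user_code[user_code] = device_code
        return {"device_code": device_code, "user_code": user_code,
                "verification_uri": "https://idp.example/devicelogin",  # placeholder URL
                "expires_in": self.lifetime_s, "interval": self.interval_s}

    def verify(self, user_code, username, mfa_passed):
        """RFC 8628 sec 3.3: the browser side. The user types the code and signs in, MFA included."""
        device_code = self.by_user_code.get(user_code.strip().upper())
        if device_code is None:
            return {"error": "invalid_user_code"}
        grant = self.grants[device_code]
        if self.clock() > grant["expires_at"]:
            return {"error": "expired_token"}
        if not mfa_passed:
            return {"error": "mfa_required"}
        grant["authorized_by"] = username
        # The user sees the client_id's display name and scope, never who holds the device_code.
        return {"status": "approved", "client_id": grant["client_id"], "scope": grant["scope"]}

    def token(self, client_id, device_code):
        """RFC 8628 sec 3.4/3.5: polled by whoever holds device_code, with the standard error codes."""
        grant = self.grants.get(device_code)
        if grant is None or grant["client_id"] != client_id:
            return {"error": "invalid_grant"}
        now = self.clock()
        if now > grant["expires_at"]:
            self._discard(device_code)
            return {"error": "expired_token"}
        if now - grant["last_poll"] < self.interval_s:
            grant["last_poll"] = now
            return {"error": "slow_down"}
        grant["last_poll"] = now
        if grant["authorized_by"] is None:
            return {"error": "authorization_pending"}
        self._discard(device_code)
        return {"access_token": f"at.{secrets.token_hex(8)}", "refresh_token": f"rt.{secrets.token_hex(8)}",
                "token_type": "Bearer", "expires_in": 3600, "scope": grant["scope"],
                "subject": grant["authorized_by"]}  # subject exposed for illustration only

    def _discard(self, device_code):
        grant = self.grants.pop(device_code)
        self.by_user_code.pop(grant["user_code"], None)


def run_phishing_scenario():
    """Trace steps 2-6 of the attack with a fake clock; returns what each party ended up with."""
    now = [1_000_000.0]
    server = DeviceAuthServer(clock=lambda: now[0])
    attacker_client = "trusted-public-client-id"  # placeholder for a reused, already-trusted client ID
    dev = server.device_authorization(attacker_client, "Mail.Read Files.Read offline_access")
    polls = [server.token(attacker_client, dev["device_code"])["error"]]    # nothing approved yet
    polls.append(server.token(attacker_client, dev["device_code"])["error"])  # polled too fast
    now[0] += 30                                                              # victim reads the mail
    approval = server.verify(dev["user_code"], "alice@corp.example", mfa_passed=True)
    tok = server.token(attacker_client, dev["device_code"])                  # attacker's next poll
    polls.append("token_issued" if "access_token" in tok else tok["error"])
    return {"approval": approval, "polls": polls, "token_subject": tok.get("subject"),
            "attacker_saw_password_or_mfa": False}  # the attacker never touched the credentials


if __name__ == "__main__":
    print(run_phishing_scenario())
```

Two things to notice when running it: the victim's approval response names a client ID and a scope, not the host that is polling, and the attacker's polling loop is ordinary RFC-conformant client behaviour, which is why provider-side rate limiting on the token endpoint does not stop the attack.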

Why This Attack Bypasses Traditional Defenses

Device code phishing is insidious because it subverts the security model of OAuth:

  • User visits legitimate URLs: The verification page is hosted by the real OAuth provider, not a phishing site. URL filters and reputation systems won't block it.
  • MFA is completed normally: The victim approves the MFA prompt themselves, so fraud detection systems see a legitimate authentication event.
  • No credential theft: The attacker never sees the victim's password or MFA code—they receive a token issued by the OAuth provider.
  • No obvious indicators: The victim authorized an application, which is a normal action in modern authentication flows.

When the attacker registers their own application, the victim is shown a consent prompt and the attack overlaps with consent phishing. When the attacker reuses a trusted client ID, there is no consent prompt at all: the victim simply signs in and the provider issues the token to whoever holds the device code. Either way the victim never hands over a credential; they hand over a session.

The Phishing Kit Revolution

The 37x surge is driven by the commoditization of device code phishing kits. Security researchers have identified multiple crimeware services offering:

  • Automated device code generation: a device code is only valid for a few minutes (15 for Microsoft), so kits request codes continuously, or on the fly when a victim clicks, to make sure the victim always receives a live code.
  • Template phishing emails: Professional templates mimicking Microsoft, Google, and other major services.
  • Campaign management: Bulk emailing, tracking, and automated token harvesting.
  • Low cost: Some services charge as little as $50 per week for access to the platform [2].

These kits lower the technical barrier significantly. Attackers no longer need to understand OAuth internals—they simply purchase access to a platform that handles the entire attack lifecycle.

Real-World Impact: Business Account Takeovers

Device code phishing is particularly dangerous for businesses because:

  • High-value targets: Business accounts often have access to sensitive data, financial systems, and corporate resources.
  • Persistent access: the access token itself is short-lived (about an hour in Entra ID), but the refresh token issued with it lets the attacker mint new access tokens for as long as it stays valid (by default up to 90 days of inactivity in Entra ID, renewed on every use) unless the user's sessions are explicitly revoked.
  • Permission scope: Attackers can request broad permissions (read email, access files, send messages as the user) during the consent flow.
  • Supply chain risk: Compromised business accounts are used to launch attacks against partners and customers.

According to Cofense Phishing Defense Center [3], attackers are increasingly targeting business users with device code phishing emails framed as:

  • MFA verification requests
  • Security audit requirements
  • Device registration for remote work
  • Software license verification

Which Platforms Are Affected?

Any OAuth 2.0 provider that supports the Device Authorization Grant is potentially affected:

  • Microsoft Azure AD/Entra ID: Heavily targeted due to enterprise Office 365 adoption
  • Google Workspace: Gmail, Google Drive, and Google Cloud Platform
  • GitHub: Developer accounts and repository access
  • Zoom: Business meeting accounts
  • Other SaaS platforms: Any service supporting OAuth device flow

Microsoft has published guidance on detecting and preventing device code attacks, noting that attackers have automated tools requesting device codes at scale [2].

Detection and Mitigation Strategies

For Security Teams

  1. Monitor OAuth consent events: SIEM rules should flag unusual application consent activities, especially for newly registered or unknown applications.
  2. Audit granted permissions: Regularly review which applications have access to user data via OAuth.
  3. Implement Conditional Access policies: Require compliant devices or trusted locations for sensitive applications.
  4. Block known phishing kit infrastructure: Threat intelligence feeds now track device code phishing infrastructure.
  5. User behavior analytics: Flag unusual access patterns, such as access from new locations immediately after device code authentication.
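As an added example of points 1 and 5 (not code from the original article, and not a Microsoft query), the following runs three detection rules over a handful of constructed sign-in records: device code grants to apps outside an allow-list, device code grants from a country the user has no history in, and follow-on token use from an IP the user has never signed in from within an hour of the grant. The field names are modelled on the Entra sign-in log schema (authenticationProtocol is "deviceCode" for this grant type), but the records, IPs, app names and allow-list are invented.

```python
"""Added example: flag risky device-code sign-ins in sign-in log records.
The records below are constructed for this example. Their field names are
modelled on Microsoft Entra sign-in logs (authenticationProtocol is
"deviceCode" for device code grants), but nothing here queries a real tenant."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in records (not real log data).
SAMPLE_SIGNINS = [
    {"createdDateTime": "2026-03-01T10:00:00Z", "userPrincipalName": "bob@corp.example",
     "appDisplayName": "Office 365 SharePoint Online", "authenticationProtocol": "oAuth2",
     "ipAddress": "192.0.2.5", "location": {"countryOrRegion": "AU"}, "status": {"errorCode": 0}},
    {"createdDateTime": "2026-03-02T08:00:00Z", "userPrincipalName": "alice@corp.example",
     "appDisplayName": "Office 365 SharePoint Online", "authenticationProtocol": "oAuth2",
     "ipAddress": "203.0.113.10", "location": {"countryOrRegion": "AU"}, "status": {"errorCode": 0}},
    # Victim enters the phished user code; the interactive sign-in shows *her* IP and country.
    {"createdDateTime": "2026-03-02T09:30:00Z", "userPrincipalName": "alice@corp.example",
     "appDisplayName": "Device Enrollment Helper", "authenticationProtocol": "deviceCode",
     "ipAddress": "203.0.113.10", "location": {"countryOrRegion": "AU"}, "status": {"errorCode": 0}},
    # Eleven minutes later the token is used from infrastructure alice has never signed in from.
    {"createdDateTime": "2026-03-02T09:41:00Z", "userPrincipalName": "alice@corp.example",
     "appDisplayName": "Office 365 Exchange Online", "authenticationProtocol": "oAuth2",
     "ipAddress": "198.51.100.77", "location": {"countryOrRegion": "NL"}, "status": {"errorCode": 0}},
    # Legitimate device code use: allow-listed CLI tool, usual IP, no follow-on from elsewhere.
    {"createdDateTime": "2026-03-02T11:00:00Z", "userPrincipalName": "bob@corp.example",
     "appDisplayName": "Corp CLI Tool", "authenticationProtocol": "deviceCode",
     "ipAddress": "192.0.2.5", "location": {"countryOrRegion": "AU"}, "status": {"errorCode": 0}},
    # Failed device code sign-in (wrong password); not a successful grant, so not alerted on.
    {"createdDateTime": "2026-03-02T12:00:00Z", "userPrincipalName": "carol@corp.example",
     "appDisplayName": "Device Enrollment Helper", "authenticationProtocol": "deviceCode",
     "ipAddress": "203.0.113.55", "location": {"countryOrRegion": "AU"}, "status": {"errorCode": 50126}},
]

# Applications your organisation knowingly uses with the device code flow (assumed list).
ALLOWED_DEVICE_CODE_APPS = {"Corp CLI Tool"}


def _ts(value):
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def detect_device_code_abuse(signins, allowed_apps, follow_on_window=timedelta(hours=1)):
    """Return one alert per successful device-code sign-in that looks wrong.

    Three independent signals:
      1. the app is not on the allow-list of tools that legitimately use device code;
      2. the interactive sign-in came from a country the user has no prior history in;
      3. within follow_on_window the same user's token is used from an IP never seen
         before for that user (the attacker's polling host is usually not the victim's).
    """
    records = sorted(signins, key=lambda r: _ts(r["createdDateTime"]))
    baseline_countries = defaultdict(set)
    for r in records:  # baseline from ordinary successful sign-ins only
        if r["status"]["errorCode"] == 0 and r["authenticationProtocol"] != "deviceCode":
            baseline_countries[r["userPrincipalName"]].add(r["location"]["countryOrRegion"])

    seen_ips = defaultdict(set)  # IPs observed for each user so far, in chronological order
    alerts = []
    for i, r in enumerate(records):
        user = r["userPrincipalName"]
        seen_ips[user].add(r["ipAddress"])
        if r["authenticationProtocol"] != "deviceCode" or r["status"]["errorCode"] != 0:
            continue
        prior_ips = set(seen_ips[user])
        reasons = []
        if r["appDisplayName"] not in allowed_apps:
            reasons.append(f"device code sign-in to non-allow-listed app '{r['appDisplayName']}'")
        country = r["location"]["countryOrRegion"]
        if country not in baseline_countries[user]:
            reasons.append(f"device code sign-in from {country}, outside baseline "
                           f"{sorted(baseline_countries[user])}")
        t0 = _ts(r["createdDateTime"])
        for later in records[i + 1:]:
            if later["userPrincipalName"] != user:
                continue
            if _ts(later["createdDateTime"]) - t0 > follow_on_window:
                break  # records are sorted, so nothing later can be inside the window
            if later["status"]["errorCode"] == 0 and later["ipAddress"] not in prior_ips:
                minutes = int((_ts(later["createdDateTime"]) - t0).total_seconds() // 60)
                reasons.append(f"token used {minutes} min later from new IP {later['ipAddress']} "
                               f"({later['location']['countryOrRegion']}) against "
                               f"'{later['appDisplayName']}'")
                break
        if reasons:
            alerts.append({"user": user, "time": r["createdDateTime"], "ip": r["ipAddress"],
                           "app": r["appDisplayName"],
                           "severity": "high" if len(reasons) > 1 else "medium",
                           "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in detect_device_code_abuse(SAMPLE_SIGNINS, ALLOWED_DEVICE_CODE_APPS):
        print(f"[{alert['severity'].upper()}] {alert['user']} at {alert['time']} via {alert['app']}")
        for reason in alert["reasons"]:
            print("   -", reason)
```

On the sample data only alice is flagged, on two counts (unknown app, then token use from a new Dutch IP eleven minutes later); bob's device code sign-in to the allow-listed tool from his usual IP and carol's failed attempt produce nothing. In a SIEM the same logic maps onto a join between device-code sign-ins and the user's subsequent non-interactive sign-ins, keyed on user and bounded by the window.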

For Users and Administrators

  1. Verify app permissions: Before authorizing any OAuth application, review the requested permissions. If an app asks for email, file access, or send-as permissions you don't recognize, decline.
  2. Audit connected apps: Regularly review and revoke permissions for apps you no longer use (Microsoft: https://myapps.microsoft.com; Google: https://myaccount.google.com/permissions).
  3. Verify unexpected code prompts: If you receive an unexpected request to enter a device code, contact your IT department—don't enter it.
  4. Report phishing: Forward suspicious emails to your security team for analysis.

Technical Controls

Some organizations have implemented:

  • Tenant-wide block on the device code flow (the Conditional Access "Authentication flows" condition), with exceptions only for the accounts, devices or locations that genuinely need it
  • Application approval policies requiring admin approval before users can consent to new apps
  • Continuous Access Evaluation, so that revoking a user's sessions takes effect in near real time instead of at access token expiry
  • Phishing-resistant MFA (FIDO2/security keys), with an important caveat: it does not stop device code phishing on its own. The victim completes the FIDO2 ceremony on the genuine provider page, so the assertion is valid and the token is still issued to the attacker's polling client. It still raises the bar for other phishing techniques and for step-up on sensitive operations, but the device code flow has to be blocked or constrained separately.
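The first control above, as an added example rather than text from the original article: a Microsoft Graph request body for a Conditional Access policy that blocks the device code flow for everyone except one exception group, created in report-only mode first so the sign-in logs reveal who actually depends on the flow before it is enforced. The group ID is a placeholder you would replace with your break-glass and device-code-exception group; the endpoint it is sent to is POST https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies. The weak baseline this replaces is having no such policy at all, which is the default: the device code flow is then allowed for every user and every application in the tenant.

```json
{
  "displayName": "Block device code flow (report-only first)",
  "state": "enabledForReportingButNotEnforced",
  "conditions": {
    "users": {
      "includeUsers": ["All"],
      "excludeGroups": ["<break-glass-and-device-code-exception-group-id>"]
    },
    "applications": {
      "includeApplications": ["All"]
    },
    "authenticationFlows": {
      "transferMethods": "deviceCodeFlow"
    }
  },
  "grantControls": {
    "operator": "OR",
    "builtInControls": ["block"]
  }
}
```

After a week or two of report-only results, change "state" to "enabled". If a jump host or build agent legitimately needs the flow, scope the exception to that compliant device or named location rather than to a user, so the exception cannot be phished from an arbitrary browser.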

Why Traditional Security Awareness Training Fails Here

Device code phishing exploits a design feature, not a vulnerability. Users are trained to recognize fake URLs, but these attacks use real URLs. Users are trained to protect passwords, but these attacks don't steal passwords.

Effective training must focus on:

  • OAuth consent flow understanding
  • Permission review before authorization
  • Recognizing unexpected authentication prompts
  • Reporting suspicious authorization requests

The phrasing of device code phishing emails is particularly manipulative, often creating urgency ("Your access will expire in 30 minutes") or invoking authority ("Security audit required by IT policy").


The Regulatory and Compliance Angle

Device code phishing has compliance implications:

  • Data breach notification: If an attacker accesses PII via a compromised OAuth token, this may trigger breach notification requirements.
  • Access control failures: Regulators may view successful device code phishing as a failure of access controls under frameworks like SOC 2, ISO 27001, or HIPAA.
  • Audit trails: OAuth consent events must be logged and reviewed as part of compliance monitoring.

Organizations subject to GDPR, CCPA, or Australian Privacy Act should assess whether device code phishing could lead to unauthorized data access and document their mitigation controls.

The Future: AI-Generated Phishing Meets Device Code Attacks

The convergence of two trends creates a perfect storm:

  • AI-generated phishing emails becoming 450% more effective [4]
  • Automated device code kits lowering technical barriers

We can expect to see AI-powered device code phishing campaigns that:

  • Personalize emails based on OSINT (job title, recent documents, org charts)
  • Generate realistic context ("Your manager Sarah invited you to a shared workspace")
  • Scale across thousands of targets with unique, convincing messages

The 37x surge may be just the beginning. As AI lowers the cost of crafting convincing phishing and automation kits lower the cost of device code exploitation, this attack vector will likely become a standard tool in attacker arsenals.

Immediate Action Items

  1. Audit your OAuth exposure: List all applications registered in your Microsoft, Google, and other OAuth tenants.
  2. Review consent grants: Check which applications have permissions to user data.
  3. Implement Conditional Access: Require compliant devices or trusted locations for sensitive applications.
  4. Update security awareness training: Add specific modules on device code phishing and OAuth consent.
  5. Enable monitoring: Configure alerts for unusual consent activities.
  6. Test your defenses: Run internal phishing simulations using device code scenarios.

FAQ

Is the OAuth device code flow itself a vulnerability?

No, it's a legitimate OAuth 2.0 feature for devices without browsers [5]. The weakness is that the flow deliberately separates the party that requests the code from the party that approves it, and attackers abuse user trust to get the victim to approve a code the attacker requested.

Should we just disable the device code flow?

It may break legitimate IoT devices, command-line tools, or smart TVs that rely on device code authentication. Evaluate your environment before blocking it entirely; a Conditional Access policy in report-only mode will show you who actually uses it.

Does MFA protect against device code phishing?

No. In fact, the victim completes MFA during the device code flow, authorizing the attacker's session. This is why the attack is so effective: it doesn't bypass MFA, it co-opts it. That includes phishing-resistant methods such as FIDO2, because the ceremony happens on the genuine provider page.

How can we tell whether we have already been targeted?

In Microsoft Entra ID, filter the sign-in logs on the authentication protocol "Device code" and review which users, apps and IP addresses appear, then look for follow-on activity from unfamiliar IPs for those users [8]. Also review the audit log for consent events and enterprise applications you do not recognize.

Can we revoke the attacker's access after a successful attack?

Yes. If you suspect a device code phishing attack, revoke the user's sign-in sessions (the "Revoke sessions" action in Microsoft Entra ID, or Revoke-MgUserSignInSession in Microsoft Graph PowerShell), which invalidates the refresh tokens, and reset the password. Already-issued access tokens keep working until they expire (about an hour) unless the resource supports Continuous Access Evaluation. If the attacker used their own registered application, also remove its consent grant or delete its service principal.

References

[1] BleepingComputer, "Device code phishing attacks surge 37x as new kits spread online," April 4, 2026. [Online]. Available: https://www.bleepingcomputer.com/news/security/device-code-phishing-attacks-surge-37x-as-new-kits-spread-online/

[2] Microsoft Security Blog, "Rising threat: Device code phishing and how to protect your organization," March 2026. [Online]. Available: https://www.microsoft.com/en-us/security/blog/2026/03/device-code-phishing-protection/

[3] Cofense Phishing Defense Center, "OAuth Device Code Phishing: Analysis and Mitigation," Q1 2026 Threat Report. [Online]. Available: https://www.cofense.com/blog/oauth-device-code-phishing-2026/

[4] lilMONSTER, "AI-Generated Phishing Is Now 450% More Effective: What Your Business Needs to Know," April 4, 2026. [Online]. Available: https://blog.lil.business/ai-tycoon2fa-phishing-450pc-increase-smb-guide

[5] OAuth 2.0 Device Authorization Grant, RFC 8628, IETF, 2019. [Online]. Available: https://datatracker.ietf.org/doc/html/rfc8628

[6] Microsoft Learn, "Microsoft identity platform and the OAuth 2.0 device authorization grant flow," 2026. [Online]. Available: https://learn.microsoft.com/en-us/entra/identity-platform/v2-oauth2-device-code-flow

[7] Google Identity, "OAuth 2.0 for TV and Limited-Input Device Applications," 2026. [Online]. Available: https://developers.google.com/identity/protocols/oauth2/limited-input-device

[8] Entra ID (Azure AD) Auditing, "Sign-in and activity report concepts," Microsoft Learn, 2026. [Online]. Available: https://learn.microsoft.com/en-us/entra/identity/monitoring-health/concept-sign-ins


OAuth phishing attacks are bypassing traditional MFA and costing businesses millions. lilMONSTER helps you implement defense-in-depth that catches what MFA misses. Get a phishing-resistant security assessment.

TL;DR

Bad actors tricked people at over 340 companies into handing over access to their Microsoft 365 accounts — and even changing your password doesn't kick them out [1][2]. Here's how it works and how to stop it, explained simply.

How Did Hackers Get Into 340 Companies' Microsoft Accounts?

Imagine your Microsoft 365 account is a house. Your password is the key, and your MFA code (that text or app notification) is a second lock on the door. Normally, a thief would need to steal both to get in.

But Microsoft has a special side entrance called "device code login" [7]. It was built for devices like smart TVs that don't have keyboards. Here's how it works: the TV shows you a short code, you go to Microsoft's website on your phone, type the code in, and log in normally. The TV is now connected to your account.

Here's the trick the attackers pulled [1][2]: they asked Microsoft for one of those codes themselves. Then they sent phishing emails — fake construction bids, fake DocuSign requests, fake voicemail alerts — with a link to Microsoft's real login page. When someone clicked the link and typed in the code, they were actually logging the attacker into their account. The person completed their real password and real MFA like normal. Everything looked legitimate because it was the real Microsoft website.

Why Doesn't Changing Your Password Fix This?

Here's the part that surprises people. When you log in through the device code flow, Microsoft hands out a special pass called a "token" [1][7]. That token works independently of your password: the access token is valid until it expires, and the refresh token that comes with it keeps minting new ones until it is revoked. So even if you change your password afterward, the attacker's access can continue, like giving someone a guest key that doesn't change when you rekey the front door. To actually kick them out, an administrator has to revoke the user's sign-in sessions in Microsoft Entra ID, which cancels those tokens.

Who Was Targeted and Who Is Behind It?

Huntress, a security research company, spotted this campaign starting February 19, 2026 [1]. It hit more than 340 organizations across the US, Canada, Australia, New Zealand, and Germany. Construction companies, non-profits, healthcare, legal firms, and government agencies were all targeted. The attackers used Cloudflare Workers and Railway (a cloud platform) to run their operation, with 84% of activity coming from just three IP addresses [1][2]. Similar attacks have previously been linked to Russia-aligned hacking groups [3][4][10].

How Can Your Business Stay Safe?

The fix is straightforward. If your company doesn't use smart TVs or similar devices with Microsoft 365, your IT team can block device code login with a Conditional Access policy (the "Authentication flows" condition) [7]. You can also set up rules so that tokens only work from approved, compliant devices [3][6]. And make sure everyone on your team knows: never type a code into microsoft.com/devicelogin unless you started that process yourself on your own device.

This is a solvable problem. The tools to block it are already included in Microsoft 365 — they just need to be switched on.



FAQ

What is device code phishing?

It's when an attacker generates a login code meant for devices like smart TVs and tricks you into entering it on Microsoft's real website. When you log in, the attacker gets access to your account instead of a TV [1][7].

Does it work even if I have MFA turned on?

Yes. You complete MFA yourself on Microsoft's real site, so the attacker's access token already has MFA approval baked in [3][4]. The extra lock on the door doesn't help because you opened it.

Does changing my password fix it?

Not from this specific attack. The tokens the attacker received can keep working after a password change [1]. You need to revoke the user's sign-in sessions in Microsoft Entra ID to remove their access.

How do we protect our Microsoft 365 tenant?

Block the device code flow with a Conditional Access policy if you don't need it, require compliant devices for sensitive apps, and train your team never to enter a code at microsoft.com/devicelogin unless they personally started the process [6][7].


References

[1] Huntress, "Device Code Phishing Campaign Targeting Microsoft 365," Huntress Blog, Mar. 2026. [Online]. Available: https://www.huntress.com/blog/device-code-phishing-microsoft-365

[2] R. Lakshmanan, "Device Code Phishing Hits 340+ Microsoft 365 Orgs Across Five Countries via OAuth Abuse," The Hacker News, Mar. 25, 2026. [Online]. Available: https://thehackernews.com/2026/03/device-code-phishing-hits-340-microsoft.html

[3] Microsoft Threat Intelligence, "Storm-2372 Conducts Device Code Phishing Campaign," Microsoft Security Blog, Feb. 2025. [Online]. Available: https://www.microsoft.com/en-us/security/blog/2025/02/13/storm-2372-conducts-device-code-phishing-campaign/

[4] Volexity, "Device Code Phishing: Active Campaigns Targeting Organizations," Volexity Blog, Feb. 2025. [Online]. Available: https://www.volexity.com/blog/2025/02/13/multiple-russian-threat-actors-targeting-microsoft-device-code-authentication/

[5] Proofpoint, "Device Code Phishing Threats Persist in 2026," Proofpoint Threat Insight, 2026. [Online]. Available: https://www.proofpoint.com/us/blog/threat-insight/device-code-phishing-threats

[6] CISA, "Phishing Guidance: Stopping the Attack Cycle at Phase One," Cybersecurity and Infrastructure Security Agency, Oct. 2023. [Online]. Available: https://www.cisa.gov/sites/default/files/2023-10/Phishing-Guidance-Stopping-Attack-Cycle-at-Phase-One_508c.pdf

[7] Microsoft, "Microsoft Entra ID Device Code Flow," Microsoft Learn, 2024. [Online]. Available: https://learn.microsoft.com/en-us/entra/identity-platform/v2-oauth2-device-code

[8] IBM Security, "Cost of a Data Breach Report 2025," IBM, 2025. [Online]. Available: https://www.ibm.com/reports/data-breach

[9] FBI Internet Crime Complaint Center, "IC3 Annual Report 2025," FBI, 2025. [Online]. Available: https://www.ic3.gov/AnnualReport/Reports/2025_IC3Report.pdf

[10] Amazon Web Services Threat Intelligence, "Device Code Abuse by Russian Threat Groups," AWS Security Blog, 2025. [Online]. Available: https://aws.amazon.com/blogs/security/device-code-abuse-russian-threat-groups
