Device Code Phishing is an Evolution in Identity Takeover
Key Findings
Device code phishing is exploding across the threat landscape, with new device code phishing tools emerging every week.
The spike in device code phishing coincides with publicly released criminal toolkits, and the emergence of multiple phishing-as-a-service (PhaaS) offerings.
Most of the identified activity uses tooling that appears to be "vibe coded" (generated with LLM assistance). It is unclear whether most actors are copying and modifying publicly known tools or using similar prompts to generate nearly identical attack flows wholesale.
Regardless of how the tool was created and which device code tool actors are using, defense remains the same.
The surge in device code phishing is the natural progression of credential phishing: as more people become aware of multifactor authentication bypass techniques, criminals must get creative.
Overview
Credential phishing remains an effective technique enabling everything from account takeover and fraud to ransomware and espionage. However, as organizations become better at defending against common phishing techniques such as multifactor authentication (MFA) phishing, cyber threat actors have expanded their capabilities to techniques like device code and OAuth phishing. Combined with LLM-generated tools and new social engineering tricks, such techniques let criminals target more people at scale.
From 2020 to around 2022, the device code phishing technique was used mainly by red teams, and occasionally by criminal and espionage threat actors, to trick someone into authorizing a malicious application's access to their enterprise email account. Its popularity has grown considerably since. The publication of criminal device code phishing tools in fall 2025, paired with new innovations in attack chains amplified by "vibe coding" resources, turned the previously obscure technique into a phishing free-for-all.
Threat actors abuse the OAuth 2.0 device authorization grant flow to compromise Microsoft 365 or other enterprise user accounts: the actor starts the flow for an application it controls, and the victim, by entering the code and signing in, approves that application's access. Because the application is often an existing, already-consented client, the victim sees only the familiar sign-in steps and no consent prompt. While the majority of device code phishing campaigns focus on Microsoft accounts, Proofpoint has also observed Google themed campaigns in significantly lower volumes.
Device code phishing campaigns frequently leverage “account takeover (ATO) jumping,” a technique where an attacker compromises an initial email account and then uses it to send phishing links to a wide set of contacts.
In observed activity, campaigns typically begin with an initial message delivering a URL in one of several ways: behind a button, as hyperlinked text, embedded in a document, or within a QR code. When a user visits the URL, it initiates an attack sequence leveraging the legitimate Microsoft device authorization process.
The current device code landscape differs from the original implementations in one major way that has increased the technique's popularity: on-demand code generation.
Previously, threat actors would generate a code and send it directly to recipients, telling them to enter it as soon as possible because it expires in 15 minutes. If the target didn't see the email in time, or decided to wait before interacting with the malicious URL, the code expired and the actor was out of luck. Current iterations address the limitation of the 15-minute expiration window: in most current device code phishing attacks, the code is generated dynamically when the user clicks the initial phishing link, so the 15-minute clock starts at the moment of interaction rather than at send time. This seemingly small change allows the user to open the email whenever they like and still kick off the attack chain. These new implementations of the device code attack chain can be purchased via phishing-as-a-service (PhaaS) offerings, like EvilTokens or Tycoon, or created and owned by the threat actor conducting the campaigns.
Successful device code phishing attacks can lead to full account takeover, theft of sensitive information, fraud and business email compromise, lateral movement within a compromised environment, and even disruptive attacks like ransomware.
Campaign Examples
In device code phishing campaigns, emails can include URLs, attachments with URLs, or QR codes that lead to the device code phishing landing pages. The code shown on the page is the user code from a device authorization request that the kit makes on the target's behalf; the kit's backend keeps the matching device code and polls Microsoft's token endpoint with it. The page's button redirects the user to https[:]//microsoft[.]com/devicelogin, the legitimate entry point of Microsoft's device code authentication flow. If the target enters the provided code there and completes sign-in, MFA included, the poll succeeds and the threat actor receives the authentication tokens, which can then be used to access the target's account, including data and other services that the compromised account has access to.
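The flow described in the two passages above (on-demand code generation, and the kit polling Microsoft's token endpoint while the victim enters the user code at the genuine portal) is easier to reason about as a small model. The following is an added illustration, not code from this page, from any kit, or from Microsoft: a toy identity provider stands in for the /devicecode and /token endpoints, a toy kit backend for the actor, and the two scenario functions contrast a code minted at send time with one minted on click. The 900-second lifetime, the verification URL and the polling error strings follow the documented Microsoft flow; the client ID, scope and the "upn" field in the token response are simplifications and every other identifier is invented.

```python
"""Toy model of the OAuth 2.0 device authorization grant (RFC 8628) as abused by
device code phishing. Added illustration; not code from any kit or from Microsoft.
AuthorizationServer stands in for the IdP's /devicecode and /token endpoints,
PhishingKit for the actor's backend."""
import secrets
import string

CODE_LIFETIME = 900        # seconds: Entra device codes expire after 15 minutes
POLL_INTERVAL = 5          # minimum seconds between token-endpoint polls
VERIFICATION_URI = "https://microsoft.com/devicelogin"


class AuthorizationServer:
    """Minimal identity provider: issues code pairs, records approval, mints tokens."""

    def __init__(self):
        self._grants = {}      # device_code -> grant record
        self._user_codes = {}  # user_code -> device_code

    def device_authorization(self, client_id, scope, now):
        """POST /devicecode: the client (here, the phishing kit) asks for a code pair."""
        device_code = secrets.token_hex(32)
        alphabet = string.ascii_uppercase + string.digits
        user_code = "".join(secrets.choice(alphabet) for _ in range(9))
        self._grants[device_code] = {"client_id": client_id, "scope": scope,
                                     "expires": now + CODE_LIFETIME,
                                     "approved_by": None, "last_poll": None}
        self._user_codes[user_code] = device_code
        return {"device_code": device_code, "user_code": user_code,
                "verification_uri": VERIFICATION_URI,
                "expires_in": CODE_LIFETIME, "interval": POLL_INTERVAL}

    def user_enters_code(self, user_code, upn, now):
        """What the real portal does when the victim types the code and signs in,
        MFA included: the victim's session is bound to the attacker's grant."""
        grant = self._grants.get(self._user_codes.get(user_code))
        if grant is None or now > grant["expires"]:
            return "invalid_or_expired"   # the portal rejects a stale code
        grant["approved_by"] = upn
        return "ok"

    def token(self, client_id, device_code, now):
        """POST /token with grant_type=urn:ietf:params:oauth:grant-type:device_code."""
        grant = self._grants.get(device_code)
        if grant is None or grant["client_id"] != client_id:
            return {"error": "invalid_grant"}
        if now > grant["expires"]:
            return {"error": "expired_token"}
        if grant["last_poll"] is not None and now - grant["last_poll"] < POLL_INTERVAL:
            return {"error": "slow_down"}
        grant["last_poll"] = now
        if grant["approved_by"] is None:
            return {"error": "authorization_pending"}
        del self._grants[device_code]    # the grant is consumed on first success
        # Real responses carry the UPN inside the token claims, not as a field.
        return {"token_type": "Bearer", "access_token": "eyJ...",
                "refresh_token": "0.A...", "upn": grant["approved_by"]}


class PhishingKit:
    """Toy actor backend. CLIENT_ID is a placeholder (not a real application)."""
    CLIENT_ID = "00000000-0000-0000-0000-000000000000"
    SCOPE = "openid offline_access"   # offline_access yields a refresh token

    def __init__(self, idp):
        self.idp = idp
        self.device_code = None
        self.user_code = None

    def request_code(self, now):
        """Ask for a code pair; the user_code is what the landing page displays."""
        resp = self.idp.device_authorization(self.CLIENT_ID, self.SCOPE, now)
        self.device_code, self.user_code = resp["device_code"], resp["user_code"]
        return self.user_code

    def poll(self, now):
        """Poll the token endpoint; success means the victim completed sign-in."""
        return self.idp.token(self.CLIENT_ID, self.device_code, now)


def precomputed_code(victim_delay):
    """Old style: the code is minted when the email is sent (t = 0) and embedded
    in the lure; the victim only acts victim_delay seconds later."""
    idp = AuthorizationServer()
    kit = PhishingKit(idp)
    kit.request_code(now=0)
    idp.user_enters_code(kit.user_code, "victim@example.com", now=victim_delay)
    return kit.poll(now=victim_delay + POLL_INTERVAL)


def on_demand_code(victim_delay):
    """Current kits: the email carries only a link; the code is minted when the
    landing page loads, so the 15-minute clock starts at the click."""
    idp = AuthorizationServer()
    kit = PhishingKit(idp)
    kit.request_code(now=victim_delay)
    idp.user_enters_code(kit.user_code, "victim@example.com", now=victim_delay + 60)
    return kit.poll(now=victim_delay + 60 + POLL_INTERVAL)


if __name__ == "__main__":
    print("code in email, opened 2 h later:", precomputed_code(2 * 3600))
    print("code minted on click, 2 h later:", on_demand_code(2 * 3600)["upn"])
```

Run as a script, the first line prints an expired_token error and the second prints the victim's UPN: the same two-hour delay that killed the old-style lure is irrelevant once the code is requested when the page loads. The repeated polling with authorization_pending responses, followed by one successful token response, is also the traffic shape that the "poll for user_code authentication status" network rules listed later on this page are written against.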
EvilTokens is one of the most prominent device code PhaaS options.
Proofpoint assesses EvilTokens is created and maintained using "vibe coding" AI generation techniques. It was first advertised on Telegram in February 2026. Like the other kits, EvilTokens captures the tokens issued when the target completes the flow, giving the actor access to the target's account and to the data and services that account can reach.
Figure: EvilTokens Telegram channel announcement.
The platform offers various landing pages and themes for customers including Microsoft, Adobe, DocuSign, etc. The platform can generate the attack chain from lure to infrastructure.
Figure: Example of EvilTokens landing page, observed by Proofpoint in March 2026.
EvilTokens affiliates can also pay for the “Portal Browser” which enables them to access and manage multiple compromised Microsoft 365 accounts. This tool helps automate and scale business email compromise (BEC) operations. Researchers at Sekoia previously detailed the EvilTokens PhaaS operations.
Notably, Proofpoint researchers observe numerous variations of device code phishing kits that look similar to EvilTokens, but use slightly different API endpoints and HTML headers, enabling researchers to differentiate the unique kits. Some are used regularly by multiple threat actors; some appear briefly in threat data and are used in just a handful of campaigns.
In one 10-day window in April 2026, Proofpoint researchers observed around seven distinct device code phishing kit variants whose landing pages looked nearly identical.
It is unclear whether EvilTokens copied an existing kit and monetized it, or if other threat actors are copying and/or updating EvilTokens via AI tools to create their own device code phishing without using the PhaaS platform. There’s a strong possibility that both are occurring simultaneously.
Figure: Example of multiple device code phishing landing pages.
For example, cybercriminal actor TA4903 began using device code phishing to compromise accounts in March 2026. The actor continues to impersonate small businesses and government entities but now uses the device code phishing technique almost exclusively, which appears to have replaced its business email compromise activities. It is a notable shift in tactics.
In a campaign observed in April 2026, TA4903 masqueraded as a human resources contact and sent "salary notification" emails containing a PDF attachment.
Figure: TA4903 lure.
The PDF included a QR code that, when scanned, redirected via a Cloudflare Workers URL to a custom filtering page. If the filtering check passed, the user was shown a landing page impersonating DocuSign and Microsoft, also hosted on Cloudflare Workers.
Figure: PDF attachment distributed by TA4903.
Figure: TA4903 landing page impersonating Microsoft and DocuSign, observed April 2026.
The landing page included a "signing code" and instructions to log in to the user's corporate email via the hyperlinked button and enter the device code in the authentication flow.
The actor uses a custom device code phishing kit that looks and operates in a very similar manner to EvilTokens. The device code generation service is hosted on actor-controlled infrastructure, while the rest of the attack chain was deployed to cloud services. Once the user entered the code at the authentic device authentication portal and completed sign-in, TA4903's backend, polling Microsoft's token endpoint, received valid tokens for the targeted Microsoft 365 account.
Interestingly, in some device code campaigns, Proofpoint observed actors sending emails with blank bodies. For example, in an April 2026 campaign, TA4903 distributed payment confirmation emails with a blank body and an attached PDF containing a QR code. In another, unattributed campaign from late March 2026, the actor pretended to be the federal court system of the United States to deliver PDF attachments leading to device code phishing, but the email body was completely blank.
Figure: TA4903 email with a blank lure.
Figure: Email impersonating the U.S. court system, with a blank lure.
These campaigns suggest that portions of the campaign may be automated, and that the actor either does not know how (or cannot be bothered) to write believable social engineering to accompany the PDF attachments and colorful device code phishing landing pages, or simply made a mistake and forgot that important component of the email. Either way, a blank email is not a very convincing lure.
Device code phishing is not limited to English-speakers. Proofpoint has observed the technique in multiple languages targeting organizations globally.
Figure: Device code phishing landing pages in Spanish (left) and German (right).
Many device code phishing campaigns use layouts like those documented above: a handful of the same colors, a box around the generated device code, and details on how to copy it and log in to the target account. Others get more creative, like the following campaign observed in March 2026. In this campaign impersonating Microsoft, the threat actor pretended to send security or product notifications. The URL in the email led to a landing page impersonating Microsoft with the generated device code on the left side of the page.
Figure: Microsoft impersonation landing page containing actor-generated device code.
Proofpoint has also observed campaigns that direct to a landing page where the user must first enter their email address before being redirected to the device code phishing landing page to retrieve the code. This example is from the ARTokens kit.
Figure: ARTokens landing page.
Despite the extensive use of AI by many of the threat actors creating and/or distributing device code phishing, the observed campaigns are not typically sophisticated. In many cases, actors expose their infrastructure, usernames, email addresses, stolen information, or other sensitive details to the public by not properly securing AI-generated panels, HTML code, or infrastructure. These OpSec failures have helped identify or otherwise classify the wave of new implementations. (We are not publicly sharing the details of these operational security failures, as we do not want to help criminals get better.)
Pivot to Device Code
Evidence suggests that threat actors who distributed AiTM phishing are now pivoting to device code phishing. In fact, following the disruption of a significant portion of Tycoon 2FA's infrastructure in February 2026, the Tycoon 2FA operator began selling device code PhaaS as part of its offerings.
While Tycoon 2FA activity has significantly decreased post-disruption, Proofpoint still observes some campaigns using the service, including device code campaigns. Interestingly, the Tycoon 2FA device code landing page looks very similar to EvilTokens.
Figure: Tycoon 2FA device code landing page.
Proofpoint researchers also recently identified the ODx PhaaS providing device code capabilities in addition to their AiTM offerings. ODx is one of the most popular AiTM kits currently. It’s also tracked as Storm-1167 and FlowerStorm.
In the observed campaign, the actor used compromised senders to deliver URLs leading to the ODx device code phishing landing page. The landing pages included multiple themes, impersonating SharePoint, Adobe, and DocuSign.
Figure: ODx device code landing page.
ODx’s device code capabilities are using Kali365, a device code PhaaS. Kali365 is just one of many such kits available for purchase. It’s unclear whether ODx stole or purchased Kali365, or partnered with them to integrate directly into their service.
Figure: Kali365 portal.
Researchers have also observed campaigns distributing device code phishing that include artifacts of previous AiTM phishing attempts. In one campaign observed in April 2026, the threat actor distributed PDFs masquerading as SharePoint documents with URLs leading to device code landing pages.
Figure: SharePoint PDF lure (left) and device code landing page (right).
But interestingly, the PDF's metadata contained an unintentional URL artifact. Though currently inactive, this URL was associated with Tycoon in April 2025. The threat actor was likely reusing PDF lures without fully removing old content. This indicates that threat actors who previously used the Tycoon PhaaS may be moving to device code phishing instead. This campaign was not attributed to either EvilTokens or Tycoon; it used one of the many other variants instead.
Technique Proliferation
Similarities can be drawn between the popularity and recent explosion of device code phishing and another favored technique that also recently took over the threat landscape: ClickFix. ClickFix emerged as a unique social engineering technique in 2024, used by a small number of cybercriminals. With it, threat actors trick people into copying, pasting, and running scripts on their host. The copy/paste social engineering technique is also used in device code phishing.
In less than a year, ClickFix took off across the landscape – both with cybercrime and espionage threat actors – before becoming a staple of modern threat campaigns used by many different adversaries.
Both ClickFix and device code phishing rely on social engineering. An actor must convince a user to take a risky action: copying information the actor provides and pasting it somewhere they shouldn't (a terminal window, or the Microsoft 365 authentication flow). Both techniques also started out relatively small, with threat actors appearing to experiment, before growing into prominent threats that are now available for purchase as services on crime forums.
New, effective techniques follow similar patterns: a small number of criminals innovate and once they find success, everyone else follows.
The rapid uptake and sustained use of device code phishing suggest threat actors find it very effective. This could be because the attack chain may still be unfamiliar to users who think they are just following the proper authentication prompts, and LLM-generated landing pages make them look somewhat believable.
Device code phishing represents the latest evolution in credential theft, exploiting legitimate authentication flows to bypass modern security controls. As security gets better, and users get more knowledgeable, hackers need to try new tricks. Although AI has lowered barriers to entry and accelerated development, it has simultaneously introduced exploitable weaknesses through OpSec failures and poor implementation, showing that just because someone has more tools to do crime, doesn’t mean they’re always good at it.
Recommendations
The good news is that defense against device code phishing remains the same regardless of the kit used or the delivery method.
Block device code flow where possible
The strongest mitigation is to create a Conditional Access policy using the Authentication Flows condition to block device code flow for all users. Conditional Access policies can first be deployed in report-only mode, or their "Policy impact" viewed over historical sign-in log records, to determine the effect on an environment before enforcement. As with any tenant-wide policy, exclude the emergency-access (break-glass) accounts so that a misconfiguration cannot lock administrators out.
If blocking device code flow completely is not feasible, Conditional Access can be used to create an allow-list approach based on accepted use cases, for example only permitting device code authentication for approved users, operating systems, or IP ranges defined as "Named locations". Device code flow exists for input-constrained and headless clients (command-line tools on servers, shared devices), so the legitimate allow list is usually short.
Require compliant or joined devices
If organizations use device registration or Intune, Conditional Access policies requiring that sign-ins originate from a compliant or joined device will also protect users from device code phishing, because the actor's polling host is neither. This should be deployed as a defense-in-depth measure rather than a replacement, since such a requirement will likely carry more exclusions than a dedicated device code flow policy.
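The two policies above, expressed as Microsoft Graph conditionalAccessPolicy request bodies so they can be reviewed and version-controlled before anyone clicks through the portal. This is an added example, not Microsoft's or Proofpoint's code. The field names follow the Graph conditionalAccessPolicy schema (conditions.authenticationFlows.transferMethods is the "Authentication flows" condition); the group and named-location IDs are placeholders for your tenant's object IDs, creating a policy needs the Policy.ReadWrite.ConditionalAccess permission, and the v1.0 endpoint is assumed (switch to beta if your tenant only exposes the condition there). The lint function encodes the checks a reviewer would make before submitting.

```python
"""Request bodies for a 'block device code flow' policy and a 'require managed
device' policy in the Microsoft Graph conditionalAccessPolicy schema.
Added example; IDs in angle brackets are placeholders."""
import json
import urllib.request

GRAPH_CA_POLICIES = "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies"
REPORT_ONLY = "enabledForReportingButNotEnforced"


def block_device_code_flow(break_glass_group, allowed_groups=(), allowed_locations=(),
                           report_only=True):
    """Policy 1: block the device code flow for all users except documented exceptions.
    Emergency-access accounts are excluded from every tenant-wide policy so that a
    mistake cannot lock administrators out."""
    policy = {
        "displayName": "CA - Block device code flow",
        "state": REPORT_ONLY if report_only else "enabled",
        "conditions": {
            "users": {"includeUsers": ["All"],
                      "excludeGroups": [break_glass_group, *allowed_groups]},
            "applications": {"includeApplications": ["All"]},
            "clientAppTypes": ["all"],
            "authenticationFlows": {"transferMethods": "deviceCodeFlow"},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }
    if allowed_locations:   # allow-list variant: exempt approved named locations
        policy["conditions"]["locations"] = {"includeLocations": ["All"],
                                             "excludeLocations": list(allowed_locations)}
    return policy


def require_managed_device(break_glass_group, report_only=True):
    """Policy 2 (defense in depth): tokens are only issued to compliant or
    Entra-joined devices, which the actor's polling host is not."""
    return {
        "displayName": "CA - Require compliant or joined device",
        "state": REPORT_ONLY if report_only else "enabled",
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeGroups": [break_glass_group]},
            "applications": {"includeApplications": ["All"]},
            "clientAppTypes": ["all"],
        },
        "grantControls": {"operator": "OR",
                          "builtInControls": ["compliantDevice", "domainJoinedDevice"]},
    }


def lint(policy):
    """Pre-deployment checks: returns a list of problems, empty when safe to submit."""
    problems = []
    conditions = policy["conditions"]
    controls = policy["grantControls"]["builtInControls"]
    if conditions["users"].get("includeUsers") == ["All"] and not conditions["users"].get("excludeGroups"):
        problems.append("includes all users with no excluded group: emergency-access accounts would be hit")
    if policy["state"] == "enabled":
        problems.append("state is enabled: deploy report-only first and review the sign-in impact")
    if controls == ["block"] and "authenticationFlows" not in conditions:
        problems.append("block with no authentication flow condition would block every sign-in")
    return problems


def graph_request(policy, access_token):
    """Build, but do not send, the POST that creates the policy."""
    return urllib.request.Request(
        GRAPH_CA_POLICIES, method="POST", data=json.dumps(policy).encode(),
        headers={"Authorization": f"Bearer {access_token}",
                 "Content-Type": "application/json"})


if __name__ == "__main__":
    p = block_device_code_flow("<break-glass-group-id>", allowed_groups=["<devops-group-id>"],
                               allowed_locations=["<build-server-named-location-id>"])
    print(json.dumps(p, indent=2))
    print("lint:", lint(p) or "ok")
```

Submit the body returned by graph_request with urllib.request.urlopen once lint returns an empty list, leave the policy in report-only mode while the sign-in logs accumulate impact data, then flip report_only to False. The allow-list variant keeps the block in place for everyone and carves out only the named locations or groups you pass in, which is the shape the recommendation above describes.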
Enhance user awareness regarding device code phishing attacks
Traditional phishing awareness often emphasizes checking URLs for legitimacy. This approach does not effectively address device code phishing, where users are prompted to enter a device code on the trusted Microsoft portal https[:]//microsoft[.]com/devicelogin. User training should include guidance on never entering a device code that arrived in an email, document, or QR code: a legitimate device code prompt results from an action the user started on a device they control.
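Before enforcing the policies above, and while hunting for successful attacks, the sign-in logs are the place to look: the device authorization grant is recorded with its own protocol value. The following added example (not from the page or from Proofpoint) triages records shaped like the Microsoft Graph signIn resource, where authenticationProtocol == "deviceCode" marks that grant (the same column is AuthenticationProtocol in the Log Analytics SigninLogs table). It sizes the policy impact, the users and applications a block would affect, and flags sign-ins that deserve a closer look. The sample rows are constructed here; every user, application name, IP address and country is invented.

```python
"""Triage of Entra sign-in log records for device code activity. Added example;
the records follow the Graph signIn schema and the sample rows are constructed."""
from collections import defaultdict

SAMPLE_SIGNINS = [  # constructed sample, not real telemetry
    {"userPrincipalName": "alice@example.com", "appDisplayName": "Microsoft Azure CLI",
     "ipAddress": "203.0.113.10", "authenticationProtocol": "deviceCode",
     "status": {"errorCode": 0}, "location": {"countryOrRegion": "US"}},
    {"userPrincipalName": "alice@example.com", "appDisplayName": "Microsoft Teams",
     "ipAddress": "203.0.113.10", "authenticationProtocol": "oAuth2",
     "status": {"errorCode": 0}, "location": {"countryOrRegion": "US"}},
    {"userPrincipalName": "bob@example.com", "appDisplayName": "Microsoft Office",
     "ipAddress": "198.51.100.77", "authenticationProtocol": "deviceCode",
     "status": {"errorCode": 0}, "location": {"countryOrRegion": "BR"}},
    {"userPrincipalName": "bob@example.com", "appDisplayName": "Outlook Web App",
     "ipAddress": "192.0.2.33", "authenticationProtocol": "oAuth2",
     "status": {"errorCode": 0}, "location": {"countryOrRegion": "DE"}},
    {"userPrincipalName": "carol@example.com", "appDisplayName": "Microsoft Office",
     "ipAddress": "198.51.100.77", "authenticationProtocol": "deviceCode",
     "status": {"errorCode": 50126}, "location": {"countryOrRegion": "BR"}},
]


def device_code_signins(records, successful_only=True):
    """Records produced by the device authorization grant."""
    return [r for r in records
            if r.get("authenticationProtocol") == "deviceCode"
            and (not successful_only or r["status"]["errorCode"] == 0)]


def policy_impact(records):
    """Who and what a 'block device code flow' policy would hit; use it to size
    the allow list before switching the policy from report-only to enabled."""
    users, apps = defaultdict(set), defaultdict(set)
    for r in device_code_signins(records):
        users[r["userPrincipalName"]].add(r["appDisplayName"])
        apps[r["appDisplayName"]].add(r["userPrincipalName"])
    return {"users": {u: sorted(a) for u, a in users.items()},
            "apps": {a: sorted(u) for a, u in apps.items()}}


def suspicious_device_code_signins(records):
    """Flag successful device code sign-ins whose country never appears in the
    user's other sign-ins (the token is typically issued to the host that polled,
    which in an attack is the actor's, not the victim's), and any source IP that
    polled on behalf of more than one user (one kit backend serving several victims)."""
    baseline = defaultdict(set)
    for r in records:
        if r.get("authenticationProtocol") != "deviceCode":
            baseline[r["userPrincipalName"]].add(r["location"]["countryOrRegion"])
    users_per_ip = defaultdict(set)
    for r in device_code_signins(records, successful_only=False):
        users_per_ip[r["ipAddress"]].add(r["userPrincipalName"])
    flagged = []
    for r in device_code_signins(records):
        reasons = []
        if r["location"]["countryOrRegion"] not in baseline[r["userPrincipalName"]]:
            reasons.append("country not seen in the user's other sign-ins")
        if len(users_per_ip[r["ipAddress"]]) > 1:
            reasons.append(f"IP polled for {len(users_per_ip[r['ipAddress']])} users")
        if reasons:
            flagged.append((r["userPrincipalName"], r["ipAddress"],
                            r["appDisplayName"], reasons))
    return flagged


if __name__ == "__main__":
    print("policy impact:", policy_impact(SAMPLE_SIGNINS))
    for hit in suspicious_device_code_signins(SAMPLE_SIGNINS):
        print("suspicious:", hit)
```

On the sample, alice's device code sign-in comes from her usual country and a command-line tool, which is the kind of entry that belongs on an allow list; bob's comes from a country he never signs in from, via an IP that also polled for a second user, which is the shape of a kit backend harvesting tokens. Export the same fields from the Graph auditLogs/signIns endpoint or from SigninLogs over the window you plan to enforce on, and feed them in place of the sample.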
Example Emerging Threats Rules
2069030 DeviceCode Phishing Landing Page Observed
2867149 DeviceCode Phishing Landing Page Observed
2867150 DeviceCode Phishing Landing Page Observed
2867151 DeviceCode Phishing Landing Page Observed
2867154 Observed DNS Query to device code Phishing Domain
2867158 Observed device code Phishing Domain in TLS SNI
2867169 DeviceCode Phishing API Activity (GET)
2867170 DeviceCode Phishing API Response
2068813 Wahala Microsoft OAuth device code Landing Page 2026-04-16
2068814 Successful Wahala Microsoft OAuth device code Attack, Polling for User Validated Tokens
2068628 Generic device code Landing Page 2026-04-07
2068629 EvilTokens Fetch Valid user_code from Microsoft API
2068630 EvilTokens Poll for user_code Authentication Status
Example Indicators of Compromise
Indicator | Description | First Seen
onedrive-7tu[.]techroboticslabmade-techie-com-s-account[.]workers[.]dev | EvilTokens Device Code Phishing Landing | 26 March 2026
voicemail-59f[.]admin-treyripple-com-s-account[.]workers[.]dev | EvilTokens Device Code Phishing Landing | 24 March 2026
voicemail-wx7[.]mark-squires-expressrancnes-com-s-account[.]workers[.]dev | EvilTokens Device Code Phishing Landing | 24 March 2026
voicemail-lyr[.]nbuckley-cambek-com-s-account[.]workers[.]dev | EvilTokens Device Code Phishing Domain | 24 March 2026
f8uh-dwam-j4l5[.]pvasquez-princetonpartners-com-s-account[.]workers[.]dev | EvilTokens Device Code Phishing Landing | 1 May 2026
ytgw-9n30-xlwd[.]pvasquez-princetonpartners-com-s-account[.]workers[.]dev | EvilTokens Device Code Phishing Landing | 1 May 2026
z6e43e5886fe-endpoint[.]com | Device Code Phishing Domain | 5 May 2026
019d442e-endpoint[.]com | Device Code Phishing Domain | 5 May 2026
jo2c9ada427c6-endpoint[.]com | Device Code Phishing Domain | 5 May 2026
7806d4cf9366-endpoint[.]com | Device Code Phishing Domain | 5 May 2026
ee10bbf6c689-endpoint[.]com | Device Code Phishing Domain | 5 May 2026
yaga9b286ae2c101-endpoint[.]com | Device Code Phishing Domain | 5 May 2026
f36c2774f013-endpoint[.]com | Device Code Phishing Domain | 5 May 2026
2dc62559e005-endpoint[.]com | Device Code Phishing Domain | 5 May 2026
4daa2aea93db-endpoint[.]com | Device Code Phishing Domain | 5 May 2026
ed5ce47d835f-endpoint[.]com | Device Code Phishing Domain | 5 May 2026
6dd5fd945b34-endpoint[.]com | Device Code Phishing Domain | 5 May 2026
0fdba029e6a5-endpoint[.]com | Device Code Phishing Domain | 5 May 2026
019d442a-endpoint[.]com | Device Code Phishing Domain | 5 May 2026
019d6860-endpoint[.]com | Device Code Phishing Domain | 5 May 2026
stablewebsystems[.]de | ODx Device Code Phishing Domain | 30 April 2026
marktkarree-langenfeld[.]de | ODx Device Code Phishing Domain | 30 April 2026
crediblebizextension[.]de | ODx Device Code Phishing Domain | 30 April 2026
servicewithoutinterruption[.]de | ODx Device Code Phishing Domain | 30 April 2026
marketcredibilitysignals[.]de | ODx Device Code Phishing Domain | 30 April 2026
kohlhoff-edelstahlverarbeitung[.]de | ODx Device Code Phishing Domain | 30 April 2026
reliablesupport[.]de | ODx Device Code Phishing Domain | 30 April 2026
europetrustwave[.]de | ODx Device Code Phishing Domain | 30 April 2026
trustedengagement[.]de | ODx Device Code Phishing Domain | 30 April 2026
methodicalness[.]de | ODx Device Code Phishing Domain | 30 April 2026
extendyourcredibility[.]de | ODx Device Code Phishing Domain | 30 April 2026
europesignaltrust[.]de | ODx Device Code Phishing Domain | 30 April 2026
consistentdigital[.]de | ODx Device Code Phishing Domain | 30 April 2026
uninterruptedperformance[.]de | ODx Device Code Phishing Domain | 30 April 2026
digitalcontinuity[.]de | ODx Device Code Phishing Domain | 30 April 2026
digitalreliability[.]de | ODx Device Code Phishing Domain | 30 April 2026
heilbronner-fruehlingssymposium[.]de | ODx Device Code Phishing Domain | 30 April 2026
reliableinteractions[.]de | ODx Device Code Phishing Domain | 30 April 2026
euromarketsignal[.]de | ODx Device Code Phishing Domain | 30 April 2026
audit-report-9767d3[.]fullerjp09[.]workers[.]dev | TA4903 Device Code Phishing Landing | 15 April 2026
hti-245401512[.]hs-sites-na2[.]com | TA4903 Device Code Phishing Landing | 5 April 2026
7740f766-8d1d-46ad-a6bc-onedrive[.]p-9jluifuu[.]workers[.]dev | ARToken Device Code Landing | 2 May 2026
panel[.]hewktree[.]net | ARToken Device Code Panel | 2 May 2026