Device Code Phishing Is Moving Into Criminal Toolkits

Marcus Chen · 8 min read

Industry News: Device Codes Are Becoming a Phishing Shortcut

SecurityBrief reported on May 15, 2026 that device code phishing is surging across criminal toolkits, based on new Proofpoint research. The finding matters because this technique does not rely on a fake Microsoft login page. Instead, attackers abuse a legitimate device authorization flow and persuade users to enter a code on a real Microsoft page.

Proofpoint's own May 13, 2026 analysis describes the shift as an evolution in identity takeover. Device code phishing has existed for years, but it is now spreading through public tools, custom kits, and phishing-as-a-service offerings. That commercialization lowers the skill required to run campaigns and gives more criminal actors access to a technique that can bypass the habits employees were taught for older credential phishing.

The user experience is what makes the attack deceptive. A victim may receive a link, PDF, button, or QR code that leads to an attacker-controlled landing page. That page displays a code and sends the user to Microsoft's legitimate device login portal. If the user enters the code and completes authentication, the actor-controlled session that presented that code is validated, and the attacker gains access to the account.

How the Attack Differs from Classic Credential Phishing

Classic credential phishing asks users to type a password into a fake page. Adversary-in-the-middle phishing proxies a real login flow to steal session tokens. Device code phishing takes a different route: it uses the legitimate OAuth device authorization process, which was designed for devices that cannot easily support normal browser sign-in.

That difference creates a training challenge. Employees may look at the browser address bar and see a real Microsoft domain. They may not be asked to type their password into an obviously fake page. The suspicious part is not the final Microsoft page itself. The suspicious part is that an untrusted message or document told them to enter a device code they did not request.

Proofpoint highlights another important change: on-demand code generation. Older versions required attackers to create a code in advance, which often expired before the victim acted. Current kits can generate the code when the user clicks the phishing link. That removes much of the timing pressure for the attacker and makes campaigns easier to run at scale.

Successful attacks can lead to account takeover, theft of sensitive data, fraud, business email compromise, lateral movement, and ransomware exposure. This is why security teams should treat device code phishing as an identity threat, not just another email lure.

Toolkits Are Making the Technique Easier to Reuse

The SecurityBrief report points to device code functionality spreading through criminal services and bespoke kits. Proofpoint names EvilTokens as one of the most visible device code phishing services in circulation. The service has been advertised with landing pages themed around brands such as Microsoft, Adobe, and DocuSign, and it can help generate much of the attack chain.

Proofpoint also observed multiple variants that look similar to EvilTokens. In one 10-day period in April 2026, researchers saw around seven distinct variants with nearly identical visual flows. Some differences were visible in API endpoints and HTML headers, suggesting that criminals may be copying tools, buying access to the same service, or using AI-assisted code generation to create near-matching kits.

That matters for defenders because it means the visible page may not be unique to one actor. Blocking one domain or one exact template is useful, but the broader pattern is what needs to be recognized: an unexpected message sends the user to a page that produces a code, and the user is instructed to enter it into a legitimate authentication portal.

Campaign Examples Show the Human Pressure Point

Proofpoint describes a shift by TA4903, a financially motivated actor previously associated with business email compromise and impersonation of small businesses and government entities. In March 2026, the actor began using device code phishing heavily and now appears to rely on it for much of its activity.

One campaign impersonated a human resources contact and sent salary notification emails with PDF attachments. The PDF contained a QR code that redirected through Cloudflare Workers infrastructure to filtering and landing pages that borrowed DocuSign and Microsoft themes. The final step asked the user to enter a signing code into the legitimate Microsoft device authentication portal.

The attack is not dangerous because every email is polished. In fact, Proofpoint notes that some campaigns had blank email bodies and relied almost entirely on attached PDFs and QR codes. That weak tradecraft is still dangerous because the landing flow can look polished, the final Microsoft portal is real, and the user may be focused on the supposed document, salary notice, invoice, or court message rather than on the authentication implication.

The technique is also not limited to English-language campaigns. Proofpoint observed device code phishing in multiple languages and against organizations globally, which means multinational companies and MSPs should not treat this as a regional issue.

AiTM Actors Are Pivoting Toward Device Codes

Another important signal is the overlap with adversary-in-the-middle phishing. SecurityBrief noted that Tycoon 2FA began offering device code phishing after disruption to parts of its infrastructure, and ODx, also tracked as Storm-1167 and FlowerStorm, has been observed with device code functions. Proofpoint also found campaign artifacts suggesting that some actors are reusing older AiTM materials while moving into device code operations.

This follows a familiar pattern. Once defenders and users become better at one phishing style, criminal services add another option. The goal is not novelty for its own sake. The goal is to keep the victim moving through a believable flow until the attacker receives an identity token, mailbox access, or a foothold for fraud.

For security leaders, the lesson is to avoid training that only says, "check whether the login page is real." That advice is incomplete here. The login page can be real and the action can still authorize an attacker.

Where empowsec Fits in the Response

Device code phishing is a strong candidate for awareness training because the employee decision point is specific and teachable. The risky action is entering a code that came from an untrusted email, PDF, QR code, chat message, or web page. Employees need to understand that a code is not harmless just because the final page is Microsoft.

empowsec can help organizations rehearse that decision path with current phishing simulations and short lessons. A realistic scenario can show a shared document, salary notice, DocuSign-style prompt, or QR code that asks the user to copy a device code. The goal is to measure whether employees pause, question the source, and report the message instead of completing the flow.

Reporting is especially important. Device code campaigns can move quickly from one compromised mailbox to contacts, vendors, and internal teams. Early reports give defenders a chance to block infrastructure, revoke sessions, warn users, and check identity logs before the attack turns into business email compromise.

What Security Teams Should Do Now

  • Review conditional access. If device code flow is not needed, block it. If it is needed, limit it to approved users, devices, locations, or managed scenarios.
  • Update awareness guidance. Teach employees never to enter a device code from an unsolicited message, PDF, QR code, or support prompt.
  • Refresh phishing simulations. Add scenarios that involve QR codes, document-signing lures, salary notices, and Microsoft device code prompts.
  • Monitor identity signals. Look for unusual device code authentication events, unexpected OAuth grants, suspicious session behavior, and mailbox activity after authentication.
  • Revoke and investigate quickly. If a user entered a code, reset sessions, review OAuth app permissions, inspect mailbox rules, and look for outbound phishing or BEC activity.
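The monitoring and investigation steps above can be turned into a small triage routine. The following Python is an added example written for this article, not code from Proofpoint, empowsec, or Microsoft. It assumes sign-in records shaped like the Microsoft Graph signIn resource (with `authenticationProtocol` set to `deviceCode` for device code sign-ins) and Exchange Online unified audit records with `Operation`, `UserId`, and `CreationTime` fields; those field names are assumptions, and every sample record is constructed. The routine flags successful device code sign-ins outside an allowlist of (user, app) pairs that legitimately use the flow, escalates any that are followed by inbox rule creation within a window, and reports IP addresses shared by several device code sign-ins, which is the campaign pattern the article describes.

```python
"""Triage device code sign-ins and correlate them with follow-on mailbox changes.

Added example; record shapes (Graph signIn, Exchange unified audit log) are
assumed, and all sample records are constructed for this illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in records (assumed subset of Graph signIn fields).
SIGN_INS = [
    {"id": "s1", "userPrincipalName": "alice@example.com", "createdDateTime": "2026-05-14T09:02:11Z",
     "ipAddress": "203.0.113.10", "authenticationProtocol": "deviceCode",
     "appDisplayName": "Microsoft Office", "status": {"errorCode": 0}},
    {"id": "s2", "userPrincipalName": "bob@example.com", "createdDateTime": "2026-05-14T09:05:40Z",
     "ipAddress": "198.51.100.7", "authenticationProtocol": "oAuth2",
     "appDisplayName": "Microsoft Teams", "status": {"errorCode": 0}},
    {"id": "s3", "userPrincipalName": "svc-kiosk@example.com", "createdDateTime": "2026-05-14T09:10:00Z",
     "ipAddress": "192.0.2.5", "authenticationProtocol": "deviceCode",
     "appDisplayName": "Azure CLI", "status": {"errorCode": 0}},
    {"id": "s4", "userPrincipalName": "carol@example.com", "createdDateTime": "2026-05-14T09:12:30Z",
     "ipAddress": "203.0.113.10", "authenticationProtocol": "deviceCode",
     "appDisplayName": "Microsoft Office", "status": {"errorCode": 0}},
    {"id": "s5", "userPrincipalName": "dan@example.com", "createdDateTime": "2026-05-14T09:15:00Z",
     "ipAddress": "203.0.113.22", "authenticationProtocol": "deviceCode",
     "appDisplayName": "Microsoft Office", "status": {"errorCode": 50126}},  # failed sign-in
]

# Constructed Exchange Online audit records (assumed unified audit log shape).
AUDIT = [
    {"CreationTime": "2026-05-14T09:20:03Z", "Operation": "New-InboxRule",
     "UserId": "alice@example.com", "Parameters": [{"Name": "DeleteMessage", "Value": "True"}]},
    {"CreationTime": "2026-05-14T10:00:00Z", "Operation": "MailItemsAccessed",
     "UserId": "carol@example.com", "Parameters": []},
]

# (user, app) pairs that are expected to use the device code flow, e.g. a kiosk
# account driving Azure CLI. Constructed for the example.
ALLOWLIST = {("svc-kiosk@example.com", "Azure CLI")}


def _ts(value):
    """Parse the UTC timestamps used in both record types."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def device_code_sign_ins(sign_ins, allowlist=()):
    """Return successful device code sign-ins that are not on the allowlist."""
    flagged = []
    for s in sign_ins:
        if s.get("authenticationProtocol") != "deviceCode":
            continue
        if s.get("status", {}).get("errorCode", 0) != 0:
            continue  # failed attempts are noise for this check
        if (s["userPrincipalName"], s["appDisplayName"]) in allowlist:
            continue
        flagged.append(s)
    return flagged


def correlate_mailbox_rules(flagged, audit, window_hours=24):
    """Escalate flagged sign-ins followed by inbox rule creation by the same user."""
    findings = []
    for s in flagged:
        start = _ts(s["createdDateTime"])
        end = start + timedelta(hours=window_hours)
        rules = [a for a in audit
                 if a["Operation"] == "New-InboxRule"
                 and a["UserId"] == s["userPrincipalName"]
                 and start <= _ts(a["CreationTime"]) <= end]
        findings.append({
            "user": s["userPrincipalName"],
            "signInId": s["id"],
            "ip": s["ipAddress"],
            "inboxRules": len(rules),
            # A new inbox rule right after an unexpected device code sign-in is
            # the classic BEC follow-on; treat it as an incident, not a review.
            "severity": "investigate" if rules else "review",
        })
    return findings


def shared_ip_users(flagged):
    """Map each IP to the users who signed in with device code from it, if more than one."""
    by_ip = defaultdict(set)
    for s in flagged:
        by_ip[s["ipAddress"]].add(s["userPrincipalName"])
    return {ip: sorted(users) for ip, users in by_ip.items() if len(users) > 1}


def triage(sign_ins, audit, allowlist=()):
    flagged = device_code_sign_ins(sign_ins, allowlist)
    return {"findings": correlate_mailbox_rules(flagged, audit),
            "sharedIps": shared_ip_users(flagged)}


if __name__ == "__main__":
    for f in triage(SIGN_INS, AUDIT, ALLOWLIST)["findings"]:
        print(f["severity"].upper(), f["user"], f["ip"], "inbox rules:", f["inboxRules"])
    print("shared IPs:", triage(SIGN_INS, AUDIT, ALLOWLIST)["sharedIps"])
```

In production the two inputs would come from the Graph sign-in log export and the unified audit log search; the allowlist is the important tuning knob, because some service accounts and CLI tools legitimately use the device code flow and should not page the on-call analyst every time.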

Key Takeaways

Device code phishing is effective because it shifts trust from a fake page to a real authentication portal. The attack asks the user to complete a legitimate process for an illegitimate request.

  • The final Microsoft page can be real. The suspicious signal is the unsolicited instruction to enter a code.
  • On-demand code generation helps attackers scale. Victims no longer need to act inside a narrow pre-generated code window.
  • PhaaS offerings are spreading the method. EvilTokens, Tycoon 2FA, ODx, and similar kits show that device code phishing is becoming part of the criminal market.
  • Training needs to evolve. "Check the URL" is not enough when attackers are abusing real authentication workflows.
  • Controls and behavior work together. Conditional access can reduce exposure, while practiced reporting helps catch campaigns that still reach users.
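"Conditional access can reduce exposure" is only true if the policy that blocks the device code flow is enabled, applies to all users, and has no exclusions. The Python below is an added example, not code from the article or from Microsoft, that audits a set of Conditional Access policies for exactly that and builds a reference blocking policy to compare against. It assumes the Microsoft Graph `conditionalAccessPolicy` shape, where `conditions.authenticationFlows.transferMethods` is a comma-separated string that can contain `deviceCodeFlow`, `state` is `enabled`, `disabled` or `enabledForReportingButNotEnforced`, and `grantControls.builtInControls` lists `block`; those field names are assumptions, and the sample policies are constructed.

```python
"""Audit Conditional Access policies for a complete block of the device code flow.

Added example; the policy shape follows the Microsoft Graph
conditionalAccessPolicy resource as an assumption, and the sample policies
are constructed for this illustration.
"""

# Constructed sample policies as an administrator might export them.
POLICIES = [
    {"displayName": "Block device code flow",
     "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": ["breakglass-account-id"]},
                    "applications": {"includeApplications": ["All"]},
                    "authenticationFlows": {"transferMethods": "deviceCodeFlow,authenticationTransfer"}},
     "grantControls": {"operator": "OR", "builtInControls": ["block"]}},
    {"displayName": "Device code report-only",
     "state": "enabledForReportingButNotEnforced",
     "conditions": {"users": {"includeUsers": ["All"]},
                    "applications": {"includeApplications": ["All"]},
                    "authenticationFlows": {"transferMethods": "deviceCodeFlow"}},
     "grantControls": {"operator": "OR", "builtInControls": ["block"]}},
    {"displayName": "Require MFA for all users",
     "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"]},
                    "applications": {"includeApplications": ["All"]}},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
]


def targets_device_code(policy):
    """True if the policy's authentication-flow condition names the device code flow."""
    flows = (policy.get("conditions", {}).get("authenticationFlows") or {}).get("transferMethods", "")
    return "deviceCodeFlow" in [m.strip() for m in flows.split(",") if m.strip()]


def is_blocking(policy):
    controls = (policy.get("grantControls") or {}).get("builtInControls", [])
    return "block" in [c.lower() for c in controls]


def audit_device_code_block(policies):
    """Return which policies fully block device code flow and why the others fall short."""
    complete, gaps = [], []
    for p in policies:
        if not targets_device_code(p):
            continue
        name = p.get("displayName", "<unnamed>")
        users = p.get("conditions", {}).get("users", {})
        if p.get("state") != "enabled":
            gaps.append(f"{name}: state is {p.get('state')!r}; report-only or disabled does not enforce")
        elif not is_blocking(p):
            gaps.append(f"{name}: targets device code flow but does not block")
        elif "All" not in users.get("includeUsers", []):
            gaps.append(f"{name}: scoped to {users.get('includeUsers')} rather than All users")
        elif users.get("excludeUsers") or users.get("excludeGroups"):
            excluded = users.get("excludeUsers", []) + users.get("excludeGroups", [])
            gaps.append(f"{name}: exclusions still allow device code flow for {excluded}")
        else:
            complete.append(name)
    return {"blocked_for_all": bool(complete), "enforcing": complete, "gaps": gaps}


def build_block_policy(display_name="Block device code flow for all users"):
    """Reference policy body that blocks device code flow tenant-wide (assumed Graph shape)."""
    return {
        "displayName": display_name,
        "state": "enabled",
        "conditions": {
            "users": {"includeUsers": ["All"]},
            "applications": {"includeApplications": ["All"]},
            "authenticationFlows": {"transferMethods": "deviceCodeFlow"},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }


if __name__ == "__main__":
    report = audit_device_code_block(POLICIES)
    print("device code flow blocked for all users:", report["blocked_for_all"])
    for gap in report["gaps"]:
        print("gap:", gap)
```

Where the flow is genuinely needed, the article's advice is to scope it rather than leave it open: in this model that shows up as an exclusion, and the audit deliberately reports every exclusion so the team decides on each one consciously instead of discovering it in an incident.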

For defenders, this is the practical message: do not treat device codes as a technical edge case. Treat them as a new social-engineering script that employees need to recognize before they authorize access.
