Rapid Increase in Device Code Phishing Attacks: A 37x Surge as Kits Spread Online
Researchers Warn of Surge in Device Code Phishing Attacks
Recent reports highlight a worrying trend: a 37-fold increase in device code phishing, in which attackers abuse the OAuth 2.0 Device Authorization Grant (RFC 8628) to take over user accounts.
In a device code phishing attack the threat actor, not the victim, starts the flow. The attacker requests a device code from the identity provider, receives a short user code in return, and delivers that user code to the victim in a lure that tells them to enter it on the provider's genuine device-login page. The victim signs in on the legitimate site, including any MFA prompt, and approves the code. The attacker's client, which has been polling the token endpoint with the matching device code, then receives valid access and refresh tokens for the victim's account. No password passes through attacker infrastructure and the login page the victim sees is real, which is what makes the lure convincing and lets the attack bypass MFA.
The grant itself is legitimate: it was designed to let input-constrained devices such as IoT devices, printers, streaming devices and smart TVs sign in by having the user complete the login on a second device that has a keyboard.
Source: Push Security
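To make the mechanics above concrete, here is an added example (not code from the article, Push Security, or any of the kits it names): an in-memory simulation of the RFC 8628 device authorization grant with a toy authorization server and an attacker who only ever sees the user code and their own device code. The class and function names, the client id, the scopes and the verification URL are this example's own assumptions; there is no network and no real identity provider involved.

```python
"""Added example, not code from the article or any named kit: an in-memory
simulation of the OAuth 2.0 Device Authorization Grant (RFC 8628) showing why
relaying a user code to a victim is enough to obtain that victim's tokens.
AuthorizationServer, run_phish, the client id, scopes and URL are assumptions."""
import secrets
import string
import time


class AuthorizationServer:
    """Toy authorization server exposing the three RFC 8628 interactions."""

    def __init__(self, lifetime=900, interval=5):
        self.lifetime = lifetime      # seconds a device code stays valid
        self.interval = interval      # minimum polling interval for clients
        self.pending = {}             # device_code -> request record
        self.by_user_code = {}        # user_code -> device_code

    def device_authorization(self, client_id, scope):
        """Step 1: the client (here, the attacker) asks for a code pair."""
        device_code = secrets.token_urlsafe(32)       # long secret the client keeps
        alphabet = string.ascii_uppercase + string.digits
        user_code = "-".join(                          # short code a human can type
            "".join(secrets.choice(alphabet) for _ in range(4)) for _ in range(2)
        )
        self.pending[device_code] = {
            "client_id": client_id,
            "scope": scope,
            "user_code": user_code,
            "approved_by": None,
            "expires_at": time.time() + self.lifetime,
            "consumed": False,
        }
        self.by_user_code[user_code] = device_code
        return {
            "device_code": device_code,
            "user_code": user_code,
            "verification_uri": "https://idp.example/device",   # assumed URL
            "expires_in": self.lifetime,
            "interval": self.interval,
        }

    def verification_page(self, user_code, authenticated_user):
        """Step 2: on the real IdP page the victim, who has just signed in with
        password and MFA, types the user code. The IdP binds that session to the
        pending request; it cannot tell who originally requested the code."""
        device_code = self.by_user_code.get(user_code.strip().upper())
        if device_code is None:
            return {"error": "invalid_user_code"}
        record = self.pending[device_code]
        if time.time() > record["expires_at"]:
            return {"error": "expired_token"}
        record["approved_by"] = authenticated_user
        return {"status": "approved", "client_id": record["client_id"],
                "scope": record["scope"]}

    def token(self, device_code):
        """Step 3: the client polls with its device_code. Whoever calls this
        endpoint, not the person who typed the code, receives the tokens."""
        record = self.pending.get(device_code)
        if record is None or record["consumed"]:
            return {"error": "invalid_grant"}
        if time.time() > record["expires_at"]:
            return {"error": "expired_token"}
        if record["approved_by"] is None:
            return {"error": "authorization_pending"}
        record["consumed"] = True                      # device codes are single use
        return {
            "token_type": "Bearer",
            "access_token": secrets.token_urlsafe(24),
            "refresh_token": secrets.token_urlsafe(24),
            "subject": record["approved_by"],
            "scope": record["scope"],
        }


def run_phish(idp, victim="alice@example.com"):
    """Replay the attack end to end against the toy server and return the two
    token responses: before and after the victim enters the code."""
    # Attacker starts the flow, posing as an ordinary public client.
    start = idp.device_authorization(
        client_id="assumed-public-client-id", scope="openid offline_access Mail.Read"
    )
    before = idp.token(start["device_code"])       # still authorization_pending
    # The lure carries start["user_code"] and points the victim at the genuine
    # verification_uri; the victim authenticates there and approves the code.
    idp.verification_page(start["user_code"], victim)
    after = idp.token(start["device_code"])        # attacker now holds the tokens
    return before, after


if __name__ == "__main__":
    before, after = run_phish(AuthorizationServer())
    print(before)
    print({k: after[k] for k in ("subject", "scope", "token_type")})
```

The victim's password and MFA are presented only to the genuine provider; all the attacker needed was to get the user code in front of the victim and keep polling with the device code. The `offline_access` scope in the request is what turns a one-off approval into a refresh token, and the single-use handling in `token()` is why kits poll continuously rather than fetching once.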
Although the technique was first documented in 2020, it was only in later years that it was abused at scale, attracting both state-sponsored and financially motivated threat actors.
Researchers at Push Security have observed a significant uptick in the prevalence of these attacks, cautioning that cybercriminals have widely embraced this nefarious method.
“At the start of March (2026), we’d observed a 15x increase in device code phishing pages detected by our research team this year, with multiple kits and campaigns being tracked — with the kit now identified as EvilTokens the most prominent. That figure has now risen to 37.5x.” – Push Security
Recently, Sekoia, a threat detection and response company, published research shedding light on the EvilTokens phishing-as-a-service (PhaaS) operation. This operation is a notable example of a phishing kit that simplifies device code phishing, making it accessible even to less skilled cybercriminals.
While EvilTokens has played a pivotal role in popularizing this attack method, Push Security notes that several competing platforms exist and could gain prominence if law enforcement disrupts EvilTokens:
- VENOM – A closed-source PhaaS kit offering device code phishing and AiTM capabilities, with its device code component resembling EvilTokens.
- SHAREFILE – A kit themed around Citrix ShareFile document transfers, utilizing node-based backend endpoints to simulate file sharing and trigger device code flows.
- CLURE – A kit employing rotating API endpoints and an anti-bot gate, featuring SharePoint-themed lures and backend infrastructure on DigitalOcean.
- LINKID – A kit leveraging Cloudflare challenge pages and self-hosted APIs, using Microsoft Teams and Adobe-themed lures.
- AUTHOV – A workers.dev-hosted kit employing popup-based device code entry and Adobe document-sharing lures.
- DOCUPOLL – A kit hosted on GitHub Pages and workers.dev mimicking DocuSign workflows, including replicas of authentic pages.
- FLOW_TOKEN – A workers.dev-hosted kit utilizing Tencent Cloud backend infrastructure, with HR and DocuSign-themed lures and popup-based flows.
- PAPRIKA – An AWS S3–hosted kit featuring Microsoft login clone pages with Office 365 branding and a counterfeit Okta footer.
- DCSTATUS – A minimal kit with generic Microsoft 365 “Secure Access” lures and limited visible infrastructure markers.
- DOLCE – A Microsoft PowerApps-hosted kit with Dolce & Gabbana–themed lures, possibly a one-off or red-team-style implementation rather than widely used.
Push Security has also released a video demonstrating the functionality of the DOCUPOLL kit, where threat actors exploit DocuSign branding to lure victims into signing into the Microsoft Office application.
In total, there are at least 11 phishing kits offering cybercriminals the means to execute this type of attack, incorporating realistic SaaS-themed lures, anti-bot protections, and leveraging cloud platforms for hosting.
To counter device code phishing, Push Security recommends blocking the flow wherever it is not needed, for example with a Conditional Access policy (Microsoft Entra ID's Conditional Access includes an authentication flows condition that can target the device code flow specifically), and monitoring sign-in logs for device code authentication events, particularly those from IP addresses or locations the user has not used before, along with the sessions that follow them.
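The monitoring recommendation above, as an added example that is not Push Security's code or tooling: a small detector that reads sign-in records, flags every device code authentication, and escalates those coming from an IP address or country the user has never used in ordinary sign-ins. The records are constructed for this example and only approximate the Microsoft Graph `signIn` schema (`userPrincipalName`, `authenticationProtocol`, `ipAddress`, `appDisplayName`, `location.countryOrRegion`); treat those field names as assumptions when adapting it to a real export.

```python
"""Added example, not Push Security's code: flag device code sign-ins in
Entra-style sign-in records and escalate the ones that break the user's
baseline. SAMPLE_SIGNINS is constructed; the field names approximate the
Microsoft Graph signIn schema and are assumptions for real data."""
import json
from collections import defaultdict

# Constructed sample export: one JSON object per line, oldest first.
SAMPLE_SIGNINS = """
{"createdDateTime": "2026-03-02T08:01:00Z", "userPrincipalName": "alice@example.com", "authenticationProtocol": "oAuth2", "ipAddress": "203.0.113.10", "appDisplayName": "Microsoft Teams", "location": {"countryOrRegion": "US"}}
{"createdDateTime": "2026-03-02T09:12:00Z", "userPrincipalName": "alice@example.com", "authenticationProtocol": "oAuth2", "ipAddress": "203.0.113.10", "appDisplayName": "Outlook", "location": {"countryOrRegion": "US"}}
{"createdDateTime": "2026-03-02T09:40:00Z", "userPrincipalName": "bob@example.com", "authenticationProtocol": "oAuth2", "ipAddress": "192.0.2.44", "appDisplayName": "Microsoft Teams", "location": {"countryOrRegion": "US"}}
{"createdDateTime": "2026-03-02T10:05:00Z", "userPrincipalName": "alice@example.com", "authenticationProtocol": "deviceCode", "ipAddress": "198.51.100.7", "appDisplayName": "Microsoft Office", "location": {"countryOrRegion": "DE"}}
{"createdDateTime": "2026-03-02T10:30:00Z", "userPrincipalName": "bob@example.com", "authenticationProtocol": "deviceCode", "ipAddress": "192.0.2.44", "appDisplayName": "Meeting room display", "location": {"countryOrRegion": "US"}}
{"createdDateTime": "2026-03-02T11:00:00Z", "userPrincipalName": "carol@example.com", "authenticationProtocol": "deviceCode", "ipAddress": "198.51.100.7", "appDisplayName": "Microsoft Office", "location": {"countryOrRegion": "DE"}}
"""


def load_signins(text):
    """Parse a JSON-lines export into a list of dicts."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def build_baseline(records):
    """Per user: the IPs and countries seen in non-device-code sign-ins."""
    ips, countries = defaultdict(set), defaultdict(set)
    for r in records:
        if r.get("authenticationProtocol") == "deviceCode":
            continue
        user = r["userPrincipalName"]
        ips[user].add(r.get("ipAddress"))
        countries[user].add(r.get("location", {}).get("countryOrRegion"))
    return ips, countries


def find_device_code_signins(records):
    """Return one finding per device code sign-in, with reasons and a severity."""
    ips, countries = build_baseline(records)
    findings = []
    for r in records:
        if r.get("authenticationProtocol") != "deviceCode":
            continue
        user = r["userPrincipalName"]
        ip = r.get("ipAddress")
        country = r.get("location", {}).get("countryOrRegion")
        reasons = ["device_code_flow"]
        if user not in ips:
            reasons.append("no_baseline")          # never seen outside device code
        else:
            if ip not in ips[user]:
                reasons.append("new_ip")
            if country not in countries[user]:
                reasons.append("new_country")
        if "new_ip" in reasons or "new_country" in reasons:
            severity = "high"
        elif "no_baseline" in reasons:
            severity = "medium"
        else:
            severity = "low"                        # e.g. a known conference-room device
        findings.append({
            "time": r.get("createdDateTime"),
            "user": user,
            "ip": ip,
            "country": country,
            "app": r.get("appDisplayName"),
            "reasons": reasons,
            "severity": severity,
        })
    return findings


def shared_device_code_ips(findings):
    """One address tied to device code sign-ins for several users points at a
    single campaign; returns {ip: [users]} for addresses seen with >1 user."""
    by_ip = defaultdict(set)
    for f in findings:
        by_ip[f["ip"]].add(f["user"])
    return {ip: sorted(users) for ip, users in by_ip.items() if len(users) > 1}


if __name__ == "__main__":
    found = find_device_code_signins(load_signins(SAMPLE_SIGNINS))
    for f in found:
        print(f["severity"].upper(), f["user"], f["ip"], f["app"], f["reasons"])
    print("shared IPs:", shared_device_code_ips(found))
```

The baseline is deliberately built only from non-device-code sign-ins so that a first malicious event cannot whitelist its own address. The severity split matters in practice: a legitimate meeting-room display signing in from the office range should stay at "low", while a user approving a code that is redeemed from a country they have never signed in from is the pattern the article describes.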