The Rise of Device Code Phishing: How Adversaries are Weaponizing OAuth Workflows

The threat landscape is witnessing a sophisticated pivot as hackers rapidly weaponize a specialized Microsoft authentication feature to hijack enterprise accounts. This surge in device code phishing represents a significant shift in how modern adversaries bypass traditional security perimeters.This escalation isn’t accidental; it is fueled by the proliferation of highly specialized criminal toolkits and Phishing-as-a-Service (PhaaS) platforms.

These services have democratized high-level exploitation, moving the technique from the realm of obscure research to widespread, industrial-scale deployment.

We are seeing a weekly influx of new kits, many of which appear to be refined through “vibe coding”—a process where attackers leverage AI to replicate or slightly iterate upon existing attack chains, creating near-identical, high-velocity campaigns with minimal manual overhead.

As organizations harden their defenses against direct credential theft and standard Multi-Factor Authentication (MFA) bypasses, attackers are evolving. Instead of fighting the authentication gate, they are subverting the workflow itself. Rather than stealing a password, they trick users into authorizing a malicious application, effectively granting the attacker persistent, legitimate access to the environment.

Security researchers at Proofpoint have issued warnings regarding the abuse of the OAuth device authorization flow. By exploiting this specific mechanism, attackers can steal Microsoft 365 access tokens, enabling stealthy account takeovers that often bypass legacy detection logic.

In a standard deployment, a victim is targeted via phishing emails containing malicious links, attachments, or QR codes—often impersonating trusted entities such as Microsoft, DocuSign, or Adobe. Upon clicking the link, the victim is funneled into a legitimate Microsoft device login sequence. The user is prompted to enter a unique device code into an official Microsoft landing page.

EvilTokens landing page (Source : Proofpoint).
EvilTokens landing page (Source: Proofpoint).

This is the critical failure point. By inputting the code, the user unknowingly authorizes an application controlled by the adversary. Once the authorization is complete, Microsoft issues authentication tokens to the attacker’s application, providing a direct pipeline to the victim’s email, cloud storage, and interconnected enterprise services.

The Industrialization of OAuth Exploitation

A major technical driver behind this recent surge is the move toward on-demand device code generation. Historically, these attacks were hindered by the short lifespan of pre-generated codes (typically 15 minutes). Modern phishing kits have solved this by generating codes dynamically at the moment of the click, ensuring the attack window is always open and ready for exploitation.

Infrastructure such as EvilTokens, which emerged on Telegram in early 2026, has effectively industrialized this process. These platforms provide end-to-end automation, including ready-made templates and management dashboards, allowing affiliates to scale Business Email Compromise (BEC) campaigns with minimal technical expertise.

Multiple device code phishing landing pages (Source : Proofpoint).
Multiple device code phishing landing pages (Source: Proofpoint).

Furthermore, threat actors are utilizing “account takeover jumping.” By compromising a single legitimate account, they use it to distribute phishing lures to internal colleagues or trusted external contacts. This leverages the inherent trust of internal communications, drastically increasing the success rate of the campaign.

One prominent actor, tracked as TA4903, has pivoted almost exclusively to device code phishing in 2026. Their tactics involve impersonating HR or government agencies through PDF attachments containing QR codes. These codes redirect users through a complex chain of cloud-hosted infrastructure to convincing, albeit malicious, authorization pages.

TA4903 landing page impersonating Microsoft and DocuSign (Source : Proofpoint).
TA4903 landing page impersonating Microsoft and DocuSign (Source: Proofpoint).

Interestingly, the reliance on automated tools has led to lapses in Operational Security (OPSEC). Researchers have noted campaigns with blank email bodies and exposed infrastructure details, suggesting that while the toolkits are sophisticated, the operators themselves may be operating with a superficial understanding of the underlying mechanics.

This shift follows the disruption of previous Adversary-in-the-Middle (AiTM) services like Tycoon 2FA. As those services face pressure, new competitors like ODx and Kali365 are filling the void by integrating native device code capabilities.

Ultimately, the success of these attacks relies on high-level social engineering. Similar to the “ClickFix” trend, attackers rely on the user’s willingness to perform a seemingly “routine” administrative task. A recent campaign in April demonstrated this by masquerading SharePoint documents as PDFs to lure victims into the device code workflow.

SharePoint PDF lure (left) and device code landing page (right) (Source : Proofpoint).
SharePoint PDF lure (left) and device code landing page (right) (Source: Proofpoint).

The consequences of a successful breach are severe, ranging from data exfiltration and financial fraud to providing the initial foothold for ransomware deployment and long-term espionage. To defend against this, security teams should prioritize Conditional Access Policies to restrict or block device code authentication flows, ensuring they are only permitted for managed devices within trusted network segments.

Indicators of Compromise (IoCs)

Indicator Description First Seen
onedrive-7tu[.]techroboticslabmade-techie-com-s-account[.]workers[.]dev EvilTokens Device Code Phishing Landing 26 March 2026
voicemail-59f[.]admin-treyripple-com-s-account[.]workers[.]dev EvilTokens Device Code Phishing Landing 24 March 2026
voicemail-wx7[.]mark-squires-expressrancnes-com-s-account[.]workers[.]dev EvilTokens Device Code Phishing Landing 24 March 2026
voicemail-lyr[.]nbuckley-cambek-com-s-account[.]workers[.]dev EvilTokens Device Code Phishing Domain 24 March 2026
f8uh-dwam-j4l5[.]pvasquez-princetonpartners-com-s-account[.]workers[.]dev EvilTokens Device Code Phishing Landing 1 May 2026
ytgw-9n30-xlwd[.]pvasquez-princetonpartners-com-s-account[.]workers[.]dev EvilTokens Device Code Phishing Landing 1 May 2026
z6e43e5886fe-endpoint[.]com Device Code Phishing Domain 5 May 2026
019d442e-endpoint[.]com Device Code Phishing Domain 5 May 2026
jo2c9ada427c6-endpoint[.]com Device Code Phishing Domain 5 May 2026
7806d4cf9366-endpoint[.]com Device Code Phishing Domain 5 May 2026
ee10bbf6c689-endpoint[.]com Device Code Phishing Domain 5 May 2026
yaga9b286ae2c101-endpoint[.]com Device Code Phishing Domain 5 May 2026
f36c2774f013-endpoint[.]com Device Code Phishing Domain 5 May 2026
2dc62559e005-endpoint[.]com Device Code Phishing Domain 5 May 2026
4daa2aea93db-endpoint[.]com Device Code Phishing Domain 5 May 2026
ed5ce47d835f-endpoint[.]com Device Code Phishing Domain 5 May 2026
6dd5fd945b34-endpoint[.]com Device Code Phishing Domain 5 May 2026
0fdba029e6a5-endpoint[.]com Device Code Phishing Domain 5 May 2026
019d442a-endpoint[.]com Device Code Phishing Domain 5 May 2026
019d6860-endpoint[.]com Device Code Phishing Domain 5 May 2026
stablewebsystems[.]de ODx Device Code Phishing Domain 30 April 2026
marktkarree-langenfeld[.]de ODx Device Code Phishing Domain 30 April 2026
crediblebizextension[.]de ODx Device Code Phishing Domain 30 April 2026
servicewithoutinterruption[.]de ODx Device Code Phishing Domain 30 April 2026
marketcredibilitysignals[.]de ODx Device Code Phishing Domain 30 April 2026
kohlhoff-edelstahlverarbeitung[.]de ODx Device Code Phishing Domain 30 April 2026
reliablesupport[.]de ODx Device Code Phishing Domain 30 April 2026
europetrustwave[.]de ODx Device Code Phishing Domain 30 April 2026
trustedengagement[.]de ODx Device Code Phishing Domain 30 April 2026
methodicalness[.]de ODx Device Code Phishing Domain 30 April 2026
extendyourcredibility[.]de ODx Device Code Phishing Domain 30 April 2026
europesignaltrust[.]de ODx Device Code Phishing Domain 30 April 2026
consistentdigital[.]de ODx Device Code Phishing Domain 30 April 2026
uninterruptedperformance[.]de ODx Device Code Phishing Domain 30 April 2026
digitalcontinuity[.]de ODx Device Code Phishing Domain 30 April 2026
digitalreliability[.]de ODx Device Code Phishing Domain 30 April 2026
heilbronner-fruehlingssymposium[.]de ODx Device Code Phishing Domain 30 April 2026
reliableinteractions[.]de ODx Device Code Phishing Domain 30 April 2026
euromarketsignal[.]de ODx Device Code Phishing Domain 30 April 2026
audit-report-9767d3[.]fullerjp09[.]workers.dev TA4903 Device Code Phishing Landing 15 April 2026
hti-245401512[.]hs-sites-na2[.]com TA4903 Device Code Phishing Landing 5 April 2026
7740f766-8d1d-46ad-a6bc-onedrive[.]p-9jluifuu[.]workers[.]dev ARToken Device Code Landing 2 May 2026
panel[.]hewktree[.]net ARToken Device Code Panel 2 May 2026

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution. Please re-fang only within controlled threat intelligence environments such as MISP, VirusTotal, or your enterprise SIEM.

Related Articles

Back to top button