The Rise of Device Code Phishing: How Adversaries are Weaponizing OAuth Workflows
The threat landscape is witnessing a sophisticated pivot as hackers rapidly weaponize a specialized Microsoft authentication feature to hijack enterprise accounts. This surge in device code phishing represents a significant shift in how modern adversaries bypass traditional security perimeters.This escalation isn’t accidental; it is fueled by the proliferation of highly specialized criminal toolkits and Phishing-as-a-Service (PhaaS) platforms.
These services have democratized high-level exploitation, moving the technique from the realm of obscure research to widespread, industrial-scale deployment.
We are seeing a weekly influx of new kits, many of which appear to be refined through “vibe coding”—a process where attackers leverage AI to replicate or slightly iterate upon existing attack chains, creating near-identical, high-velocity campaigns with minimal manual overhead.
As organizations harden their defenses against direct credential theft and standard Multi-Factor Authentication (MFA) bypasses, attackers are evolving. Instead of fighting the authentication gate, they are subverting the workflow itself. Rather than stealing a password, they trick users into authorizing a malicious application, effectively granting the attacker persistent, legitimate access to the environment.
Security researchers at Proofpoint have issued warnings regarding the abuse of the OAuth device authorization flow. By exploiting this specific mechanism, attackers can steal Microsoft 365 access tokens, enabling stealthy account takeovers that often bypass legacy detection logic.
In a standard deployment, a victim is targeted via phishing emails containing malicious links, attachments, or QR codes—often impersonating trusted entities such as Microsoft, DocuSign, or Adobe. Upon clicking the link, the victim is funneled into a legitimate Microsoft device login sequence. The user is prompted to enter a unique device code into an official Microsoft landing page.

This is the critical failure point. By inputting the code, the user unknowingly authorizes an application controlled by the adversary. Once the authorization is complete, Microsoft issues authentication tokens to the attacker’s application, providing a direct pipeline to the victim’s email, cloud storage, and interconnected enterprise services.
The Industrialization of OAuth Exploitation
A major technical driver behind this recent surge is the move toward on-demand device code generation. Historically, these attacks were hindered by the short lifespan of pre-generated codes (typically 15 minutes). Modern phishing kits have solved this by generating codes dynamically at the moment of the click, ensuring the attack window is always open and ready for exploitation.
Infrastructure such as EvilTokens, which emerged on Telegram in early 2026, has effectively industrialized this process. These platforms provide end-to-end automation, including ready-made templates and management dashboards, allowing affiliates to scale Business Email Compromise (BEC) campaigns with minimal technical expertise.

Furthermore, threat actors are utilizing “account takeover jumping.” By compromising a single legitimate account, they use it to distribute phishing lures to internal colleagues or trusted external contacts. This leverages the inherent trust of internal communications, drastically increasing the success rate of the campaign.
One prominent actor, tracked as TA4903, has pivoted almost exclusively to device code phishing in 2026. Their tactics involve impersonating HR or government agencies through PDF attachments containing QR codes. These codes redirect users through a complex chain of cloud-hosted infrastructure to convincing, albeit malicious, authorization pages.

Interestingly, the reliance on automated tools has led to lapses in Operational Security (OPSEC). Researchers have noted campaigns with blank email bodies and exposed infrastructure details, suggesting that while the toolkits are sophisticated, the operators themselves may be operating with a superficial understanding of the underlying mechanics.
This shift follows the disruption of previous Adversary-in-the-Middle (AiTM) services like Tycoon 2FA. As those services face pressure, new competitors like ODx and Kali365 are filling the void by integrating native device code capabilities.
Ultimately, the success of these attacks relies on high-level social engineering. Similar to the “ClickFix” trend, attackers rely on the user’s willingness to perform a seemingly “routine” administrative task. A recent campaign in April demonstrated this by masquerading SharePoint documents as PDFs to lure victims into the device code workflow.

The consequences of a successful breach are severe, ranging from data exfiltration and financial fraud to providing the initial foothold for ransomware deployment and long-term espionage. To defend against this, security teams should prioritize Conditional Access Policies to restrict or block device code authentication flows, ensuring they are only permitted for managed devices within trusted network segments.
Indicators of Compromise (IoCs)
| Indicator | Description | First Seen |
|---|---|---|
| onedrive-7tu[.]techroboticslabmade-techie-com-s-account[.]workers[.]dev | EvilTokens Device Code Phishing Landing | 26 March 2026 |
| voicemail-59f[.]admin-treyripple-com-s-account[.]workers[.]dev | EvilTokens Device Code Phishing Landing | 24 March 2026 |
| voicemail-wx7[.]mark-squires-expressrancnes-com-s-account[.]workers[.]dev | EvilTokens Device Code Phishing Landing | 24 March 2026 |
| voicemail-lyr[.]nbuckley-cambek-com-s-account[.]workers[.]dev | EvilTokens Device Code Phishing Domain | 24 March 2026 |
| f8uh-dwam-j4l5[.]pvasquez-princetonpartners-com-s-account[.]workers[.]dev | EvilTokens Device Code Phishing Landing | 1 May 2026 |
| ytgw-9n30-xlwd[.]pvasquez-princetonpartners-com-s-account[.]workers[.]dev | EvilTokens Device Code Phishing Landing | 1 May 2026 |
| z6e43e5886fe-endpoint[.]com | Device Code Phishing Domain | 5 May 2026 |
| 019d442e-endpoint[.]com | Device Code Phishing Domain | 5 May 2026 |
| jo2c9ada427c6-endpoint[.]com | Device Code Phishing Domain | 5 May 2026 |
| 7806d4cf9366-endpoint[.]com | Device Code Phishing Domain | 5 May 2026 |
| ee10bbf6c689-endpoint[.]com | Device Code Phishing Domain | 5 May 2026 |
| yaga9b286ae2c101-endpoint[.]com | Device Code Phishing Domain | 5 May 2026 |
| f36c2774f013-endpoint[.]com | Device Code Phishing Domain | 5 May 2026 |
| 2dc62559e005-endpoint[.]com | Device Code Phishing Domain | 5 May 2026 |
| 4daa2aea93db-endpoint[.]com | Device Code Phishing Domain | 5 May 2026 |
| ed5ce47d835f-endpoint[.]com | Device Code Phishing Domain | 5 May 2026 |
| 6dd5fd945b34-endpoint[.]com | Device Code Phishing Domain | 5 May 2026 |
| 0fdba029e6a5-endpoint[.]com | Device Code Phishing Domain | 5 May 2026 |
| 019d442a-endpoint[.]com | Device Code Phishing Domain | 5 May 2026 |
| 019d6860-endpoint[.]com | Device Code Phishing Domain | 5 May 2026 |
| stablewebsystems[.]de | ODx Device Code Phishing Domain | 30 April 2026 |
| marktkarree-langenfeld[.]de | ODx Device Code Phishing Domain | 30 April 2026 |
| crediblebizextension[.]de | ODx Device Code Phishing Domain | 30 April 2026 |
| servicewithoutinterruption[.]de | ODx Device Code Phishing Domain | 30 April 2026 |
| marketcredibilitysignals[.]de | ODx Device Code Phishing Domain | 30 April 2026 |
| kohlhoff-edelstahlverarbeitung[.]de | ODx Device Code Phishing Domain | 30 April 2026 |
| reliablesupport[.]de | ODx Device Code Phishing Domain | 30 April 2026 |
| europetrustwave[.]de | ODx Device Code Phishing Domain | 30 April 2026 |
| trustedengagement[.]de | ODx Device Code Phishing Domain | 30 April 2026 |
| methodicalness[.]de | ODx Device Code Phishing Domain | 30 April 2026 |
| extendyourcredibility[.]de | ODx Device Code Phishing Domain | 30 April 2026 |
| europesignaltrust[.]de | ODx Device Code Phishing Domain | 30 April 2026 |
| consistentdigital[.]de | ODx Device Code Phishing Domain | 30 April 2026 |
| uninterruptedperformance[.]de | ODx Device Code Phishing Domain | 30 April 2026 |
| digitalcontinuity[.]de | ODx Device Code Phishing Domain | 30 April 2026 |
| digitalreliability[.]de | ODx Device Code Phishing Domain | 30 April 2026 |
| heilbronner-fruehlingssymposium[.]de | ODx Device Code Phishing Domain | 30 April 2026 |
| reliableinteractions[.]de | ODx Device Code Phishing Domain | 30 April 2026 |
| euromarketsignal[.]de | ODx Device Code Phishing Domain | 30 April 2026 |
| audit-report-9767d3[.]fullerjp09[.]workers.dev | TA4903 Device Code Phishing Landing | 15 April 2026 |
| hti-245401512[.]hs-sites-na2[.]com | TA4903 Device Code Phishing Landing | 5 April 2026 |
| 7740f766-8d1d-46ad-a6bc-onedrive[.]p-9jluifuu[.]workers[.]dev | ARToken Device Code Landing | 2 May 2026 |
| panel[.]hewktree[.]net | ARToken Device Code Panel | 2 May 2026 |
Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution. Please re-fang only within controlled threat intelligence environments such as MISP, VirusTotal, or your enterprise SIEM.