Device Code Phishing Attacks Surge 37x as EvilTokens Kit Goes Mainstream
Summary
Security researchers are sounding the alarm on a massive surge in device code phishing attacks, with detected phishing pages increasing by a staggering 37.5x as of April 2026. The explosive growth is largely driven by EvilTokens, a turnkey Phishing-as-a-Service (PhaaS) kit that launched in February 2026 and is sold through Telegram.
Device code phishing abuses the legitimate OAuth 2.0 Device Authorization Grant (RFC 8628), a flow designed for input-constrained devices such as smart TVs. The attacker starts the flow and receives two codes from the identity provider: a secret device code that the attacker's tooling polls with, and a short user code meant to be typed by a person. The lure hands that user code to the victim, who enters it on the provider's genuine verification page (Microsoft, Google, Salesforce, etc.) and completes an ordinary sign-in, MFA prompt included. The provider then issues access and refresh tokens to whoever holds the device code, which is the attacker. No cloned login page is involved, and MFA is not broken so much as satisfied by the victim on the attacker's behalf. EvilTokens takes this further with token persistence via refresh tokens, a built-in AI-powered webmail interface called “MailVault,” and automated BEC capabilities.
Microsoft Defender Security Research has confirmed widespread campaigns with hundreds of daily compromises, primarily targeting Microsoft 365 accounts across the US, Australia, Canada, France, India, Switzerland, and the UAE. A Microsoft device code expires 15 minutes after issuance, which would normally force the attacker to time each lure precisely; the kit sidesteps this with automation that generates codes dynamically, so the victim is never handed a stale one.
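The exchange described above, as an added example that is not from the original article or from the EvilTokens kit: a Python mock of the device authorization grant in which the attacker's tooling holds the device code and polls, while the victim enters the user code on the (simulated) genuine verification page. The server class, the placeholder verification URI, the client ID string and the victim address are assumptions for the simulation; the victim's real password and MFA steps are collapsed into the single `user_enters_code` call, and the 900-second lifetime mirrors the 15-minute expiry discussed above.

```python
import secrets
import string
import time

# Added illustration of the OAuth 2.0 Device Authorization Grant (RFC 8628)
# as abused by device code phishing. Everything here is an in-memory mock;
# no real identity provider is contacted.

CODE_LIFETIME_S = 900      # assumption: mirrors the 15-minute Microsoft device code expiry
POLL_INTERVAL_S = 5        # RFC 8628 default polling interval


class MockAuthorizationServer:
    """Minimal stand-in for an identity provider's device-code endpoints."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self._pending = {}        # device_code -> request record
        self._by_user_code = {}   # user_code -> device_code

    def device_authorization(self, client_id):
        # The client (here, the attacker's tooling) receives two codes:
        # device_code is secret and used for polling; user_code is shown to a human.
        device_code = secrets.token_urlsafe(32)
        alphabet = string.ascii_uppercase + string.digits
        user_code = "".join(secrets.choice(alphabet) for _ in range(9))
        rec = {"client_id": client_id, "user_code": user_code,
               "issued_at": self.clock(), "approved_by": None}
        self._pending[device_code] = rec
        self._by_user_code[user_code] = device_code
        return {
            "device_code": device_code,
            "user_code": user_code,
            "verification_uri": "https://login.example.test/device",  # placeholder
            "expires_in": CODE_LIFETIME_S,
            "interval": POLL_INTERVAL_S,
        }

    def _expired(self, rec):
        return self.clock() - rec["issued_at"] > CODE_LIFETIME_S

    def user_enters_code(self, user_code, username):
        """The victim types the user code on the GENUINE verification page after a
        full sign-in (MFA included); the server binds that identity to the request."""
        device_code = self._by_user_code.get(user_code)
        if device_code is None:
            return "invalid_code"
        rec = self._pending[device_code]
        if self._expired(rec):
            return "expired_token"
        rec["approved_by"] = username
        return "approved"

    def token(self, device_code):
        """Polling endpoint. Tokens go to whoever holds device_code: the attacker."""
        rec = self._pending.get(device_code)
        if rec is None:
            return {"error": "invalid_grant"}
        if self._expired(rec):
            return {"error": "expired_token"}
        if rec["approved_by"] is None:
            return {"error": "authorization_pending"}
        return {"access_token": "at." + secrets.token_urlsafe(16),
                "refresh_token": "rt." + secrets.token_urlsafe(16),
                "subject": rec["approved_by"]}


def phishing_run(victim_delay_s):
    """Attacker starts the flow; the victim enters the code victim_delay_s later.
    Returns (first poll result, victim's entry result, final poll result)."""
    now = [1_000_000.0]                                   # controllable clock
    srv = MockAuthorizationServer(clock=lambda: now[0])
    grant = srv.device_authorization("attacker-chosen-client-id")  # placeholder
    first_poll = srv.token(grant["device_code"])          # nothing approved yet
    now[0] += victim_delay_s                              # lure sent, victim clicks, signs in
    entry = srv.user_enters_code(grant["user_code"], "victim@contoso.example")
    now[0] += POLL_INTERVAL_S
    final = srv.token(grant["device_code"])
    return first_poll, entry, final


if __name__ == "__main__":
    for delay in (60, CODE_LIFETIME_S + 1):
        first, entry, final = phishing_run(delay)
        print(f"victim delay {delay}s: first poll={first}, entry={entry}, final={final}")
```

Running it with a 60-second victim delay ends with the attacker's poller holding an access token and a refresh token bound to the victim; with a delay past the lifetime both the victim's entry and the final poll report `expired_token`, which is exactly the window the kit's on-demand code generation is designed to avoid.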
Sources
- Push Security — Device Code Phishing Research
- Microsoft Security Blog — AI-Enabled Device Code Phishing Campaign
- BleepingComputer — EvilTokens Fuels Device Code Phishing
Commentary
This is one of those attack patterns that should terrify enterprise security teams. Device code phishing is elegant in its simplicity: it abuses a legitimate OAuth flow, sends the victim to the real login page rather than a cloned one, and needs no MFA bypass, because the victim completes MFA on the genuine page and the tokens are still delivered to the attacker's polling client. The victim sees nothing but a normal sign-in. A turnkey kit that puts this in the hands of low-skill attackers is a genuine shift.
The practical defense here is straightforward but often overlooked: a Conditional Access policy that uses the authentication flows condition to block the device code flow in your Microsoft 365 tenant. Most organizations do not actually need it enabled. Check the sign-in logs for device code sign-ins first (the authentication protocol is recorded per sign-in), run the policy in report-only mode, then enforce it with a narrow exclusion group for the few accounts that genuinely drive smart TVs or CLI tools requiring device code auth. That closes the path for the tenant's Microsoft accounts; refresh tokens already issued to an attacker still have to be revoked for any user who was caught, and the same flow on Google or Salesforce needs its own controls.
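A way to audit the tenant for this, as an added example that is not from the original article or from Microsoft: a Python script that tallies device code sign-ins from an exported sign-in log (to size the exclusion group honestly) and checks exported Conditional Access policies for one that actually enforces the block. Both inputs are constructed samples shaped like Microsoft Graph exports; the tenant name, display names and app IDs are placeholders, and the field names used (`authenticationProtocol`, `conditions.authenticationFlows.transferMethods`, `grantControls.builtInControls`, `state`) follow my reading of the Graph schema and should be confirmed against the current Graph documentation before relying on them.

```python
import json
from collections import Counter

# Added example: audit a Microsoft Entra tenant for device code flow exposure.
# SIGNINS and POLICIES are CONSTRUCTED samples in the shape of Microsoft Graph
# signIns and conditionalAccess/policies exports; names and IDs are placeholders.
# Field names follow my reading of the Graph schema (assumption; verify).

SIGNINS = json.loads("""[
 {"userPrincipalName": "alice@contoso.example", "appDisplayName": "CLI tool (placeholder)",
  "appId": "placeholder-app-cli", "authenticationProtocol": "deviceCode"},
 {"userPrincipalName": "alice@contoso.example", "appDisplayName": "Mail client (placeholder)",
  "appId": "placeholder-app-mail", "authenticationProtocol": "oAuth2"},
 {"userPrincipalName": "bob@contoso.example", "appDisplayName": "CLI tool (placeholder)",
  "appId": "placeholder-app-cli", "authenticationProtocol": "deviceCode"},
 {"userPrincipalName": "carol@contoso.example", "appDisplayName": "CLI tool (placeholder)",
  "appId": "placeholder-app-cli", "authenticationProtocol": "deviceCode"}
]""")

POLICIES = [
    {   # Report-only draft: logs what it would hit, enforces nothing.
        "displayName": "Block device code flow (report-only)",
        "state": "enabledForReportingButNotEnforced",
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeUsers": []},
            "applications": {"includeApplications": ["All"]},
            "authenticationFlows": {"transferMethods": "deviceCodeFlow"},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    },
    {   # Enforced version with a narrow exclusion group for genuine CLI users.
        "displayName": "Block device code flow",
        "state": "enabled",
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeGroups": ["grp-devicecode-allowed"]},
            "applications": {"includeApplications": ["All"]},
            "authenticationFlows": {"transferMethods": "deviceCodeFlow"},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    },
]


def device_code_usage(signins):
    """Who actually uses the device code flow, and through which app.
    Run this before enforcing the block so the exclusion group is sized from evidence."""
    usage = Counter()
    for s in signins:
        if s.get("authenticationProtocol") == "deviceCode":
            usage[(s["userPrincipalName"], s["appDisplayName"])] += 1
    return usage


def blocks_device_code(policy):
    """True only if an ENABLED policy blocks the device code flow for all users."""
    if policy.get("state") != "enabled":
        return False
    cond = policy.get("conditions", {})
    methods = (cond.get("authenticationFlows") or {}).get("transferMethods", "")
    if "deviceCodeFlow" not in [m.strip() for m in methods.split(",")]:
        return False
    if "All" not in cond.get("users", {}).get("includeUsers", []):
        return False
    return "block" in (policy.get("grantControls") or {}).get("builtInControls", [])


def audit(policies, signins):
    """Summarise enforcement state, exclusions that weaken it, and observed usage."""
    enforcing = [p for p in policies if blocks_device_code(p)]
    exclusions = {
        p["displayName"]: p["conditions"]["users"].get("excludeGroups", [])
        + p["conditions"]["users"].get("excludeUsers", [])
        for p in enforcing
    }
    return {
        "blocked": bool(enforcing),
        "enforcing_policies": [p["displayName"] for p in enforcing],
        "exclusions": exclusions,
        "device_code_signins": device_code_usage(signins),
    }


if __name__ == "__main__":
    report = audit(POLICIES, SIGNINS)
    print("device code flow blocked:", report["blocked"])
    for (user, app), n in report["device_code_signins"].most_common():
        print(f"  {user} via {app}: {n} sign-in(s)")
    for name, excl in report["exclusions"].items():
        print(f"  policy '{name}' excludes: {excl or 'nobody'}")
```

Two points the output makes visible: a report-only policy counts for nothing in the `blocked` verdict, and every exclusion is a user population the kit can still phish, so keep that group small and review it. The usage tally is for scoping exclusions, not for allow-listing by application: the attacker chooses the client ID when requesting a device code, so an app-based allow list does not stop the attack on its own.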