Device code phishing — the technique that abuses the OAuth 2.0 Device Authorization Grant flow to hijack Microsoft 365 accounts — has exploded in 2026. Researchers now report a 37.5x increase in device code phishing pages compared to the start of the year, up from a 15x spike observed in early March. The acceleration is being driven by the rapid adoption of turnkey phishing-as-a-service (PhaaS) platforms, most notably EvilTokens, which launched in February 2026 and has already been linked to the compromise of over 340 organizations across five countries.

How Device Code Phishing Works

The OAuth 2.0 Device Authorization Grant (RFC 8628) was designed for input-constrained devices — think smart TVs or IoT gear that can’t render a browser login. The flow works like this: the device asks the authorization server for a pair of codes, displays the short user code to the user, and polls the token endpoint in the background; the user enters that code on a separate device at the verification URL (for Microsoft accounts, the Microsoft device login page). Once the user has authenticated there, the polling device receives an access token.
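To make the exchange concrete, here is a toy RFC 8628 authorization server and device client in one process. This is an added illustration, not Microsoft's implementation or code from the article; the endpoint names and error codes follow the RFC, while the client id, user name, verification URI and 15-minute lifetime are constructed sample values. The point it shows is the one that matters for the rest of this piece: the tokens are returned to whoever holds the `device_code`, not to the browser where the user typed the `user_code` and passed MFA, and the code only works inside its expiry window.

```python
"""Toy RFC 8628 Device Authorization Grant with both sides in one process.

Added illustration of the flow described above; it is not Microsoft's
implementation. Endpoint names and error codes follow RFC 8628; the client
id, user names, verification URI and the 15-minute lifetime are constructed
sample values.
"""
import secrets

# RFC 8628 recommends a short alphabet without vowels for the user code.
USER_CODE_ALPHABET = "BCDFGHJKLMNPQRSTVWXZ"


class AuthorizationServer:
    """Minimal authorization server that keeps device-code state in memory."""

    def __init__(self, lifetime_seconds: int = 900, interval: int = 5):
        self.lifetime = lifetime_seconds
        self.interval = interval
        self.now = 0               # simulated clock, in seconds
        self.pending = {}          # device_code -> request record
        self.by_user_code = {}     # user_code -> device_code

    def device_authorization(self, client_id: str, scope: str) -> dict:
        """Device Authorization Request: the *device* (not the user) gets both codes."""
        device_code = secrets.token_urlsafe(32)
        user_code = "-".join(
            "".join(secrets.choice(USER_CODE_ALPHABET) for _ in range(4))
            for _ in range(2))
        self.pending[device_code] = {
            "client_id": client_id, "scope": scope, "user_code": user_code,
            "expires_at": self.now + self.lifetime, "approved_by": None,
        }
        self.by_user_code[user_code] = device_code
        return {"device_code": device_code, "user_code": user_code,
                "verification_uri": "https://idp.example/device",  # constructed
                "expires_in": self.lifetime, "interval": self.interval}

    def user_verifies(self, user_code: str, user: str) -> bool:
        """The human enters the code in a trusted browser after a normal (MFA) login.
        The server never learns which device asked for the code, only that the
        code matches a pending request."""
        device_code = self.by_user_code.get(user_code)
        rec = self.pending.get(device_code)
        if rec is None or self.now > rec["expires_at"]:
            return False
        rec["approved_by"] = user
        return True

    def token(self, device_code: str) -> dict:
        """Device Access Token Request (grant_type=urn:ietf:params:oauth:grant-type:device_code)."""
        rec = self.pending.get(device_code)
        if rec is None:
            return {"error": "invalid_grant"}
        if self.now > rec["expires_at"]:
            del self.pending[device_code]
            return {"error": "expired_token"}
        if rec["approved_by"] is None:
            return {"error": "authorization_pending"}
        del self.pending[device_code]
        # Tokens are delivered to whoever holds device_code, not to the browser
        # where the user authenticated.
        return {"access_token": secrets.token_urlsafe(16), "token_type": "Bearer",
                "refresh_token": secrets.token_urlsafe(16),
                "scope": rec["scope"], "subject": rec["approved_by"]}


def run_flow(approve_after: int, lifetime: int = 900) -> dict:
    """Drive one exchange: the device asks, the user approves `approve_after` seconds later."""
    server = AuthorizationServer(lifetime_seconds=lifetime)
    dev = server.device_authorization("device-client-id", "Mail.Read")  # constructed
    server.now += approve_after
    approved = server.user_verifies(dev["user_code"], "alice@example.com")  # constructed
    server.now += server.interval   # device polls after the advertised interval
    return {"approved": approved, "token_response": server.token(dev["device_code"])}


if __name__ == "__main__":
    print(run_flow(approve_after=60))    # approved, token issued
    print(run_flow(approve_after=901))   # code expired before the user typed it
```

The `expired_token` branch is why the kits described later care so much about timing: a code that sits unused past `expires_in` is worthless, so they delay requesting it until the victim is about to act.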

Attackers have weaponized this flow. The victim receives a phishing email — often themed around salary reports, shared documents, or IT notifications — containing a link or QR code. That link directs them to Microsoft’s legitimate microsoft.com/devicelogin page, where they enter an attacker-generated code. The victim completes their normal MFA challenge on Microsoft’s real infrastructure. Once authenticated, the attacker’s application receives valid OAuth tokens — access tokens for immediate API access and refresh tokens valid for up to 90 days.

This is what makes the technique so dangerous: MFA doesn’t help. The user authenticates through Microsoft’s legitimate flow, satisfying all MFA requirements. The attacker never sees or needs the victim’s password.

The PhaaS Ecosystem

Three kits are driving the surge:

EvilTokens is the most prominent. Sold on Telegram, it provides complete campaign automation: decoy phishing pages, automated Microsoft API interaction, email delivery from compromised trusted senders, and LLM-generated phishing lures. Sekoia’s Threat Detection & Research team disclosed the platform in late March 2026 after tracking over 1,000 active phishing domains within weeks of its launch. EvilTokens has been observed targeting construction, nonprofits, real estate, manufacturing, financial services, healthcare, legal, and government sectors.

SquarePhish2 is an updated version of Dell Secureworks’ original SquarePhish tool. It integrates QR codes and automates the device code flow with a 15-minute expiration window — the attacker waits for the victim to scan the QR code before triggering the OAuth flow, maximizing the chance the code is used before it expires.

Graphish takes a different angle, leveraging Azure App Registrations and adversary-in-the-middle capabilities. It requests broad Microsoft Graph API permissions, enabling data exfiltration, lateral movement, and persistence through long-lived refresh tokens.

Attribution

Multiple threat clusters are active. Proofpoint has linked campaigns to TA2723, suspected of using both SquarePhish2 and Graphish across different campaign waves. A Russia-aligned actor tracked as UNK_AcademicFlare has been targeting government, academic, think tank, and transportation sectors in the U.S. and Europe using compromised government and military email accounts for initial rapport-building before delivering device code phishing links. The earlier Storm-2372 campaigns documented by Microsoft in February 2025 appear to have served as a proof-of-concept that catalyzed broader adoption.

Impact

Once an attacker holds valid OAuth tokens, the blast radius is significant. They get full access to the victim’s mailbox, OneDrive, SharePoint, and Teams via the Microsoft Graph API. Refresh tokens can be silently renewed for months. Because there are no stolen passwords and no foreign IP sign-ins (if tokens are proxied carefully), traditional detection signals often miss the compromise entirely.

The 340+ organizations confirmed compromised by EvilTokens alone likely represent the floor. Many organizations lack visibility into device code authentication events in their Entra ID logs.

Detection and Mitigation

Immediate actions:

  1. Block device code authentication via Conditional Access in Microsoft Entra ID for all users who don’t explicitly need it. This is the single most effective control.
  2. Audit sign-in logs in the Entra admin center. Filter for authentications where the authentication method is “Device code flow” — any entries from unexpected IPs, locations, or user agents are suspect.
  3. Hunt for anomalous spikes in device code flow usage across your tenant. Baseline normal volume and alert on deviations.
  4. Check for Railway.com source IPs — EvilTokens infrastructure has been observed using Railway.com hosting.
  5. Deploy phishing-resistant MFA (FIDO2 security keys or Windows Hello for Business). These bind authentication to specific devices and cannot be proxied through a device code flow.
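The audit and baselining steps (items 2 and 3) can be scripted against an export of sign-in records. The following is an added example, not code from the article or from Microsoft: it assumes Graph-style `signIn` JSON with the fields `authenticationProtocol` (value `deviceCode` for this grant), `createdDateTime`, `userPrincipalName`, `ipAddress`, `userAgent` and `location.countryOrRegion`, and every record in it is constructed sample data using RFC 5737 documentation addresses. Beyond the two checks named above it also surfaces one source IP completing device code sign-ins for many different accounts, which is the shape a token-proxying kit leaves behind.

```python
"""Hunt for device code flow sign-ins in an export of Entra ID sign-in records.

Added example for the audit and baselining steps above; it is not from the
article or from Microsoft. It assumes Graph-style signIn JSON with the
fields `authenticationProtocol` (value `deviceCode`), `createdDateTime`,
`userPrincipalName`, `ipAddress`, `userAgent` and `location.countryOrRegion`.
Every record below is constructed sample data, not a real tenant log; the
IP addresses come from the RFC 5737 documentation ranges.
"""
import json
import statistics
from collections import Counter, defaultdict


def _rec(ts, upn, ip, country, ua, protocol="deviceCode"):
    """Build one constructed signIn record in the assumed export shape."""
    return {"createdDateTime": ts, "userPrincipalName": upn, "ipAddress": ip,
            "location": {"countryOrRegion": country}, "userAgent": ua,
            "authenticationProtocol": protocol}


ROOM_UA = "RoomDisplay/2.1"          # constructed UA of a legitimate meeting-room device
BASELINE_DAYS = [f"2026-03-0{d}" for d in range(1, 8)]
_sample = [_rec(f"{day}T07:00:00Z", "room-display-01@example.com", "192.0.2.10", "US", ROOM_UA)
           for day in BASELINE_DAYS]
_sample.append(_rec("2026-03-02T09:00:00Z", "alice@example.com", "192.0.2.20", "US",
                    "Mozilla/5.0", protocol="authorizationCode"))   # ordinary browser login
_sample.append(_rec("2026-03-08T07:00:00Z", "room-display-01@example.com", "192.0.2.10", "US", ROOM_UA))
for i, who in enumerate(["alice", "bob", "carol", "dave", "erin"]):
    _sample.append(_rec(f"2026-03-08T10:{i:02d}:00Z", f"{who}@example.com",
                        "203.0.113.77", "NL", "python-requests/2.31"))
SAMPLE_SIGNINS_JSON = json.dumps(_sample)

EXPECTED_COUNTRIES = {"US"}            # constructed tenant baseline
EXPECTED_UA_PREFIXES = ("RoomDisplay/",)


def load_device_code_signins(raw_json: str) -> list:
    """Keep only sign-ins that used the device code grant."""
    return [r for r in json.loads(raw_json) if r.get("authenticationProtocol") == "deviceCode"]


def per_record_findings(records, expected_countries, expected_ua_prefixes) -> list:
    """Flag device code sign-ins from unexpected countries or user agents."""
    findings = []
    for r in records:
        reasons = []
        country = r.get("location", {}).get("countryOrRegion")
        if country not in expected_countries:
            reasons.append(f"country {country}")
        ua = r.get("userAgent", "")
        if not ua.startswith(expected_ua_prefixes):
            reasons.append(f"user agent {ua!r}")
        if reasons:
            findings.append({"time": r["createdDateTime"], "user": r["userPrincipalName"],
                             "ip": r["ipAddress"], "reasons": reasons})
    return findings


def daily_spikes(records, baseline_days, factor: float = 3.0) -> dict:
    """Days outside the baseline whose device code volume exceeds mean + factor*stdev
    (and at least factor times the mean, so a flat baseline still has a margin)."""
    counts = Counter(r["createdDateTime"][:10] for r in records)
    baseline = [counts.get(d, 0) for d in baseline_days]
    mean, sd = statistics.mean(baseline), statistics.pstdev(baseline)
    threshold = max(mean + factor * sd, mean * factor)
    return {day: n for day, n in sorted(counts.items())
            if day not in baseline_days and n > threshold}


def shared_ip_users(records, min_users: int = 3) -> dict:
    """Source IPs from which several different users completed device code sign-ins;
    one relay IP serving many accounts is typical of token-proxying kits."""
    users = defaultdict(set)
    for r in records:
        users[r["ipAddress"]].add(r["userPrincipalName"])
    return {ip: sorted(u) for ip, u in users.items() if len(u) >= min_users}


if __name__ == "__main__":
    recs = load_device_code_signins(SAMPLE_SIGNINS_JSON)
    print(per_record_findings(recs, EXPECTED_COUNTRIES, EXPECTED_UA_PREFIXES))
    print(daily_spikes(recs, BASELINE_DAYS))
    print(shared_ip_users(recs))
```

On the constructed data the seven baseline days carry one legitimate room-device sign-in each, so the eighth day's six device code sign-ins trip the volume check, the five new ones are flagged on both country and user agent, and the single relay address is reported as serving five accounts. In a real tenant, replace `EXPECTED_COUNTRIES` and `EXPECTED_UA_PREFIXES` with what your own baseline shows, and expect the legitimate set to be very small.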

Longer-term hardening:

  • Restrict OAuth app consent to admin-approved applications only.
  • Implement token protection policies (token binding) where supported.
  • Review and revoke any suspicious OAuth application grants in your tenant.
  • Run targeted security awareness training that specifically covers device code phishing — most users have never seen this attack pattern and won’t recognize it.

The Bigger Picture

Device code phishing represents a fundamental challenge for identity infrastructure: it exploits a legitimate protocol feature, not a vulnerability. There’s no CVE to patch. The defense is architectural — removing unnecessary authentication flows from your tenant and ensuring your Conditional Access policies account for OAuth abuse. If you’re running Microsoft 365 and haven’t explicitly blocked device code authentication, assume you’re exposed.
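Since the whole defense rests on one Conditional Access control, it is worth verifying that the tenant's policy set actually provides it rather than a report-only draft or a pilot-scoped copy. The following is an added example, not Microsoft's code or the article's: it assumes the Graph `conditionalAccessPolicy` shape (`state`, `conditions.users.includeUsers`/`excludeUsers`/`excludeGroups`, `conditions.applications.includeApplications`, `conditions.authenticationFlows.transferMethods` as a comma-separated flag string containing `deviceCodeFlow`, and `grantControls.builtInControls`), and the sample policies and ids are constructed placeholders. It builds the policy body that blocks the flow for everyone and audits a list of existing policies for gaps that would leave device code sign-ins allowed.

```python
"""Audit Conditional Access policies for an effective, tenant-wide block of the
device code flow, and produce the policy body that provides one.

Added example tied to the 'block device code authentication' action above;
it is not Microsoft's code. It assumes the Graph conditionalAccessPolicy
shape: `state` ("enabled", "disabled" or "enabledForReportingButNotEnforced"),
`conditions.users.includeUsers` / `excludeUsers` / `excludeGroups`,
`conditions.applications.includeApplications`,
`conditions.authenticationFlows.transferMethods` (a comma-separated flag
string in which "deviceCodeFlow" is one value) and
`grantControls.builtInControls`. The sample policies and ids are constructed.
"""


def blocking_device_code_policy(break_glass_ids=()) -> dict:
    """Policy body that blocks the device code grant for all users and apps."""
    return {
        "displayName": "Block device code flow (all users)",
        "state": "enabled",
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeUsers": list(break_glass_ids)},
            "applications": {"includeApplications": ["All"]},
            "authenticationFlows": {"transferMethods": "deviceCodeFlow"},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }


def _transfer_methods(policy: dict) -> set:
    """Normalise transferMethods (flag string or list) to a set of names."""
    tm = (policy.get("conditions", {}).get("authenticationFlows") or {}).get("transferMethods") or ""
    parts = tm.split(",") if isinstance(tm, str) else tm
    return {p.strip() for p in parts if p.strip()}


def assess_policy(policy: dict) -> dict:
    """Return {'gaps': [...], 'warnings': [...]}; no gaps means the policy blocks
    device code flow for every user and app."""
    gaps, warnings = [], []
    conds = policy.get("conditions", {})
    users = conds.get("users", {})
    apps = conds.get("applications", {})
    if policy.get("state") != "enabled":
        gaps.append(f"state is {policy.get('state')!r}, so nothing is enforced")
    if "deviceCodeFlow" not in _transfer_methods(policy):
        gaps.append("authenticationFlows condition does not include deviceCodeFlow")
    if "block" not in policy.get("grantControls", {}).get("builtInControls", []):
        gaps.append("grant control is not 'block'")
    if "All" not in users.get("includeUsers", []):
        gaps.append("scope is not all users")
    if "All" not in apps.get("includeApplications", []):
        gaps.append("scope is not all cloud apps")
    excluded = users.get("excludeUsers", []) + users.get("excludeGroups", [])
    if excluded:
        warnings.append(f"{len(excluded)} exclusion(s); confirm each is a deliberate "
                        "break-glass or device account, not a standing bypass")
    return {"gaps": gaps, "warnings": warnings}


def audit_tenant(policies) -> dict:
    """Split policies into effective blocks and near-misses that mention
    deviceCodeFlow but leave a gap; unrelated policies are ignored."""
    report = {"effective_block": [], "near_miss": {}, "warnings": {}}
    for p in policies:
        if "deviceCodeFlow" not in _transfer_methods(p):
            continue
        result = assess_policy(p)
        name = p.get("displayName", "<unnamed>")
        if result["gaps"]:
            report["near_miss"][name] = result["gaps"]
        else:
            report["effective_block"].append(name)
        if result["warnings"]:
            report["warnings"][name] = result["warnings"]
    return report


# Constructed sample tenant: a report-only draft, a pilot-group policy, an
# unrelated MFA policy, and the tenant-wide block with one break-glass exclusion.
SAMPLE_POLICIES = [
    {"displayName": "Block device code flow - report only",
     "state": "enabledForReportingButNotEnforced",
     "conditions": {"users": {"includeUsers": ["All"]},
                    "applications": {"includeApplications": ["All"]},
                    "authenticationFlows": {"transferMethods": "deviceCodeFlow"}},
     "grantControls": {"operator": "OR", "builtInControls": ["block"]}},
    {"displayName": "Block device code flow - pilot",
     "state": "enabled",
     "conditions": {"users": {"includeGroups": ["<pilot-group-id>"]},
                    "applications": {"includeApplications": ["All"]},
                    "authenticationFlows": {"transferMethods": "deviceCodeFlow,authenticationTransfer"}},
     "grantControls": {"operator": "OR", "builtInControls": ["block"]}},
    {"displayName": "Require MFA for all users",
     "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"]},
                    "applications": {"includeApplications": ["All"]}},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
    blocking_device_code_policy(break_glass_ids=["<break-glass-account-id>"]),
]

if __name__ == "__main__":
    import json
    print(json.dumps(audit_tenant(SAMPLE_POLICIES), indent=2))
```

The report-only draft and the pilot-scoped copy both mention `deviceCodeFlow` and both look like a block at a glance, yet neither stops a single sign-in; only the tenant-wide enabled policy counts, and even that one carries a warning so the exclusion list gets reviewed rather than forgotten. Feed `audit_tenant` the policy list from a Graph export of your tenant to get the same verdict on real data.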
