Device Code Phishing Goes Commodity: Detections Surge 37x as a Dozen Kits Flood the Market

An espionage-grade MFA bypass that once belonged to Russian state crews is now a 50-dollar-a-week criminal commodity, and the OAuth tokens it harvests survive every password reset you throw at them.

Published June 27, 2026

From Spy Tradecraft to Strip-Mall Crime

Eighteen months ago, device code phishing was a niche technique associated almost exclusively with Russian state-linked intrusion crews. As of late June 2026, it is a criminal commodity. Researchers at Push Security, working alongside threat intelligence firm Sekoia, report that detections of device code phishing pages have climbed 37.5 times higher this year, up from a 15x increase measured at the start of March. The driver of that curve is not a new vulnerability. It is commoditization. At least eleven commercial phishing-as-a-service kits now offer the technique to anyone willing to pay, with some platforms renting access for as little as 50 dollars a week.

Push Security put the trajectory bluntly in its research, noting that the figure it had been tracking at 15x in March had risen to 37.5x by the time of writing. What changed was not the underlying flaw, which was documented as far back as 2020, but the supply chain feeding it. When a technique requires custom infrastructure and operator skill, it stays rare. When a vendor packages it into a point-and-click kit with anti-bot evasion and SaaS-themed lures baked in, it scales to the entire criminal market overnight.

How the Attack Actually Works

Device code phishing exploits a legitimate authentication flow designed for input-constrained devices like smart TVs and conference room displays. The attacker initiates a device authorization request to a provider such as Microsoft and receives a short code. That code is then sent to the victim under a believable pretext, often a Teams meeting invite, a DocuSign request, or a SharePoint file share. The victim enters the code on the genuine Microsoft login page, sees nothing suspicious because the page is real, and unknowingly authorizes the attacker's device. No password is captured and no fake login form is needed.

The elegance, from the attacker's perspective, is that everything the victim touches is legitimate. The lure may redirect through trusted hosts like workers.dev, vercel.app, or github.io, but the final authentication happens on Microsoft's own infrastructure. That is why traditional credential-phishing defenses miss it. There is no spoofed domain to flag and no harvested password to detect. The victim simply hands over a session by approving what looks like a routine sign-in request.

Meet the Kits

Push Security tracks EvilTokens, also marketed as ANTIBOT, as the most prevalent kit in the wild. It runs a Cloudflare Workers frontend against a Railway backend, layers in bot detection and evasion, and uses a pop-up window for device code entry to reduce victim friction. Its lure themes impersonate Outlook, SharePoint, Teams, DocuSign, and Adobe. A second major kit, VENOM, is a closed-source operation whose device code component appears to be an EvilTokens clone, bundled with adversary-in-the-middle capabilities and lures impersonating DHL, FedEx, and DocuSign verification pages.

Beyond those two, researchers identified a long tail of kits including SHAREFILE, CLURE, LINKID, AUTHOV, DOCUPOLL, FLOW_TOKEN, PAPRIKA, DCSTATUS, and DOLCE. Each uses realistic SaaS-themed lures, anti-bot protections, and abuses legitimate cloud platforms for hosting. The diversity is the point. A defender who builds detection around one kit's infrastructure finds it useless against the next, and the catalog keeps growing as the market rewards differentiation.

Why Password Resets Will Not Save You

The strategic danger of device code phishing is what the attacker walks away with: OAuth access tokens, refresh tokens, and ID tokens rather than a password. These tokens survive password resets and credential rotation, which means the standard incident-response reflex of forcing a password change does nothing to evict the intruder. When targeting Microsoft, attackers can escalate to a Primary Refresh Token, granting seamless single sign-on across every Entra ID-connected application. Family of Client IDs abuse lets a single phished token pivot across Office, Outlook, Teams, OneDrive, SharePoint, and the Azure Management API.

That persistence reframes the entire detection and response problem. An organization that catches a device code phishing victim and dutifully resets the password has not contained the breach at all. Effective response requires revoking the issued refresh tokens and invalidating the authorized sessions, a step many help desks are not trained to take. The gap between what defenders instinctively do and what the attack actually requires is exactly the gap these kits are built to exploit.

What Enterprises Should Do Now

The good news is that device code phishing has concrete countermeasures, and most enterprises can deploy them without buying new tooling. In Microsoft Entra ID, conditional access policies can block the device code flow entirely for users and locations that never legitimately need it, which describes the overwhelming majority of a typical workforce. Limiting which applications can request device codes shrinks the attack surface further. For organizations that cannot disable the flow outright, monitoring for device code grants from unexpected geographies or unmanaged devices is a high-signal detection.
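As an added illustration of the monitoring step above (not code from Push Security, Sekoia, or Microsoft), the script below runs a simple detector over constructed sign-in records in the shape of Microsoft Graph `signIn` objects: it flags device code grants (the `deviceCode` authentication protocol, which is what the flow described earlier leaves in the logs) that arrive from unexpected countries or unmanaged devices, then lists the accounts whose sessions need revoking rather than a password reset. The expected-country set and all log values are assumptions.

```python
import json

# Constructed sample sign-in records (JSON lines), not real data. Field names follow the
# Microsoft Graph signIn resource; every value is invented for illustration.
SAMPLE_SIGNIN_LOG = """\
{"userPrincipalName":"alice@example.com","appDisplayName":"Microsoft Teams","ipAddress":"198.51.100.7","authenticationProtocol":"deviceCode","location":{"countryOrRegion":"NL"},"deviceDetail":{"isManaged":false}}
{"userPrincipalName":"bob@example.com","appDisplayName":"Microsoft Teams","ipAddress":"203.0.113.9","authenticationProtocol":"oAuth2","location":{"countryOrRegion":"US"},"deviceDetail":{"isManaged":true}}
{"userPrincipalName":"carol@example.com","appDisplayName":"Conference Room Display","ipAddress":"192.0.2.5","authenticationProtocol":"deviceCode","location":{"countryOrRegion":"US"},"deviceDetail":{"isManaged":true}}
{"userPrincipalName":"alice@example.com","appDisplayName":"Office 365 SharePoint Online","ipAddress":"198.51.100.7","authenticationProtocol":"deviceCode","location":{"countryOrRegion":"NL"},"deviceDetail":{"isManaged":false}}
"""

# Assumption: countries the workforce normally signs in from (tune per tenant).
EXPECTED_COUNTRIES = {"US", "GB"}


def parse_signin_log(text):
    """Parse JSON-lines sign-in records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def device_code_risk_reasons(rec, expected_countries=EXPECTED_COUNTRIES):
    """Reasons a device code grant looks risky; [] for non-device-code or routine sign-ins."""
    if rec.get("authenticationProtocol") != "deviceCode":
        return []
    reasons = []
    country = (rec.get("location") or {}).get("countryOrRegion")
    if country not in expected_countries:
        reasons.append(f"unexpected country: {country}")
    # A missing isManaged field is treated as unmanaged (fail closed).
    if not (rec.get("deviceDetail") or {}).get("isManaged", False):
        reasons.append("unmanaged device")
    return reasons


def find_device_code_alerts(records, expected_countries=EXPECTED_COUNTRIES):
    """One alert per risky device code grant, carrying the context an analyst needs."""
    alerts = []
    for rec in records:
        reasons = device_code_risk_reasons(rec, expected_countries)
        if reasons:
            alerts.append({"user": rec.get("userPrincipalName"), "app": rec.get("appDisplayName"),
                           "ip": rec.get("ipAddress"), "reasons": reasons})
    return alerts


def users_needing_session_revocation(alerts):
    """Accounts whose refresh tokens must be revoked; a password reset alone does not evict the holder."""
    return sorted({a["user"] for a in alerts})


if __name__ == "__main__":
    found = find_device_code_alerts(parse_signin_log(SAMPLE_SIGNIN_LOG))
    for alert in found:
        print(alert)
    print("revoke sessions for:", users_needing_session_revocation(found))
```

The conference-room display grant from a managed device in an expected country passes, while both of alice's grants are flagged and her account lands on the revocation list.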

We would urge security leaders to treat the 37x figure as a leading indicator rather than a curiosity. Techniques that move from state actors to commodity kits do not slow down once they are profitable, and EvilTokens and its imitators have proven the model works. The OAuth token economy that underpins modern SaaS is now a phishing target in its own right, and the password-centric defenses most organizations still rely on were never designed to protect it. Closing the device code flow is a small change. Failing to close it is an open invitation.

Tagged: #news #security #cybersecurity #breach #supply-chain