Illustration of device-code phishing: a worker enters a Microsoft login code from a card dangling on a fishing hook while a hidden attacker reels it in from a cloud-shaped filing cabinet.

Phishing Kits Abuse Microsoft Login Codes to Steal Cloud Access

LevelBlue says phishing kits are industrializing OAuth device-code attacks, giving attackers Microsoft 365 tokens without stealing a password first.

Microsoft’s device-code login flow is becoming a shortcut for initial access.

Researchers with LevelBlue’s SpiderLabs team say phishing kits are increasingly weaponizing OAuth device-code authentication, a legitimate Microsoft sign-in flow originally designed for devices that do not have easy input, such as shared devices, conference room hardware, printers or digital signage.

“Device code flow attacks have surged, driven by the emergence of phishing kits supporting the technique. Activity is ongoing and peaking in May 2026,” wrote John Kevin Adriano, security researcher at LevelBlue.

The attack does not need to steal a password in the usual way. Instead, the attacker starts a device-code authentication session, gets a short code from Microsoft, and tricks the victim into entering that code on Microsoft’s real device-login page. If the victim signs in and approves the prompt, Microsoft issues access and refresh tokens to the attacker-controlled session.

The victim is not typing a password into a fake Microsoft form. They are authenticating with Microsoft. The problem is that they are authenticating the attacker’s session.

Adriano said device-code phishing activity has surged in 2026, with observed activity peaking in May. The company said multiple phishing-as-a-service kits now support the technique, including EvilTokens, Kali365, Ghost Hub, Cyb3r and Tycoon2FA.

LevelBlue is not the first to flag the trend. Sekoia’s Threat Detection & Research team identified EvilTokens in February 2026 and tracked its spread through adversary-in-the-middle and business email compromise crews. Push Security, working from its own telemetry, logged a 37.5-fold jump in device-code phishing pages over the course of the year and tied the spike to the same kit. Three vendors, three data sets, one trajectory.

Device-code phishing sits in the gap between user trust, Microsoft 365 identity plumbing and phishing-kit automation. The user sees Microsoft. The attacker gets the token. Security teams are left looking for signs of a legitimate authentication flow used for an illegitimate session.

Phishing kits turn the flow into a product

The technique is not new. Microsoft and Volexity documented device-code phishing in the wild in February 2025, attributing early campaigns to the Russia-aligned cluster Storm-2372. The shift in 2026 is commercial: the technique moved from state-sponsored campaigns into subscription phishing kits.

Adriano said the technique has moved beyond one-off abuse and into commodity phishing infrastructure. EvilTokens and Kali365 were the most prevalent landing-page kits observed by the company, while Tycoon2FA, already known as an adversary-in-the-middle phishing kit, has added device-code phishing to its capabilities.

“AI-augmented post-compromise tooling, such as EvilTokens’ LLaMA-powered (BEC) pipeline, is making financially motivated campaigns more efficient and more damaging. This will reduce the time from token capture to actionable fraud from hours to seconds.”

The campaigns use familiar lures and evasions, including password-protected PDFs, fake Microsoft voicemail notices, DocuSign-themed legal documents, fake Adobe Acrobat Sign requests, QR codes, SVG attachments, compromised Microsoft 365 senders and multi-stage redirect chains. Some campaigns also abuse legitimate services from Adobe, Google and Microsoft as redirectors or hosting infrastructure, making sender and URL reputation checks less useful.

In one observed campaign, LevelBlue said a fake Microsoft voicemail lure passed through multiple URL rewriting services before landing on a Cloudflare Worker endpoint serving an EvilTokens device-code page. In another, a legitimate Adobe document-sharing notification led victims to a malicious PDF hosted through Adobe infrastructure before redirecting to a Ghost Hub device-code lure.

The payload is consent, not malware.

Once the victim enters the device code and completes the Microsoft sign-in, the attacker can receive tokens that may allow access to Microsoft 365 services. LevelBlue said the downstream goals include mailbox access, business email compromise, reconnaissance, follow-on phishing and financial theft.

What defenders should check now

Microsoft already recommends blocking device-code flow wherever it is not needed and restricting it through Microsoft Entra Conditional Access policies where it is; Conditional Access can block the flow outright or limit it to specific users, devices or locations.

The first question for defenders is simple: is device-code flow actually needed? If the answer is no, disable it.

If the answer is yes, Adriano’s advice is to restrict it to approved users, managed devices or trusted locations. Security teams should also monitor Microsoft Entra sign-in logs for device-code activity, unfamiliar locations, unmanaged devices and suspicious authentication patterns.
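As an added defender-side example (not code from LevelBlue, Microsoft or any of the kits named above), the script below runs the checks Adriano recommends over a constructed JSON-lines export of Entra sign-in records. It assumes the records carry the Microsoft Graph signIn fields `authenticationProtocol`, `deviceDetail.isManaged` and `location.countryOrRegion` (the same signal Sentinel exposes as `AuthenticationProtocol == "deviceCode"`); the approved-user list and trusted-country set are placeholders to adapt.

```python
import json

# Constructed sample export (not real telemetry): one Graph-style signIn record per line,
# trimmed to the fields the check uses.
SAMPLE_LOG = """\
{"userPrincipalName":"alice@example.test","authenticationProtocol":"deviceCode","location":{"countryOrRegion":"US"},"deviceDetail":{"isManaged":true},"status":{"errorCode":0}}
{"userPrincipalName":"bob@example.test","authenticationProtocol":"deviceCode","location":{"countryOrRegion":"NG"},"deviceDetail":{"isManaged":false},"status":{"errorCode":0}}
{"userPrincipalName":"carol@example.test","authenticationProtocol":"oAuth2","location":{"countryOrRegion":"US"},"deviceDetail":{"isManaged":true},"status":{"errorCode":0}}
{"userPrincipalName":"dave@example.test","authenticationProtocol":"deviceCode","location":{"countryOrRegion":"US"},"deviceDetail":{"isManaged":false},"status":{"errorCode":50126}}
"""

# Assumed allow-list: accounts with a sanctioned reason to use device-code flow (signage,
# conference-room hardware) and the countries they are expected to sign in from.
APPROVED_DEVICE_CODE_USERS = {"signage@example.test"}
TRUSTED_COUNTRIES = {"US"}

def assess(record):
    """Reasons one sign-in record deserves review; empty list for non-device-code sign-ins."""
    if record.get("authenticationProtocol") != "deviceCode":
        return []
    reasons = []
    if record.get("userPrincipalName") not in APPROVED_DEVICE_CODE_USERS:
        reasons.append("device-code flow used by an account not approved for it")
    if not record.get("deviceDetail", {}).get("isManaged", False):
        reasons.append("unmanaged device")
    if record.get("location", {}).get("countryOrRegion") not in TRUSTED_COUNTRIES:
        reasons.append("sign-in from outside trusted locations")
    return reasons

def find_suspicious(log_text):
    """Parse a JSON-lines export; return (user, reasons) for successful device-code sign-ins."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        record = json.loads(line)
        # Failed attempts (non-zero errorCode) are skipped: no token was issued for them.
        if record.get("status", {}).get("errorCode", 0) != 0:
            continue
        reasons = assess(record)
        if reasons:
            findings.append((record.get("userPrincipalName"), reasons))
    return findings

if __name__ == "__main__":
    for user, reasons in find_suspicious(SAMPLE_LOG):
        print(f"{user}: {'; '.join(reasons)}")
```

On the sample data, Alice is flagged only because her account is not on the approved list, while Bob trips all three checks; a real deployment would feed the Graph sign-in export or a Sentinel query result instead of the embedded lines.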

Organizations should review and strengthen controls around device-code authentication now, before the technique becomes just another standard feature in every serious phishing kit, Adriano said.

Author

  • Tom Spring

    Tom Spring is a cybersecurity journalist covering identity, AI, cloud security and enterprise risk. He is the founder of Security Point Break and former Senior Editorial Director at CyberRisk Alliance, where he led coverage for SC Media, MSSP Alert and ChannelE2E.

    An award-winning reporter, his work has been recognized by the Society of Professional Journalists, ASBPE and the Jesse H. Neal Awards. He focuses on cutting through cybersecurity hype to deliver clear, grounded reporting for security and business leaders.
