Device code phishing attacks surge 37x as new kits spread online
Device code phishing attacks, which exploit OAuth 2.0’s Device Authorization Grant to hijack accounts, have surged more than 37 times this year. Researchers at Push Security noted a 15x increase in March and now a 37.5x rise, driven largely by the EvilTokens kit that offers phishing-as-a-service. Multiple other kits—such as VENOM, SHAREFILE, CLURE, LINKID, AUTHOV, DOCUPOLL, FLOW_TOKEN, PAPRIKA, DCSTATUS, and DOLCE—also use realistic SaaS-themed lures and cloud hosting to facilitate attacks. To mitigate these threats, users should disable the device code flow when unnecessary, enforce conditional access policies, monitor logs for unusual authentication events, and remain vigilant against new phishing kits.

Device code phishing attacks that abuse the OAuth 2.0 Device Authorization Grant flow to hijack accounts have surged markedly in 2026; researchers now measure the growth in tens of multiples rather than in the dozens of occurrences seen in earlier years. The core technique is simple: the attacker sends a device authorization request to a service provider and receives a code, then delivers that code to the victim under a convincing pretext. The victim is tricked into entering the code on the legitimate login page, which authorizes the attacker's device and issues it valid access and refresh tokens for the account. The flow was originally designed to simplify sign-in for devices with limited input options (IoT devices, printers, streaming boxes, and smart TVs), but that convenience becomes a liability when threat actors abuse it.
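The flow just described leaves a distinctive trace on the identity provider side: the sign-in that results from the victim entering the code is recorded as a device-code authentication, typically from an IP address and location that belong to the attacker rather than to the user. The script below is an added example (not code from the article or from Push Security) that runs that check over a handful of constructed sign-in records. The record fields (createdDateTime, userPrincipalName, authenticationProtocol, ipAddress, location, resourceDisplayName, status) follow the shape of Microsoft Entra sign-in events; the log lines themselves, the 30-day baseline window, and the severity scoring are all assumptions made for the example.

```python
"""Flag device-code-flow sign-ins that do not match a user's normal sign-in pattern.

Added example. The sample records are constructed for illustration; the baseline
rule (compare each device-code sign-in against the user's earlier interactive
sign-ins) and the severity labels are assumptions, not a vendor-defined rule.
"""
import json
from datetime import datetime, timedelta

# Assumption: how far back to look for a user's "normal" interactive sign-ins.
BASELINE_WINDOW = timedelta(days=30)

# Constructed sample log (JSON lines), shaped like Entra sign-in events.
# alice: two interactive sign-ins from GB, then a device-code sign-in from NL.
# bob:   a device-code sign-in with no earlier interactive history at all.
# carol: an interactive sign-in, then a device-code sign-in from the same IP.
SAMPLE_LOG = """
{"createdDateTime":"2026-03-10T08:02:11Z","userPrincipalName":"alice@example.com","authenticationProtocol":"oAuth2","ipAddress":"203.0.113.10","location":{"countryOrRegion":"GB"},"resourceDisplayName":"Office 365 SharePoint Online","status":{"errorCode":0}}
{"createdDateTime":"2026-03-10T08:15:40Z","userPrincipalName":"alice@example.com","authenticationProtocol":"oAuth2","ipAddress":"203.0.113.10","location":{"countryOrRegion":"GB"},"resourceDisplayName":"Microsoft Teams","status":{"errorCode":0}}
{"createdDateTime":"2026-03-10T09:31:05Z","userPrincipalName":"alice@example.com","authenticationProtocol":"deviceCode","ipAddress":"198.51.100.77","location":{"countryOrRegion":"NL"},"resourceDisplayName":"Microsoft Graph","status":{"errorCode":0}}
{"createdDateTime":"2026-03-10T09:50:00Z","userPrincipalName":"carol@example.com","authenticationProtocol":"oAuth2","ipAddress":"203.0.113.22","location":{"countryOrRegion":"GB"},"resourceDisplayName":"Office 365 Exchange Online","status":{"errorCode":0}}
{"createdDateTime":"2026-03-10T10:05:00Z","userPrincipalName":"bob@example.com","authenticationProtocol":"deviceCode","ipAddress":"192.0.2.44","location":{"countryOrRegion":"US"},"resourceDisplayName":"Microsoft Graph","status":{"errorCode":0}}
{"createdDateTime":"2026-03-10T10:06:30Z","userPrincipalName":"carol@example.com","authenticationProtocol":"deviceCode","ipAddress":"203.0.113.22","location":{"countryOrRegion":"GB"},"resourceDisplayName":"Microsoft Graph","status":{"errorCode":0}}
"""


def parse_log(text):
    """Parse JSON-lines sign-in records into dicts, sorted by timestamp."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        # 'Z' suffix is not accepted by fromisoformat on older Pythons.
        ev["_ts"] = datetime.fromisoformat(ev["createdDateTime"].replace("Z", "+00:00"))
        events.append(ev)
    return sorted(events, key=lambda e: e["_ts"])


def is_success(ev):
    """A sign-in succeeded when its status carries errorCode 0."""
    return ev.get("status", {}).get("errorCode", 0) == 0


def find_device_code_alerts(events):
    """Return one alert per successful device-code sign-in.

    Each alert is scored against the user's successful interactive
    (non-device-code) sign-ins inside BASELINE_WINDOW before the event.
    """
    alerts = []
    for ev in events:
        if ev.get("authenticationProtocol") != "deviceCode" or not is_success(ev):
            continue
        user = ev["userPrincipalName"]
        window_start = ev["_ts"] - BASELINE_WINDOW
        baseline = [
            b for b in events
            if b["userPrincipalName"] == user
            and b.get("authenticationProtocol") != "deviceCode"
            and is_success(b)
            and window_start <= b["_ts"] < ev["_ts"]
        ]
        known_ips = {b["ipAddress"] for b in baseline}
        known_countries = {b["location"]["countryOrRegion"] for b in baseline}
        country = ev["location"]["countryOrRegion"]

        reasons = []
        if not baseline:
            reasons.append("no_interactive_baseline")
        else:
            if country not in known_countries:
                reasons.append("new_country")
            if ev["ipAddress"] not in known_ips:
                reasons.append("new_ip")

        # Assumed scoring: a country the user has never signed in from is the
        # strongest signal; a missing baseline or unseen IP is worth a look.
        if "new_country" in reasons:
            severity = "high"
        elif reasons:
            severity = "medium"
        else:
            severity = "low"

        alerts.append({
            "user": user,
            "time": ev["createdDateTime"],
            "ip": ev["ipAddress"],
            "country": country,
            "resource": ev.get("resourceDisplayName"),
            "severity": severity,
            "reasons": reasons,
        })
    return alerts


if __name__ == "__main__":
    for alert in find_device_code_alerts(parse_log(SAMPLE_LOG)):
        print(f"[{alert['severity']:6}] {alert['user']} via device code from "
              f"{alert['ip']} ({alert['country']}) -> {alert['resource']} {alert['reasons']}")
```

On the sample data, alice's device-code sign-in is rated high (new country and new IP), bob's is medium (nothing to compare against), and carol's is low (same address as her interactive session minutes earlier). Even the low-severity hits are worth a look in a tenant that does not legitimately use the device code flow, and where the flow is not needed at all, blocking it (for example with an Entra Conditional Access policy targeting the device code authentication flow) removes the attack surface rather than merely observing it.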
Observations from early March 2026 showed a stark escalation. Researchers noted a 15-fold increase in device code phishing pages detected over the year, with multiple kits and campaigns in operation. By the time the latest data was gathered, the figure had climbed to roughly 37.5 times the level seen at the start of the year. A prominent kit named EvilTokens has emerged as the most notable driver of this trend, helping to mainstream the technique among cybercriminals with varying levels of expertise. This rise coincides with a broader wave of phishing-as-a-service (PhaaS) offerings that lower the barrier to entry for criminals seeking to exploit OAuth and device-based authentication flows.
Among the key findings is the emergence of a competitive ecosystem of phishing platforms, each offering its own take on the device code phishing model. EvilTokens remains central to discussions, but researchers have identified a dozen or more platforms that could amplify the reach of this tactic if law enforcement action disrupts one leader. The landscape includes several notable kits and families, each pursuing the same underlying objective: trigger a device code flow through a believable lure and harvest the resulting tokens by steering users to authenticate on familiar services.
A closer look at the ecosystem reveals at least 11 distinct phishing kits currently offering device code phishing capabilities. The names and high-level characteristics of these kits illustrate the breadth and diversity of lure themes, hosting strategies, and anti-bot considerations that attackers deploy to complicate detection and take advantage of cloud-based hosting environments. The lures frequently rely on well-known SaaS brands and document-sharing workflows, aiming to convince victims to sign into an Office 365, ShareFile, or similar account through a page that mirrors legitimate branding. The goal is to create a plausible scenario in which the user believes they are completing a routine authentication step, unaware that they are inadvertently authorizing a malicious device.
Some of the kits in circulation include:
- VENOM: A closed-source PhaaS kit offering both device code phishing and AiTM (attacker-in-the-middle) capabilities; its device code component appears to be an EvilTokens clone.
- SHAREFILE: A kit themed around Citrix ShareFile document transfers, using node-based backend endpoints to simulate file sharing and trigger device code flows.
- CLURE: A kit with rotating API endpoints and an anti-bot gate, featuring SharePoint-themed lures and infrastructure hosted on DigitalOcean.
- LINKID: A kit leveraging Cloudflare challenge pages and self-hosted APIs, deploying Microsoft Teams and Adobe-themed lures.
- AUTHOV: A workers.dev-hosted kit using popup-based device code entry and Adobe document-sharing lures.
- DOCUPOLL: A kit hosted on GitHub Pages and workers.dev mimicking DocuSign workflows, including injected replicas of real pages.
- FLOW_TOKEN: A workers.dev-hosted kit using Tencent Cloud infrastructure, with HR and DocuSign-themed lures and popup-based flows.
- PAPRIKA: An AWS S3–hosted kit featuring Microsoft login clone pages with Office 365 branding and a counterfeit Okta footer.
- DCSTATUS: A minimal kit with generic Microsoft 365 “Secure Access” lures and limited visible infrastructure markers.
- DOLCE: A Microsoft PowerApps-hosted kit with Dolce & Gabbana-themed lures, likely a limited-use or red-team-style implementation rather than a widely deployed option.
In addition to these, there are other platforms that contribute to the same problem space, and researchers point to a broader trend where different kits compete for attention and adoption. The proliferation of cloud hosting, anti-bot protections, and realistic SaaS-themed lures underscores how device code phishing has moved from a niche tactic to a mainstream tool in the attacker playbook. The growth pattern suggests that as long as the flow remains available and attackers can assemble convincing lures, the potential for widespread abuse will persist.
There is also visual and documentary evidence of how these campaigns operate. A video released by researchers demonstrates the DOCUPOLL kit in action: the attacker uses DocuSign branding and a lure involving a supposed contract, prompting the victim to sign into the Microsoft Office application. This kind of layered deception—blending legitimate-looking branding with urgent business-oriented scenarios—helps reduce suspicion and increases the likelihood that a victim will complete the authentication step, unintentionally granting access to the attacker.
Overall, the current landscape indicates that device code phishing is not a one-off anomaly but a sustained trend that could accelerate if left unchecked. The combination of accessible tooling, cloud-hosted infrastructure, and highly plausible lures means criminals can target a wide audience with minimal technical skill beyond basic social engineering. As researchers continue to monitor the space, they emphasize the importance of recognizing this tactic as a real threat to organizations relying on OAuth-based device authorization for IoT and edge devices, as well as for users who interact with shared and secure access portals in an everyday corporate context. The evolution of EvilTokens and the surrounding ecosystem demonstrates how quickly phishing techniques can adapt to new authentication flows and how critical it is for defenders to remain vigilant against this rising class of attacks.