Ethical Hacking News
Device code phishing attacks have surged more than 37 times this year, with researchers at Push Security warning that cybercriminals are widely adopting this technique. The kits and campaigns being tracked include EvilTokens, which has seen a significant surge in its use. As the threat landscape continues to evolve, it is essential for users to stay informed about the latest threats and take steps to protect themselves against device code phishing attacks.
Device code phishing attacks have surged over 37 times this year, according to Push Security researchers. The technique was first documented in 2020, but malicious exploitation was recorded a few years later. The EvilTokens kit has seen a significant surge in its use, with a 15x increase in detected pages in March 2026. Device code phishing attacks trick victims into entering codes on legitimate login pages to authorize the attacker's device. The kits are often hosted on popular platforms like AWS S3, DigitalOcean, and GitHub Pages, making it easy for attackers to distribute their malware. Researchers have identified several other phishing kits competing with EvilTokens in the market, including VENOM, SHAREFILE, CLURE, etc. Users need to be vigilant in protecting themselves against device code phishing attacks and take steps such as disabling the flow when it is not needed, monitoring logs, and setting conditional access policies.
Device code phishing attacks have surged more than 37 times this year, according to researchers at Push Security. This type of attack exploits the OAuth 2.0 Device Authorization Grant flow to hijack accounts, with threat actors sending device authorization requests to service providers and receiving codes that are sent to victims under various pretexts.
The device code phishing technique was first documented in 2020, but malicious exploitation was recorded a few years later. Researchers have observed a massive increase in the use of these attacks, warning that they have been widely adopted by cybercriminals. The kits and campaigns being tracked include EvilTokens, which has seen a significant surge in its use.
"At the start of March (2026), we'd observed a 15x increase in device code phishing pages detected by our research team this year, with multiple kits and campaigns being tracked — with the kit now identified as EvilTokens the most prominent," said Push Security. "That figure has now risen to 37.5x."
Device code phishing attacks work by tricking victims into entering codes on legitimate login pages, authorizing the attacker's device to access accounts through valid access and refresh tokens. This flow was designed to simplify connecting devices that do not have accessible input options, such as IoT devices, printers, streaming devices, and smart TVs.
The rise of device code phishing attacks has been attributed to the widespread adoption of cloud platforms by cybercriminals. These kits are often hosted on popular platforms like AWS S3, DigitalOcean, and GitHub Pages, making it easy for attackers to distribute their malware.
Researchers have identified several other phishing kits that are competing with EvilTokens in the market. These include VENOM, SHAREFILE, CLURE, LINKID, AUTHOV, DOCUPOLL, FLOW_TOKEN, PAPRIKA, DCSTATUS, and DOLCE. Each of these kits offers different types of attacks, including device code phishing, AI-powered malware, and pop-up-based flows.
The surge in device code phishing attacks has raised concerns among cybersecurity experts, who are warning that users need to be vigilant in protecting themselves against this type of attack. Push Security suggests that users disable the flow when not needed by setting conditional access policies on their accounts. Additionally, monitoring logs for unexpected device code authentication events, unusual IP addresses, and sessions can help prevent these types of attacks.
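The log monitoring described above can be sketched as a small triage script. This is an added example, not code from Push Security or the original article; the log schema (`protocol`, `user`, `ip`), the allow-list of device-flow accounts, and the known network range are all assumptions to be mapped onto your identity provider's sign-in logs.

```python
import ipaddress
import json

# Constructed sample sign-in events, one JSON object per line (not real logs).
# Field names ("protocol", "user", "ip") are assumptions for this example.
SAMPLE_LOG = """\
{"time":"2026-04-01T09:02:11Z","user":"alice@example.com","protocol":"password","ip":"198.51.100.10"}
{"time":"2026-04-01T09:05:40Z","user":"tv-kiosk@example.com","protocol":"deviceCode","ip":"198.51.100.23"}
{"time":"2026-04-01T09:17:03Z","user":"alice@example.com","protocol":"deviceCode","ip":"203.0.113.77"}
{"time":"2026-04-01T09:30:00Z","user":"bob@example.com","protocol":"deviceCode","ip":"198.51.100.45"}
"""

# Assumed allow-lists: accounts tied to input-constrained devices that
# legitimately use the flow, and the organisation's known egress ranges.
DEVICE_FLOW_ACCOUNTS = {"tv-kiosk@example.com"}
KNOWN_NETWORKS = [ipaddress.ip_network("198.51.100.0/24")]

def ip_is_known(ip):
    """True if the source address falls inside a known network."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # missing or malformed address counts as unusual
    return any(addr in net for net in KNOWN_NETWORKS)

def triage(log_text):
    """Return one finding per device code sign-in that needs review."""
    findings = []
    for line in log_text.splitlines():
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip blank or truncated lines
        if not isinstance(event, dict) or event.get("protocol") != "deviceCode":
            continue
        reasons = []
        if event.get("user") not in DEVICE_FLOW_ACCOUNTS:
            reasons.append("account not expected to use device code flow")
        if not ip_is_known(event.get("ip")):
            reasons.append("source IP outside known networks")
        if reasons:
            findings.append({"time": event.get("time"), "user": event.get("user"),
                             "ip": event.get("ip"), "reasons": reasons,
                             "severity": "high" if len(reasons) == 2 else "medium"})
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

On the constructed sample, the kiosk account signing in from a known network is left alone, while the two user accounts that completed a device code sign-in are flagged, the one from an unknown address at higher severity.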
The rise of device code phishing attacks highlights the evolving nature of cyber threats. As cloud platforms continue to grow in popularity, attackers are finding new ways to exploit them for malicious purposes. It is essential for users to stay informed about the latest threats and take steps to protect themselves against them.
Published: Sat Apr 4 10:13:34 2026 by llama3.2 3B Q4_K_M