Device Code Phishing: 37x Spike, 18 Kits, Every Major PhaaS Platform Shipping It — The MFA Bypass That Survives Password Resets Is Now a Criminal Commodity
Sources: Push Security primary research (Luke Jennings, VP R&D) · Proofpoint Threat Research Team (Selena Larson, Jake Gionet, Sarah Sabotka) · Bleeping Computer · Guardz · Sekoia · Microsoft Security Blog · TechJack Solutions Intel · Proofpoint · FBI Advisory (Kali365) · Arctic Wolf | Detection spike: 37.5x year-over-year (Push Security) | Kits in circulation: 18+ identified | Primary target: Microsoft 365, Entra ID, Teams, SharePoint | MFA bypass: All legacy MFA methods — TOTP, push, SMS — remain bypassable | Most prevalent kit: EvilTokens (launched Feb 2026, AI-generated, Telegram-distributed) | Previously associated with: Russian state-linked campaigns (Storm-2372) — now fully criminal commodity
18 months ago it was a Russian espionage technique. Today it’s in 18 kits and your Conditional Access policy doesn’t block it by default.
At the start of 2026, device code phishing was a niche technique documented primarily in the context of Russian state-linked threat actors — Storm-2372 and related clusters — conducting targeted espionage operations against strategic intelligence targets. It required technical sophistication to execute, had minimal tooling available, and was rarely seen in criminal campaigns. Eighteen months later, the picture looks entirely different.
Push Security’s research team, which has been tracking device code phishing since its emergence in their telemetry data, published an updated analysis on June 25 reporting a 37.5x increase in device code phishing page detections compared to the same period last year. At least 18 distinct kits are now in circulation. Every major adversary-in-the-middle (AiTM) phishing-as-a-service platform has added device code phishing capabilities. The FBI issued an advisory on Kali365, one of the PhaaS platforms now offering device code attacks at commodity pricing. And the technique’s most prominent kit, EvilTokens, was built using AI “vibe coding” techniques, advertised on Telegram in February 2026, and has since been cloned and forked so many times that Proofpoint researchers observed approximately seven unique variants that looked nearly identical in a single 10-day window in April 2026.
The reason this matters in a way that ordinary phishing statistics do not is what device code phishing does that standard credential phishing cannot: it bypasses every legacy MFA method — TOTP authenticator apps, push notifications, SMS codes, phone call verification — and delivers OAuth access tokens that survive password resets and credential rotation. An organization that has achieved 100% MFA enrollment and believes it is protected from credential phishing is not protected from device code phishing. The token issued to the attacker remains valid regardless of what the victim or their IT team does to the underlying password or MFA configuration.
| Field | Detail |
|---|---|
| Detection spike | 37.5x year-over-year (Push Security — updated June 25, 2026) |
| Kits in active circulation | 18+ identified (Push Security) — up from 0 documented criminal kits in early 2025 |
| Primary target platforms | Microsoft 365 · Entra ID · Teams · SharePoint · OneDrive |
| MFA methods bypassed | All legacy MFA: TOTP, push notifications, SMS, phone call |
| MFA methods NOT bypassed | FIDO2/passkeys · Certificate-based authentication (phishing-resistant only) |
| Stolen artifact | OAuth access token + refresh token — survives password resets, credential rotation |
| Most prevalent kit | EvilTokens — launched Feb 2026, AI vibe-coded, Telegram-distributed, AI-powered post-compromise BEC automation |
| Other major kits | VENOM (AiTM + device code) · Tycoon2FA (added device code post-Feb disruption) · ODx/FlowerStorm/Storm-1167 · Kali365 (FBI advisory) · Bluekit · SHAREFILE |
| Price point (EvilTokens) | Comparable to commodity AiTM kits — widely accessible to low-skilled operators |
| Previous threat actor profile | Russian state-linked — Storm-2372, Midnight Blizzard — espionage operations only |
| Current threat actor profile | Fully criminal commodity — any operator with a Telegram account and kit subscription |
| Notable criminal campaigns | Scattered Lapsus$ Hunters Salesforce campaign — 1000+ organizations compromised, 1.5B records claimed |
| PhaaS market share | 85–90% of high-volume phishing campaigns now rely on PhaaS infrastructure (Guardz) |
| AI integration | EvilTokens uses LLMs to generate personalized follow-up BEC emails and perform mailbox triage post-compromise |
| Conditional Access blocks it by default | No — device code flow is a legitimate OAuth 2.0 protocol; must be explicitly blocked |
What device code phishing is — and why it defeats MFA entirely
Device code phishing abuses the OAuth 2.0 Device Authorization Grant flow — a legitimate authentication mechanism designed for devices that cannot display a full browser interface, such as smart TVs, gaming consoles, and IoT devices. In the legitimate flow, a device displays a short code and a URL, the user visits the URL on another device (typically their phone or laptop), enters the code, and authenticates. The original device then receives an OAuth access token.
In the attack flow, the attacker initiates the device code request themselves rather than on behalf of a device. They receive the device code and the authentication URL from Microsoft (or whatever identity provider is targeted). They then send that code and URL to the victim under a social engineering pretext — an email claiming the victim needs to authorize a shared document, verify their account, or log in to a collaboration tool. The victim visits the legitimate Microsoft login page (not a fake phishing site), authenticates normally, completes their MFA challenge, and enters the device code. They have just authenticated the attacker’s session. The attacker now holds a valid OAuth access token and refresh token for the victim’s account.
Three specific characteristics make this attack class fundamentally different from standard credential phishing:
- MFA is completed by the victim against a legitimate Microsoft page. There is no fake login page for anti-phishing filters to detect. The victim genuinely authenticates to Microsoft and genuinely completes their MFA challenge. The attack succeeds because of where the resulting token goes — to the attacker — not because MFA was circumvented in the traditional sense.
- The stolen token survives password resets and MFA reconfiguration. Once the attacker has a valid refresh token, changing the victim’s password does not invalidate it. Resetting MFA does not invalidate it. The organization’s standard incident response playbook — reset credentials, force re-authentication — does not revoke attacker access. The token must be explicitly revoked through Microsoft Entra ID’s token revocation capabilities.
- The device code expires in 15 minutes, creating urgency. Attackers typically send messages with a deadline framing — “your access will expire,” “verify within 15 minutes” — that maps exactly to the legitimate 15-minute window. This urgency is built into the protocol itself, making it a natural social engineering amplifier.
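The trace this flow leaves in the tenant's own sign-in logs is the practical detection hook: the event is recorded as a device-code protocol sign-in, so its user agent, source IP and location can be compared against the inventory of devices that legitimately use the grant. The following Python is an added example (not code from the article or from the cited researchers); it assumes Entra ID sign-in records exported in the Microsoft Graph signIn shape, with `authenticationProtocol` equal to `"deviceCode"` marking the grant (an assumption about field naming), and the allow-lists and log records in it are constructed.

```python
"""Flag device-code sign-ins that look attacker-initiated.
Added example (not the article's or the cited researchers' code). Assumes
Entra ID sign-in records exported in the Microsoft Graph signIn shape, with
authenticationProtocol == "deviceCode" marking the Device Authorization
Grant (an assumption about field naming); allow-lists and records below
are constructed."""
import ipaddress
import json

# Constructed inventory of where legitimate device-code sign-ins originate:
# managed room-system/kiosk networks, their user-agent prefixes, and the
# countries the organisation operates in. Replace with your own data.
MANAGED_NETS = [ipaddress.ip_network("203.0.113.0/24")]
MANAGED_UA_PREFIXES = ("TeamsRoom/", "KioskAgent/")
EXPECTED_COUNTRIES = {"GB", "DE"}
BROWSER_MARKERS = ("Mozilla/", "Chrome/", "Safari/", "Firefox/", "Edg/")

def classify(record: dict) -> list[str]:
    """Reasons a device-code sign-in is suspicious ([] if benign or not device code)."""
    if record.get("authenticationProtocol") != "deviceCode":
        return []  # ordinary browser/OAuth sign-ins are out of scope here
    reasons = []
    ua = record.get("userAgent", "")
    if any(marker in ua for marker in BROWSER_MARKERS):
        # Managed room systems and kiosks are the only expected device-code
        # clients; a desktop browser user agent on this event is the signal.
        reasons.append("browser user agent on device-code flow")
    elif not ua.startswith(MANAGED_UA_PREFIXES):
        reasons.append("user agent not in managed-device inventory")
    try:
        ip = ipaddress.ip_address(record.get("ipAddress", ""))
        if not any(ip in net for net in MANAGED_NETS):
            reasons.append("source IP outside managed networks")
    except ValueError:
        reasons.append("unparseable source IP")
    country = (record.get("location") or {}).get("countryOrRegion")
    if country not in EXPECTED_COUNTRIES:
        reasons.append(f"sign-in from unexpected country {country}")
    return reasons

def scan(jsonl: str) -> list[tuple[str, list[str]]]:
    """Parse JSON-lines sign-in records; return (user, reasons) per flagged record."""
    flagged = []
    for line in jsonl.splitlines():
        if line.strip():
            record = json.loads(line)
            reasons = classify(record)
            if reasons:
                flagged.append((record.get("userPrincipalName", "?"), reasons))
    return flagged

# Constructed sample records (not real telemetry): a managed room system, a
# device-code grant from a browser off-network, and an ordinary browser sign-in.
SAMPLE_LOG = "\n".join([
    '{"userPrincipalName": "room-4b@example.com", "authenticationProtocol": "deviceCode", "userAgent": "TeamsRoom/4.20", "ipAddress": "203.0.113.17", "location": {"countryOrRegion": "GB"}}',
    '{"userPrincipalName": "a.user@example.com", "authenticationProtocol": "deviceCode", "userAgent": "Mozilla/5.0 (Windows NT 10.0) Chrome/124.0", "ipAddress": "198.51.100.7", "location": {"countryOrRegion": "US"}}',
    '{"userPrincipalName": "a.user@example.com", "authenticationProtocol": "oAuth2", "userAgent": "Mozilla/5.0 (Windows NT 10.0) Chrome/124.0", "ipAddress": "198.51.100.7", "location": {"countryOrRegion": "US"}}',
])
```

Running `scan(SAMPLE_LOG)` flags only the second record, with all three reasons; the room system and the ordinary browser sign-in pass.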
EvilTokens and the commoditization engine
EvilTokens is the kit most directly responsible for the commoditization of device code phishing and the 37.5x detection spike. Launched in February 2026 via a Telegram channel advertisement, EvilTokens provides a complete device code phishing platform to criminal operators at commodity pricing — comparable to the subscription costs of established AiTM kits like Tycoon2FA.
EvilTokens has several characteristics that distinguish it from earlier, cruder device code phishing implementations:
- AI-generated and AI-maintained. Proofpoint assesses EvilTokens was created and is maintained using AI “vibe coding” generation techniques — an AI model was used to generate the attack infrastructure code. This has two implications: the barrier to creating new kits has collapsed (anyone with access to an LLM can generate functionally similar code), and the proliferation of near-identical but technically distinct variants makes attribution and takedown more complex.
- Anti-bot protection. EvilTokens uses multiple redirects through trusted sites before serving the malicious device code entry page, combined with bot-detection logic that blocks security tooling from analyzing the page. Standard anti-phishing crawlers cannot reach the malicious payload — the anti-bot layer serves benign content to scanners.
- Pop-up window UX. Rather than redirecting victims to a separate page for device code entry, EvilTokens uses a pop-up window overlay. This reduces friction, looks convincing, and increases conversion rates — a PhaaS design optimization borrowed directly from the consumer SaaS industry.
- Automated post-compromise BEC. EvilTokens integrates an LLM (including uncensored Llama-based models) that generates personalized follow-up emails to the victim’s contacts and performs automated mailbox triage to identify high-value BEC fraud targets. The kit doesn’t just steal the token — it automates the monetization pipeline.
- Portal Browser. EvilTokens affiliates can pay for a “Portal Browser” module that enables centralized management of multiple compromised Microsoft 365 accounts simultaneously — a full account management dashboard for compromised identities.
The EvilTokens ecosystem has already spawned extensive imitation. Guardz’s analysis notes that in one 10-day window in April 2026, researchers observed approximately seven unique variants that looked nearly identical to EvilTokens but used different API endpoints and HTML headers. Whether these are independent forks, AI-generated derivatives, or licensed resells is unclear — but the proliferation pattern mirrors every previous PhaaS maturation cycle, where a dominant kit spawns a derivative ecosystem that survives takedowns of the original.
The major kits and campaigns active today
Storm-2372 — The Russian state-linked origin campaign
The technique’s mainstream visibility traces to Storm-2372, tracked by Microsoft and Volexity as a Russian state-linked cluster that combined spear-phishing and social engineering with device code phishing payloads against strategic intelligence targets. Storm-2372 was the demonstration that device code phishing worked at operational scale against hardened targets — its success is precisely what drove criminal operators to adopt the technique.
Scattered Lapsus$ Hunters — 1,000+ Organizations, 1.5 Billion Records
The largest confirmed criminal device code phishing campaign to date combined vishing (voice phishing) with a device code phishing payload targeting Salesforce. The campaign morphed into a broader supply chain compromise using stolen credentials, ultimately resulting in more than 1,000 organizations compromised and over 1.5 billion stolen records claimed by the operators.
Tycoon2FA — AiTM market leader adds device code
Following a major law enforcement disruption of its AiTM infrastructure in February 2026, Tycoon2FA’s operator began selling device code phishing as part of its platform offerings. Proofpoint notes that Tycoon2FA’s device code landing page looks visually similar to EvilTokens — suggesting either shared tooling, copied code, or parallel AI generation from similar prompts. Tycoon2FA had previously reached over 500,000 organizations monthly before the disruption — its pivot to device code phishing represents the technique gaining the distribution channel of the previously dominant AiTM platform.
Kali365 — FBI Advisory, Microsoft 365 Focus
The FBI issued a public service announcement in June 2026 warning about Kali365, a PhaaS platform specifically targeting Microsoft 365 accounts via OAuth device code authentication abuse to steal session tokens and bypass MFA. The FBI advisory’s publication is itself a signal of operational scale — FBI PSAs are issued when a platform has reached the activity level that warrants broad defender awareness.
ODx / FlowerStorm / Storm-1167 — Device Code Added to Established AiTM
ODx, one of the most popular AiTM kits currently in operation (tracked as FlowerStorm and Storm-1167), has added device code phishing to its existing AiTM capabilities. This pattern — established AiTM platforms adding device code as a feature — is what Push Security’s Luke Jennings describes as “every PhaaS vendor in the AiTM space” adopting the technique. It is no longer a niche capability in a specialized kit. It is a standard feature in every major criminal authentication-attack platform.
Why your current defenses are insufficient — and what actually works
What doesn’t work against device code phishing
- Authenticator app (TOTP) — does not help. The victim completes TOTP as part of their normal authentication to Microsoft. The attack succeeds anyway because MFA completion is what issues the token the attacker captures.
- Microsoft Authenticator push notifications — does not help. Same reason — the victim approves the push notification during a legitimate Microsoft auth session.
- SMS MFA — does not help. Same.
- Password reset after compromise — does not revoke attacker access. The stolen refresh token remains valid. Explicitly revoke all tokens via Microsoft Entra ID’s `Revoke-AzureADUserAllRefreshToken` command or the Entra portal.
- Anti-phishing email filters — partially effective. EvilTokens and similar kits use anti-bot protection and redirects through trusted domains (SharePoint and OneDrive links) to avoid URL reputation filtering. The device code entry URL is the legitimate `microsoft.com/devicelogin` — flagging that as malicious produces false positives.
- Security awareness training — insufficient alone. Victims are completing a genuine Microsoft authentication flow on a genuine Microsoft URL. The attack specifically avoids the visual indicators of phishing that training teaches users to recognize.
What actually works
- Block device code authentication flow entirely via Conditional Access. If your organization does not use shared devices (smart TVs, kiosks, printers, IoT) that require device code auth, create a Conditional Access policy that blocks the device code grant type. This eliminates the attack surface completely.
  Conditional Access → New Policy → Users: All → Cloud apps: All → Conditions: Authentication flows → Device code flow: Block
- If device code auth is operationally required, restrict it to Compliant Devices only. Require that device code authentication only succeeds from Intune-managed, compliant devices. This blocks attacker-initiated device code requests from unmanaged sessions.
- Migrate to phishing-resistant MFA. FIDO2 security keys and passkeys, and certificate-based authentication (CBA), are genuinely resistant to device code phishing because the authentication is bound to the specific origin — a device code phishing flow on a different origin cannot complete FIDO2 authentication. TOTP and push are not phishing-resistant. They are phishing-better-than-nothing.
- Set short token lifetimes and aggressive refresh token revocation. Reduce access token lifetime and refresh token lifetime in Entra ID to limit the window an attacker holds a stolen token. Configure Continuous Access Evaluation (CAE) so that token revocation propagates in near-real-time.
- Monitor for device code authentication events from unexpected user agents and locations. Legitimate device code flow comes from known managed device user agents. A device code auth event from a browser user agent, a residential IP, or a geographic location inconsistent with the user is a signal worth alerting on.
- Revoke all tokens on any suspected device code compromise. Password reset alone is not remediation. Use `Revoke-MgUserSignInSession` (Microsoft Graph PowerShell) or the Entra portal to revoke all active sessions and tokens for a compromised user.
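The two Conditional Access options above (block the flow outright, or allow it only from compliant devices) are easy to get subtly wrong: a report-only policy or an excluded group leaves the grant usable. As an added example, not the article's or Microsoft's code, the following Python audits exported policies for one that actually covers the device code flow for every user and app, and builds the body of the blocking policy that the portal steps above describe; it assumes the Microsoft Graph conditionalAccessPolicy shape, where the flow is selected through `conditions.authenticationFlows.transferMethods` containing `"deviceCodeFlow"` (an assumption about the API's property names), and the weak policy in it is constructed.

```python
"""Audit Entra Conditional Access policies for device code flow coverage.
Added example (not the article's or Microsoft's code). Assumes the Graph
conditionalAccessPolicy shape, where the device code grant is selected by
conditions.authenticationFlows.transferMethods containing "deviceCodeFlow"
(an assumption about the API's property names)."""

def _flows(policy: dict) -> set[str]:
    """Authentication flows a policy targets (comma-separated string in Graph)."""
    flows = (policy.get("conditions") or {}).get("authenticationFlows") or {}
    return {m.strip() for m in (flows.get("transferMethods") or "").split(",") if m.strip()}

def covers_device_code(policy: dict) -> tuple[bool, list[str]]:
    """Return (blocks or restricts the flow for everyone?, weaknesses found)."""
    if "deviceCodeFlow" not in _flows(policy):
        return False, ["does not target the device code flow"]
    weak = []
    if policy.get("state") != "enabled":
        weak.append(f"state is {policy.get('state')!r}: report-only never blocks")
    cond = policy.get("conditions") or {}
    users = cond.get("users") or {}
    if users.get("includeUsers") != ["All"]:
        weak.append("not scoped to all users")
    for key in ("excludeUsers", "excludeGroups", "excludeRoles"):
        if users.get(key):
            weak.append(f"{key} present: excluded accounts can still use the flow")
    if (cond.get("applications") or {}).get("includeApplications") != ["All"]:
        weak.append("not scoped to all cloud apps")
    controls = (policy.get("grantControls") or {}).get("builtInControls") or []
    # "block" is the article's first option; "compliantDevice" is its fallback.
    if not {"block", "compliantDevice"} & set(controls):
        weak.append("grant control neither blocks nor requires a compliant device")
    return not weak, weak

def recommended_policy(display_name: str = "Block device code flow") -> dict:
    """Body of the blocking policy described in the article's portal steps."""
    return {
        "displayName": display_name,
        "state": "enabled",
        "conditions": {
            "users": {"includeUsers": ["All"]},
            "applications": {"includeApplications": ["All"]},
            "authenticationFlows": {"transferMethods": "deviceCodeFlow"},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }

# Constructed policy that looks right but does not protect: report-only,
# with a group excluded (placeholder id, not a real object id).
WEAK_POLICY = {
    "displayName": "Device code - report only",
    "state": "enabledForReportingButNotEnforced",
    "conditions": {
        "users": {"includeUsers": ["All"], "excludeGroups": ["<placeholder-group-id>"]},
        "applications": {"includeApplications": ["All"]},
        "authenticationFlows": {"transferMethods": "deviceCodeFlow"},
    },
    "grantControls": {"operator": "OR", "builtInControls": ["block"]},
}
```

`covers_device_code(WEAK_POLICY)` reports both weaknesses, while `covers_device_code(recommended_policy())` returns a clean result; run the check over every policy in the tenant and require at least one clean hit.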
The structural shift: PhaaS is now the attack industry’s primary delivery mechanism
Device code phishing’s 37.5x growth is not an isolated event. It is one data point in a broader structural transformation of the criminal threat landscape that Guardz’s research describes as “PhaaS democratization” — the same transition that happened in ransomware when RaaS emerged, now happening to phishing and identity attacks simultaneously.
Guardz documents that 85–90% of high-volume phishing campaigns now rely on PhaaS infrastructure. The PhaaS market has matured to the point where specialist roles mirror legitimate software companies: core platform developers build and maintain the kit, affiliates and resellers distribute it, access brokers monetize the stolen credentials, and campaign operators run the actual attack flows. Each role specializes in its phase of the kill chain. The result is a criminal supply chain that can iterate faster than most enterprise security vendors respond, at cost structures that allow low-skilled operators to execute what were previously APT-grade attacks.
The specific acceleration vector for device code phishing within this ecosystem is AI-assisted kit development. EvilTokens was built with AI tools. Its derivatives were built with AI tools. In one 10-day window, seven nearly-identical variants appeared. The friction of creating a new phishing kit — previously weeks of development work by a skilled developer — has collapsed to hours of AI-assisted iteration. This is the same dynamic DataWater has documented in the vulnerability research context with Squidbleed, the FFmpeg AI zero-day discovery, and the White House AI EO: AI is simultaneously accelerating both offensive and defensive capability, and the offensive adoption curve is currently running ahead of the defensive one.
Sources and further reading
- Push Security — Device Code Phishing in 2026: 18 Kits, 37x Detections (Primary Research, Luke Jennings VP R&D)
- Proofpoint — Device Code Phishing is an Evolution in Identity Takeover (Selena Larson, Jake Gionet, Sarah Sabotka)
- Bleeping Computer — Device Code Phishing Attacks Surge 37x as New Kits Spread Online
- Guardz — PhaaS Democratization Empowers Mass Cloud Compromise
- Microsoft Security Blog — Inside Tycoon2FA: How a Leading AiTM Phishing Kit Operated at Scale
- FBI — Public Service Announcement: Kali365 PhaaS Platform Targeting Microsoft 365 via Device Code Auth
DataWater publishes daily cybersecurity intelligence for enterprise and government security leaders. Article #35 — June 29, 2026.
