Device code phishing attacks abusing the OAuth 2.0 Device Authorization Grant have surged over 37x this year, enabling attackers to obtain valid access and refresh tokens by tricking victims into entering device codes on legitimate login pages. Phishing-as-a-service kits—most notably EvilTokens—have democratized the technique with realistic SaaS-themed lures and cloud-hosted infrastructure, prompting recommendations to disable the flow when not needed and to monitor logs for unusual device code events. #EvilTokens #Microsoft365
Key points
- Attackers abuse the OAuth 2.0 Device Authorization Grant to hijack accounts via device codes.
- Threat actors request a device code from a service, then trick victims into entering that code.
- Entering the code on a legitimate page issues access and refresh tokens that grant persistent access.
- EvilTokens and at least 10 other phishing kits use SaaS-themed lures, anti-bot measures, and cloud hosting to scale attacks.
- Mitigations include disabling the device code flow where it is not needed (for example through a conditional access policy) and monitoring sign-in logs for unexpected device code events and source IPs.
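The log-monitoring recommendation above, as an added example that is not part of the original summary: a small Python script that builds, per user, the set of source IPs seen on their normal (non-device-code) sign-ins and then flags successful device code sign-ins from an address that is neither in that baseline nor inside an assumed trusted corporate range. The record layout (`authenticationProtocol`, `ipAddress`, `userPrincipalName`, `status.errorCode`) follows the general shape of Microsoft Entra sign-in log JSON, but every record, address and the `TRUSTED_NETWORKS` range below is constructed for this example.

```python
"""Flag device code sign-ins that do not match a user's normal sign-in sources.

Added example; not code from the original summary. Record fields are modelled on the
shape of Entra ID sign-in log JSON, but all records below are constructed sample data.
"""
from ipaddress import ip_address, ip_network

# Constructed sample sign-in records (not real log data; RFC 5737 documentation addresses).
SAMPLE_SIGNIN_LOGS = [
    # alice normally signs in interactively from one address...
    {"createdDateTime": "2025-03-04T08:05:00Z", "userPrincipalName": "alice@example.test",
     "authenticationProtocol": "authorizationCode", "ipAddress": "203.0.113.10",
     "appDisplayName": "Office 365 Exchange Online", "status": {"errorCode": 0}},
    # ...then a device code sign-in for alice succeeds from an address she has never used.
    {"createdDateTime": "2025-03-04T09:12:01Z", "userPrincipalName": "alice@example.test",
     "authenticationProtocol": "deviceCode", "ipAddress": "198.51.100.77",
     "appDisplayName": "Microsoft Authentication Broker", "status": {"errorCode": 0}},
    # bob completes a device code sign-in from inside the corporate range (expected: shared device).
    {"createdDateTime": "2025-03-04T10:00:00Z", "userPrincipalName": "bob@example.test",
     "authenticationProtocol": "deviceCode", "ipAddress": "10.20.30.40",
     "appDisplayName": "Microsoft Teams Rooms", "status": {"errorCode": 0}},
    # carol uses device code from the same address as her usual sign-ins.
    {"createdDateTime": "2025-03-04T10:30:00Z", "userPrincipalName": "carol@example.test",
     "authenticationProtocol": "authorizationCode", "ipAddress": "203.0.113.55",
     "appDisplayName": "Office 365 SharePoint Online", "status": {"errorCode": 0}},
    {"createdDateTime": "2025-03-04T11:00:00Z", "userPrincipalName": "carol@example.test",
     "authenticationProtocol": "deviceCode", "ipAddress": "203.0.113.55",
     "appDisplayName": "Microsoft Office", "status": {"errorCode": 0}},
    # a failed device code attempt for dave (placeholder non-zero error code).
    {"createdDateTime": "2025-03-04T11:45:00Z", "userPrincipalName": "dave@example.test",
     "authenticationProtocol": "deviceCode", "ipAddress": "198.51.100.90",
     "appDisplayName": "Microsoft Authentication Broker", "status": {"errorCode": 99999}},
]

# Assumed corporate range where device code sign-ins from shared devices are expected.
TRUSTED_NETWORKS = [ip_network("10.0.0.0/8")]


def is_success(record):
    """A sign-in succeeded when its status errorCode is zero."""
    return record.get("status", {}).get("errorCode", 0) == 0


def build_ip_baseline(records):
    """Map each user to the set of source IPs seen on successful non-device-code sign-ins."""
    baseline = {}
    for r in records:
        if is_success(r) and r["authenticationProtocol"] != "deviceCode":
            baseline.setdefault(r["userPrincipalName"], set()).add(r["ipAddress"])
    return baseline


def find_suspicious_device_code_signins(records, trusted_networks=TRUSTED_NETWORKS):
    """Return successful device code sign-ins whose source IP is neither in the user's
    baseline nor inside a trusted network. A device code sign-in from an address the
    user has never signed in from is the "unexpected device code event" worth triaging."""
    baseline = build_ip_baseline(records)
    hits = []
    for r in records:
        if r["authenticationProtocol"] != "deviceCode" or not is_success(r):
            continue
        ip = r["ipAddress"]
        if ip in baseline.get(r["userPrincipalName"], set()):
            continue
        if any(ip_address(ip) in net for net in trusted_networks):
            continue
        hits.append(r)
    return hits


def device_code_users(records):
    """Users with any device code attempt, successful or not: a quick inventory of who
    actually relies on the flow before deciding whether it can be disabled."""
    return sorted({r["userPrincipalName"] for r in records
                   if r["authenticationProtocol"] == "deviceCode"})


if __name__ == "__main__":
    for hit in find_suspicious_device_code_signins(SAMPLE_SIGNIN_LOGS):
        print(f"{hit['createdDateTime']} {hit['userPrincipalName']} device code sign-in "
              f"from {hit['ipAddress']} via {hit['appDisplayName']} (unbaselined source)")
    print("users seen using device code:", ", ".join(device_code_users(SAMPLE_SIGNIN_LOGS)))
```

On real data the baseline would be built from a longer lookback window than the device code events being checked, and the trusted ranges from the organisation's own egress addresses; the structure of the check stays the same.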