Device Code Phishing Threats in Microsoft 365: ASD Warns (2026)

Cybersecurity threats evolve quickly, and the latest warning from the Australian Signals Directorate (ASD) is a reminder of that. The ASD's advisory covers device code phishing against Microsoft 365 users, a tactic that is technically simple yet increasingly prevalent. Its danger lies in where the victim authenticates: on Microsoft's genuine sign-in page rather than on a lookalike, so the usual habit of checking the URL gives no warning. That makes it a development that demands attention and proactive mitigation.

The Rise of Device Code Phishing

Device code phishing abuses the OAuth 2.0 device authorization grant, the flow built for input-constrained clients such as smart TVs and command-line tools. The attacker starts the flow with the identity provider and receives a short user code; the victim is tricked into entering that code and signing in on the provider's real verification page, which authorises the attacker's pending session. The attacker then collects the access and refresh tokens from the token endpoint without ever handling the victim's password or MFA response. What makes this particularly concerning is how the technique has spread over the past few years. Used by red teams and some threat actors since 2020, it has now become a common tool in the criminal toolkit, thanks in part to the public release of offensive tooling and the rise of phishing-as-a-service (PhaaS) offerings.

The availability of these toolkits and services has lowered the bar, allowing even actors with little technical skill to launch attacks that once required custom tooling. Personally, I find it alarming how AI-generated code or prompts are being used to produce near-identical attack flows, blurring the line between sophisticated and amateur cyberattacks.

Targeting Microsoft and Beyond

While Microsoft accounts are the primary target, Google-themed campaigns are also on the rise, albeit at lower volumes. A less obvious risk is "account takeover jumping": once an account is compromised, it is used to send the same lure to the victim's contacts, who are more likely to trust a message from a known sender. Each success seeds the next, so a single breach can spread well beyond the first victim.

The initial lures arrive by email in various formats, including QR codes, and are designed to get the recipient to start the device authorization process. A device code is only valid for a short time (15 minutes for Microsoft Entra ID), so a code embedded directly in an email would usually have expired by the time it was read. The key innovation behind these campaigns is on-demand code generation: the lure points to attacker infrastructure that requests a fresh code when the victim clicks, so the recipient can start the flow at their convenience and the attacker's polling succeeds, increasing the likelihood of compromise.
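To make the flow described above concrete, here is a simulation of the OAuth 2.0 device authorization grant (RFC 8628) as it is abused in device code phishing, covering both the protocol exchange and the code-expiry problem that on-demand generation solves. This is an added example, not code from the ASD advisory or from Proofpoint: the authorization server, the attacker and the victim all run inside one process, nothing contacts a real Microsoft endpoint, and every client ID, account name and token below is a fabricated placeholder. The endpoint names, the 15-minute code lifetime and the 5-second poll interval mirror the Entra ID v2.0 device code endpoints.

```python
"""Added example: simulated device authorization grant as abused by device code
phishing. Server, attacker and victim are all in-process; nothing is real."""
import secrets
import string

CODE_LIFETIME = 900      # seconds; Entra device codes are valid for 15 minutes
POLL_INTERVAL = 5        # seconds a client must wait between token polls
USER_CODE_CHARS = string.ascii_uppercase + string.digits
ATTACKER_CLIENT_ID = "client-id-placeholder"   # placeholder; real campaigns use a known public client
VICTIM = "victim@contoso.example"              # constructed account name


class FakeClock:
    """Deterministic clock so the example can show code expiry without sleeping."""

    def __init__(self):
        self.now = 0

    def advance(self, seconds):
        self.now += seconds


class AuthorizationServer:
    """Just enough of RFC 8628: /devicecode, the user-facing /devicelogin page, /token."""

    def __init__(self, clock):
        self.clock = clock
        self._grants = {}    # device_code -> pending grant

    def devicecode(self, client_id, scope):
        """POST /oauth2/v2.0/devicecode: called by the client, i.e. by the attacker."""
        device_code = secrets.token_urlsafe(32)
        self._grants[device_code] = {
            "client_id": client_id,
            "scope": scope,
            "user_code": "".join(secrets.choice(USER_CODE_CHARS) for _ in range(9)),
            "expires_at": self.clock.now + CODE_LIFETIME,
            "authorized_for": None,   # set when a signed-in user enters the code
        }
        return {
            "device_code": device_code,
            "user_code": self._grants[device_code]["user_code"],
            "verification_uri": "https://microsoft.com/devicelogin",
            "expires_in": CODE_LIFETIME,
            "interval": POLL_INTERVAL,
        }

    def devicelogin(self, user_code, signed_in_user):
        """The genuine verification page. URL and sign-in are legitimate; the only
        attacker-supplied input is the user_code the victim types in."""
        for grant in self._grants.values():
            if grant["user_code"] == user_code and self.clock.now < grant["expires_at"]:
                grant["authorized_for"] = signed_in_user
                return {"status": "approved", "app": grant["client_id"]}
        return {"status": "invalid_or_expired_code"}

    def token(self, client_id, device_code):
        """POST /oauth2/v2.0/token, grant_type=urn:ietf:params:oauth:grant-type:device_code."""
        grant = self._grants.get(device_code)
        if grant is None or grant["client_id"] != client_id:
            return {"error": "invalid_grant"}
        if self.clock.now >= grant["expires_at"]:
            return {"error": "expired_token"}
        if grant["authorized_for"] is None:
            return {"error": "authorization_pending"}
        user = grant["authorized_for"]
        return {
            "token_type": "Bearer",
            "scope": grant["scope"],
            "access_token": f"fake-access-token-for-{user}",
            "refresh_token": f"fake-refresh-token-for-{user}",
        }


def run_phish(victim_delay, clock=None, server=None):
    """One attempt. victim_delay: seconds between the attacker requesting the code
    and the victim entering it on the real page. Returns each side's messages."""
    clock = clock or FakeClock()
    server = server or AuthorizationServer(clock)
    # 1. Attacker requests a code for Graph scopes, posing as a client application.
    start = server.devicecode(ATTACKER_CLIENT_ID, "openid offline_access https://graph.microsoft.com/.default")
    # 2. Lure: "Open https://microsoft.com/devicelogin and enter <user_code>". Polling starts now.
    first_poll = server.token(ATTACKER_CLIENT_ID, start["device_code"])
    # 3. Victim opens the lure after victim_delay seconds and signs in on the genuine page.
    clock.advance(victim_delay)
    page = server.devicelogin(start["user_code"], signed_in_user=VICTIM)
    # 4. Attacker's next poll returns the victim's tokens, or an error if the code expired.
    final_poll = server.token(ATTACKER_CLIENT_ID, start["device_code"])
    return {"lure_code": start["user_code"], "first_poll": first_poll,
            "victim_page": page, "final_poll": final_poll}


if __name__ == "__main__":
    quick = run_phish(victim_delay=120)
    print("victim acted within 2 min ->", quick["victim_page"], quick["final_poll"].get("refresh_token"))
    stale = run_phish(victim_delay=3600)
    print("code generated an hour earlier ->", stale["victim_page"], stale["final_poll"])
```

The second run is why lures link to attacker infrastructure instead of carrying a code: a code generated when the email was sent is dead long before most recipients open it, while a code requested at click time is fresh and the attacker's poll loop collects the refresh token moments after the victim signs in.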

The PhaaS Ecosystem

Phishing-as-a-service offerings such as EvilTokens and Tycoon have created a thriving ecosystem for device code phishing by packaging the technique for operators who could not build it themselves. EvilTokens, first advertised on Telegram in February 2026, offers landing pages themed around popular brands, giving the victim a familiar-looking starting point before the hand-off to the genuine verification page.

More concerning still, multiple kits resembling EvilTokens have been observed, which points to rapid proliferation and adaptation of these tools. Are these copies of an existing kit, or are AI tools being used to update and extend existing frameworks? Both dynamics appear to be at play, producing a complex and fast-moving threat landscape.

Shifting Tactics and Evolving Threats

Actors previously known for adversary-in-the-middle (AiTM) phishing have shifted to device code phishing, a clear indicator of how adaptable these operations are. Following infrastructure disruptions such as the Tycoon 2FA incident in February 2026, actors pivoted quickly to a technique that needs no reverse proxy in front of the login page, because the victim signs in on Microsoft's own page. Defences tuned for AiTM therefore need to be revisited as tactics change.

Mitigating the Threat

For defenders, the challenge is to get ahead of the technique rather than the individual campaign. Proofpoint recommends blocking the device code flow where possible through a Conditional Access policy, deployed first in report-only mode so that the sign-ins it would have blocked can be reviewed before enforcement. Where an outright block is not feasible because some accounts legitimately rely on the flow (command-line tools, headless hosts), allow lists can limit device code authentication to approved users, operating systems, or IP ranges, with everything else blocked.
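The following is an added example, not from the ASD advisory or Proofpoint, showing what the recommendation above looks like in practice: the Microsoft Graph request body for a Conditional Access policy that blocks the device code flow (report-only first, then enforced), and an offline check that applies the same exclusions to constructed sign-in records so you can see which sign-ins the policy would catch. Assumptions: the authenticationFlows/transferMethods condition and the signIn authenticationProtocol field as documented for Microsoft Graph, verify both against current Graph docs before use; every account, IP range and object ID below is a placeholder.

```python
"""Added example: Conditional Access body for blocking the device code flow, plus an
offline allow-list check over constructed sign-in records. All identifiers are placeholders."""
import ipaddress

BREAK_GLASS = ["00000000-0000-0000-0000-000000000000"]  # placeholder object IDs of emergency-access accounts


def device_code_block_policy(report_only=True, excluded_users=BREAK_GLASS):
    """Body for POST https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies.
    Deploy with report_only=True, review the report-only results in the sign-in logs,
    then redeploy with report_only=False."""
    return {
        "displayName": "Block device code flow",
        "state": "enabledForReportingButNotEnforced" if report_only else "enabled",
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeUsers": list(excluded_users)},
            "applications": {"includeApplications": ["All"]},
            "authenticationFlows": {"transferMethods": "deviceCodeFlow"},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }


# Exclusions for a tenant that cannot block outright. Mirrors how Conditional Access
# exclusions combine: a sign-in escapes the block if it matches ANY of them, so keep
# each list short. Named accounts are the strongest exclusion; the attacker's polling
# client chooses its own OS and can sit anywhere, so OS and IP exclusions are weaker.
ALLOW = {
    "users": {"buildbot@contoso.example"},                  # service account using a CLI on a headless host
    "operating_systems": {"Linux"},
    "ip_ranges": [ipaddress.ip_network("203.0.113.0/24")],  # corporate egress, TEST-NET-3 placeholder
}


def exempt(rec, allow=ALLOW):
    """True if the sign-in record matches any configured exclusion."""
    ip = ipaddress.ip_address(rec["ipAddress"])
    return (rec["userPrincipalName"].lower() in allow["users"]
            or rec.get("deviceDetail", {}).get("operatingSystem") in allow["operating_systems"]
            or any(ip in net for net in allow["ip_ranges"]))


def would_be_blocked(records, allow=ALLOW):
    """Device code sign-ins outside the exclusions: what report-only mode surfaces and
    what the enforced policy stops. Any entry for an end user who ran no CLI that day
    is a device code phishing lead."""
    return [r for r in records
            if r.get("authenticationProtocol") == "deviceCode" and not exempt(r, allow)]


# Constructed sign-in records using the field names of Graph /auditLogs/signIns.
SAMPLE_SIGNINS = [
    {"userPrincipalName": "buildbot@contoso.example", "ipAddress": "203.0.113.40",
     "authenticationProtocol": "deviceCode", "appDisplayName": "Microsoft Azure CLI",
     "deviceDetail": {"operatingSystem": "Linux"}},
    {"userPrincipalName": "alice@contoso.example", "ipAddress": "198.51.100.77",
     "authenticationProtocol": "deviceCode", "appDisplayName": "Microsoft Office",
     "deviceDetail": {"operatingSystem": "Windows 10"}},
    {"userPrincipalName": "alice@contoso.example", "ipAddress": "203.0.113.12",
     "authenticationProtocol": "authorizationCode", "appDisplayName": "Office 365 Exchange Online",
     "deviceDetail": {"operatingSystem": "Windows 10"}},
]

if __name__ == "__main__":
    import json
    print(json.dumps(device_code_block_policy(), indent=2))
    for r in would_be_blocked(SAMPLE_SIGNINS):
        print("REVIEW:", r["userPrincipalName"], r["ipAddress"], r["appDisplayName"])
```

Only the second record is flagged: an interactive user, from an address outside corporate egress, completing a device code grant for an Office client she never launched from a console. The service account's CLI sign-in and the ordinary authorization-code sign-in pass through, which is the balance the allow-list approach is trying to strike.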

User awareness training is still needed, but the traditional guidance of checking the URL is no longer sufficient, because the victim is sent to the genuine Microsoft sign-in page. Users must instead learn the shape of the attack: an unsolicited message asking them to enter a code at a trusted portal is itself the warning sign, whatever the URL says.

Conclusion

The ASD's warning and Proofpoint's research underline the importance of staying informed and acting before a campaign lands. Device code phishing is a reminder that defences built around spotting fake login pages do not cover an attack that uses the real one. A combination of technical mitigations, above all restricting the device code flow, and user education that targets this specific pattern will be key.

Author: Jerrold Considine