Device code phishing surges across criminal toolkits

Fri, 15th May 2026
Mark Tarre, News Chief

Proofpoint has reported a sharp rise in device code phishing campaigns, saying the technique is spreading through criminal toolkits and phishing-as-a-service offerings.

The method abuses a legitimate device authorisation process to gain access to enterprise accounts, most often on Microsoft 365. Attackers send a link, document or QR code that leads the user through a flow that ends with them entering a code on Microsoft's real device login page, allowing the attacker to capture authentication tokens.

Researchers said the increase marks a shift away from older credential theft tactics as criminals look for ways around stronger defences against conventional phishing and multifactor authentication theft. Although the approach has existed for several years, it has moved from a niche tactic used by a small number of actors into a broader criminal market.

A key change has made the attacks easier to run at scale. Earlier versions relied on a pre-generated code that expired within minutes, meaning the victim had to act quickly for the attack to succeed. Newer versions generate the code only when the target clicks the phishing link, removing that limit and giving attackers a much wider window.

These attack chains are now available both as paid services and as bespoke kits operated by threat actors themselves. Among the most visible offerings is EvilTokens, which researchers described as one of the leading device code phishing services currently in circulation.

First advertised on Telegram, the service offers landing pages themed around brands including Microsoft, Adobe and DocuSign. It can generate much of the attack chain, from the lure to the hosting infrastructure, and also includes a tool called Portal Browser to help affiliates access and manage multiple compromised Microsoft 365 accounts.

Many emerging kits appear visually and technically similar to EvilTokens, with only minor differences in application programming interfaces and HTML headers, researchers said. In one 10-day period in April, they observed about seven distinct variants that looked almost identical.

That has raised questions over whether criminal groups are copying the same publicly known tools, buying access to the same service, or using generative artificial intelligence prompts to produce near-matching versions independently. Proofpoint said more than one of these may be happening at once.

Campaign shift

One actor tracked as TA4903 has moved heavily into device code phishing, according to the research. The group, previously associated with business email compromise activity and impersonation of small businesses and government bodies, began using the method in March and now appears to rely on it almost exclusively.

In one campaign, the actor posed as a human resources contact and sent salary notification emails with PDF attachments. The files contained QR codes that redirected users through Cloudflare Workers infrastructure to a filtering page, then to a fake DocuSign- and Microsoft-themed login page carrying a signing code.

If the victim entered the code into the legitimate Microsoft authentication portal, the actor's token would be validated, leading to access to the target's Microsoft 365 account. Researchers said the group's kit closely resembled EvilTokens, although the code generation service was hosted on infrastructure controlled by the attacker.

Researchers also noted poor tradecraft in some campaigns. In several cases, actors sent emails with blank bodies and relied only on attached PDFs and QR codes to push recipients into the attack chain. That suggested either careless automation or weak social engineering.

The campaigns were not confined to English-speaking targets. Proofpoint said it had seen the technique used in multiple languages against organisations around the world.

From AiTM

There is also evidence that actors behind adversary-in-the-middle phishing are moving into device code operations. After disruption to parts of its infrastructure, Tycoon 2FA began offering device code phishing as part of its service, while ODx, another popular phishing kit also tracked as Storm-1167 and FlowerStorm, has also been observed using device code functions.

In some cases, traces of earlier AiTM campaigns remain visible. Researchers found one campaign in which a PDF lure linked to a device code phishing page but still contained inactive metadata associated with Tycoon from an earlier operation. That suggests some actors are reusing old materials while shifting to the newer method.

Proofpoint compared the spread of device code phishing with the rise of ClickFix, a social engineering method that quickly moved from niche use to broad adoption across cybercrime and espionage campaigns. In both cases, researchers said, a small number of actors found an effective technique and others rapidly followed.

The attacks can lead to full account takeover, theft of sensitive information, fraud, business email compromise, lateral movement within a network and ransomware incidents. The strongest defence, Proofpoint said, is to block device code flow through conditional access policies where possible, or limit it to approved users, devices or locations.
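As an added example (not code from Proofpoint, Microsoft or the article), the conditional access control described above can be created with the Microsoft Graph PowerShell SDK; the group and named-location IDs below are placeholders, and the policy starts in report-only mode so its impact can be checked before it is enforced.

```powershell
# Added example: Entra Conditional Access policy that blocks the device code flow
# for everyone except an approved group and a trusted named location.
# Requires the Microsoft.Graph PowerShell SDK and a Conditional Access admin role.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

# Placeholders: replace with the object ID of the group allowed to use device code
# (e.g. admins enrolling headless devices) and the ID of a trusted named location.
$approvedGroupId   = "00000000-0000-0000-0000-000000000000"
$trustedLocationId = "11111111-1111-1111-1111-111111111111"

$policy = @{
    displayName = "Block device code flow"
    # Report-only first: sign-in logs show who would have been blocked, nothing is enforced yet.
    state = "enabledForReportingButNotEnforced"
    conditions = @{
        users = @{
            includeUsers  = @("All")
            excludeGroups = @($approvedGroupId)
        }
        applications = @{
            includeApplications = @("All")
        }
        locations = @{
            includeLocations = @("All")
            excludeLocations = @($trustedLocationId)
        }
        # The condition targets the authentication flow itself, not a client app,
        # so a token obtained via a phished device code is blocked regardless of the app.
        authenticationFlows = @{
            transferMethods = "deviceCodeFlow"
        }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("block")
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
"Created policy $($created.Id) in state $($created.State)"

# Review recent sign-ins that actually used device code before enforcing the policy.
Get-MgAuditLogSignIn -Top 500 |
    Where-Object { $_.AuthenticationProtocol -eq "deviceCode" } |
    Select-Object CreatedDateTime, UserPrincipalName, AppDisplayName, IPAddress

# When the report-only results show no legitimate use outside the exclusions, enforce it:
# Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id -BodyParameter @{ state = "enabled" }
```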

User awareness also remains important because the scam relies on persuading people to enter a code into a trusted Microsoft page rather than a fake login site. Staff training should warn users not to enter device codes received from untrusted sources.