Threats Tagged 'device code phishing'
View all threats tagged with 'device code phishing'. Filter and sort to focus on specific types of threats.
Stop chasing alerts. Route them.
Start free, then upgrade once to turn Radar into an automated delivery engine for your security stack.
Custom feeds / Automations: email, Slack, webhooks, SIEM/MISP / API access (baseline limits)
API access activates after upgrading in Console -> Billing.
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.
Filter Threats
Narrow down the results by type, severity, or affected countries
Threats Tagged 'device code phishing'
Click on any threat for detailed analysis and mitigation recommendations
Device Code Phishing is an Evolution in Identity Takeover 0 Device code phishing attacks have exploded across the threat landscape, with new toolkits emerging weekly. This surge coincides with publicly released criminal toolkits and multiple phishing-as-a-service offerings like EvilTokens and Tycoon. Threat actors abuse the OAuth 2.0 device authorization grant flow to compromise Microsoft 365 and other enterprise accounts by tricking users into authorizing malicious applications. Current implementations use on-demand code generation, addressing the 15-minute expiration limitation of previous techniques. Most activity appears to be generated using AI-based coding techniques. Successful attacks lead to full account takeover, data theft, business email compromise, and potential ransomware deployment. The technique represents the natural evolution of credential phishing as organizations improve their defenses against traditional multifactor authentication bypass methods. Join the discussion | AlienVault OTX General | 05/14/2026, 11:16:24 UTC Added: 05/14/2026, 18:21:37 UTC |
Token Bingo: Don't Let Your Code be the Winner 0 In early April 2026, a large-scale device code phishing campaign targeted organizations across multiple sectors and regions, exploiting OAuth 2.0 Device Authorization Grant. Threat actors leveraged the Kali365 phishing-as-a-service platform, originating primarily from IP address 216.203.20[.]95. The campaign used high-fidelity lures directing victims to Microsoft's legitimate device login flow, where users unknowingly authorized threat actor-controlled sessions. Captured OAuth tokens enabled immediate mailbox access and post-compromise activities. In some cases, attackers established malicious inbox rules to suppress security notifications, extending dwell time. The Kali365 platform operates as a multi-tenant PhaaS ecosystem supporting both device code abuse and adversary-in-the-middle session capture, featuring rapid lure generation across multiple languages and file types, Cloudflare Worker-hosted pages, and token sharing capabilities between affiliates. Join the discussion | AlienVault OTX General | 04/25/2026, 13:35:30 UTC Added: 04/27/2026, 08:30:05 UTC |
New widespread EvilTokens kit: device code phishing as-a-service 0 EvilTokens is a new Phishing-as-a-Service offering a turnkey Microsoft device code phishing kit. It enables attackers to harvest access and refresh tokens, granting unauthorized access to victims' Microsoft accounts. The kit supports post-compromise operations, allowing data exfiltration from various Microsoft services. EvilTokens has been rapidly adopted by cybercriminals since March 2026, impacting organizations globally. The service provides advanced capabilities for account takeover, including token conversion to Primary Refresh Tokens and browser cookies for persistent access. Phishing campaigns using EvilTokens target employees in finance, HR, logistics, and sales, primarily for Business Email Compromise attacks. MediumCampaign Join the discussion United States United Kingdom Canada+8#device code phishing#token harvesting#microsoft 365 | AlienVault OTX General | 03/31/2026, 16:14:29 UTC Added: 03/31/2026, 18:38:16 UTC |
Showing 1 to 3 of 3 results