Threat Spotlight: Device code phishing is on the rise with 7 million attacks in four weeks
The EvilTokens phishing kit is driving the surge, targeting Microsoft 365 and Entra ID environments
Key takeaways
- The EvilTokens phishing kit tricks users into entering a genuine Microsoft device code on a legitimate Microsoft login page, which authorizes a client the attacker controls.
- Device code phishing has advantages over traditional credential phishing in stealth, persistence and evasion.
- In the last four weeks, Barracuda has detected more than 7 million device code attacks.
- Layered security controls, advanced email filtering, identity protection mechanisms, and continuous monitoring reduce exposure.
Device code authentication (the OAuth 2.0 device authorization grant) lets a user sign in on a device with a limited interface, such as a TV, printer or command line interface (CLI) tool, by entering a short code on another device that has a browser. Device code phishing abuses this flow: the attacker starts it on a client they control and persuades the victim to approve it, so Microsoft issues the resulting tokens to the attacker, who gains persistent, fully authenticated access to Microsoft services.
Over the last month, Barracuda’s threat analysts have detected more than 7 million device code phishing attacks, largely powered by the recently reported EvilTokens phishing kit. Barracuda has also seen other attackers leveraging the approach together with Tycoon 2FA capabilities. It is likely that other phishing kits will follow.
The attack approach is as follows. The attacker's client requests a real device code from Microsoft, and the attacker sends the victim a phishing lure that persuades them to enter the user-facing part of that code on a legitimate Microsoft login page, such as ‘microsoft.com/devicelogin.’ The victim signs in (including any MFA prompt), Microsoft marks the pending request as approved, and the attacker's client, which has been polling Microsoft's token endpoint, receives the OAuth access and refresh tokens. Because a device code is only valid for a short time (15 minutes in the flow described below), the kit requests it when the victim reaches the lure rather than in advance.
What’s the appeal of device code phishing?
Device code phishing has several advantages over traditional credential phishing with fake login pages — particularly in terms of stealth, persistence and evasion.
- It relies on legitimate links — no suspicious URLs: Traditional phishing needs a convincing fake website, which can be easy for email filters to spot. Device code phishing uses official authentication URLs, making it difficult to identify malicious activity.
- It satisfies multifactor authentication and most conditional access policies rather than bypassing them: the victim completes MFA themselves, so the token Microsoft issues to the attacker's client carries a genuine MFA claim and passes any policy that only requires MFA. Only a policy that restricts the device code flow itself, such as the Entra Conditional Access ‘authentication flows’ condition, stands in the way.
- Persistent, long-term access: Once the victim signs in, the attacker receives a refresh token that can be exchanged for new access tokens for as long as it remains valid (by default up to 90 days of inactivity in Entra ID) unless an administrator revokes the user's sessions. A password change alone is not a reliable remedy, and access tokens already issued remain usable until they expire, typically about an hour.
- It takes advantage of user trust and familiarity: People are used to entering a short alphanumeric code to link a device, so the prompt looks routine.
- Low-noise access: The sign-in is recorded as the victim's own successful authentication, so nothing in the session itself looks hijacked and the attacker's subsequent activity rarely raises an alarm.
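Because the sign-in is genuine, the only reliable signal is in the identity provider's sign-in logs. As an added example (not code from the original post), here is a Python triage routine over constructed Entra ID sign-in records: it flags successful sign-ins made with the device code flow, records that MFA was satisfied rather than bypassed, escalates clients that are not expected to use the flow, and raises a campaign alert when several users authorize device code sign-ins within a short window. Field names follow the Microsoft Graph signIn resource; the records themselves, the allowlist of expected device-code clients, the window and the threshold are assumptions.

```python
"""Triage of Entra ID sign-in records for device code authentications.
Added example, not code from the Barracuda post. The sample records are
constructed; their field names follow the Microsoft Graph signIn resource
(authenticationProtocol, authenticationRequirement, status.errorCode).
The allowlist, window and threshold are assumptions to adapt per tenant."""
import json
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Clients this (hypothetical) tenant legitimately lets use the device code flow.
EXPECTED_DEVICE_CODE_APPS = {"Corp CLI Tool"}
SPIKE_WINDOW = timedelta(minutes=30)   # look-back for campaign detection
SPIKE_THRESHOLD = 3                    # distinct users authorizing device-code sign-ins

# Constructed sign-in log, one JSON object per line (not real tenant data).
SAMPLE_SIGNINS = """\
{"createdDateTime": "2025-05-06T08:40:00Z", "userPrincipalName": "a.lee@example.com", "appDisplayName": "Corp CLI Tool", "ipAddress": "203.0.113.10", "authenticationProtocol": "deviceCode", "authenticationRequirement": "multiFactorAuthentication", "status": {"errorCode": 0}}
{"createdDateTime": "2025-05-06T09:02:00Z", "userPrincipalName": "b.chen@example.com", "appDisplayName": "Example Public Client", "ipAddress": "198.51.100.7", "authenticationProtocol": "deviceCode", "authenticationRequirement": "multiFactorAuthentication", "status": {"errorCode": 0}}
{"createdDateTime": "2025-05-06T09:05:00Z", "userPrincipalName": "e.fox@example.com", "appDisplayName": "Outlook Web", "ipAddress": "203.0.113.22", "authenticationProtocol": "oAuth2", "authenticationRequirement": "multiFactorAuthentication", "status": {"errorCode": 0}}
{"createdDateTime": "2025-05-06T09:11:00Z", "userPrincipalName": "c.diaz@example.com", "appDisplayName": "Example Public Client", "ipAddress": "198.51.100.7", "authenticationProtocol": "deviceCode", "authenticationRequirement": "multiFactorAuthentication", "status": {"errorCode": 0}}
{"createdDateTime": "2025-05-06T09:14:00Z", "userPrincipalName": "f.gray@example.com", "appDisplayName": "Example Public Client", "ipAddress": "198.51.100.7", "authenticationProtocol": "deviceCode", "authenticationRequirement": "singleFactorAuthentication", "status": {"errorCode": 50126}}
{"createdDateTime": "2025-05-06T09:20:00Z", "userPrincipalName": "d.evans@example.com", "appDisplayName": "Example Public Client", "ipAddress": "198.51.100.7", "authenticationProtocol": "deviceCode", "authenticationRequirement": "multiFactorAuthentication", "status": {"errorCode": 0}}
"""


def parse_signins(jsonl: str) -> List[dict]:
    """One JSON object per line, as exported sign-in logs usually are."""
    return [json.loads(line) for line in jsonl.splitlines() if line.strip()]


def _ts(record: dict) -> datetime:
    # Graph emits UTC timestamps with a trailing 'Z'; fromisoformat wants an offset.
    return datetime.fromisoformat(record["createdDateTime"].replace("Z", "+00:00"))


def detect_spikes(events: List[Tuple[datetime, str]]) -> List[dict]:
    """First window of SPIKE_WINDOW in which at least SPIKE_THRESHOLD distinct
    users completed device-code sign-ins; one alert is enough for triage."""
    events = sorted(events)
    for i, (start, _) in enumerate(events):
        users = {u for t, u in events[i:] if t - start <= SPIKE_WINDOW}
        if len(users) >= SPIKE_THRESHOLD:
            return [{"window_start": start.isoformat(), "users": sorted(users)}]
    return []


def triage_device_code_signins(records: List[dict]) -> Dict[str, list]:
    """Flag every successful device-code sign-in; escalate unexpected clients."""
    findings, events = [], []
    for r in records:
        if r.get("authenticationProtocol") != "deviceCode":
            continue                       # browser and other OAuth flows are out of scope here
        if r.get("status", {}).get("errorCode") != 0:
            continue                       # a failed sign-in never minted a token
        unexpected = r["appDisplayName"] not in EXPECTED_DEVICE_CODE_APPS
        findings.append({
            "time": r["createdDateTime"],
            "user": r["userPrincipalName"],
            "app": r["appDisplayName"],
            "ip": r["ipAddress"],
            # MFA passing is expected here: the victim satisfied it in the browser,
            # so an "MFA bypass" alert will never fire for this technique.
            "mfa_satisfied": r.get("authenticationRequirement") == "multiFactorAuthentication",
            "severity": "high" if unexpected else "medium",
        })
        events.append((_ts(r), r["userPrincipalName"]))
    return {"findings": findings, "spikes": detect_spikes(events)}


if __name__ == "__main__":
    result = triage_device_code_signins(parse_signins(SAMPLE_SIGNINS))
    print(json.dumps(result, indent=2))
```

Failed device-code sign-ins are deliberately skipped: they are noisy and never produced a token. Successful ones are the events worth responding to, and the spike check surfaces the campaign-scale pattern (many users approving device codes in a short span) that a single-record rule would miss.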
In this article we examine the flow of a real-world device code phishing attack seen by Barracuda’s threat analysts.
The attack flow
Device code phishing attack flow
Initial access:
The attack begins with the attacker taking control of an existing email conversation thread. Within this trusted context, the attacker sends a message saying that an ACH payment has been issued and needs to be reviewed.
Device code phishing - ACH payment message
Delivery chain and redirection:
The message contains a link prompting the victim to view the document.
When the victim clicks the link:
1. They are first redirected to a document hosted on the trusted platform app.box.com.
Device code phishing - ACH payment remittance
2. From there, they are redirected to a phishing page.
Device code phishing - Verify to sign
This multistep redirection chain helps to ensure the content looks legitimate, reducing suspicion.
After the second redirection, the victim is presented with a page that does not immediately reveal its functionality. Instead, its content is loaded dynamically by JavaScript that decrypts the real page in the browser, which keeps the phishing content out of the static HTML that scanners and crawlers see.
Technical stages involved in this part of the attack:
1. Encrypted loader page
The phishing page initially presented to the victim does not contain visible content. Instead, it includes a JavaScript-based loader that decrypts a hidden payload.
Device code phishing - Encrypted loader page
2. Session initialization
After the decrypted page loads, a request is made to a backend endpoint.
Device code phishing - request to backend endpoint
The server responds with the following JSON.
Device code phishing - JSON response
This response provides:
- A session identifier
- A verification code
- A URL for authentication
- A validity period of 900 seconds (15 minutes), which matches the expiry of a freshly issued Microsoft device code
3. User is redirected to the authentication page
The victim is asked to authenticate using the provided verification URL.
Device code phishing
4. Code submission
When the victim enters the verification code and clicks ‘Next,’ they are asked to enter their email address and password (and to complete MFA if it is required) on a legitimate Microsoft authentication page. Completing this step approves the attacker's pending device code request, so Microsoft issues the tokens to the attacker's client.
Device code phishing
5. Session tracking (polling)
Barracuda threat analysts noticed that the session identifier was being used for repeated network requests during the authentication process, indicating that the session is active while the authentication is in progress. This mirrors the polling step of the device code flow: the kit's backend repeatedly asks Microsoft's token endpoint whether the code has been approved, and receives the tokens as soon as the victim finishes signing in.
Conclusion
Device code phishing is a subtle yet increasingly effective approach that leverages legitimate authentication workflows for unauthorized access.
By combining trusted communication channels, multistep redirection and encrypted client-side logic, attackers can guide victims through a process that appears entirely normal but leaves them compromised.
When this method is operationalized as part of a PhaaS model such as EvilTokens, it becomes even more dangerous and scalable.
Layered security controls, including advanced email filtering, identity protection mechanisms and continuous monitoring, can significantly limit exposure. In Microsoft 365 environments that means blocking the device code flow with Conditional Access for the users and clients that do not need it, alerting on successful sign-ins whose authentication protocol is the device code flow, and revoking an affected user's sessions rather than only resetting the password once an incident is found. Raising awareness that a verification code should only ever be entered in a sign-in the user started themselves also helps prevent such attacks from succeeding.