Union Today
Device Code Phishing Attacks Surge 37x, Exposing Growing Cybersecurity Threat
Sophisticated phishing kits democratize device code attacks, putting organizations and users at risk
Apr. 12, 2026 at 5:53am
The rise of device code phishing attacks has led to a staggering 37.5x increase in detected phishing pages, according to security researchers. These attacks exploit the OAuth 2.0 Device Authorization Grant flow to trick victims into entering authorization codes, providing threat actors access to sensitive accounts. The proliferation of phishing kits like EvilTokens, VENOM, and SHAREFILE has made these attacks more accessible to low-skilled cybercriminals, posing a growing challenge for organizations and individuals to mitigate.
Why it matters
Device code phishing attacks represent a significant and evolving cybersecurity threat, as they can compromise individual accounts as well as contribute to broader data breaches and financial losses. The use of realistic SaaS-themed lures and anti-bot protections makes these attacks particularly difficult to detect and prevent, underscoring the need for enhanced security measures.
The details
Threat actors have been exploiting the OAuth 2.0 Device Authorization Grant flow to carry out device code phishing attacks. They send device authorization requests, receive codes, and trick victims into entering them on legitimate login pages. The surge in attacks can be attributed to the availability of phishing kits like EvilTokens, which democratize these techniques and make them accessible to low-skilled cybercriminals. Other prominent kits include VENOM, SHAREFILE, CLURE, LINKID, AUTHOV, DOCUPOLL, FLOW_TOKEN, PAPRIKA, DCSTATUS, and DOLCE, each with unique features and targeting different SaaS platforms.
- In March 2026, the number of device code phishing pages detected increased by 15x.
- By April 2026, the surge in attacks had reached a staggering 37.5x increase.
The players
EvilTokens
A prominent phishing kit that has democratized device code phishing attacks, making them accessible to low-skilled cybercriminals.
Push Security
A security research firm that has documented the alarming rise in device code phishing attacks, from a 15x increase in March 2026 to a 37.5x increase by April 2026.
What’s next
Users are advised to disable the OAuth 2.0 Device Authorization Grant flow when not required and set conditional access policies on their accounts. Monitoring logs for unusual activities, such as unexpected device code authentications, IP addresses, and sessions, is crucial for early detection.
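The log monitoring described above can be sketched as a small baseline check. This is an added example, not code from Push Security or any vendor: the log schema, the account names and the meaning of the `ip` field are assumptions, and the sample records are constructed.

```python
import json
from collections import defaultdict

# Grant type defined by RFC 8628 for the Device Authorization Grant.
DEVICE_GRANT = "urn:ietf:params:oauth:grant-type:device_code"

# Constructed sample records in a hypothetical schema (one JSON object per line,
# oldest first); "ip" is assumed to be the address that redeemed the token.
SAMPLE_LOG = """
{"ts": "2026-04-01T09:00:00Z", "user": "alice", "grant_type": "authorization_code", "ip": "198.51.100.10"}
{"ts": "2026-04-01T09:05:00Z", "user": "tv-kiosk", "grant_type": "urn:ietf:params:oauth:grant-type:device_code", "ip": "198.51.100.20"}
{"ts": "2026-04-01T09:30:00Z", "user": "alice", "grant_type": "urn:ietf:params:oauth:grant-type:device_code", "ip": "203.0.113.77"}
{"ts": "2026-04-01T10:00:00Z", "user": "tv-kiosk", "grant_type": "urn:ietf:params:oauth:grant-type:device_code", "ip": "198.51.100.20"}
{"ts": "2026-04-01T10:15:00Z", "user": "tv-kiosk", "grant_type": "urn:ietf:params:oauth:grant-type:device_code", "ip": "203.0.113.77"}
"""

def find_suspicious_device_code_signins(lines, expected_users=frozenset()):
    """Return [(record, reasons)] for device-code sign-ins that break the baseline."""
    baseline_ips = defaultdict(set)  # user -> IPs seen on unflagged sign-ins
    findings = []
    for line in lines:
        if not line.strip():
            continue
        rec = json.loads(line)
        user, ip = rec["user"], rec["ip"]
        reasons = []
        if rec["grant_type"] == DEVICE_GRANT:
            # Accounts with no need for the flow should never use it.
            if user not in expected_users:
                reasons.append("device code flow not expected for this account")
            # Compare against IPs learned from earlier clean sign-ins.
            if baseline_ips[user] and ip not in baseline_ips[user]:
                reasons.append("IP not in account baseline")
        if reasons:
            findings.append((rec, reasons))
        else:
            baseline_ips[user].add(ip)  # only clean sign-ins extend the baseline
    return findings

if __name__ == "__main__":
    hits = find_suspicious_device_code_signins(SAMPLE_LOG.splitlines(), {"tv-kiosk"})
    for rec, reasons in hits:
        print(rec["ts"], rec["user"], rec["ip"], "; ".join(reasons))
```

Flagged sign-ins are kept out of the baseline so that an address seen in one alert does not become trusted for later events.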
The takeaway
The surge in device code phishing attacks underscores the need for a multi-layered security approach. Organizations and individuals must stay vigilant, adopt best practices, and leverage advanced security tools to mitigate the impact of these evolving cyber threats.


