The phishing kit that doesn't need your password — because it asks for something far more dangerous: your trust.
In April 2026, Barracuda's threat analysts detected over 7 million device code phishing attacks in just four weeks. The culprit? A phishing-as-a-service kit called EvilTokens that weaponizes a legitimate Microsoft authentication feature against its own users. Here's how attackers turned a convenience protocol into an MFA-bypassing nightmare — and what you need to know to defend against it.
What Is Device Code Authentication?
Device code authentication is an OAuth 2.0 flow designed for devices that can't easily display a login screen — think smart TVs, printers, or command-line tools. The process is simple:
- The device displays a short alphanumeric code
- You visit microsoft.com/devicelogin on your phone or computer
- You enter the code and authenticate
- The original device is now logged in
It's convenient, it's secure by design, and it's now being exploited at scale.
How EvilTokens Weaponizes Trust
Traditional phishing relies on fake login pages that steal credentials. EvilTokens doesn't need your password at all. Instead, it:
- Requests a real device code from Microsoft's identity platform using a background script
- Sends a phishing lure — often a document access request, e-signature prompt, or voicemail notification — from a compromised legitimate account or domain
- Directs the victim to a browser-in-the-browser page that looks like a legitimate document preview, complete with a "Verify Identity" button and the live device code
- Auto-copies the code to the victim's clipboard in some variants, making the attack feel seamless
- Waits for the victim to paste the code into the real microsoft.com/devicelogin page and authenticate
Once the victim completes the authentication, Microsoft issues OAuth access and refresh tokens — directly to the attacker. The victim never entered their credentials on a fake site. They simply approved a login they didn't know wasn't theirs.
Why Device Code Phishing Is Worse Than Traditional Phishing
EvilTokens exploits several structural advantages over conventional credential theft:
- No suspicious URLs: Victims visit legitimate Microsoft login pages. Email filters and URL reputation systems see nothing wrong.
- MFA bypassed automatically: Because the victim authorizes the session themselves, multi-factor authentication and conditional access policies are satisfied.
- Persistent access: Attackers receive refresh tokens that maintain account access for days or weeks, even if the victim changes their password.
- Stealthy lateral movement: The attacker operates with a legitimate, authenticated session — indistinguishable from the real user.
- User familiarity: People are already conditioned to enter device codes to link TVs, printers, and work applications. The interaction feels normal.
The Scale: From Niche to Nightmare
Device code phishing isn't new — Microsoft reported AI-enabled campaigns exploiting it as early as April 6, 2026. But EvilTokens marks a turning point. By packaging the attack into a phishing-as-a-service kit with automated code generation, domain shadowing, and browser-in-the-browser techniques, threat actors have lowered the barrier to entry dramatically.
Microsoft observed attackers conducting 10–15 days of reconnaissance before launching campaigns, confirming target accounts and mapping tenant structures. The Cloud Security Alliance documented a 37x surge in enterprise account takeovers via this vector. This is no longer a proof-of-concept — it's productionized cybercrime.
How to Defend Against It
Device code authentication is a legitimate and useful protocol. The solution isn't to disable it entirely, but to add layers of visibility and control:
- Audit device code usage: Review Azure AD / Entra ID sign-in logs for device code authentication events. Flag unexpected locations or times.
- Restrict device code flows: Use conditional access policies to limit device code authentication to specific IP ranges, compliant devices, or trusted networks.
- Monitor for anomalous OAuth grants: Track OAuth consent grants and token issuance patterns. Unusual refresh token lifespans or new device registrations warrant investigation.
- User education: Train users that device codes should only be entered for devices they physically initiated setup on. A code arriving via email or document preview is a red flag.
- Email security layers: Advanced email filtering that detects conversation thread hijacking, compromised legitimate domains, and serverless-hosted phishing pages can stop the lure before it reaches the inbox.
The Bottom Line
EvilTokens represents a fundamental shift in phishing economics. When attackers no longer need to build convincing fake login pages, harvest credentials, or crack MFA — when they can simply ask users to authenticate themselves on the real site — the cost of entry drops and the success rate skyrockets.
The next time you see a device code prompt, ask yourself: Did I initiate this? If the answer is no, you're not verifying your identity. You're handing your identity to someone else.