Device Code Phishing Attacks Surge 37‑Fold as New Kits Democratize OAuth Credential Hijacking
What Happened — Abuse of the OAuth 2.0 Device Authorization Grant flow has exploded, with observed attacks increasing > 37× in 2026. Open‑source and commercial phishing‑as‑a‑service kits (EvilTokens, VENOM, SHAREFILE, CLURE, LINKID, AUTHOV, DOCUPOLL, FLOW_TOKEN) automate the “device code” trick, letting low‑skill actors harvest valid access and refresh tokens.
Why It Matters for TPRM —
- Any third‑party service that supports the device‑code flow (SaaS, IoT, streaming, print) becomes a low‑effort entry point for credential theft.
- Compromised tokens can be used to access sensitive corporate data, bypassing MFA and password policies.
- The rapid kit proliferation means the threat surface expands faster than most organizations can patch or re‑architect their OAuth implementations.
Who Is Affected — Cloud‑based SaaS platforms, identity‑as‑a‑service (IDaaS) providers, IoT device manufacturers, enterprise IT departments that rely on OAuth device‑code SSO, and any downstream customers that authenticate through these services.
Recommended Actions —
- Review all OAuth 2.0 implementations and disable the Device Authorization Grant where not required.
- Enforce PKCE, short‑lived device codes, and strict redirect‑URI validation.
- Deploy monitoring for anomalous device‑code requests and token issuance patterns.
- Conduct user‑awareness training focused on “enter‑code” phishing lures.
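The first three recommended actions all land on the authorization server. The following is an added example (not code from the advisory or from any vendor's product) that models that side of the device flow as a small Python class with the relevant hardening applied: the grant is opt-in per registered client, device codes expire after a short lifetime, a user code can be approved only once, the device code yields tokens only once, and clients that poll too fast get the standard `slow_down` response. The client identifier, lifetime and polling interval are constructed policy values chosen for the example.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

# Assumed policy values (constructed for this example, not taken from the advisory):
# which registered clients may use the device grant at all, how long a code lives,
# and how often a client may poll the token endpoint.
DEVICE_GRANT_ALLOWED_CLIENTS = {"smart-tv-app"}   # constructed client id
DEVICE_CODE_LIFETIME_SECONDS = 300
MIN_POLL_INTERVAL_SECONDS = 5


@dataclass
class DeviceCodeRecord:
    client_id: str
    user_code: str
    issued_at: float
    approved_by: Optional[str] = None   # user who entered the user_code
    consumed: bool = False              # tokens already handed out once
    last_poll: float = 0.0


class DeviceAuthorizationServer:
    """Toy authorization-server side of the device flow (RFC 8628) with the
    hardening the advisory recommends: the grant is opt-in per client, codes are
    short-lived and single-use, and polling is rate-limited."""

    def __init__(self, clock: Callable[[], float] = time.time):
        self._clock = clock
        self._by_device_code: Dict[str, DeviceCodeRecord] = {}
        self._by_user_code: Dict[str, str] = {}

    def request_device_code(self, client_id: str) -> dict:
        # "Disable the Device Authorization Grant where not required": only
        # explicitly registered clients get a device code at all.
        if client_id not in DEVICE_GRANT_ALLOWED_CLIENTS:
            raise PermissionError("unauthorized_client: device grant disabled for this client")
        device_code = secrets.token_urlsafe(32)
        user_code = secrets.token_hex(4).upper()   # short code the user types in
        record = DeviceCodeRecord(client_id, user_code, self._clock())
        self._by_device_code[device_code] = record
        self._by_user_code[user_code] = device_code
        return {"device_code": device_code, "user_code": user_code,
                "expires_in": DEVICE_CODE_LIFETIME_SECONDS,
                "interval": MIN_POLL_INTERVAL_SECONDS}

    def _expired(self, record: DeviceCodeRecord) -> bool:
        return self._clock() - record.issued_at > DEVICE_CODE_LIFETIME_SECONDS

    def approve(self, user_code: str, user: str) -> str:
        """Called by the verification page after the user authenticated and typed the code."""
        device_code = self._by_user_code.get(user_code)
        record = self._by_device_code.get(device_code) if device_code else None
        if record is None or self._expired(record):
            return "expired_or_unknown"   # stale codes cannot be approved late
        if record.approved_by is not None:
            return "already_used"         # a user_code binds to exactly one approval
        record.approved_by = user
        return "approved"

    def poll_token(self, device_code: str) -> dict:
        """Token endpoint for grant_type urn:ietf:params:oauth:grant-type:device_code."""
        record = self._by_device_code.get(device_code)
        if record is None or self._expired(record):
            return {"error": "expired_token"}
        now = self._clock()
        if now - record.last_poll < MIN_POLL_INTERVAL_SECONDS:
            return {"error": "slow_down"}   # RFC 8628 back-off signal
        record.last_poll = now
        if record.approved_by is None:
            return {"error": "authorization_pending"}
        if record.consumed:
            return {"error": "invalid_grant"}   # device_code is single-use
        record.consumed = True
        return {"access_token": secrets.token_urlsafe(24), "token_type": "Bearer",
                "subject": record.approved_by}
```

The `clock` parameter exists so the expiry and polling rules can be exercised deterministically; in production the default wall clock is used. The point of the per-client allow-list is that a client registered for a browser or web flow never receives a device code in the first place, which removes the lure for every user of that application.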
Technical Notes — The attack leverages legitimate OAuth endpoints; no CVE is involved. Threat actors obtain a device code, trick victims into entering it on a spoofed login page, and then receive valid access/refresh tokens. Because the tokens are issued by the genuine authorization server, they grant the same privileges as the victim’s account, potentially exposing personal data, corporate documents, and internal APIs. Source: BleepingComputer
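The "monitoring for anomalous device‑code requests and token issuance patterns" recommendation follows directly from the mechanics in the technical notes: the victim approves the code from their own network, but the tokens are delivered to whichever client is polling the token endpoint. The following is an added example (not from the advisory) that runs two such indicators over a constructed set of completed device-code grant records; the field names, IP addresses, users and client identifiers are all assumptions made for the sample and will need mapping onto a real identity provider's audit schema.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed audit records for completed device-code grants (sample data, not real
# logs). Each record carries where the user approved the user_code and where the
# client that then received the tokens was polling from. Field names are assumed.
SAMPLE_EVENTS = [
    {"ts": "2026-03-01T09:00:10Z", "user": "alice", "client_id": "smart-tv-app",
     "approval_ip": "203.0.113.10", "approval_country": "DE",
     "poll_ip": "203.0.113.10", "poll_country": "DE"},
    {"ts": "2026-03-01T09:05:00Z", "user": "bob", "client_id": "cli-tool",
     "approval_ip": "203.0.113.22", "approval_country": "DE",
     "poll_ip": "198.51.100.7", "poll_country": "NL"},
    {"ts": "2026-03-01T09:07:30Z", "user": "carol", "client_id": "cli-tool",
     "approval_ip": "192.0.2.40", "approval_country": "FR",
     "poll_ip": "198.51.100.7", "poll_country": "NL"},
    {"ts": "2026-03-01T09:12:45Z", "user": "dave", "client_id": "cli-tool",
     "approval_ip": "203.0.113.31", "approval_country": "DE",
     "poll_ip": "198.51.100.7", "poll_country": "NL"},
    {"ts": "2026-03-01T11:40:00Z", "user": "erin", "client_id": "smart-tv-app",
     "approval_ip": "198.51.100.200", "approval_country": "US",
     "poll_ip": "198.51.100.200", "poll_country": "US"},
]


def enrich(events: List[dict]) -> List[dict]:
    """Parse the timestamp once so both indicators can compare times."""
    out = []
    for e in events:
        e = dict(e)
        e["ts_dt"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        out.append(e)
    return out


def split_approval_poll(events: List[dict]) -> List[str]:
    """Indicator 1: the user approved from one country but the tokens were delivered
    to a client polling from another. In a legitimate device flow the device and the
    user are normally co-located, so a split is worth an analyst's look."""
    return [e["user"] for e in events if e["approval_country"] != e["poll_country"]]


def polling_ip_fanout(events: List[dict], window: timedelta = timedelta(minutes=15),
                      threshold: int = 3) -> List[Tuple[str, List[str]]]:
    """Indicator 2: one polling IP collects device-code tokens for several distinct
    users inside a short window, which is what code harvesting at scale looks like."""
    by_ip: Dict[str, List[dict]] = defaultdict(list)
    for e in events:
        by_ip[e["poll_ip"]].append(e)
    hits = []
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts_dt"])
        for i, first in enumerate(evs):          # sliding window anchored at each event
            users = {x["user"] for x in evs[i:] if x["ts_dt"] - first["ts_dt"] <= window}
            if len(users) >= threshold:
                hits.append((ip, sorted(users)))
                break
    return hits


def triage(raw_events: List[dict]) -> dict:
    """Run both indicators and return the users / polling IPs that need review."""
    events = enrich(raw_events)
    return {"split_location": split_approval_poll(events),
            "fanout": polling_ip_fanout(events)}


if __name__ == "__main__":
    print(triage(SAMPLE_EVENTS))
```

On the sample, `alice` and `erin` pass both checks (device and user in the same place, no fan-out), while `bob`, `carol` and `dave` trip the location split and the polling address they share trips the fan-out rule. Either indicator alone produces false positives (a traveller approving a home device, a shared corporate egress IP), so the two are best combined with the client identifier: device-code grants for a client that has no business using the flow, as in the first recommended action, are the cheapest signal of all.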