
Device Code Phishing Attacks Jump 37x with New Kits

Summary

– Device code phishing attacks, which hijack accounts by abusing the OAuth 2.0 Device Authorization Grant, have surged over 37-fold this year.
– In these attacks, a victim is tricked into entering a code on a legitimate login page, which authorizes the attacker’s device to access their account.
– The technique has been widely adopted, largely driven by phishing-as-a-service kits like EvilTokens that make it accessible to low-skilled cybercriminals.
– Researchers have identified at least 11 distinct phishing kits, such as VENOM and SHAREFILE, that use realistic lures and abuse cloud platforms for hosting.
– Recommended defenses include disabling the device code flow when unnecessary and monitoring logs for unexpected authentication events.

A staggering surge in device code phishing attacks has been documented this year, with malicious activity increasing by more than 37 times. This sophisticated technique exploits a legitimate OAuth 2.0 feature, the Device Authorization Grant flow, which was originally designed to help users connect hardware like smart TVs or printers to online services. Cybercriminals are now weaponizing this function to hijack accounts with alarming efficiency, bypassing traditional multi-factor authentication defenses.

The attack begins when a threat actor initiates a device authorization request with a service provider, such as Microsoft, and receives a unique code. They then present this code to a victim under a false pretext, often through a convincing phishing lure. The target is directed to a legitimate login page, where entering the code authorizes the attacker’s device, granting them valid access and refresh tokens for the victim’s account. While the technique was first documented in 2020, its widespread malicious exploitation is a recent and dangerous trend.

Security researchers at Push Security have tracked this dramatic escalation. “At the start of March, we’d observed a 15x increase in device code phishing pages detected by our research team this year, with multiple kits and campaigns being tracked,” the firm reported. “That figure has now risen to 37.5x.” They identify the EvilTokens phishing-as-a-service (PhaaS) kit as the most prominent driver of this wave, a finding corroborated by threat intelligence firm Sekoia. These kits effectively democratize device code phishing, lowering the barrier to entry for low-skilled criminals.

Push Security notes that while EvilTokens is a major player, a competitive marketplace of at least 11 distinct phishing kits now exists, ensuring the threat persists even if one operation is dismantled. These platforms use realistic lures themed around popular SaaS applications like Microsoft Teams, DocuSign, Adobe, and SharePoint. They also employ anti-bot protections and frequently abuse legitimate cloud infrastructure from providers like Cloudflare, DigitalOcean, and AWS for hosting. Other notable kits include VENOM, a closed-source PhaaS offering, and various themed platforms like SHAREFILE, CLURE, and DOCUPOLL.

For defenders, mitigating this risk requires proactive measures. Organizations are advised to disable the device code flow via conditional access policies wherever it is not explicitly needed for business operations. Security teams should also monitor authentication logs vigilantly for any unexpected device code authentication events, paying close attention to sessions originating from unusual IP addresses or geolocations. This combination of policy control and active monitoring is critical to defending against an attack vector that turns a legitimate convenience into a powerful weapon for account takeover.
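As an added illustration of the log-monitoring advice above (example code, not from the article or the researchers it cites): a small Python check over constructed sign-in records that reports every device-code authentication and raises the severity when the sign-in country falls outside the user's baseline of ordinary interactive sign-ins. The record field names are an assumption, loosely modelled on cloud identity sign-in logs, and the sample records are constructed.

```python
# Added example: flag device-code sign-ins that stand out from a user's usual
# locations. Field names (user, protocol, ip, country, app) are an assumption.
import json
from collections import defaultdict

# Constructed sample sign-in log, one JSON object per line (not real data).
SAMPLE_LOG = """\
{"time": "2025-03-03T08:01:00Z", "user": "alice@example.com", "protocol": "authorizationCodeFlow", "ip": "203.0.113.10", "country": "GB", "app": "Microsoft Teams"}
{"time": "2025-03-03T08:05:00Z", "user": "alice@example.com", "protocol": "deviceCode", "ip": "198.51.100.7", "country": "RU", "app": "Microsoft Office"}
{"time": "2025-03-03T09:00:00Z", "user": "bob@example.com", "protocol": "authorizationCodeFlow", "ip": "203.0.113.22", "country": "GB", "app": "SharePoint"}
{"time": "2025-03-03T09:30:00Z", "user": "bob@example.com", "protocol": "deviceCode", "ip": "203.0.113.22", "country": "GB", "app": "Microsoft Office"}
{"time": "2025-03-03T10:00:00Z", "user": "carol@example.com", "protocol": "deviceCode", "ip": "192.0.2.55", "country": "NL", "app": "Microsoft Office"}
"""


def parse_log(text):
    """Parse newline-delimited JSON sign-in records."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def baseline_countries(events):
    """Countries each user has signed in from using a non-device-code flow."""
    seen = defaultdict(set)
    for e in events:
        if e["protocol"] != "deviceCode":
            seen[e["user"]].add(e["country"])
    return seen


def flag_device_code_signins(events):
    """Report every device-code sign-in; mark it high severity when the
    country is outside the user's baseline or the user has no baseline."""
    baseline = baseline_countries(events)
    alerts = []
    for e in events:
        if e["protocol"] != "deviceCode":
            continue
        known = baseline.get(e["user"], set())
        alerts.append({
            "user": e["user"], "ip": e["ip"], "country": e["country"],
            "app": e["app"], "time": e["time"],
            "severity": "high" if e["country"] not in known else "medium",
        })
    return alerts


if __name__ == "__main__":
    for a in flag_device_code_signins(parse_log(SAMPLE_LOG)):
        print(f"{a['severity']:6} {a['time']} {a['user']} {a['country']} "
              f"{a['ip']} {a['app']}")
```

A device-code sign-in from a country the user normally works from is still reported, since the policy advice above is to allow the flow only where it is explicitly needed.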

(Source: BleepingComputer)
