Brunswick, ME • (207) 245-1010 • contact@johnzblack.com
Three days ago we wrote about EvilTokens and device code phishing becoming a serious problem. That post aged fast.
Push Security now reports device code phishing pages detected in 2026 are up 37.5x. Not percent. Times. At the start of March it was 15x. In weeks, it more than doubled again. The reason? EvilTokens isn’t alone anymore.
There are now at least ten distinct phishing kits exploiting the OAuth 2.0 Device Authorization Grant: VENOM, SHAREFILE, CLURE, LINKID, AUTHOV, DOCUPOLL, FLOW_TOKEN, PAPRIKA, DCSTATUS, and DOLCE. When criminals start cloning each other’s work, you’re looking at a maturing market, not a novelty.
These kits run on Cloudflare Workers, GitHub Pages, AWS S3, and DigitalOcean. Mainstream infrastructure that’s cheap, fast, and blends with legit traffic. Good luck blocklisting AWS. The lure themes cover everything from DocuSign to Microsoft Teams to (I’m not making this up) Dolce & Gabbana branding.
Here’s why this is worse than regular phishing: the victim logs into the real Microsoft login page. No fake domain. No certificate warning. The URL is correct. The padlock is real. The user completes their normal MFA challenge on Microsoft’s actual infrastructure, and the attacker gets a valid session token on the other end. Traditional phishing awareness training is useless here.
If your org doesn’t use device code flow for IoT or headless systems, disable it. Today. Block it with a Conditional Access policy in Microsoft Entra ID; the policy’s authentication flows condition lets you target device code flow specifically, so nothing else breaks. It’s a straightforward policy change that kills the entire attack surface.
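What that policy looks like on the wire, and how to check that a tenant actually has one, as an added example that is not from the original post or from Microsoft. The body follows the Microsoft Graph `conditionalAccessPolicy` resource as I understand it (the `conditions.authenticationFlows.transferMethods` field carries the device code flow target); verify the field names against current Graph documentation before you POST it to `https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies`. The break-glass account id is a placeholder, and the audit function works on a constructed list of policies.

```python
"""Build, and audit for, a Conditional Access policy that blocks device code flow.

Added example, not from the original post or Microsoft. Field shapes follow the
Graph conditionalAccessPolicy resource as understood by the author of this
example; tenant-specific ids are placeholders.
"""
import json

BREAK_GLASS_USER_ID = "00000000-0000-0000-0000-000000000000"  # placeholder, not a real object id


def build_block_device_code_policy(excluded_user_ids=(BREAK_GLASS_USER_ID,),
                                   state="enabledForReportingButNotEnforced"):
    """Return the policy body. Default state is report-only so you can read the
    sign-in logs for a few days and confirm nothing legitimate would be blocked."""
    return {
        "displayName": "Block device code flow",
        "state": state,
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeUsers": list(excluded_user_ids)},
            "applications": {"includeApplications": ["All"]},
            # Authentication flows condition: scope the policy to device code flow only.
            "authenticationFlows": {"transferMethods": "deviceCodeFlow"},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }


def policy_blocks_device_code(policy):
    """True only if this policy is enforced, targets device code flow, covers all
    users and all apps, and its grant control is 'block'. Report-only or
    group-scoped policies do not count: the attack surface is still open."""
    if policy.get("state") != "enabled":
        return False
    cond = policy.get("conditions", {})
    methods = cond.get("authenticationFlows", {}).get("transferMethods", "")
    if "deviceCodeFlow" not in [m.strip() for m in methods.split(",")]:
        return False
    if cond.get("users", {}).get("includeUsers") != ["All"]:
        return False
    if cond.get("applications", {}).get("includeApplications") != ["All"]:
        return False
    return "block" in policy.get("grantControls", {}).get("builtInControls", [])


def audit_policies(policies):
    """Names of policies in the tenant that actually close device code flow tenant-wide."""
    return [p.get("displayName", "?") for p in policies if policy_blocks_device_code(p)]


# Constructed tenant state: one report-only copy, one scoped to a pilot group, one real block.
EXISTING_POLICIES = [
    build_block_device_code_policy(),
    {**build_block_device_code_policy(state="enabled"),
     "displayName": "Pilot: block device code (IT group only)",
     "conditions": {**build_block_device_code_policy()["conditions"],
                    "users": {"includeGroups": ["11111111-1111-1111-1111-111111111111"]}}},
    build_block_device_code_policy(state="enabled"),
]

if __name__ == "__main__":
    print(json.dumps(build_block_device_code_policy(), indent=2))
    print("policies that block device code flow tenant-wide:", audit_policies(EXISTING_POLICIES))
```

The audit is the part worth keeping around: a report-only policy, or one limited to a pilot group, looks like coverage in the portal and is not. Pull the tenant’s policies with `GET .../identity/conditionalAccess/policies`, feed the `value` array to `audit_policies`, and treat an empty result as a finding.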
The window where this was an exotic nation-state technique is long gone. Any script kiddie with a credit card can run this now.