
Device code phishing attacks surge 37x as new kits spread online

Why This Matters

The surge in device code phishing attacks, up more than 37 times this year, marks a significant escalation in cybercriminal tactics that abuse a sign-in flow built for IoT and other connected devices. The trend underscores the growing threat to both consumers and the tech industry, and the need for better security controls and user awareness to prevent account hijacking through phishing kits such as EvilTokens.

Key Takeaways

Device code phishing attacks that abuse the OAuth 2.0 Device Authorization Grant flow to hijack accounts have surged more than 37 times this year.

In this type of attack, the threat actor sends a device authorization request to a service provider and receives a code, which is sent to the victim under various pretexts.

Next, the victim is tricked into entering the code on the legitimate login page, thus authorizing the attacker's device to access the account through valid access and refresh tokens.

This flow was designed to simplify connecting devices that do not have accessible input options (e.g., IoT devices, printers, streaming devices, and smart TVs).
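The abuse above leaves a trace in authentication records: in the device authorization grant the client that polls for the token and the browser where the user types the code are legitimately different, but a token issued to a client that is neither on a known device network nor where the user approved the code is the pattern this attack produces. The following detector is an added example, not code from the article, Push Security or Sekoia; the log records and field names are constructed for illustration and do not follow any vendor schema.

```python
import ipaddress
import json

# Constructed sample sign-in records (not real logs). Field names are assumed:
# "grant" is the OAuth grant used, "token_client_ip" is the address of the client
# that redeemed the device code for tokens, and "approval_ip" is the address from
# which the user entered the code on the legitimate verification page.
SAMPLE_LOG = """
{"ts":"2026-03-02T09:14:05Z","user":"alice","grant":"device_code","token_client_ip":"10.20.4.7","approval_ip":"10.20.4.7"}
{"ts":"2026-03-02T09:31:44Z","user":"bob","grant":"authorization_code","token_client_ip":"203.0.113.9","approval_ip":"203.0.113.9"}
{"ts":"2026-03-02T10:02:10Z","user":"carol","grant":"device_code","token_client_ip":"198.51.100.23","approval_ip":"203.0.113.40"}
{"ts":"2026-03-02T10:02:41Z","user":"carol","grant":"device_code","token_client_ip":"198.51.100.23","approval_ip":"203.0.113.40"}
"""

# Networks from which the organisation expects input-constrained devices
# (meeting-room displays, printers, TVs) to redeem device codes. Assumed values.
TRUSTED_DEVICE_NETS = [ipaddress.ip_network("10.20.0.0/16")]


def parse_records(text):
    """Parse one JSON object per line, skipping blank lines."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def is_trusted(ip):
    """True when the address belongs to a network where device-code clients live."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_DEVICE_NETS)


def find_suspicious_device_code_grants(records):
    """Return device-code grants redeemed by a client that is neither on a trusted
    device network nor at the address where the user approved the code.
    A smart TV on the office LAN passes; a remote client that merely holds a
    code the user was tricked into approving does not."""
    hits = []
    for r in records:
        if r["grant"] != "device_code":
            continue
        if is_trusted(r["token_client_ip"]):
            continue
        if r["token_client_ip"] == r["approval_ip"]:
            continue
        hits.append(r)
    return hits


if __name__ == "__main__":
    for hit in find_suspicious_device_code_grants(parse_records(SAMPLE_LOG)):
        print(f"{hit['ts']} {hit['user']}: device code redeemed from "
              f"{hit['token_client_ip']}, approved from {hit['approval_ip']}")
```

A real deployment would replace the address comparison with geolocation or ASN distance and would also alert on a user's first-ever device-code grant, since most accounts never use this flow.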

Figure: Device code phishing flow (Source: Push Security)

The device code phishing technique was first documented in 2020, but in-the-wild abuse was only recorded a few years later; it has since been used by both state-sponsored and financially motivated threat actors [1, 2, 3, 4].

Researchers at Push Security observed a massive increase in the use of these attacks, warning that they have been widely adopted by cybercriminals.

“At the start of March (2026), we’d observed a 15x increase in device code phishing pages detected by our research team this year, with multiple kits and campaigns being tracked — with the kit now identified as EvilTokens the most prominent. That figure has now risen to 37.5x.” - Push Security

Earlier this week, threat detection and response company Sekoia published research on the EvilTokens phishing-as-a-service (PhaaS) operation. The researchers underline that it is a prominent example of a phishing kit that “democratizes” device code phishing, making it available to low-skilled cybercriminals.
