ASD warns of device code phishing as Proofpoint tracks growing criminal toolkits

The Australian Signals Directorate (ASD) has issued a public warning to Microsoft 365 users about device code phishing, saying it has received a number of reports of Australian users being actively targeted. The advisory comes as Proofpoint threat researchers report a rise in campaigns abusing the OAuth 2.0 device authorisation flow to gain access to enterprise accounts.

Device code phishing is designed to trick a user into entering an attacker-provided code into Microsoft’s legitimate device login page, enabling the attacker to obtain authentication tokens and access the victim’s Microsoft 365 account. Proofpoint said the technique has been used since at least 2020 by red teams and some threat actors, but became more common in recent years.

According to Proofpoint, the increase has coincided with the public release of criminal toolkits in late 2025 and the availability of phishing-as-a-service (PhaaS) offerings that package the technique for wider use. The company said most observed activity uses “vibe coded” approaches, where attackers appear to use AI-generated code or prompts to produce near-identical attack flows, though attribution of how tools are created remains unclear.

Proofpoint said the technique largely targets Microsoft accounts, but it has also observed Google-themed campaigns at lower volumes. The firm added that campaigns often use “account takeover jumping”, where a compromised account is used to send further phishing messages to the victim’s contacts.

In observed campaigns described by Proofpoint, initial lures deliver a URL via email in a variety of formats, including embedded buttons, hyperlinked text, documents, attachments, or QR codes. Visiting the URL initiates a sequence that leverages Microsoft’s device authorisation process. Proofpoint said a key change driving adoption is on-demand code generation: instead of sending a code that may expire before a target acts, newer kits generate a device code dynamically when a user clicks the phishing link, allowing the recipient to start the flow at any time.

Proofpoint said these updated attack chains can be bought through PhaaS offerings, including services it names as EvilTokens and Tycoon, or developed by individual threat actors. Successful attacks can enable account takeover, data theft, fraud, business email compromise, lateral movement, and ransomware, the company said.

As an example of the current ecosystem, Proofpoint said EvilTokens is a prominent device code PhaaS option first advertised on Telegram in February 2026. It described the service as using landing pages themed around brands such as Microsoft, Adobe and DocuSign, and noted that affiliates can pay for tooling to manage multiple compromised Microsoft 365 accounts—capabilities associated with scaling business email compromise operations. Proofpoint cited prior reporting by Sekoia on EvilTokens’ operations.

Proofpoint also reported that it has observed multiple kits that resemble EvilTokens but differ in API endpoints and HTML headers, enabling researchers to distinguish variants. In one 10-day window in April 2026, it said it observed around seven device code phishing variants that looked nearly identical.

The company said it is unclear whether EvilTokens copied an existing kit and monetised it, or whether other actors are copying or updating EvilTokens using AI tools, adding it is possible both dynamics are happening.

Proofpoint highlighted a shift by one actor it tracks as TA4903, which it said began using device code phishing in March 2026 and now appears to use it almost exclusively. In a campaign observed in April 2026, Proofpoint said TA4903 impersonated a human resources contact and sent salary-notification emails containing a PDF with a QR code. When scanned, the code redirected through a Cloudflare Workers URL to a filtering page and then to a landing page impersonating DocuSign and Microsoft hosted on Cloudflare Workers, according to the researchers. The landing page provided a “signing code” and instructions to log in and enter the device code during the authentication flow, Proofpoint said.

In other campaigns, Proofpoint said it observed blank email bodies paired with PDF attachments containing QR codes—patterns that may indicate automation or poor operational discipline. It also said device code phishing campaigns are appearing in multiple languages, targeting organisations globally.

Proofpoint reported that some threat actors previously associated with adversary-in-the-middle (AiTM) phishing are pivoting to device code phishing. Following a disruption in February 2026 affecting Tycoon 2FA infrastructure, Proofpoint said the operator began selling device code PhaaS as part of its offerings. It also said it identified ODx—tracked as Storm-1167 and FlowerStorm—providing device code capabilities alongside AiTM offerings, and described ODx device code functionality as using Kali365, another PhaaS kit.

For defenders, Proofpoint said mitigations remain consistent regardless of which kit is used. It recommended blocking device code flow where possible through Conditional Access policies using the “Authentication Flows” condition, initially using report-only mode or reviewing historic sign-in logs to assess impact. Where blocking is not feasible, it suggested using allow lists by use case, such as limiting device code authentication to approved users, operating systems or IP ranges through named locations.

Proofpoint also recommended requiring sign-ins to originate from compliant or joined devices in environments using device registration or Intune, as part of a defence-in-depth approach. It said user awareness training should be updated to address device code phishing, noting that traditional guidance focused on checking URLs may not help when users are directed to enter codes on a trusted Microsoft portal.
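To put the "report-only first, then allow-list by use case" advice into practice, the following Python script is an added example (not code from Proofpoint, ASD or Microsoft) that evaluates a proposed device-code allow list against sign-in records; the record field names are assumed to follow the Microsoft Graph signIn schema, the sample records are constructed, and the allow list is hypothetical.

```python
import ipaddress
import json
from collections import Counter

# Constructed sample records shaped like Entra ID sign-in log entries
# (field names assumed from the Microsoft Graph signIn resource).
SAMPLE_SIGNINS = """
{"userPrincipalName": "build-svc@example.com", "ipAddress": "10.20.30.40", "authenticationProtocol": "deviceCode", "deviceDetail": {"operatingSystem": "Linux"}}
{"userPrincipalName": "alice@example.com", "ipAddress": "10.20.31.5", "authenticationProtocol": "none", "deviceDetail": {"operatingSystem": "Windows 11"}}
{"userPrincipalName": "bob@example.com", "ipAddress": "203.0.113.77", "authenticationProtocol": "deviceCode", "deviceDetail": {"operatingSystem": "Windows 10"}}
{"userPrincipalName": "build-svc@example.com", "ipAddress": "198.51.100.9", "authenticationProtocol": "deviceCode", "deviceDetail": {"operatingSystem": "Linux"}}
"""

# Hypothetical allow list: who legitimately uses device code, from where, on what OS.
ALLOW_USERS = {"build-svc@example.com"}
ALLOW_OS = {"Linux"}
ALLOW_NETS = [ipaddress.ip_network("10.20.0.0/16")]  # stands in for a named location

def parse_signins(text):
    """Parse newline-delimited JSON sign-in records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def device_code_signins(records):
    """Keep only sign-ins that used the device code flow."""
    return [r for r in records if r.get("authenticationProtocol") == "deviceCode"]

def in_named_location(ip):
    """Mimic a Conditional Access named-location check against approved ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ALLOW_NETS)

def would_be_blocked(record):
    """Report-only evaluation: True if a policy blocking device code for everyone
    outside the allow list above would have denied this sign-in."""
    if record["userPrincipalName"] not in ALLOW_USERS:
        return True
    if record.get("deviceDetail", {}).get("operatingSystem") not in ALLOW_OS:
        return True
    return not in_named_location(record["ipAddress"])

def impact_report(text):
    """Summarise which historic device-code sign-ins the policy would block, per user."""
    dc = device_code_signins(parse_signins(text))
    blocked = [r for r in dc if would_be_blocked(r)]
    return {"device_code_total": len(dc), "blocked_total": len(blocked),
            "blocked_by_user": dict(Counter(r["userPrincipalName"] for r in blocked))}

if __name__ == "__main__":
    print(json.dumps(impact_report(SAMPLE_SIGNINS), indent=2))
```

Any legitimate sign-in that shows up as blocked (here, the build account authenticating from outside its approved range) is a gap to close in the allow list before switching the policy from report-only to enforced.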
