‘Check the URL’ Is No Longer Enough

Credential phishing remains an effective technique enabling everything from account takeover and fraud to ransomware and espionage. However, as organisations become better at defending against common phishing techniques such as multifactor authentication (MFA) phishing, cyber threat actors have expanded their capabilities to techniques like device code and OAuth phishing. Criminals are also using AI tools to scale these attacks faster and target more people. The UAE Cybersecurity Council warns that more than 75% of cyber breaches in the country begin with phishing emails or fraudulent messages.

MFA has long been promoted as a critical line of defence — the UAE Cybersecurity Council notes that it blocks more than 99% of identity-related attacks. But device code phishing is specifically designed to circumvent it. The surge of device code phishing is the natural progression of credential phishing: as more people become aware of multifactor authentication bypass techniques, criminals must get creative.

From 2020 to around 2022, red teams and occasionally criminals and espionage threat actors leveraged the device code phishing technique to trick someone into authorising a malicious app on their enterprise email accounts. But its popularity has grown in recent years. The publication of criminal device code phishing tools in fall 2025, paired with new innovations in attack chains amplified by “vibe coding” resources, turned the previously obscure technique into a phishing free-for-all.

Threat actors abuse the OAuth 2.0 device authorization grant flow to compromise Microsoft 365 or other enterprise user accounts by approving access for actor-controlled applications. While the majority of device code phishing campaigns focus on Microsoft accounts, Proofpoint has also observed Google-themed campaigns in significantly lower volumes.

Current device code phishing differs from the original implementations in one major way, which explains its increased popularity: on-demand code generation. Previously, threat actors would generate a code and send it directly to the recipients, saying they needed to enter the code as soon as possible because it expired in 15 minutes. If a target didn’t see the email, or decided to wait, the code would expire and the actor was out of luck. Current iterations address the limitation of the 15-minute expiration window. In most current device code phishing attacks, the code is generated dynamically when a user clicks on the initial phishing link, so the user can view the email at any time and still kickstart the attack chain.

Successful device code phishing attacks can lead to full account takeover, theft of sensitive information, fraud and business email compromise, lateral movement within a compromised environment, and even disruptive attacks like ransomware.

In device code phishing campaigns, emails can include URLs, attachments with URLs, or QR codes that lead to the device code phishing landing pages. The presented code is unique to the target and the button redirects the user to Microsoft’s legitimate device login portal. If the target enters the provided code into the authentication portal, it allows the threat actor to capture authentication tokens, which can then be used to access the target’s account, including data and other services that the compromised account has access to.

Cybercriminal actor TA4903 began using device code phishing in March 2026, impersonating small businesses and government entities to steal credentials.

In a campaign observed in April 2026, TA4903 used “salary notification” emails containing a PDF attachment with a QR code that, when scanned, redirected to a landing page impersonating DocuSign and Microsoft. Once the user entered the code at the authentic device authentication portal, the token generated by TA4903 was validated, giving the threat actor access to the targeted Microsoft 365 account.

Similarities can be drawn between the popularity and recent explosion of device code phishing and another favoured technique that also recently took over the threat landscape: ClickFix. ClickFix emerged as a unique social engineering technique in 2024, used by a small number of cybercriminals. In less than a year, ClickFix took off across the landscape, with both cybercrime and espionage threat actors, before becoming a staple of modern threat campaigns used by many different adversaries.

Both ClickFix and device code phishing rely on social engineering: an actor must convince a user to take a risky action and input information somewhere they shouldn’t. Both techniques also started out relatively small, with threat actors appearing to experiment before growing into prominent threats now available to be purchased as services on crime forums. New, effective techniques follow similar patterns: a small number of criminals innovate and once they find success, everyone else follows.

Device code phishing represents the latest evolution in credential theft, exploiting legitimate authentication flows to bypass modern security controls. As security gets better, and users get more knowledgeable, hackers need to try new tricks.

The good news is that the defence against device code phishing remains the same, regardless of the kit being used or the method of delivery.

  • Block device code flow where possible. The strongest mitigation is to create a Conditional Access policy using the Authentication Flows condition to block device code flow for all users. Conditional Access policies can first be deployed in a report-only mode to determine the impact for an environment.
  • Require compliant or joined devices. If organisations use device registration or Intune, Conditional Access policies requiring that sign-ins originate from a compliant or registered device will protect users from device code phishing. This should be deployed as a defence-in-depth strategy.
  • Enhance user awareness regarding device code phishing attacks. Traditional phishing awareness often emphasises checking URLs for legitimacy. This approach does not effectively address device code phishing, where users are prompted to enter a device code on the trusted Microsoft portal. User training should include guidance on not entering device codes received from untrusted sources.
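As an added example (not from the original article), the first two controls above expressed in code: a Microsoft Graph Conditional Access policy body that blocks the device code flow for all users, deployed report-only first, plus a triage pass over constructed sign-in records that flags successful device code sign-ins from devices that are neither compliant nor managed. The Graph field names used (authenticationFlows.transferMethods, authenticationProtocol, deviceDetail) are the editor's assumption about the current schema and should be verified before use.

```python
# Added example, not from the original article. Graph field names
# (authenticationFlows.transferMethods, authenticationProtocol, deviceDetail)
# are assumed from the Microsoft Graph schema; verify before relying on them.

def device_code_block_policy(report_only=True):
    """Body for POST /identity/conditionalAccess/policies (assumed schema)."""
    return {
        "displayName": "Block device code flow",
        # Report-only first to measure impact, then switch to enabled.
        "state": "enabledForReportingButNotEnforced" if report_only else "enabled",
        "conditions": {
            "users": {"includeUsers": ["All"]},
            "applications": {"includeApplications": ["All"]},
            # The Authentication Flows condition scoped to the device code grant.
            "authenticationFlows": {"transferMethods": "deviceCodeFlow"},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }

# Constructed sign-in records shaped like Graph signIn objects (not real data).
SAMPLE_SIGNINS = [
    {"userPrincipalName": "a.user@example.com", "authenticationProtocol": "deviceCode",
     "status": {"errorCode": 0}, "deviceDetail": {"isCompliant": False, "isManaged": False}},
    {"userPrincipalName": "b.user@example.com", "authenticationProtocol": "deviceCode",
     "status": {"errorCode": 0}, "deviceDetail": {"isCompliant": True, "isManaged": True}},
    {"userPrincipalName": "c.user@example.com", "authenticationProtocol": "oAuth2",
     "status": {"errorCode": 0}, "deviceDetail": {"isCompliant": False, "isManaged": False}},
    {"userPrincipalName": "d.user@example.com", "authenticationProtocol": "deviceCode",
     "status": {"errorCode": 50126}, "deviceDetail": {}},
]

def triage_device_code_signins(records):
    """Return (upn, severity) for each device code sign-in in the records."""
    findings = []
    for r in records:
        if r.get("authenticationProtocol") != "deviceCode":
            continue
        succeeded = r.get("status", {}).get("errorCode", 0) == 0
        dev = r.get("deviceDetail") or {}
        trusted = bool(dev.get("isCompliant") or dev.get("isManaged"))
        if not succeeded:
            sev = "info"    # failed attempt: note it, no token was issued
        elif trusted:
            sev = "medium"  # compliant/managed device: confirm with the user
        else:
            sev = "high"    # success from an untrusted device: revoke sessions
        findings.append((r["userPrincipalName"], sev))
    return findings
```

Once the policy is enforced, the "high" findings should disappear from new sign-in logs; any that remain point at a gap in policy scope.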