logo

Report: Device Code Phishing is Surging

ID: 2ede5201-c418-5592-aa61-bf1d28ce0a3b

STIX ID: report--2ede5201-c418-5592-aa61-bf1d28ce0a3b

Feed Name: KnowBe4 Blog

Threat Score
75/100

Date Published: 2026-06-25

Date Updated: 2026-06-26

Author: KnowBe4 Team

...
...

LevelBlue reports a rapid rise in device code flow phishing campaigns that exploit Microsoft’s authentication flow to harvest Microsoft 365 access and refresh tokens without capturing passwords, enabling account takeover and persistent access. Major commodity phishing kits and PhaaS platforms (Tycoon2FA, EvilTokens, Kali365, Ghost Hub, Cyb3r) have incorporated this capability—Tycoon2FA notably resumed operations after a takedown with device code features—making sophisticated token-harvesting attacks accessible to both skilled and low-skilled actors.

Your team is not currently subscribed to this feed. You must subscribe to it in order to see this post.