logo

We Need to Talk About Device Code Phishing

ID: f0d7ef3b-fae8-5f65-9eab-7305178853a6

STIX ID: report--f0d7ef3b-fae8-5f65-9eab-7305178853a6

Feed Name: Huntress Blog

Threat Score
78/100

Date Published: 2026-06-22

Date Updated: 2026-06-25

...
...

This report documents the growing use of device code phishing—an abuse of OAuth device authorization flows—highlighting campaigns by suspected Russian actor Storm-2372 and widespread abuse via PhaaS kits (EvilTokens, Kali365) that harvested OAuth tokens to bypass MFA and compromise hundreds of organizations; it describes the attack mechanics, observed campaign details, and mitigation recommendations including Conditional Access, monitoring new device registrations, and disabling device code flow where operationally feasible.

Your team is not currently subscribed to this feed. You must subscribe to it in order to see this post.