Device Code Phishing is an Evolution in Identity Takeover
Proofpoint US, Wednesday, May 13th, 2026
Device code phishing attacks are rapidly escalating as criminals leverage new tools and techniques to bypass MFA and compromise enterprise accounts.
Device code phishing has emerged as a critical evolution in identity takeover attacks, with criminal toolkits and phishing-as-a-service offerings accelerating its prevalence across the threat landscape. These attacks exploit the legitimate OAuth 2.0 device authorization flow to compromise Microsoft 365 and other enterprise accounts by tricking users into approving malicious applications. Recent innovations include on-demand code generation that bypasses the previous 15-minute expiration limitation, making attacks more effective at scale.
Successful attacks can result in full account takeover, data theft, business email compromise, and lateral movement within organizations. As organizations improve defenses against traditional MFA phishing, threat actors are increasingly adopting device code and OAuth phishing techniques combined with LLM-generated tools to target more victims with sophisticated social engineering.
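On the detection side, the device authorization flow abuse described above can be hunted in identity sign-in logs. The following is an added example, not code from the article or from Proofpoint: it flags successful device code sign-ins that are a first for the user or that come from a different country than the user's recent interactive sign-in. The record schema, field names, allowlist and 24-hour window are assumptions made for illustration, and the sample records are constructed.

```python
from datetime import datetime, timedelta

# Constructed sign-in records in a simplified, assumed schema
# (not any identity provider's exact export format).
SIGNINS = [
    {"time": "2026-05-12T09:00:00", "user": "alice@example.com", "protocol": "interactive", "country": "US", "ok": True},
    {"time": "2026-05-12T09:20:00", "user": "alice@example.com", "protocol": "deviceCode", "country": "NL", "ok": True},
    {"time": "2026-05-12T10:00:00", "user": "kiosk-svc@example.com", "protocol": "deviceCode", "country": "US", "ok": True},
    {"time": "2026-05-12T10:30:00", "user": "bob@example.com", "protocol": "deviceCode", "country": "BR", "ok": False},
    {"time": "2026-05-12T11:00:00", "user": "carol@example.com", "protocol": "deviceCode", "country": "US", "ok": True},
    {"time": "2026-05-12T15:00:00", "user": "carol@example.com", "protocol": "deviceCode", "country": "US", "ok": True},
]

# Assumed allowlist: accounts for input-constrained devices that legitimately use the flow.
ALLOWED_DEVICE_CODE_USERS = {"kiosk-svc@example.com"}

def find_suspicious_device_code(signins, allowlist=ALLOWED_DEVICE_CODE_USERS,
                                window=timedelta(hours=24)):
    """Return (record, reasons) for successful device code sign-ins that look out of pattern."""
    last_interactive = {}   # user -> (timestamp, country) of latest successful non-device-code sign-in
    seen_device_code = set()
    findings = []
    for rec in sorted(signins, key=lambda r: r["time"]):
        ts = datetime.fromisoformat(rec["time"])
        user = rec["user"]
        if rec["protocol"] != "deviceCode":
            if rec["ok"]:
                last_interactive[user] = (ts, rec["country"])
            continue
        if not rec["ok"] or user in allowlist:
            continue  # failed attempts and approved accounts are out of scope here
        reasons = []
        if user not in seen_device_code:
            reasons.append("first device code sign-in for user")
        prev = last_interactive.get(user)
        if prev and ts - prev[0] <= window and prev[1] != rec["country"]:
            reasons.append("country differs from recent interactive sign-in")
        seen_device_code.add(user)
        if reasons:
            findings.append((rec, reasons))
    return findings

if __name__ == "__main__":
    for rec, reasons in find_suspicious_device_code(SIGNINS):
        print(rec["time"], rec["user"], "; ".join(reasons))
```

Where few users have a business need for the flow, blocking it by policy outside the allowlist is the stronger control, with a hunt like this covering the exceptions.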