Information Security News
The “EvilTokens” Surge: Why Device Code Phishing Exploded 37-Fold in 2026

by Nam Phong · April 7, 2026

The architecture of account exploitation is undergoing a profound metamorphosis, as adversaries increasingly eschew traditional subversion in favor of co-opting legitimate authorization frameworks. At a cursory glance, the procedure appears innocuous; however, therein lies the quintessence of the peril: the victim unwittingly unlatches the gates to their own sanctuary, oblivious to the underlying artifice.

Researchers have chronicled a precipitous surge in attacks leveraging “Device Codes”, an escalation exceeding 37-fold within a single calendar year. This phenomenon involves the systemic abuse of the OAuth 2.0 Device Authorization Grant, a protocol originally conceived to facilitate seamless authentication for devices lacking keyboards or possessing constrained input capabilities, such as smart televisions, printers, or IoT peripherals.

The attack path is strikingly uncomplicated. An assailant initiates an authorization request to obtain a device code, which is then surreptitiously conveyed to the victim under various pretenses, frequently via e-mail or instant messaging. Once the user enters this code on the genuine login portal, they effectively authorize the attacker's client for their own account, granting the adversary valid tokens and absolute dominion over the session.

While this technique has been recognized since 2020, its ubiquitous application has only recently matured. It is no longer a localized anomaly; the method is now wielded en masse by both fiscally motivated syndicates and highly orchestrated state actors.

Researchers at Push Security observe that the proliferation of this threat has been catalyzed by sophisticated toolkits marketed under the “Phishing-as-a-Service” model. Most prominent is the EvilTokens suite, which has significantly lowered the barrier to entry, rendering such incursions accessible even to neophyte actors. Concurrently, a burgeoning ecosystem of rival platforms is emerging to contest this niche.

Notable among these are VENOM, SHAREFILE, CLURE, LINKID, AUTHOV, and DOCUPOLL. The majority of these frameworks masquerade as ubiquitous SaaS environments, including Microsoft 365, DocuSign, Adobe, and corporate collaboration tools like Teams. To augment their efficacy, these platforms employ anti-bot filtering, fraudulent landing pages, and cloud-based infrastructure.

Certain kits meticulously simulate legitimate professional workflows, such as the dispatch of documents for signature or notifications from human resources. This tactical refinement mitigates suspicion, increasing the likelihood that a user will input the code without hesitation.

Experts counsel restricting Device Code authorization in environments where it is non-essential. Furthermore, the rigorous interrogation of authentication logs, monitoring for unsolicited authorization attempts, anomalous IP addresses, and irregular session behaviors, remains a vital defensive measure. The ascendancy of such attacks illustrates that adversaries increasingly rely not on technical vulnerabilities, but on the weaponization of user trust and the legitimate mechanisms of modern services.
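The two defensive measures above (limiting the grant to accounts that need it and reviewing logs for the tell-tale split between where the code was requested and where it was approved) can be expressed as a small triage script. This is an added example, not code from the article or from Push Security; the log records, the corporate address range, and the exemption list are all constructed assumptions.

```python
import ipaddress
from typing import Dict, List

# Constructed sample sign-in records (not real logs). "request_ip" is the
# client that asked for the device code and will receive the tokens;
# "approval_ip" is where the user typed the code into the login portal.
EVENTS = [
    {"user": "alice@example.com", "protocol": "deviceCode",
     "request_ip": "203.0.113.9", "approval_ip": "198.51.100.4"},
    {"user": "printer-svc@example.com", "protocol": "deviceCode",
     "request_ip": "198.51.100.20", "approval_ip": "198.51.100.21"},
    {"user": "bob@example.com", "protocol": "browser",
     "request_ip": "198.51.100.7", "approval_ip": "198.51.100.7"},
    {"user": "carol@example.com", "protocol": "deviceCode",
     "request_ip": "198.51.100.30", "approval_ip": "198.51.100.31"},
]

# Assumed policy inputs: the organisation's own address ranges and the
# only accounts with a legitimate need for the device-code grant.
CORPORATE_NETS = [ipaddress.ip_network("198.51.100.0/24")]
DEVICE_CODE_ALLOWED = {"printer-svc@example.com"}


def is_corporate(ip: str) -> bool:
    """True when the address falls inside a known corporate range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CORPORATE_NETS)


def assess(evt: dict) -> List[str]:
    """Return the reasons a record looks like device-code phishing."""
    if evt["protocol"] != "deviceCode":
        return []
    reasons = []
    if evt["user"] not in DEVICE_CODE_ALLOWED:
        reasons.append("device code grant used by account without an exemption")
    if not is_corporate(evt["request_ip"]):
        reasons.append("tokens issued to a client outside corporate ranges")
    if is_corporate(evt["approval_ip"]) != is_corporate(evt["request_ip"]):
        reasons.append("code requested and approved from different networks")
    return reasons


def find_suspicious(events: List[dict]) -> Dict[str, List[str]]:
    """Map each flagged user to its reasons; clean records are omitted."""
    return {e["user"]: r for e in events if (r := assess(e))}
```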
