Why Device Logins Just Became a Liability

[Image: device login phishing warning graphic showing a laptop, smartphone, tablet, and smart TV displaying authentication prompts, with a shadowed figure standing in a doorway behind them]



May 27, 2026 · by TorchLight · in Cybersecurity Briefings

Since February, security researchers have tracked an active device code phishing campaign that has compromised identities at more than 340 organizations across the United States and 4 other countries. The targets are a cross-section of regulated America: construction, financial services, healthcare, legal, government, and nonprofits. None of them lost a password. Unfortunately, they lost something more durable than that.

How a six-digit code becomes a stolen office

Microsoft, Google, and most identity providers offer a feature called the OAuth device authorization flow. It was built for the kindest possible reason. Smart TVs, conference-room displays, and other devices that cannot easily show a full login screen need some way to authenticate to your account. So the system gives the device a short code and asks the user to type that code into a real, official login page on their phone or laptop. Once the code is entered, the device is granted access tokens that act as the digital equivalent of a key. Abuse of that handoff is what is generally referred to as device code phishing.

That mechanism is now being used against the people it was designed to serve.

Here is the attack as it actually plays out. An attacker requests a device code from Microsoft on their own machine. Microsoft, doing what it is supposed to do, generates a legitimate code and waits for someone to verify it. The attacker emails a victim, usually impersonating a DocuSign envelope, a voicemail notification, or a construction bid: please go to microsoft.com/devicelogin and enter this code to access the document. The victim does. The Microsoft page is real. The MFA prompt is real. The code is real. The whole transaction is technically textbook.

And at the end of it, the attacker, not the victim, is holding the access token.

The campaign that hit 340 organizations (without a single password)

Researchers at Huntress first picked up the activity on February 19, 2026. Within weeks the case count had crossed 340 instances. ANY.RUN, which runs an interactive malware sandbox, logged more than 180 malicious URLs tied to this same technique in a single week. Palo Alto Networks’ Unit 42 documented a near-identical campaign starting one day earlier, on February 18, which shows how quickly and at what volume these attacks can multiply.

The infrastructure shows this is being done at scale. Most of the phishing pages were hosted on Cloudflare Workers domains (the kind that ends in workers.dev), because corporate web filters tend to trust Cloudflare. Captured sessions were funneled through a small cluster of IPs on a platform-as-a-service called Railway, where three IP addresses accounted for roughly 84% of observed events. This is industrial.

The lure changes by industry: Construction firms get bid invitations. Real estate offices get DocuSign envelopes. Manufacturers get supplier portals. Healthcare practices and credit unions get voicemail notifications and “secure document” prompts that look exactly like the ones their vendors actually send.

There is even a phishing-as-a-service kit selling this attack on Telegram, called EvilTokens, with documentation, 24/7 customer support, and a feedback channel. According to French cybersecurity firm Sekoia, the operator already plans to extend the kit to Gmail and Okta phishing pages. Their words: a turnkey Microsoft device code phishing kit.

Regulators are watching this

Credit unions answer to the NCUA, the federal regulator that examines them for cybersecurity adequacy. Healthcare providers answer to OCR, the federal agency that enforces HIPAA. RIA firms answer to the SEC under Reg S-P, the rule that governs how investment advisers protect client information. The way these tokens work is the reason the red flags are going up. A stolen access token will expire on its own in roughly an hour. A stolen refresh token can keep producing fresh access tokens for weeks. Resetting the user’s password does not invalidate it. Resetting MFA does not invalidate it. The only way to evict the attacker is to explicitly revoke the tokens themselves, which is not something most mid-market organizations have ever done outside of an active incident.
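To make concrete why a password reset changes nothing here while revocation does, the following is a toy model of the device authorization flow described in the earlier section together with the token lifecycle from this paragraph. It is an added example, not Microsoft's code or anything the researchers published; the server, the user name and the token formats are all constructed.

```python
"""Toy OAuth device authorization grant (RFC 8628) with token revocation; a constructed model."""
import secrets

class ToyAuthServer:
    def __init__(self):
        self.grants = {}          # device_code -> {"user_code": str, "approved_by": user or None}
        self.user_codes = {}      # user_code -> device_code
        self.refresh_tokens = {}  # refresh_token -> (user, session generation when issued)
        self.sessions = {}        # user -> session generation; bumped only by revocation

    def device_authorization(self):
        """Step 1: whoever wants access requests a device_code/user_code pair."""
        device_code, user_code = secrets.token_hex(16), secrets.token_hex(4).upper()
        self.grants[device_code] = {"user_code": user_code, "approved_by": None}
        self.user_codes[user_code] = device_code
        return {"device_code": device_code, "user_code": user_code}

    def approve(self, user, user_code):
        """Step 2: a signed-in, MFA-verified user types user_code on the real login page."""
        self.grants[self.user_codes[user_code]]["approved_by"] = user

    def token(self, device_code):
        """Step 3: tokens go to whoever presents device_code, never to the approver."""
        user = self.grants[device_code]["approved_by"]
        if user is None:
            return {"error": "authorization_pending"}
        refresh = secrets.token_hex(16)
        self.refresh_tokens[refresh] = (user, self.sessions.setdefault(user, 0))
        return {"access_token": secrets.token_hex(8), "refresh_token": refresh}

    def refresh(self, refresh_token):
        """Valid until the user's session generation changes; no password is ever checked."""
        user, generation = self.refresh_tokens.get(refresh_token, (None, None))
        if user is None or generation != self.sessions[user]:
            return {"error": "invalid_grant"}
        return {"access_token": secrets.token_hex(8)}

    def revoke_sign_in_sessions(self, user):
        """The explicit revocation step: every earlier refresh token for this user dies."""
        self.sessions[user] = self.sessions.get(user, 0) + 1

def walkthrough():
    idp = ToyAuthServer()
    codes = idp.device_authorization()                    # requested on the requester's machine
    idp.approve("user@example.com", codes["user_code"])   # the user enters the short code
    tokens = idp.token(codes["device_code"])              # the requester receives the tokens
    # A password reset is not modelled: nothing in refresh() depends on a password.
    after_reset = "access_token" in idp.refresh(tokens["refresh_token"])
    idp.revoke_sign_in_sessions("user@example.com")
    after_revoke = "access_token" in idp.refresh(tokens["refresh_token"])
    return after_reset, after_revoke
```

walkthrough() returns (True, False): the refresh token keeps working through a password reset and stops only once the session generation is bumped.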

For a regulator, the discoverable trail of a password-based breach is relatively clean. There’s a login event, there’s a credential reset, there’s a notification timeline. The trail of a token-based breach is much quieter. The attacker uses the legitimate Microsoft authentication endpoint, behaves like a normal user, and may sit inside email or SharePoint for weeks before anyone notices the mailbox rule quietly forwarding finance conversations to an attacker-controlled inbox.

What “ready” actually looks like for this specific threat

There is no single product purchase that solves device code phishing. There is a short list of configurations and habits that close the most common gaps, and most of them are free.

In Microsoft Entra ID (formerly Azure AD), the device code flow can be disabled or restricted by conditional access policy for most users. Organizations that do not legitimately use device-code authentication for Teams Rooms, kiosks, or shared displays usually have no business leaving it on by default. Conditional access policies can also flag logins from unfamiliar geographies or block sign-ins originating from platform-as-a-service IP ranges from which no employee should ever be authenticating.

Sign-in logs and unified audit logs need a real human looking at them, on a real cadence, with a real definition of what is normal for the tenant. That’s the work that gets skipped in mid-market shops because the IT generalist has fourteen other priorities. It is also the work that catches a token replay before it becomes a wire fraud incident.
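As an added example of what "a real definition of what is normal" can look like in practice, here is a small triage pass over constructed Entra-style sign-in records; it is not TorchLight's tooling. The field names follow the Microsoft Graph signIn resource (authenticationProtocol, ipAddress, userPrincipalName), and the allow list and IP ranges are placeholders a tenant would replace with its own.

```python
"""Triage of Entra-style sign-in records for device code flow abuse. Constructed sample data;
field names follow the Microsoft Graph signIn resource (authenticationProtocol, ipAddress, ...)."""
import ipaddress
import json

# Accounts that legitimately use device code flow (Teams Rooms, kiosks). Constructed names.
DEVICE_CODE_ALLOWLIST = {"room-boardroom@example.com", "kiosk-lobby@example.com"}
# Ranges where employee sign-ins are expected. Placeholder documentation ranges.
CORPORATE_RANGES = [ipaddress.ip_network("203.0.113.0/24"), ipaddress.ip_network("198.51.100.0/24")]
# Hosting / platform-as-a-service ranges nobody should sign in from. Placeholder value.
HOSTING_RANGES = [ipaddress.ip_network("192.0.2.0/24")]

# Constructed records: one legitimate room sign-in, one suspicious executive sign-in from a
# hosting range, one ordinary Outlook sign-in, and one device code use by a regular employee.
SAMPLE_SIGNINS = """[
{"createdDateTime":"2026-02-19T14:02:11Z","userPrincipalName":"room-boardroom@example.com","ipAddress":"203.0.113.40","authenticationProtocol":"deviceCode","appDisplayName":"Microsoft Teams","location":{"countryOrRegion":"US"}},
{"createdDateTime":"2026-02-19T14:05:37Z","userPrincipalName":"cfo@example.com","ipAddress":"192.0.2.17","authenticationProtocol":"deviceCode","appDisplayName":"Microsoft Office","location":{"countryOrRegion":"US"}},
{"createdDateTime":"2026-02-19T14:06:02Z","userPrincipalName":"cfo@example.com","ipAddress":"203.0.113.88","authenticationProtocol":"none","appDisplayName":"Outlook","location":{"countryOrRegion":"US"}},
{"createdDateTime":"2026-02-19T15:11:49Z","userPrincipalName":"paralegal@example.com","ipAddress":"198.51.100.9","authenticationProtocol":"deviceCode","appDisplayName":"Microsoft Office","location":{"countryOrRegion":"US"}}
]"""

def in_any(ip, networks):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)

def triage(records):
    """Return one alert dict per sign-in that deserves a human look, with the reasons why."""
    alerts = []
    for rec in records:
        reasons = []
        upn, ip = rec["userPrincipalName"], rec["ipAddress"]
        device_code = rec.get("authenticationProtocol") == "deviceCode"
        if device_code and upn not in DEVICE_CODE_ALLOWLIST:
            reasons.append("device code flow used by a non-kiosk account")
        if in_any(ip, HOSTING_RANGES):  # also catches later refresh-token redemptions from there
            reasons.append("sign-in from a hosting/PaaS range")
        if device_code and not in_any(ip, CORPORATE_RANGES):
            reasons.append("device code completion from outside corporate ranges")
        if reasons:
            alerts.append({"time": rec["createdDateTime"], "user": upn, "ip": ip, "reasons": reasons})
    return alerts

def run():
    return triage(json.loads(SAMPLE_SIGNINS))
```

On the sample, run() produces two alerts: the executive's device code sign-in from the hosting range (three reasons) and the paralegal's device code use from a corporate address (one reason); the room account and the ordinary Outlook sign-in pass.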

Token revocation needs to be a known runbook, not a Google search performed during an incident. The Microsoft Graph API supports a one-line command to invalidate all refresh tokens for a user. Whether your team knows that, and has practiced it, is the difference between a six-hour containment and a six-week one.

User training matters less than it used to in this category. A motivated employee following a polished DocuSign lure will enter the code. Training is not the last line of defense here. Configuration is.

The piece nobody wants to talk about yet

This technique is spreading because device code flow exists in basically every modern OAuth ecosystem, and a generation of mid-market organizations rolled out Microsoft 365, Google Workspace, and Okta without ever turning a single knob on the way it behaves. EvilTokens is selling a kit, and Sekoia expects Gmail and Okta versions to follow within the year. The attack surface is everyone who has an identity provider, which is to say, everyone.

If your organization serves members, patients, or high-net-worth clients, the calculus is not “could this happen to us.” It is “would we know if it already had.” A managed security service provider or a virtual CISO on retainer can answer that question with a date attached. The internal IT team usually can’t, because reviewing OAuth token lineage was never what they were hired to do.


The uncomfortable part of device code phishing is that the user did everything right by the old definition. They went to a real Microsoft page, they entered real MFA, and they followed instructions in an email that looked normal. The defense lives upstream of the click in how identity infrastructure is configured before any phishing email arrives.

Three questions worth sitting with:

1. Do you know if device code flow is enabled in your Microsoft or Google tenant?
2. Could anyone on your team list which third-party OAuth applications currently hold refresh tokens to user accounts?
3. If a token replay attack happened in your environment this morning, when would you find out?

We’re curious which one stings the most. Comments are open.


TorchLight specializes in managed security services for organizations where security and compliance are non-negotiable. With 18+ years serving regulated industries, 24/7 SOC operations, and deep regulatory fluency across GLBA, HIPAA, and SEC requirements, TorchLight delivers security operations leadership can defend.
