Device code phishing surges as ASD warns Microsoft 365 users
Device code phishing is targeting Australian Microsoft 365 users, the ASD has warned, as Proofpoint tracks a surge in criminal toolkits and phishing-as-a-service platforms.

The Australian Signals Directorate has warned that Australian Microsoft 365 users are being targeted by device code phishing attacks, with Proofpoint research linking the rise to publicly available criminal toolkits and the growth of phishing-as-a-service platforms.
The ASD said it had received multiple reports. The attacks abuse a legitimate Microsoft sign-in process — they do not involve stealing passwords.
“The phishing activity doesn’t steal passwords or multi-factor authentication (MFA) codes. Nor is it a technical flaw in Microsoft systems. Instead, users are deceived into approving access for a device or application controlled by a malicious cyber actor.”
— Australian Signals Directorate
Device code phishing works through the OAuth device authorisation flow, a pathway Microsoft built for hardware that cannot run a full browser — smart TVs, printers, command-line tools. When a user signs into one of these devices, Microsoft 365 generates a short alphanumeric code and tells the user to enter it at a separate login page to finish authentication.
Attackers exploit this sequence. They request a valid code from Microsoft’s servers, then deliver it to the target via a phishing email, a Teams message, or a fake login page dressed as a Microsoft prompt. If the victim enters the code and approves the sign-in, the attacker walks away with OAuth access and refresh tokens — no password, no MFA code required.
“However, malicious cyber actors are now using automated systems and AI to request legitimate fresh codes at the exact moment a victim clicks, making the attack more reliable and far more likely to succeed.”
— Australian Signals Directorate
From red teams to criminal toolkits
Proofpoint’s threat research, released alongside the ASD advisory, traces the technique’s trajectory from niche red-team tooling to the criminal mainstream. Proofpoint found that threat actor TA4903 adopted device code phishing in March 2026 and now uses it almost exclusively. Seven near-identical variants surfaced in a single 10-day window in April.
“The spike in device code phishing coincides with publicly released criminal toolkits, and the emergence of multiple phishing-as-a-service (PhaaS) offerings.”
— Proofpoint
The timeline has moved fast. Researchers first described the technique in 2020, when only red teams and a handful of advanced threat actors were using it. Public criminal toolkits surfaced in late 2025.
By February 2026, the EvilTokens phishing-as-a-service platform was advertising on Telegram, according to PushSecurity researchers who have tracked the threat since it emerged. Within a month, TA4903 and other groups had made device code phishing their primary access method.
The ASD urged Microsoft 365 administrators to review authentication settings and disable device code flows where they are not needed. Organisations that use the flow should configure conditional access policies, limit which devices and locations can begin authentication, and monitor for unusual sign-ins — authentications from unfamiliar device types or locations that do not match typical user patterns, the directorate said.
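The monitoring step the ASD describes above can be turned into a simple check over sign-in logs. The following is an added example, not code from the advisory, Proofpoint or Microsoft: it builds a per-user baseline of countries and platforms from ordinary browser sign-ins, then flags successful device-code sign-ins that fall outside that baseline. The records are constructed, and the field names (authenticationProtocol, location, deviceDetail) are assumed to follow the Microsoft Graph sign-in log schema.

```python
from collections import defaultdict

# Constructed sample of Entra ID-style sign-in records, not real logs. Field names are an
# assumption based on the Microsoft Graph signIn resource, where authenticationProtocol
# is "deviceCode" for the OAuth device authorisation flow and "oAuth2" for browser logins.
SAMPLE_SIGNINS = [
    {"userPrincipalName": "alice@example.gov.au", "authenticationProtocol": "oAuth2",
     "location": {"countryOrRegion": "AU"}, "deviceDetail": {"operatingSystem": "Windows 11"},
     "ipAddress": "203.0.113.10", "status": {"errorCode": 0}},
    {"userPrincipalName": "alice@example.gov.au", "authenticationProtocol": "oAuth2",
     "location": {"countryOrRegion": "AU"}, "deviceDetail": {"operatingSystem": "iOS"},
     "ipAddress": "203.0.113.11", "status": {"errorCode": 0}},
    # Device-code sign-in completed from a country and platform alice has never used:
    # the pattern the advisory tells administrators to watch for.
    {"userPrincipalName": "alice@example.gov.au", "authenticationProtocol": "deviceCode",
     "location": {"countryOrRegion": "NL"}, "deviceDetail": {"operatingSystem": "Linux"},
     "ipAddress": "198.51.100.7", "status": {"errorCode": 0}},
    # Device-code sign-in matching bob's usual country and platform (e.g. a CLI tool).
    {"userPrincipalName": "bob@example.gov.au", "authenticationProtocol": "deviceCode",
     "location": {"countryOrRegion": "AU"}, "deviceDetail": {"operatingSystem": "Windows 11"},
     "ipAddress": "203.0.113.20", "status": {"errorCode": 0}},
    {"userPrincipalName": "bob@example.gov.au", "authenticationProtocol": "oAuth2",
     "location": {"countryOrRegion": "AU"}, "deviceDetail": {"operatingSystem": "Windows 11"},
     "ipAddress": "203.0.113.20", "status": {"errorCode": 0}},
]

def build_baseline(signins):
    """Countries and platforms each user normally signs in from (successful, non-device-code)."""
    countries, platforms = defaultdict(set), defaultdict(set)
    for s in signins:
        if s["authenticationProtocol"] == "deviceCode" or s["status"]["errorCode"] != 0:
            continue
        countries[s["userPrincipalName"]].add(s["location"]["countryOrRegion"])
        platforms[s["userPrincipalName"]].add(s["deviceDetail"]["operatingSystem"])
    return countries, platforms

def flag_device_code_signins(signins):
    """Return successful device-code sign-ins whose country or platform is outside the user's baseline."""
    countries, platforms = build_baseline(signins)
    findings = []
    for s in signins:
        if s["authenticationProtocol"] != "deviceCode" or s["status"]["errorCode"] != 0:
            continue
        user, reasons = s["userPrincipalName"], []
        if s["location"]["countryOrRegion"] not in countries[user]:
            reasons.append("unfamiliar country " + s["location"]["countryOrRegion"])
        if s["deviceDetail"]["operatingSystem"] not in platforms[user]:
            reasons.append("unfamiliar platform " + s["deviceDetail"]["operatingSystem"])
        if reasons:
            findings.append({"user": user, "ip": s["ipAddress"], "reasons": reasons})
    return findings

if __name__ == "__main__":
    for finding in flag_device_code_signins(SAMPLE_SIGNINS):
        print(finding)
```

On the sample data only alice's Dutch Linux device-code sign-in is flagged; in production the baseline would be built from a longer history than a few records.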
Device code phishing is dangerous because it sidesteps the protections organisations have spent years deploying. Multi-factor authentication stops credential harvesting cold, but it offers no defence when the attacker obtains the authenticated session itself — the token, not the password, is the prize. Australian government agencies and enterprises that have rolled out MFA across their Microsoft 365 tenants remain exposed unless they have also locked down device code flows, eSecurity Planet noted.
For Australian defenders, the advisory comes as federal and state agencies deepen their reliance on Microsoft 365, and as the ASD’s own Essential Eight maturity framework treats multi-factor authentication as a baseline control. Device code phishing exposes a gap in that model: strong authentication at the front door means little if the session token can be taken through a side entrance.
The advisory is the latest in a string of ASD warnings on Microsoft technologies this year. The directorate has pointed to the commercialisation of phishing toolkits — and the injection of automation and AI into attack workflows — as a shift Australian defenders cannot ignore.
Reza Khalil
Cybersecurity reporter covering breaches, threat intel, and the ACSC beat. Former incident responder. Reports from Canberra.