What is OAuth device code phishing?

OAuth device code phishing is an attack that exploits the OAuth 2.0 Device Authorization Grant (RFC 8628) to trick users into authenticating on behalf of an attacker's application. The attacker requests a device code, sends it to the victim via phishing, and collects the resulting access and refresh tokens when the victim completes a genuine MFA-verified sign-in on microsoft.com/devicelogin.

Why does MFA not stop device code phishing?

MFA verifies that the correct user is completing the authentication challenge, but in a device code flow the resulting token is issued to whichever OAuth client ID was used to initiate the request. The attacker controls that client. The victim's MFA challenge is genuine and succeeds, but the tokens land in the attacker's polling loop, not in a browser session belonging to the victim.

How do I block device code phishing with Conditional Access in Microsoft 365?

Create a Conditional Access policy in Microsoft Entra ID targeting All users and All cloud apps. Under Conditions, expand Authentication flows, set Configure to Yes, and check Device code flow. Under Grant, select Block access. Start in Report-only mode for 48-72 hours to audit existing usage, then switch to On. Exclude any users who legitimately need device code flow for headless devices or legacy tooling.

What are EvilTokens and Kali365?

EvilTokens is a Phishing-as-a-Service platform launched in February 2026 that automates device code phishing for Microsoft 365, using Railway.com backend infrastructure and AI-generated lures. Kali365 is a second PhaaS platform first observed in April 2026 and flagged in FBI PSA IC3-PSA260521 issued May 21, 2026. Both are sold through Telegram and provide dashboards, campaign templates, and automated OAuth token capture.

How can I detect device code phishing attempts in Microsoft Entra logs?

In Entra ID sign-in logs, filter by Authentication protocol = deviceCode and Result = Success. Combine this with a filter for empty DeviceDetail.deviceId to isolate unmanaged-device sign-ins, which are high-confidence indicators of phishing. In Microsoft Sentinel, use: SigninLogs | where AuthenticationProtocol == "deviceCode" | where ResultType == 0 | where isempty(DeviceDetail.deviceId). Microsoft Entra ID Protection also raises an Anomalous token risk detection for unusual device code token issuance.

What should I do if a device code phishing attack compromised a user?

Immediately run Revoke-MgUserSignInSession to invalidate all refresh tokens (a password reset alone does not revoke tokens). Audit all OAuth application grants from the compromised account and revoke any unrecognized apps. Check for email forwarding or inbox rules created after the sign-in event. Review Teams and email sent by the compromised account within 24 hours for lateral phishing. Report the incident to the FBI IC3 at ic3.gov.

Cybersecurity5 min read

OAuth Device Code Phishing: How EvilTokens and Kali365 Bypass MFA and What Microsoft 365 Teams Must Do Now

OAuth device code phishing exploits a legitimate Microsoft authentication flow to steal persistent tokens, bypassing MFA entirely. With a 37x surge in 2026 and the FBI warning about Kali365, here is the definitive M365 defense guide.

Idan Ohayon

Microsoft Cloud Solution Architect

June 24, 2026

OAuth device code phishing diagram showing attacker-controlled device flow, victim MFA authentication, and stolen access token exfiltration

Recommended tool: Pluralsight

Level up your security skills with expert-led courses. Free 10-day trial, then access thousands of courses across cloud security, networking, and certifications.

Start free trialRecommended

Get weekly security insights

Cloud security, zero trust, and identity guides — straight to your inbox.

Continue Learning

SOC Analyst Level 1 Roadmap

Get job-ready for your first Security Operations Center role.

Start the Beginner Path10h · 4 topics · 10 quiz questions

Idan Ohayon

Microsoft Cloud Solution Architect

Cloud Solution Architect with deep expertise in Microsoft Azure and a strong background in systems and IT infrastructure. Passionate about cloud technologies, security best practices, and helping organizations modernize their infrastructure.