
Device Code Phishing Campaigns Surge 37 Times in 2026
Device code phishing campaigns increased approximately 37-fold in 2026, driven by automated kits that exploit the OAuth 2.0 Device Authorization Grant flow. Attackers use this technique to steal access tokens and, in many cases, refresh tokens, which lets them hijack accounts without needing passwords. The rise is attributed to new phishing kits that streamline the abuse of OAuth protocols. The report did not mention specific threat actors, affected organizations, or CVE identifiers. The attack method bypasses traditional authentication safeguards by leveraging legitimate OAuth mechanisms.
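Because the flow itself is legitimate, detection has to rest on context around the grant. The following is an added example, not taken from the report: it correlates the three stages of a device authorization grant and flags completed grants that were started from outside the organization's own networks, rating them higher when a refresh token was issued. The audit-log schema, field names, `TRUSTED_NETS` and the sample events are assumptions constructed for illustration.

```python
import ipaddress

DEVICE_GRANT = "urn:ietf:params:oauth:grant-type:device_code"  # grant type from RFC 8628
# Assumption: networks from which the organization's own devices start this flow.
TRUSTED_NETS = [ipaddress.ip_network("198.51.100.0/24")]

# Constructed sample events; the field names are a hypothetical audit-log schema.
EVENTS = [
    {"type": "device_authorization", "flow": "f1", "ip": "198.51.100.20", "client_id": "tv-app"},
    {"type": "user_approval", "flow": "f1", "user": "alice", "ip": "198.51.100.31"},
    {"type": "token_issued", "flow": "f1", "grant_type": DEVICE_GRANT, "refresh_token": False},
    {"type": "device_authorization", "flow": "f2", "ip": "203.0.113.77", "client_id": "cli-tool"},
    {"type": "user_approval", "flow": "f2", "user": "bob", "ip": "198.51.100.45"},
    {"type": "token_issued", "flow": "f2", "grant_type": DEVICE_GRANT, "refresh_token": True},
    {"type": "device_authorization", "flow": "f3", "ip": "203.0.113.90", "client_id": "cli-tool"},
]

def is_trusted(ip):
    """True if the address belongs to one of the organization's networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETS)

def find_suspicious_device_grants(events):
    """Group events per flow and alert on completed grants started from untrusted IPs."""
    flows = {}
    for ev in events:
        flows.setdefault(ev["flow"], {})[ev["type"]] = ev
    alerts = []
    for flow_id, parts in sorted(flows.items()):
        start, approval, token = (parts.get(k) for k in
                                  ("device_authorization", "user_approval", "token_issued"))
        # Only a flow that was started, approved and redeemed has handed out tokens.
        if not (start and approval and token) or token["grant_type"] != DEVICE_GRANT:
            continue
        if is_trusted(start["ip"]):
            continue
        alerts.append({
            "flow": flow_id, "user": approval["user"], "initiator_ip": start["ip"],
            # A refresh token gives longer-lived access than an access token alone.
            "severity": "high" if token["refresh_token"] else "medium",
        })
    return alerts

if __name__ == "__main__":
    for alert in find_suspicious_device_grants(EVENTS):
        print(alert)
```
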