OAuth device-code phishing campaign targeting SaaS accounts
Campaign
Summary
Hide ▲
Show ▼
A device code phishing campaign now includes EvilTokens, a phishing-as-a-service kit sold on Telegram that uses the OAuth 2.0 device authorization flow to hijack Microsoft accounts and steal access tokens and refresh tokens for persistent access and BEC. Sekoia reported that the infrastructure had global reach, with the most affected countries including the United States, Canada, France, Australia, India, Switzerland, and the UAE, and the operator says support for Gmail and Okta phishing pages is planned.
Related Happenings
O-UNC-066 / Pink Microsoft Entra passkey vishing campaign
Campaign
H score37
First: 08.07.2026 19:47
Last: 08.07.2026 19:47
Sources 1
About this happening:
The **O-UNC-066 / Pink** operation is using **voice-based phishing** to push **Microsoft 365** users into enrolling attacker-controlled **Entra passkeys**, creating a direct path...
O-UNC-066 / Pink Microsoft Entra passkey vishing campaign
CampaignAbout this happening: The **O-UNC-066 / Pink** operation is using **voice-based phishing** to push **Microsoft 365** users into enrolling attacker-controlled **Entra passkeys**, creating a direct path...
Microsoft Azure CLI password-spray campaign using ROPC
Campaign
H score24
First: 01.07.2026 08:46
Last: 01.07.2026 08:46
Sources 1
About this happening:
A **massive automated password-spray campaign** against **Microsoft Azure CLI** compromised **at least 78 accounts** across **64 organizations**, expanding access risk across clou...
Microsoft Azure CLI password-spray campaign using ROPC
CampaignAbout this happening: A **massive automated password-spray campaign** against **Microsoft Azure CLI** compromised **at least 78 accounts** across **64 organizations**, expanding access risk across clou...
DCloud Uni-App scam website campaign
Campaign
H score70
First: 29.06.2026 14:57
Last: 29.06.2026 14:57
Sources 1
About this happening:
The **DCloud Uni-App** scam-site campaign has grown into a **236,493-domain** fraud network that steals credentials, drains crypto wallets, and impersonates major brands. The site...
DCloud Uni-App scam website campaign
CampaignAbout this happening: The **DCloud Uni-App** scam-site campaign has grown into a **236,493-domain** fraud network that steals credentials, drains crypto wallets, and impersonates major brands. The site...
Poisoned Tenant OpenAI organization invite campaign
Campaign
H score35
First: 26.06.2026 20:49
Last: 26.06.2026 20:49
Sources 1
About this happening:
The **Poisoned Tenant** campaign is using fraudulent **OpenAI organizations** to lure targeted employees into shared **ChatGPT workspaces**, creating a risk of sensitive company d...
Poisoned Tenant OpenAI organization invite campaign
CampaignAbout this happening: The **Poisoned Tenant** campaign is using fraudulent **OpenAI organizations** to lure targeted employees into shared **ChatGPT workspaces**, creating a risk of sensitive company d...
Enterprise browser users face a rising shadow AI, credential abuse, and browser-native attack trend
Trend
H score22
First: 05.06.2026 17:00
Last: 05.06.2026 17:00
Sources 1
About this happening:
**Enterprise users** are showing a sharp rise in **shadow AI**, **credential abuse**, and **browser-native attack exposure**, increasing risk at the browser layer. The trend matte...
Enterprise browser users face a rising shadow AI, credential abuse, and browser-native attack trend
TrendAbout this happening: **Enterprise users** are showing a sharp rise in **shadow AI**, **credential abuse**, and **browser-native attack exposure**, increasing risk at the browser layer. The trend matte...
Timeline
-
04.04.2026 17:17 4 articles · 3mo ago
Device code phishing campaign expands across SaaS-themed phishing kits
Campaign Scope UpdatePush Security reported that device code phishing abusing the OAuth 2.0 Device Authorization Grant flow had risen 37.5x this year, with EvilTokens identified as a major driver and at least 11 kits circulating across SaaS-themed lures and cloud-hosted infrastructure. Sekoia separately published research on EvilTokens earlier that week, and Push recommended disabling device-code flow where unnecessary through conditional access policies and monitoring for unexpected device code authentication events, unusual IP addresses, and unfamiliar sessions.
Show sources
- Device code phishing attacks surge 37x as new kits spread online — www.bleepingcomputer.com — 04.04.2026 17:17
- Tycoon 2FA Phishers Scatter, Adopt Device Code Phishing — www.darkreading.com — 17.04.2026 22:05
- New EvilTokens service fuels Microsoft device code phishing attacks — www.bleepingcomputer.com — 01.04.2026 22:42
- New Ghost Phishing Wave Is Breaking Traditional Email Security — thehackernews.com — 08.07.2026 16:00