Device code phishing attacks that abuse the OAuth 2.0 Device Authorization Grant flow to hijack accounts have surged more than 37-fold this year, according to security researchers. These attacks exploit a legitimate authentication mechanism designed for devices without keyboards or browsers, turning it into a vector for account compromise.

The dramatic increase in attack volume coincides with the proliferation of new phishing kits specifically designed to automate device code attacks. These toolkits lower the barrier to entry for cybercriminals, enabling less sophisticated threat actors to launch effective campaigns against major platforms that support OAuth device flows.

The attacks typically begin with phishing emails or messages that trick users into visiting malicious websites. Victims are presented with device codes and instructed to enter them on legitimate authentication pages, unknowingly granting attackers access to their accounts. The abuse of legitimate OAuth flows makes these attacks particularly difficult to detect using traditional security measures.

Organizations are advised to implement additional monitoring for unusual device authorization patterns and to consider restricting device code flows where they are not operationally necessary. Security teams should also educate users to recognize device code phishing attempts and to verify any unexpected authentication request through an alternative channel.
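The monitoring and restriction advice above can be turned into concrete detection rules. The following is an added example written for this page, not code from the researchers or any vendor; it runs over a constructed sign-in log sample with an assumed, simplified event schema (`user`, `ts`, `flow`, `ip`, `country`, `app`) and an assumed allowlist of applications for which device code flow is operationally necessary. It flags three patterns: a device-code grant for a non-allowlisted app, a device-code grant from a country absent from that user's interactive sign-in baseline, and one IP completing device-code grants for several users within a short window, which is what a kit-driven campaign tends to look like.

```python
"""
Detect unusual OAuth device-code sign-ins over a constructed log sample.
Assumed, simplified event schema (not any vendor's real log format):
  user, ts (ISO 8601), flow ("device_code" | "interactive"), ip, country, app
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry). The first rows form the
# baseline of ordinary interactive sign-ins; the later rows are anomalies.
SAMPLE_EVENTS = [
    {"user": "alice", "ts": "2025-03-01T09:00:00", "flow": "interactive", "ip": "203.0.113.10", "country": "DE", "app": "mail"},
    {"user": "alice", "ts": "2025-03-02T09:05:00", "flow": "interactive", "ip": "203.0.113.10", "country": "DE", "app": "mail"},
    # legitimate device-code use by a keyboard-less device that is on the allowlist
    {"user": "bob",   "ts": "2025-03-02T10:00:00", "flow": "device_code", "ip": "203.0.113.20", "country": "DE", "app": "meeting-room-display"},
    # suspicious: alice completes a device-code grant from a country never seen in her baseline
    {"user": "alice", "ts": "2025-03-03T11:00:00", "flow": "device_code", "ip": "198.51.100.7", "country": "NL", "app": "mail"},
    # suspicious: the same IP completes device-code grants for several users within minutes
    {"user": "carol", "ts": "2025-03-03T11:01:00", "flow": "device_code", "ip": "198.51.100.7", "country": "NL", "app": "mail"},
    {"user": "dave",  "ts": "2025-03-03T11:03:00", "flow": "device_code", "ip": "198.51.100.7", "country": "NL", "app": "mail"},
]

# Assumed allowlist: apps where device-code flow is operationally necessary.
DEVICE_CODE_ALLOWED_APPS = {"meeting-room-display"}


def parse_ts(s):
    return datetime.fromisoformat(s)


def build_country_baseline(events):
    """Countries from which each user has completed *interactive* sign-ins."""
    baseline = defaultdict(set)
    for e in events:
        if e["flow"] == "interactive":
            baseline[e["user"]].add(e["country"])
    return baseline


def detect_device_code_anomalies(events, window=timedelta(minutes=10), burst_threshold=3):
    """Return a list of (rule_name, detail) alerts for device-code sign-ins."""
    alerts = []
    baseline = build_country_baseline(events)
    device_events = sorted(
        (e for e in events if e["flow"] == "device_code"),
        key=lambda e: parse_ts(e["ts"]),
    )

    # Rule 1: device-code grant for an app that has no operational need for the flow.
    for e in device_events:
        if e["app"] not in DEVICE_CODE_ALLOWED_APPS:
            alerts.append(("device_code_not_allowlisted", f'{e["user"]} via {e["app"]}'))

    # Rule 2: device-code grant from a country absent from the user's interactive baseline.
    # Users with no baseline are skipped here rather than guessed at.
    for e in device_events:
        if e["user"] in baseline and e["country"] not in baseline[e["user"]]:
            alerts.append(("device_code_new_country", f'{e["user"]} from {e["country"]}'))

    # Rule 3: one IP completing device-code grants for >= burst_threshold distinct
    # users inside the window. One alert per IP, anchored on the earliest grant.
    by_ip = defaultdict(list)
    for e in device_events:
        by_ip[e["ip"]].append(e)
    for ip, evs in by_ip.items():
        for i, first in enumerate(evs):
            users = {
                x["user"] for x in evs[i:]
                if parse_ts(x["ts"]) - parse_ts(first["ts"]) <= window
            }
            if len(users) >= burst_threshold:
                alerts.append(("device_code_burst_from_ip", f"{ip}: {sorted(users)}"))
                break
    return alerts


if __name__ == "__main__":
    for rule, detail in detect_device_code_anomalies(SAMPLE_EVENTS):
        print(f"{rule}: {detail}")
```

On the sample above the rules produce three allowlist alerts (alice, carol, dave), one new-country alert for alice, and one burst alert for the shared IP; bob's grant from the allowlisted display device stays quiet. In a real deployment the baseline would come from a longer history, and the allowlist would be the same list used to restrict the flow in the identity provider, so that any grant outside it is by definition worth a look.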

The trend reflects the broader evolution of phishing tactics as attackers adapt to improved email security and user awareness. By exploiting trusted authentication mechanisms, threat actors can bypass many conventional security controls while maintaining an appearance of legitimacy that helps evade detection.