Severity: High | Campaign | Status: Active

OAuth Device Flow Abuse: 37x Surge in Account Hijacking via Weaponised Phishing Kits

Device code phishing attacks exploiting OAuth 2.0's Device Authorization Grant flow have increased 37-fold this year, with automated kits now widely available. Attackers bypass traditional MFA by tricking users into authorising malicious device registrations, gaining account access without credentials.

Sebastion

Affected: Microsoft, Google, GitHub, and any service implementing the OAuth 2.0 Device Authorization Grant

The device code phishing campaign represents a mature shift in account takeover tactics. Rather than stealing credentials or compromising devices, attackers redirect users to legitimate OAuth consent screens where they authorise a new device registration. Once approved, the attacker's infrastructure receives a valid authentication token, bypassing multi-factor authentication entirely because the user themselves completed the legitimate authorisation flow.

The OAuth 2.0 Device Authorization Grant was designed for headless devices without browsers, such as smart TVs and IoT appliances. The flow intentionally separates device initiation from user authorisation: the device requests a code, the user visits a webpage to approve it, and the device polls for confirmation. This design rests on an inherent trust assumption: if a user sees their organisation's login page and completes the flow, the request is legitimate. Phishing kits now automate the abuse of that assumption by creating convincing replica login pages that present device authorisation prompts alongside spoofed organisation branding, convincing users they are approving routine security checks or new device registrations.

The 37x increase reflects both attacker capability maturation and tooling proliferation. Pre-built kits sold in underground forums now bundle OAuth flow interception, user-agent spoofing, and automated token harvesting. Enterprise security teams often overlook device flow activity in logs because it generates legitimate-looking OAuth consent events. The attack bypasses conditional access policies that scrutinise login anomalies but trust the device authorisation path. Organisations using shared OAuth applications across multiple services face compounded risk, as a single compromised device authorisation grants access to all integrated services.

Defenders should implement strict controls on device registration approvals. Organisations must enforce device confirmation notifications, restrict device codes to short validity windows, and require explicit re-authorisation for sensitive operations. Security teams should monitor for unusual device registration patterns, particularly approvals from anomalous geographic locations or at non-business hours. End-user training must specifically address device authorisation phishing rather than generic credential theft awareness, as the attack surface differs fundamentally from password compromise. Services should consider enforcing push-based approval for device flows rather than web-based consent, eliminating the phishing vector entirely.
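As an added example (not part of the original article), the monitoring step above applied to constructed log records: it joins each device-code request to the user's approval on the verification page and flags approvals where the polling client and the approving browser sit in different countries, or where the approval lands outside business hours. The event shape, field names and the 08:00 to 18:00 business window are assumptions, not any vendor's log format.

```python
from datetime import datetime

# Assumed policy values (not from the article): business hours are
# 08:00-18:00 in the log's timezone; anything else counts as off-hours.
BUSINESS_START, BUSINESS_END = 8, 18

# Constructed sample events, not real telemetry. A device flow leaves two
# correlated records: the headless client's code request and the user's
# approval on the verification page, joined on the device code id.
EVENTS = [
    {"ts": "2024-05-06T10:02:00", "type": "code_requested", "code": "dc-1", "country": "GB"},
    {"ts": "2024-05-06T10:03:10", "type": "code_approved", "code": "dc-1", "country": "GB", "user": "alice"},
    {"ts": "2024-05-06T14:20:00", "type": "code_requested", "code": "dc-2", "country": "NL"},
    {"ts": "2024-05-06T14:21:05", "type": "code_approved", "code": "dc-2", "country": "GB", "user": "bob"},
    {"ts": "2024-05-06T23:40:00", "type": "code_requested", "code": "dc-3", "country": "GB"},
    {"ts": "2024-05-06T23:41:30", "type": "code_approved", "code": "dc-3", "country": "GB", "user": "carol"},
]


def flag_device_grants(events, start=BUSINESS_START, end=BUSINESS_END):
    """Return {code: {"user": ..., "reasons": [...]}} for approvals worth review."""
    requests = {e["code"]: e for e in events if e["type"] == "code_requested"}
    findings = {}
    for e in events:
        if e["type"] != "code_approved":
            continue
        reasons = []
        req = requests.get(e["code"])
        # In a legitimate headless-device flow the polling client and the
        # approving browser normally share a network; a country mismatch
        # suggests a remote party, not the user, holds the device code.
        if req is None:
            reasons.append("approval without matching code request")
        elif req["country"] != e["country"]:
            reasons.append(f"client in {req['country']}, approver in {e['country']}")
        hour = datetime.fromisoformat(e["ts"]).hour
        if not (start <= hour < end):
            reasons.append(f"approval at {hour:02d}:00, outside business hours")
        if reasons:
            findings[e["code"]] = {"user": e["user"], "reasons": reasons}
    return findings


if __name__ == "__main__":
    for code, f in flag_device_grants(EVENTS).items():
        print(code, f["user"], "; ".join(f["reasons"]))
```

On the sample data dc-2 is flagged for the country mismatch and dc-3 for the 23:41 approval, while dc-1 passes; in production the same join should run against the identity provider's device-code sign-in events.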

This campaign exposes a broader architectural weakness: authentication flows designed to improve user experience often reduce friction for attackers in equivalent measure. The device flow remains essential for legitimate headless use cases, but its exploitation reveals that security models assuming "user presence" at an authorisation screen provide insufficient assurance without additional verification. The proliferation of attack kits suggests this technique has entered mainstream attacker toolkits, making it a persistent threat for the next 12-18 months.