Device Code Phishing Kits Surge 37.5x, Bypass MFA in Entra
Device code phishing surged 37.5x in 2026 with 11+ commodity kits (EvilTokens, VENOM, DOCUPOLL, LINKID, and 7 more) that completely bypass MFA by stealing OAuth tokens on legitimate Microsoft login pages — your users complete MFA normally and hand the attacker a persistent token anyway. If you haven't disabled device code authentication flow in Entra ID conditional access, you have an open door that a low-skill attacker with a $50 kit can walk through today.
◆ INTELLIGENCE MAP
01 Device Code Phishing Goes Industrial — MFA Bypassed at Scale
act now: 11+ phishing-as-a-service kits now commoditize OAuth device code token theft at 37.5x 2025 volume. Victims complete MFA on legitimate Microsoft login pages — tokens persist beyond password resets. Default Entra ID configs permit this flow. Most SOCs monitor credentials, not consent events.
[Infographic: phishing kits active, YoY growth, skill level required, MFA protection; bar chart comparing Traditional Phishing (40) and Device Code Phishing (100)]
02 Supply Chain Attacks Converge: DPRK npm + Trivy→LiteLLM + Drift VSCode Exploit
act now: Three distinct supply chain campaigns hit simultaneously: DPRK Bluenoroff targets maintainers of Node.js, Express, Lodash, Fastify, and Mocha (not just Axios). TeamPCP weaponized Trivy scanning to harvest credentials, pivoting into LiteLLM (97M+ downloads). UNC4736 used a VSCode/Cursor silent code execution exploit after a 6-month, $1M social engineering operation.
[Infographic: npm packages targeted, LiteLLM downloads/mo, Drift social eng. time, Drift trust deposit]
- 01 LiteLLM (TeamPCP): 97M+ downloads
- 02 Axios (Bluenoroff): Tens of millions/wk
- 03 Trivy Actions (TeamPCP): Millions of CI runs
- 04 Drift (UNC4736): $1M+ deposited as bait
03 Critical Infrastructure Vulns: Fortinet EMS Zero-Day + GPU Rowhammer
monitor: Fortinet EMS CVE-2026-35616 is an actively exploited auth bypass→RCE zero-day (emergency Saturday patch). Simultaneously, two GPU Rowhammer attacks (GDDRHammer, GeForge) achieve full host memory read/write on Nvidia Ampere via GDDR6 bit flips — IOMMU is disabled by default in most BIOSs. A 23-year Linux NFS heap overflow was also discovered this week.
[Infographic: Fortinet EMS CVE, GPU Rowhammer targets, IOMMU default state, NFS bug age]
- NFS overflow introduced: ~2003 — 23-year latent kernel vuln
- Winnti C2 invisible: 2+ years undetected by Shodan
- Fortinet EMS zero-day: Active exploitation, emergency patch
- GPU Rowhammer published: IOMMU bypass on Nvidia Ampere
04 AI Offensive Capability Scaling Law Quantified
monitor: Lyptus Research quantified AI cyberoffense: capability doubles every 5.7 months (accelerating from 9.8 months over 2019–2026). GPT-5.3 Codex and Opus 4.6 automate 50% of tasks taking human pentesters 3+ hours. Open-weight model GLM-5 lags frontier by only 5.7 months — meaning ungoverned AI offensive tools proliferate to all threat actors on that timeline.
[Infographic: doubling time (2024–26), doubling time (2019–26), 3h task success rate, open-weight lag]
- 2019–2026 avg: 9.8
- 2024–2026 trend: 5.7
05 AI Agent Attack Surface Confirmed in Production
background: Google DeepMind's largest empirical study confirms websites actively fingerprint AI agents and inject malicious instructions via invisible HTML, steganography, and PDF metadata. Multi-agent pipelines exhibit cascade compromise. Separately, agent harness analysis shows 11 distinct infrastructure components per deployment with wildly different guardrail architectures across Anthropic, OpenAI, and LangChain.
[Infographic: injection vectors, harness components, context accuracy drop, agent tool capabilities]
◆ DEEP DIVES
01 Device Code Phishing Industrialized: 11 Kits, 37.5x Growth, and Your MFA Is Irrelevant
<h3>The Threat</h3><p>Three independent intelligence sources confirm a <strong>37.5x surge in device code phishing</strong> in 2026, driven by at least <strong>11 phishing-as-a-service kits</strong> that have commoditized a technique previously reserved for APT29 and Midnight Blizzard. The attack exploits OAuth 2.0's Device Authorization Grant flow — designed for smart TVs and IoT — to steal persistent OAuth tokens on <strong>entirely legitimate Microsoft login pages</strong>. The victim completes MFA normally and unknowingly grants the attacker a token that persists independently of password resets.</p><blockquote>This isn't a vulnerability. It's a feature being abused at industrial scale — and your default Entra ID configuration permits it.</blockquote><h3>How It Works</h3><p>The attacker generates a device code, wraps it in a SaaS-themed lure (document share, compliance check, IT verification), and the victim enters the code at <code>microsoft.com/devicelogin</code>. After normal MFA, the attacker receives an OAuth access token and refresh token. Refresh tokens provide access for <strong>weeks to months</strong>. Password resets don't invalidate them. Detection signals look like normal token grants.</p><h4>Kit Landscape</h4><table><thead><tr><th>Kit</th><th>Target</th><th>Skill Required</th></tr></thead><tbody><tr><td><strong>EvilTokens/Antibot</strong></td><td>M365 / Entra ID</td><td>Low — full PhaaS</td></tr><tr><td><strong>VENOM</strong></td><td>M365 / OAuth providers</td><td>Low-Medium</td></tr><tr><td><strong>DOCUPOLL</strong></td><td>M365</td><td>Low</td></tr><tr><td><strong>LINKID</strong></td><td>LinkedIn / M365</td><td>Low</td></tr><tr><td>Dolce, DCStatus, Paprika, Flow_Token, DocuPull, Authov, Clure</td><td>Various OAuth</td><td>Low</td></tr></tbody></table><h3>Why Your Defenses Fail</h3><p>Most organizations <strong>monitor credential events but not consent events</strong>. 
Your SIEM alerts on impossible travel for logins — does it alert on a user granting <strong>Mail.ReadWrite + Files.ReadWrite.All</strong> to an unrecognized application from an unusual location? Traditional phishing uses fake login pages your email gateway can flag; device code phishing uses <em>real Microsoft pages</em>. The token, once granted, provides the full scope of whatever the OAuth application requested — mail, files, directory, APIs.</p><h3>Cross-Source Analysis</h3><p>All three reporting sources agree on the 37.5x growth figure (attributed to Push Security research) and the MFA bypass mechanism. One source identifies 10 kits, another identifies 11 — the discrepancy is minor and likely reflects slightly different tracking windows. All sources agree <strong>EvilTokens is the most popular kit</strong>. MITRE ATT&CK mapping is consistent across sources: <strong>T1528</strong> (Steal Application Access Token), <strong>T1566</strong> (Phishing), <strong>T1550.001</strong> (Use Alternate Authentication Material).</p><hr><h3>Your Response</h3><ol><li><strong>Disable device code flow in Entra ID conditional access today.</strong> Navigate to Conditional Access → New Policy → Target All Users → Grant → Block for Device Code Flow. If specific use cases require it (kiosk, IoT), restrict to managed devices with compliant status only.</li><li><strong>Deploy token monitoring this week.</strong> Forward OAuth token grant events to your SIEM. Build detections for: device code flow from unexpected geolocations, consent to high-privilege scopes from unrecognized apps, and refresh token usage from new IP addresses.</li><li><strong>Enforce app consent governance.</strong> In Entra ID, set 'Users can consent to apps' to No. Require admin consent workflow. 
In Google Workspace, restrict third-party app access to approved apps only.</li><li><strong>Run M365-Assess.</strong> This free PowerShell 7 tool runs 169 automated checks across Identity, Exchange, Intune, Defender, SharePoint, and Teams — aligned to CIS and CISA SCuBA benchmarks. Prioritize token issuance and conditional access findings.</li></ol>
Action items
- Disable OAuth device code authentication flow in Entra ID conditional access for all users except explicitly approved IoT/kiosk scenarios
- Build SIEM detection rules for device code token grants from unexpected geolocations, consent to high-privilege OAuth scopes, and anomalous refresh token reuse
- Run M365-Assess (free, 169 checks) against your M365 tenant and remediate token issuance and conditional access findings
Sources: Fortinet EMS zero-day is live, device code phishing is up 37x, and DPRK is hunting your npm maintainers · Device code phishing just went 37.5x — your MFA won't save you, and 11 kits are already in the wild · OAuth device code phishing just surged 37x — your credential-based defenses won't stop it
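The token-monitoring detections listed in the response above, sketched as an added example (not code from the original briefing or from Microsoft). It assumes sign-in records exported with field names modelled on the Microsoft Graph signIn resource (`authenticationProtocol` is a beta property there); the records, accounts, the `APPROVED` allowlist and the rule names are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def rec(ts, upn, ip, country, proto, interactive=True):
    """Build one constructed sign-in record in a Graph-signIn-like shape."""
    return {"createdDateTime": ts, "userPrincipalName": upn, "ipAddress": ip,
            "location": {"countryOrRegion": country},
            "authenticationProtocol": proto, "isInteractive": interactive}

# Constructed sample data; IP addresses come from documentation ranges.
SIGNINS = [
    rec("2026-04-01T07:00:00Z", "kiosk-lobby@example.com", "192.0.2.50", "DE", "oAuth2"),
    rec("2026-04-01T08:02:00Z", "alice@example.com", "192.0.2.10", "DE", "oAuth2"),
    rec("2026-04-02T08:05:00Z", "alice@example.com", "192.0.2.10", "DE", "oAuth2"),
    # Approved kiosk account using device code flow from its usual location.
    rec("2026-04-02T09:00:00Z", "kiosk-lobby@example.com", "192.0.2.50", "DE", "deviceCode"),
    rec("2026-04-03T09:00:00Z", "kiosk-lobby@example.com", "192.0.2.50", "DE", "deviceCode"),
    # bob changes country but never uses device code flow.
    rec("2026-04-02T10:00:00Z", "bob@example.com", "192.0.2.11", "DE", "oAuth2"),
    rec("2026-04-03T10:00:00Z", "bob@example.com", "203.0.113.5", "FR", "oAuth2"),
    # Device code grant recorded from a country alice has no history in.
    rec("2026-04-03T14:30:00Z", "alice@example.com", "203.0.113.77", "BR", "deviceCode"),
    # Non-interactive token use from yet another address shortly afterwards.
    rec("2026-04-04T02:11:00Z", "alice@example.com", "198.51.100.23", "BR", "oAuth2", False),
]

# Hypothetical allowlist of accounts permitted to use device code flow.
APPROVED = frozenset({"kiosk-lobby@example.com"})

def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")

def detect(signins, approved=frozenset(), window=timedelta(days=30)):
    """Return (user, rule, timestamp) alerts, processing events in time order."""
    alerts = []
    seen_countries = defaultdict(set)   # user -> countries seen in earlier sign-ins
    seen_ips = defaultdict(set)         # user -> addresses seen in earlier sign-ins
    flagged_grant = {}                  # user -> time of last alerted device code grant
    for ev in sorted(signins, key=lambda e: e["createdDateTime"]):
        user, ts = ev["userPrincipalName"], parse(ev["createdDateTime"])
        country, ip = ev["location"]["countryOrRegion"], ev["ipAddress"]
        new_country = country not in seen_countries[user]
        new_ip = ip not in seen_ips[user]
        if ev["authenticationProtocol"] == "deviceCode":
            if user not in approved:
                alerts.append((user, "device_code_unapproved_account", ev["createdDateTime"]))
                flagged_grant[user] = ts
            if new_country:
                alerts.append((user, "device_code_new_country", ev["createdDateTime"]))
                flagged_grant[user] = ts
        elif (not ev["isInteractive"] and new_ip and user in flagged_grant
              and ts - flagged_grant[user] <= window):
            # Token redeemed from an unseen address after a suspicious grant.
            alerts.append((user, "token_use_new_ip_after_device_code", ev["createdDateTime"]))
        seen_countries[user].add(country)
        seen_ips[user].add(ip)
    return alerts

ALERTS = detect(SIGNINS, approved=APPROVED)

if __name__ == "__main__":
    for alert in ALERTS:
        print(*alert, sep="  ")
```

Consent to high-privilege scopes is a separate signal from the directory audit log and is not modelled here.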
02 Supply Chain Under Siege: Three Distinct Campaigns Targeting Your Dev Toolchain Simultaneously
<h3>The Convergence</h3><p>Three separate supply chain attack campaigns landed in the same intelligence cycle, each targeting a different link in your software development chain. The cumulative message: <strong>your CI/CD pipeline, your IDE, and your AI proxy layer are all under coordinated nation-state and criminal attack</strong>.</p><h4>Campaign 1: DPRK npm Ecosystem Targeting (Broader Than Axios)</h4><p>Monday's advisory covered the Axios compromise. What's new: Socket Security and DCSO confirm <strong>Bluenoroff (UNC1069)</strong> is systematically targeting maintainers of <strong>Node.js, Lodash, Fastify, Mocha, and Express</strong> — packages forming the backbone of the JavaScript ecosystem. They even targeted Socket Security's CEO, Feross Aboukhadijeh. A separate OtterCookie backdoor is being spread via malicious npm packages. This is not a single-package attack — it's a <strong>campaign against the npm ecosystem's human infrastructure</strong>.</p><h4>Campaign 2: TeamPCP Trivy → LiteLLM → telnyx Cascade</h4><p>TeamPCP compromised <strong>Trivy's GitHub Actions on March 19</strong> — not the scanner binary, but the CI/CD automation layer. Security scanners are granted elevated permissions by design, making them ideal credential harvesters. Stolen credentials were then used to breach <strong>LiteLLM (97M+ monthly downloads)</strong> and telnyx (~800K downloads). LiteLLM is particularly dangerous because it stores API keys for <strong>multiple LLM providers</strong> — OpenAI, Anthropic, Azure — meaning a single compromise exposes your entire AI API key inventory.</p><h4>Campaign 3: UNC4736 Drift Protocol VSCode/Cursor Exploit</h4><p>The most operationally sophisticated attack: DPRK's UNC4736 spent <strong>six months building credibility</strong> with Drift Protocol, depositing over <strong>$1M</strong>, onboarding an Ecosystem Vault, and conducting <strong>face-to-face meetings at conferences</strong> via third-party intermediaries. 
The payload: a cloned repository exploiting a <strong>VSCode/Cursor silent code execution vulnerability</strong> paired with a malicious TestFlight wallet app. Mandiant attributes this with medium-high confidence.</p><table><thead><tr><th>Campaign</th><th>Target</th><th>New TTP Element</th><th>Blast Radius</th></tr></thead><tbody><tr><td>Bluenoroff npm</td><td>Package maintainers</td><td>Systematic ecosystem-wide targeting</td><td>Billions of downstream installs</td></tr><tr><td>TeamPCP CI/CD</td><td>Trivy → LiteLLM</td><td>Security tool weaponization</td><td>97M+ monthly downloads</td></tr><tr><td>UNC4736 IDE</td><td>VSCode/Cursor users</td><td>$1M deposit + in-person meetings</td><td>Any dev cloning external repos</td></tr></tbody></table><blockquote>Your security scanner just became the attacker's credential harvester, your IDE auto-executes code on workspace open, and DPRK is spending $1M and six months to compromise a single developer. The supply chain attack cost-benefit equation has fundamentally shifted.</blockquote><hr><h3>Your Response</h3><ol><li><strong>Pin all GitHub Actions to commit SHAs, not tags.</strong> Tags are mutable — this is exactly how TeamPCP delivered the Trivy payload. Audit all workflow files this week.</li><li><strong>Rotate all LLM API keys that transited LiteLLM.</strong> If your teams used LiteLLM even experimentally, every OpenAI, Anthropic, and Azure key that flowed through it is potentially compromised.</li><li><strong>Harden VSCode/Cursor: </strong>enable workspace trust, disable automatic task execution on workspace open, restrict extension auto-install from cloned repos. Set <code>task.allowAutomaticTasks: off</code> fleet-wide.</li><li><strong>Deploy npm supply chain monitoring</strong> — evaluate Elastic's open-source Supply Chain Monitor or Socket Security. Run <code>npm audit</code> across all projects and audit for unexpected maintainer changes on critical packages in the past 90 days.</li></ol>
Action items
- Pin all third-party GitHub Actions to commit SHAs (not tags) and audit Trivy Action usage for runs since March 19; rotate all secrets accessible to affected workflows
- Rotate all LLM provider API keys (OpenAI, Anthropic, Azure) that ever transited a LiteLLM proxy instance
- Enforce workspace trust and disable automatic task execution in VSCode/Cursor across all engineering endpoints via endpoint management
- Deploy npm/PyPI supply chain monitoring (Elastic Supply Chain Monitor or Socket Security) with alerts for unexpected maintainer changes on critical packages
Sources: North Korea just poisoned Axios in npm · Fortinet EMS zero-day is live, device code phishing is up 37x · TeamPCP turned your Trivy scanner into a credential harvester · DPRK actors are exploiting VSCode/Cursor to breach crypto firms · LiteLLM supply chain breach hit a $10B AI startup
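One way to run the workflow audit recommended above, as an added example (not code from the original briefing or from GitHub): it flags every `uses:` reference that is not pinned to a full 40-character commit SHA. The sample workflow, its action references and the hex SHA are constructed; the line-based parsing assumes one `uses:` per line.

```python
import re
from pathlib import Path

# Value of a `uses:` key, optionally quoted, stopping before any trailing comment.
USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([^'\"\s#]+)")
FULL_SHA = re.compile(r"^[0-9a-f]{40}$")
DOCKER_DIGEST = re.compile(r"@sha256:[0-9a-f]{64}$")

def classify(ref):
    """Return 'pinned', 'local', or a reason string for a mutable reference."""
    if ref.startswith("./"):
        return "local"                 # action stored in the same repository
    if ref.startswith("docker://"):
        return "pinned" if DOCKER_DIGEST.search(ref) else "docker image not pinned by digest"
    if "@" not in ref:
        return "no ref given"
    version = ref.rpartition("@")[2]
    if FULL_SHA.match(version):
        return "pinned"
    return f"mutable ref '{version}'"  # tag, branch, or abbreviated SHA

def audit(workflow_text, path="<workflow>"):
    """Return (path, line number, reference, reason) for each unpinned `uses:`."""
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), 1):
        if line.lstrip().startswith("#"):
            continue                   # commented-out step
        match = USES_RE.match(line)
        if not match:
            continue
        verdict = classify(match.group(1))
        if verdict not in ("pinned", "local"):
            findings.append((path, lineno, match.group(1), verdict))
    return findings

def audit_repo(root="."):
    """Audit every workflow file under <root>/.github/workflows."""
    findings = []
    for wf in sorted(Path(root).glob(".github/workflows/*.y*ml")):
        findings += audit(wf.read_text(encoding="utf-8"), str(wf))
    return findings

# Constructed sample workflow; the SHA below is a made-up placeholder.
SAMPLE_WORKFLOW = """\
name: scan
on: [push]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567
      - name: Trivy
        uses: aquasecurity/trivy-action@master
      - uses: ./.github/actions/build
      - uses: docker://alpine:3.19
      # - uses: example/disabled@v1
  call:
    uses: example-org/shared/.github/workflows/ci.yml@main
"""

if __name__ == "__main__":
    for path, lineno, ref, reason in audit(SAMPLE_WORKFLOW) + audit_repo("."):
        print(f"{path}:{lineno}: {ref} ({reason})")
```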
03 AI Offensive Capability Now Doubles Every 5.7 Months — Your Threat Models Need Exponential Math
<h3>The Research</h3><p>Lyptus Research published what may be the most consequential cybersecurity finding of 2026: a <strong>quantified scaling law for AI cyberoffense capability</strong>. Across frontier models from GPT-2 through GPT-5.3 Codex, offensive cyber capability doubles every <strong>9.8 months</strong> on the full 2019–2026 trendline. Restrict to 2024–2026 models and it compresses to <strong>5.7 months</strong> — a superlinear acceleration.</p><p>The methodology is rigorous: 291 tasks calibrated by 10 offensive security professionals, spanning seven established benchmarks (CyBashBench, NL2Bash, InterCode CTF, NYUCTF, CyBench, CVEBench, CyberGym). MIT independently validated the trajectory using METR's framework.</p><h3>What the Numbers Mean</h3><table><thead><tr><th>Metric</th><th>Current State</th><th>Implication</th></tr></thead><tbody><tr><td>Frontier success on 3h tasks</td><td>50% (GPT-5.3, Opus 4.6)</td><td>Mid-tier pentest work automated today</td></tr><tr><td>Task time horizon (50% success)</td><td>~1 week</td><td>Multi-day autonomous attack chains viable</td></tr><tr><td>Open-weight lag (GLM-5)</td><td>5.7 months</td><td>Every adversary gets today's capability by ~Oct 2026</td></tr><tr><td>Capability in Apr 2027</td><td>~4x current</td><td>Your annual threat model is stale on arrival</td></tr></tbody></table><h3>The Proliferation Problem</h3><p>The 5.7-month open-weight lag is the critical finding. Closed-source models have guardrails — usage policies, monitoring, account enforcement. <strong>Open-weight models have none of these controls.</strong> GLM-5 demonstrates that offensive capabilities diffuse into the open ecosystem on short timelines. Fine-tuning for exploit development, removing refusal behaviors, and optimizing for offensive task completion is within the capability of any moderately sophisticated threat actor. 
<em>This isn't future risk — it's near-term certainty.</em></p><h3>Corroborating Evidence</h3><p>This isn't the only data point. Anthropic's MAD Bugs Initiative demonstrated Claude Opus 4.6 autonomously discovering <strong>500+ high-severity vulnerabilities</strong> across production open-source projects. An AI agent found a <strong>23-year-old heap buffer overflow in the Linux NFS driver</strong> that two decades of human code review missed. The asymmetry between time-to-discover (approaching zero) and time-to-patch (days to weeks) is the critical gap.</p><blockquote>Any defensive strategy that doesn't account for exponential attacker improvement is already obsolete. AI offensive capability doubling every 5.7 months means your annual threat model review cycle produces a document that's outdated before the ink dries.</blockquote><hr><h3>Your Response</h3><p>This is strategic, not tactical — but it demands concrete action:</p><ol><li><strong>Recalibrate threat models quarterly, not annually.</strong> Assume all adversaries — including commodity cybercriminals — have access to AI tooling that automates 50% of tasks requiring 3+ hours of expert offensive work. The Lyptus data gives you citable numbers for board materials.</li><li><strong>Compress your patching cadence.</strong> If your MTTR for critical CVEs exceeds 72 hours, you're exposed. CVEBench specifically measures AI's ability to weaponize published CVEs — every day a patch sits unapplied, AI-augmented attackers have a higher probability of automated exploitation.</li><li><strong>Run an AI-augmented red team exercise this quarter.</strong> Use GPT-5.3 Codex or Opus 4.6 against your production attack surface. Document where AI succeeds, where it fails, and where your detection stack has gaps. This is the single highest-ROI security investment you can make right now.</li><li><strong>Deploy AI-native detection.</strong> Manual SOC triage cannot match AI-speed attack generation. 
Evaluate AI-augmented SOAR and behavioral analytics platforms that detect AI-characteristic patterns: systematic enumeration, low-variance exploit chains, and superhuman persistence.</li></ol>
Action items
- Run an AI-augmented red team exercise using frontier models (GPT-5.3 Codex, Opus 4.6) against your production attack surface and document detection gaps
- Brief the board on AI-driven cyber risk using Lyptus Research's 5.7-month doubling time to justify accelerated security investment
- Shift threat model reviews from annual to quarterly cadence with AI capability reassessment built into each cycle
Sources: AI cyberoffense capability is doubling every 5.7 months — and open-weight models are only 5.7 months behind the frontier · North Korea just poisoned Axios in npm · 23-year-old Linux NFS heap overflow just surfaced · AI offensive capabilities doubling every 6 months
◆ QUICK HITS
Fortinet EMS zero-day CVE-2026-35616 (auth bypass → RCE) is actively exploited — emergency Saturday patch available, second EMS exploit in two months. Patch immediately or restrict management interface access to trusted IPs.
Fortinet EMS zero-day is live, device code phishing is up 37x, and DPRK is hunting your npm maintainers
New Winnti Linux backdoor harvests cloud instance metadata from AWS, GCP, Azure, and Alibaba Cloud using SMTP port 25 as covert C2 — infrastructure invisible to Shodan for 2+ years. Block outbound port 25 from non-mail workloads.
Fortinet EMS zero-day is live, device code phishing is up 37x, and DPRK is hunting your npm maintainers
GPU Rowhammer (GDDRHammer, GeForge) achieves full host memory read/write from GPU-resident code on Nvidia Ampere (RTX 3060, RTX 6000) — IOMMU disabled by default in most BIOSs. Verify IOMMU is enabled across all GPU workloads, prioritize multi-tenant ML clusters.
Device code phishing just went 37.5x — your MFA won't save you, and 11 kits are already in the wild
AWS S3 account namespaces now available — bind bucket names to accounts via s3:x-amz-bucket-namespace SCP condition key, eliminating 7-year-old bucketsquatting attack class. Enforce across all AWS accounts this sprint.
Device code phishing just went 37.5x — your MFA won't save you, and 11 kits are already in the wild
Update: DPRK npm campaign broader than Axios — Bluenoroff systematically phishing maintainers of Node.js, Lodash, Fastify, Mocha, Express, and even Socket Security's CEO. Monitor for maintainer changes across all critical JavaScript dependencies.
Fortinet EMS zero-day is live, device code phishing is up 37x, and DPRK is hunting your npm maintainers
Quantum cryptographic threat accelerates: Shor's algorithm now feasible at ~10,000 reconfigurable atomic qubits (was millions); P-256 elliptic curves breakable in days at 26,000 qubits. Begin cryptographic inventory for PQC migration planning this quarter.
TeamPCP turned your Trivy scanner into a credential harvester — and your LiteLLM proxy may already be compromised
Unit 42 demonstrated four-stage prompt injection chain against Amazon Bedrock multi-agent systems running default templates — enabling built-in pre-processing prompt and Guardrail blocks the chain entirely. Audit all Bedrock deployments for guardrail configuration.
Device code phishing just went 37.5x — your MFA won't save you, and 11 kits are already in the wild
Cookie-based PHP web shells replacing URL parameter-based C2 to evade WAF and URL inspection rules. Update WAF and IDS to inspect HTTP cookie values for encoded command patterns per Microsoft advisory.
Fortinet EMS zero-day is live, device code phishing is up 37x, and DPRK is hunting your npm maintainers
GitHub Copilot trains on Free/Pro/Pro+ interaction data by default — proprietary code patterns from private repos flowing into training pipeline unless explicitly disabled. Audit org settings and mandate Enterprise tier or disable data sharing today.
GitHub Copilot is training on your private code by default — and your AI agent stack has no governance
GitHub added 37 new secret detectors in March 2026 and extended scanning to AI coding agent output via MCP Server integration — verify push protection is enabled org-wide and evaluate MCP integration for AI-assisted workflows.
AI-generated code is leaking secrets — GitHub's new defenses and what your pipeline still misses
FAA's 45 high-impact air traffic systems lack baseline security controls per DOT IG audit — no vulnerability tracking, outdated standards. If your organization connects to FAA/DOT systems, elevate third-party risk rating. Remediation deadline: December 2026.
FAA's 45 Critical Air Traffic Systems Have No Baseline Security Controls
Linux 7.0 kernel scheduler changes halve PostgreSQL throughput — fix described as 'non-trivial.' Issue hold on Linux 7.0 adoption for any host running PostgreSQL workloads.
23-year-old Linux NFS heap overflow just surfaced — and Linux 7.0 may break your PostgreSQL infra
Phorpiex/Twizt botnet grown to 70,000–80,000 infected Windows devices, deploying LockBit Black and Global ransomware alongside mass sextortion campaigns.
Fortinet EMS zero-day is live, device code phishing is up 37x, and DPRK is hunting your npm maintainers
BOTTOM LINE
Device code phishing just went from APT boutique to commodity product — 11 kits, 37.5x growth, full MFA bypass — while three separate supply chain campaigns (DPRK targeting npm ecosystem maintainers, TeamPCP weaponizing your Trivy security scanner into a credential harvester, and UNC4736 spending $1M and six months to exploit a VSCode silent execution vulnerability) hit your development toolchain simultaneously, and research quantifying AI offensive capability doubling every 5.7 months means the adversaries wielding these techniques are getting exponentially faster than your defenses can adapt.
Frequently asked
- How do I disable device code authentication flow in Entra ID?
- In Entra ID, create a Conditional Access policy targeting All Users, under Conditions select Authentication Flows, enable Device Code Flow, and set Grant to Block. If you need it for kiosks or IoT, scope an exception policy that also requires a compliant managed device. This is the single highest-ROI action against the current 11-kit phishing wave.
- Why doesn't MFA stop device code phishing?
- Because the victim legitimately completes MFA — just not for the session they think they're authorizing. The attacker generates a device code, the user types it at the real microsoft.com/devicelogin page and passes MFA normally, and the resulting OAuth access and refresh tokens are delivered to the attacker. Refresh tokens then persist for weeks to months and survive password resets.
- What SIEM detections should I build for OAuth token theft?
- Alert on device code flow authentications from unexpected geolocations, user consent grants to high-privilege scopes (Mail.ReadWrite, Files.ReadWrite.All, Directory.Read.All) from unrecognized applications, and refresh token reuse from new IP addresses or ASNs. Traditional credential-event monitoring will miss all of this because no password is ever stolen — only consent and token events reveal the attack.
- If we used LiteLLM, which API keys actually need rotation?
- Every LLM provider credential that ever transited a LiteLLM proxy instance — OpenAI, Anthropic, Azure OpenAI, Bedrock, and any other backend you configured. LiteLLM aggregates multi-provider keys by design, so the TeamPCP compromise via the Trivy GitHub Action on March 19 potentially exposed the entire key inventory, not just one provider.
- Which npm packages beyond Axios are in scope for the DPRK maintainer campaign?
- Socket Security and DCSO confirm Bluenoroff (UNC1069) is targeting maintainers of Node.js, Lodash, Fastify, Mocha, and Express, alongside a separate OtterCookie backdoor distributed through malicious npm packages. Audit these and other foundational dependencies for unexpected maintainer changes, new publish tokens, or suspicious releases in the last 90 days.