See the matrix →

Push Logo
On-Demand Webinar
Threat research webinar: Device code phishing in 2026

At the start of 2026, device code phishing was still a niche technique associated with Russian state-linked campaigns. Six months later, we’re tracking 18x kits in the wild, a 37x spike in detections, and it feels like every PhaaS vendor in the AiTM space has added device code phishing to their platform.


What was an espionage-grade technique 18 months ago is now a criminal commodity.


Device code phishing is the go-to for criminals in 2026 because it doesn’t matter what login controls you have deployed. Strong passwords, MFA, even passkeys: it sidesteps the standard login process altogether by targeting the authorization layer. This is effectively post-auth phishing.


Once an attacker has a valid token, a single phished session can quickly escalate into broad access across an organization's connected apps and services.

Join Luke Jennings, Push's VP of R&D, for a threat research-focused session that goes behind the scenes of device code phishing — with live demos, real examples from kits and campaigns in the wild, and a practical look at what security teams can do about it. We'll cover:

Real examples from the most notable kits and campaigns Push is tracking in the wild
Live demos of device code phishing from the attacker's side — across both Microsoft and non-Microsoft apps
Learn how browser telemetry provides the data and context needed for effective response.
How AiTM kits and device code phishing are converging into multi-technique platforms
Mitigation strategies, their practical limitations, and the gaps that remain

This event is designed for both hands-on practitioners and security leaders looking to translate technical capabilities into tangible response outcomes.

Push forward double slash
Luke JenningsVP Research
Complete the form below
Trusted by
Sophos
Gitlab
Thinkst
Cribl