Webinar Series - On Demand
Threat research webinar:
Device code phishing in 2026
Join the latest webinar from Push Security VP Research Luke Jennings, showcasing the evolution in device code phishing kits and how device code logins are abused in real-world attacks.

Got questions for John or Luke?
Agenda: Device code phishing in 2026
Behind-the-scenes demos, real kits, and where it’s headed next.
At the start of 2026, device code phishing was still a niche technique associated with Russian state-linked campaigns. Six months later, we’re tracking 18x kits in the wild, a 37x spike in detections, and it feels like every PhaaS vendor in the AiTM space has added device code phishing to their platform.
What was an espionage-grade technique 18 months ago is now a criminal commodity.
Device code phishing is the go-to for criminals in 2026 because it doesn’t matter what login controls you have deployed. Strong passwords, MFA, even passkeys: it sidesteps the standard login process altogether by targeting the authorization layer. This is effectively post-auth phishing.
Once an attacker has a valid token, a single phished session can quickly escalate into broad access across an organization's connected apps and services.
Join Luke Jennings, Push's VP of R&D, for a threat research-focused session that goes behind the scenes of device code phishing — with live demos, real examples from kits and campaigns in the wild, and a practical look at what security teams can do about it. We'll cover:
- Real examples from the most notable kits and campaigns Push is tracking in the wild
- Live demos of device code phishing from the attacker's side — across both Microsoft and non-Microsoft apps
- How AiTM kits and device code phishing are converging into multi-technique platforms
- Mitigation strategies, their practical limitations, and the gaps that remain
- The future of device code phishing — and why Microsoft targeting is just the beginning
Agenda: Why the Browser is the New Battleground
The browser is the new endpoint, and it's under attack. Attacks are happening entirely inside the browser sandbox, targeting applications directly over the internet, and blending in with legitimate web and network traffic, application access, and user activity. This is a significant challenge for security teams. Existing security tools can't get visibility of what's happening inside the browser. Attackers know this, and are ruthlessly exploiting the browser blindspot. This is fuelling a lot of attacker innovation, with new tools and techniques constantly emerging. Push Security VP R&D Luke Jennings is joined by John Hammond, Senior Principal Security Researcher at Huntress, to demonstrate the latest browser-based attack techniques. Ride along with Luke and John as they analyse real-world attacks, covering:
- ConsentFix, the browser-native ClickFix attack linked to Russian APTs
- Session-stealing, MFA-bypassing phishing campaigns targeting enterprises over LinkedIn and Google Ads
- The latest social engineering tradecraft and detection evasion techniques
- What the future of browser-based attacks looks like and what security teams can do about it