At the start of 2026, device code phishing was still a niche technique associated with Russian state-linked campaigns. Six months later, we’re tracking 18x kits in the wild, a 37x spike in detections, and it feels like every PhaaS vendor in the AiTM space has added device code phishing to their platform.

What was an espionage-grade technique 18 months ago is now a criminal commodity.

Device code phishing is the go-to for criminals in 2026 because it doesn’t matter what login controls you have deployed. Strong passwords, MFA, even passkeys: it sidesteps the standard login process altogether by targeting the authorization layer. This is effectively post-auth phishing.

Once an attacker has a valid token, a single phished session can quickly escalate into broad access across an organization's connected apps and services.

Join Luke Jennings, Push's VP of R&D, for a threat research-focused session that goes behind the scenes of device code phishing — with live demos, real examples from kits and campaigns in the wild, and a practical look at what security teams can do about it. We'll cover:

• Real examples from the most notable kits and campaigns Push is tracking in the wild
• Live demos of device code phishing from the attacker's side — across both Microsoft and non-Microsoft apps
• How AiTM kits and device code phishing are converging into multi-technique platforms
• Mitigation strategies, their practical limitations, and the gaps that remain
• The future of device code phishing — and why Microsoft targeting is just the beginning