Book a meeting →

Push Logo
On-Demand Webinar

Threat research webinar: Device code phishing in 2026

At the start of 2026, device code phishing was still a niche technique associated with Russian state-linked campaigns. Six months later, we’re tracking 18x kits in the wild, a 37x spike in detections, and it feels like every PhaaS vendor in the AiTM space has added device code phishing to their platform.


What was an espionage-grade technique 18 months ago is now a criminal commodity.


Device code phishing is the go-to for criminals in 2026 because it doesn’t matter what login controls you have deployed. Strong passwords, MFA, even passkeys: it sidesteps the standard login process altogether by targeting the authorization layer. This is effectively post-auth phishing.


Once an attacker has a valid token, a single phished session can quickly escalate into broad access across an organization's connected apps and services.

Join Luke Jennings, Push's VP of R&D, for a threat research-focused session that goes behind the scenes of device code phishing — with live demos, real examples from kits and campaigns in the wild, and a practical look at what security teams can do about it. We'll cover:

Real examples from the most notable kits and campaigns Push is tracking in the wild
Live demos of device code phishing from the attacker's side — across both Microsoft and non-Microsoft apps
Learn how browser telemetry provides the data and context needed for effective response.
How AiTM kits and device code phishing are converging into multi-technique platforms
Mitigation strategies, their practical limitations, and the gaps that remain

This event is designed for both hands-on practitioners and security leaders looking to translate technical capabilities into tangible response outcomes.

Push forward double slash
Luke JenningsVP Research
Complete the form below
Subscribe to mailing list for content updates
Trusted by
Sophos
Gitlab
Thinkst
Cribl