A new phishing-as-a-service kit is making the rounds, and this one is a serious concern. According to a report from the FBI, the kit lets attackers bypass multi-factor authentication (MFA) on cloud email and productivity accounts without ever needing to steal a password.
MFA is one of the most effective and widely recommended ways to secure online accounts, stopping up to 99% of account-based attacks. So when an attack has a workaround for this critical security feature, it is worth paying attention to. Here is what you need to know.
Convenient Logins, Manipulated
Have you ever linked one of your online accounts, such as a streaming service, to a smart TV and, instead of typing a password, just entered a short code or approved a prompt?
This is called device-code login. It is a quick and easy way to connect a device without repeatedly entering your password or responding to MFA prompts, especially when you do not have access to a computer or keyboard. When used correctly, it is convenient and secure.
However, attackers have learned how to exploit this process to trick users into approving logins they never intended to grant. It is this exact technology that the phishing kit takes advantage of.
The Attack in Action
You receive an email. Someone is trying to share a document with you through a document-signing service. All you need to do is follow the verification steps included in the email.
What you do not realize is that this is a phishing email, and right now an attacker is actively trying to gain access to your cloud account.
On the attacker’s side, they have started a real device-code login process with your cloud provider. The provider generates a temporary eight-digit code tied to that login attempt and tells them to enter the code on a sign-in page to continue. That code is what links their session, similar to when you sign into an app on your smart TV using a code instead of a password.
The attacker then takes that real code and disguises it inside the fake document-sharing email. To you, it just looks like a normal verification step. You click “Open” and are taken to a legitimate sign-in page. It looks official because it is a real provider website. But instead of verifying a document, you are actually completing the attacker’s login request for them.
You type in the code, hit submit, and just like that you have granted an attacker access to your account.
On the provider’s side, nothing looks wrong. The request appears legitimate, so it approves the login as if it were you. No password was stolen, and MFA was considered successful. You simply approved a session without knowing it.
Even worse, once access is granted, the attacker can maintain persistent access to your account. They will not need to log in again as long as that access remains active. That is exactly what makes this so dangerous.
Why Phishing-as-a-Service Makes This Worse
What makes this attack especially dangerous is how easy it is for attackers to use. Kits like this are part of what is called phishing-as-a-service: subscription-based hacking tools. Instead of needing advanced skills, attackers can pay for access and get premade, ready-to-go phishing kits.
These platforms can include:
- Pre-built phishing pages that look like legitimate login screens
- Automated campaign tools that send out phishing emails with fake login links
- Dashboards that track who clicked and who entered codes
- AI-generated messages designed to trick users into clicking
In the past, these types of attacks required technical expertise and years of experience. Now, they can be run by almost anyone willing to pay for them.
How to Stay Safe
This is a powerful phishing technique, but there are several ways you can keep your business safe:
- Work with your IT team to limit unnecessary device-code logins and tighten account security settings.
- Be cautious with unexpected sign-in prompts, even if they look like they come from a trusted provider.
- Never copy or enter verification codes unless you are certain the request is legitimate.
- When in doubt, verify through a separate channel by going directly to official websites.
- Report any phishing email or suspicious login attempt to your IT team, or file a complaint with the Internet Crime Complaint Center (IC3).
The Bottom Line
This phishing kit is particularly dangerous because it uses legitimate login requests to trick users into handing over account access. The safest defense is to slow down, question verification prompts, and never grant sign-in access to anything you are not 100% confident about.
At Cytranet, we help organizations stay secure by handling the backend engineering, such as blocking unauthorized device-code sign-in flows entirely, while also training your team to recognize and avoid these threats before they succeed.
If you are looking for a security partner, let’s talk. Working together is the most effective way to stay ahead of modern phishing attacks.
Frequently Asked Questions
What is device-code authentication?
It is a login method commonly used for devices like smart TVs, streaming devices, and apps that make typing passwords difficult. Users enter a code on another device and complete the login process more easily.
How does this phishing kit get around MFA?
It abuses device-code authentication by disguising a real login code inside a phishing email, presented as if it were a normal verification step. The user thinks they are verifying a document, but they are actually granting the attacker access to their account by entering the device code.
How can I protect my business from attacks like this?
The best defense is to limit unnecessary device-code authentication, implement stronger access policies, train employees to recognize phishing attempts, and monitor for suspicious sign-in activity.
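One way to act on the advice to limit device-code authentication and monitor sign-in activity, shown as an added example that is not code from Cytranet or the FBI report: a log review that flags device-code sign-ins by accounts not approved for them, and sign-ins where the code was approved inside the office network while the token was requested from outside it. The log schema, network range, and account names are assumptions constructed for illustration; only the grant type identifier is real (RFC 8628).

```python
import ipaddress
import json

# Grant type identifier from RFC 8628 (OAuth 2.0 device authorization grant).
DEVICE_CODE_GRANT = "urn:ietf:params:oauth:grant-type:device_code"
# Assumptions for this example: the office network range and approved accounts.
KNOWN_NETWORKS = [ipaddress.ip_network("198.51.100.0/24")]
APPROVED_USERS = {"lobby-display@example.com"}

# Constructed sample records in a hypothetical schema (not a real provider's log format).
SAMPLE_LOG = """\
{"time":"2025-01-10T09:02:11Z","user":"lobby-display@example.com","grant_type":"urn:ietf:params:oauth:grant-type:device_code","device_ip":"198.51.100.20","approver_ip":"198.51.100.31","success":true}
{"time":"2025-01-10T09:15:40Z","user":"alice@example.com","grant_type":"authorization_code","device_ip":"198.51.100.44","approver_ip":"198.51.100.44","success":true}
{"time":"2025-01-10T10:41:03Z","user":"bob@example.com","grant_type":"urn:ietf:params:oauth:grant-type:device_code","device_ip":"203.0.113.77","approver_ip":"198.51.100.52","success":true}
{"time":"2025-01-10T10:59:27Z","user":"carol@example.com","grant_type":"urn:ietf:params:oauth:grant-type:device_code","device_ip":"203.0.113.90","approver_ip":"198.51.100.60","success":false}
not-json garbage line
"""

def in_known_network(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in KNOWN_NETWORKS)

def review_device_code_signins(log_text):
    """Return (findings, skipped): flagged device-code sign-ins and the count of bad lines."""
    findings, skipped = [], 0
    for line in log_text.splitlines():
        try:
            event = json.loads(line)
            grant, user = event["grant_type"], event["user"]
            device_known = in_known_network(event["device_ip"])
            approver_known = in_known_network(event["approver_ip"])
        except (ValueError, KeyError, TypeError):
            skipped += 1  # unparseable or incomplete record: count it, do not guess
            continue
        if grant != DEVICE_CODE_GRANT:
            continue
        reasons = []
        if user not in APPROVED_USERS:
            reasons.append("user not approved for device-code login")
        if approver_known and not device_known:
            reasons.append("code approved inside the network, token requested from outside")
        if reasons:
            severity = "high" if event.get("success") else "medium"
            findings.append({"time": event["time"], "user": user, "severity": severity, "reasons": reasons})
    return findings, skipped

if __name__ == "__main__":
    for finding in review_device_code_signins(SAMPLE_LOG)[0]:
        print(finding)
```

A successful flagged sign-in is rated high because the session has already been granted; a failed one is rated medium because it still shows a code was presented to a user.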
About Cytranet
Cytranet is a business-only fiber and telecommunications carrier serving Las Vegas, Nevada and Southern California, and a trusted government and military telecommunications contractor. We provide fiber internet, fixed wireless, broadband, business VoIP, data center and colocation, network security, and related connectivity services, all backed by 24/7/365 support. We build lasting relationships with our clients founded on trust, reliability, and clear communication, helping every organization we serve use technology to stay secure and grow. Connecting Today, Empowering Tomorrow.







