OAuth device code flow phishing — attacker sends XXXX-XXXX code and directs victim to devicelogin URL

eviltokens-device-code

What this tier means

Warning signal — bulk / marketing / mild spam. Contributes to the trash score but is not by itself sufficient.

How Gorganizer detects this

OAuth Device Code Flow phishing (EvilTokens variant) — the attacker sends a device authorization code (XXXX-XXXX) and directs the victim to a legitimate device-auth URL (microsoft.com/devicelogin, github.com/login/device) to enter it. Once the victim authorizes, the attacker receives a full OAuth access token. This defeats FIDO2/hardware-token 2FA in effect: the victim completes authentication themselves at a genuine Microsoft/GitHub URL, so the attacker never has to bypass the second factor. A surge in this technique against Entra ID / Azure AD tenants was documented in 2025-2026. The signal fires only when all four conditions hold: (1) a device code pattern (XXXX-XXXX alphanumeric) is present, (2) a device-auth URL is present, (3) device-code framing context ("enter the code", "device authorization") is present, and (4) the sender is NOT from microsoft.com, github.com, google.com, or slack.com. Source: GC1 R13 council #1; Secureworks CTU-MA-20230601; Microsoft MSRC device-code advisory 2025.
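As an added illustration, not Gorganizer's own code, the four AND-ed conditions above written as a small Python check and run over constructed sample messages. The code regex, the exact phrase list, the letter-required narrowing, and the subdomain handling for the sender allowlist are assumptions; the page only names the conditions.

```python
import re

# Assumed encodings of the four conditions (not Gorganizer's implementation).
DEVICE_CODE_RE = re.compile(r"\b[A-Z0-9]{4}-[A-Z0-9]{4}\b")
DEVICE_AUTH_URLS = ("microsoft.com/devicelogin", "github.com/login/device")
FRAMING_PHRASES = ("enter the code", "device authorization")
LEGIT_SENDER_DOMAINS = ("microsoft.com", "github.com", "google.com", "slack.com")


def has_device_code(body: str) -> bool:
    # Assumed narrowing: require at least one letter so that year ranges
    # such as "2025-2026" do not count as a device code.
    return any(any(ch.isalpha() for ch in m) for m in DEVICE_CODE_RE.findall(body))


def sender_domain(from_header: str) -> str:
    # Pull the domain out of a "Name <user@domain>" or bare-address From header.
    m = re.search(r"@([A-Za-z0-9.-]+)", from_header)
    return m.group(1).lower().rstrip(".") if m else ""


def sender_is_legit(from_header: str) -> bool:
    # Exact match or a true subdomain; "github.com.evil.example" must not pass.
    d = sender_domain(from_header)
    return any(d == ok or d.endswith("." + ok) for ok in LEGIT_SENDER_DOMAINS)


def evaluate(from_header: str, body: str) -> dict:
    """Return each condition's result plus 'fires' (true only when all four hold)."""
    lowered = body.lower()
    hits = {
        "device_code": has_device_code(body),
        "device_auth_url": any(u in lowered for u in DEVICE_AUTH_URLS),
        "framing": any(p in lowered for p in FRAMING_PHRASES),
        "sender_not_legit": not sender_is_legit(from_header),
    }
    hits["fires"] = all(hits.values())
    return hits


# Constructed sample messages (From header, body) for illustration only.
PHISH = ("From: IT Support <helpdesk@contoso-support.example>",
         "Mailbox re-verification required. Go to https://microsoft.com/devicelogin "
         "and enter the code ABCD-EF12 within 15 minutes.")
LEGIT = ("From: GitHub <noreply@github.com>",
         "Visit https://github.com/login/device and enter the code WXYZ-1234 "
         "to finish device authorization.")
PROMO = ("From: Newsletter <news@vendor.example>",
         "Our 2025-2026 roadmap is live. Enter the code SAVE-2025 at checkout.")

if __name__ == "__main__":
    for name, msg in (("phish", PHISH), ("legit", LEGIT), ("promo", PROMO)):
        print(name, evaluate(*msg))
```

Only the first sample fires: the genuine GitHub notice fails condition (4), and the promotional mail has a code-shaped token but no device-auth URL.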

False-positive guard

Every signal in Gorganizer feeds a multi-module score — never a sole verdict. This is a warning-tier signal — bulk / marketing / mild spam. It contributes to the trash score but never triggers deletion on its own. Gorganizer requires multiple signals + a margin over the safety floor before any email is moved to trash.

About the scoring engine

Gorganizer's scoring engine emits over 1,800 signals across six modules — headers, sender, subject, body, attachments, and structural metadata. Every email is scored by every module independently; the final verdict requires multiple modules to agree and the trash score to beat the safety floor by a margin.

Sacred safety guards — never delete starred emails, replies, calendar invites, receipts/invoices, or attachments — apply unconditionally regardless of any signal.

Ready to clean your inbox?

Gorganizer scans your Gmail with this signal and 1,800+ others, then cleans everything in one click. $4.99 one-time, no subscription.