Advanced Microsoft Device Code Phishing Attacks Hit Hundreds of Org
Hundreds of organizations are being compromised daily by a sophisticated phishing campaign exploiting device code authentication to bypass MFA and steal corporate data.

Key Points
- Daily phishing campaigns exploiting Microsoft device code authentication.
- Use of AI to craft personalized lures and bypass traditional security.
- Bypassing MFA via the EvilTokens phishing-as-a-service kit.
- Complex redirect chains through legitimate cloud platforms to avoid detection.
- Microsoft urges limiting device code flow and enhancing employee security training.
In a concerning escalation of cyber-threat activity, hundreds of organizations are being compromised daily by a sophisticated phishing campaign leveraging Microsoft’s device code authentication mechanism. This campaign, which has been active since mid-March 2026, utilizes AI-driven automation at almost every stage of the attack chain to bypass multi-factor authentication (MFA) and gain unauthorized access to corporate email inboxes and financial data. According to Tanmay Ganacharya, VP of security research at Microsoft, the scale of these attacks is unprecedented, with 10 to 15 distinct campaigns launching every 24 hours. The attackers utilize highly varied and unique payloads for each target, which makes traditional signature-based detection ineffective. These campaigns are industry-agnostic, targeting a broad range of sectors globally, with a specific, consistent focus on exfiltrating financial data post-compromise.

The infrastructure behind these attacks bears striking similarities to "EvilTokens," a phishing-as-a-service kit that has been circulating since mid-February. This kit allows malicious actors to bypass MFA by silently authenticating as the victim within Microsoft 365 applications. While the current focus is on Microsoft environments, the operators have signaled intentions to expand their reach to Gmail and Okta, indicating a broader threat to enterprise identity management.

The attack chain is a masterclass in modern, automated reconnaissance. The process begins with attackers querying the Microsoft GetCredentialType API endpoint to confirm whether targeted email addresses are active within a specific tenant. This reconnaissance phase typically occurs 10 to 15 days before the phishing lure is even sent, allowing attackers to refine their approach. Using AI, the attackers generate highly personalized phishing emails tailored to the recipient's role, utilizing themes like Requests for Proposals (RFPs), invoices, and manufacturing workflows.

To evade automated scanners and sandboxes, these emails do not link directly to the phishing site. Instead, they utilize a series of redirects through trusted serverless platforms such as Railway, Cloudflare Workers, DigitalOcean, and AWS Lambda, allowing the malicious traffic to blend in with legitimate enterprise cloud activity. The final phishing page is designed to perfectly mimic a legitimate Microsoft browser window. It prompts the user to verify their identity, redirecting them to the official microsoft.com/devicelogin URL.

The "pivotal element" of the campaign’s success is the use of dynamic device code generation. The 15-minute validity window for these codes only begins once the victim lands on the final phishing page, effectively neutralizing the time-pressure defense. Once the victim enters the device code, the attackers initiate a polling script via the checkStatus() function. This script pings the attacker’s command-and-control server every 3 to 5 seconds to validate whether the user has authenticated. As soon as the victim completes the login process on the official site, the live access token is sent to the attacker, granting them full, MFA-bypassed access to the account.

Post-compromise, the attackers move quickly to establish persistence. In many cases, they register new devices within 10 minutes to generate a Primary Refresh Token (PRT). Others may wait hours to carefully harvest sensitive email data or set up malicious inbox rules to forward messages containing keywords like "payroll" or "invoice" directly to their own servers.

Microsoft recommends that organizations strictly limit the use of device code flow to scenarios where it is absolutely necessary, advocating for it to be blocked wherever possible. Furthermore, employee training remains a critical defense, focusing on identifying signs of phishing, such as unexpected external links.
As the threat landscape evolves, the intersection of AI, automation, and identity-based attacks requires a zero-trust approach to security.
The Attack Chain Mechanics
The attack utilizes an automated chain that starts with API-based reconnaissance and ends with dynamic phishing pages. Attackers leverage serverless cloud platforms to hide their infrastructure, allowing malicious traffic to appear as legitimate enterprise activity. Once the victim reaches the phishing page, a dynamic device code is generated. This links the victim's session directly to the attacker, allowing them to intercept the access token and completely bypass MFA protections.
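The two post-compromise signals the article describes (a device code sign-in followed within 10 minutes by a device registration, and an inbox rule forwarding "payroll" or "invoice" mail externally) can be hunted for in sign-in and audit logs. The following is an added example, not code from the article or from Microsoft; the events are constructed and loosely shaped after Entra sign-in and audit log fields (authenticationProtocol, activityDisplayName), and the exact field names and values are assumptions to map onto your own log export.

```python
from datetime import datetime, timedelta

# Constructed sample events (not real log data). Field names are assumptions
# modelled on Entra sign-in/audit logs and Exchange New-InboxRule audit records.
SAMPLE_EVENTS = [
    {"time": "2026-03-20T09:00:05Z", "kind": "signin", "user": "a.lee@example.com",
     "authenticationProtocol": "deviceCode", "ip": "203.0.113.7"},
    {"time": "2026-03-20T09:06:40Z", "kind": "audit", "user": "a.lee@example.com",
     "activityDisplayName": "Register device"},
    {"time": "2026-03-20T09:30:00Z", "kind": "audit", "user": "a.lee@example.com",
     "activityDisplayName": "New-InboxRule",
     "forwardTo": "drop@attacker.example", "subjectContains": ["Invoice", "payroll"]},
    {"time": "2026-03-20T10:00:00Z", "kind": "signin", "user": "b.ng@example.com",
     "authenticationProtocol": "oAuth2", "ip": "198.51.100.4"},
]

INTERNAL_DOMAINS = {"example.com"}          # your own accepted domains
WATCH_WORDS = {"payroll", "invoice"}        # keywords named in the campaign
REG_WINDOW = timedelta(minutes=10)          # device registration window from the article

def _ts(event):
    return datetime.strptime(event["time"], "%Y-%m-%dT%H:%M:%SZ")

def device_code_followed_by_registration(events, window=REG_WINDOW):
    """Users who signed in via device code flow and registered a device within `window`."""
    hits = []
    for s in events:
        if s["kind"] != "signin" or s.get("authenticationProtocol") != "deviceCode":
            continue
        for a in events:
            gap = _ts(a) - _ts(s)
            if (a["kind"] == "audit" and a["user"] == s["user"]
                    and a.get("activityDisplayName") == "Register device"
                    and timedelta(0) <= gap <= window):
                hits.append((s["user"], s["ip"], int(gap.total_seconds())))
    return hits

def suspicious_forward_rules(events):
    """Inbox rules that forward mail matching watched keywords to an external address."""
    hits = []
    for e in events:
        if e["kind"] != "audit" or e.get("activityDisplayName") != "New-InboxRule":
            continue
        dest = e.get("forwardTo", "")
        external = dest.split("@")[-1].lower() not in INTERNAL_DOMAINS
        words = {w.lower() for w in e.get("subjectContains", [])} & WATCH_WORDS
        if external and words:
            hits.append((e["user"], dest, sorted(words)))
    return hits

if __name__ == "__main__":
    for h in device_code_followed_by_registration(SAMPLE_EVENTS):
        print("device-code sign-in then device registration:", h)
    for h in suspicious_forward_rules(SAMPLE_EVENTS):
        print("external forward rule on watched keywords:", h)
```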
Security Recommendations
Microsoft strongly advises organizations to strictly limit the use of device code flow to only the most necessary scenarios. IT and security teams should review access policies and block this authentication method wherever it is not explicitly required for business operations. Beyond technical controls, robust employee security training is essential. Users must be taught to identify phishing lures, especially those requesting unusual authentication steps or originating from suspicious external sources.
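Blocking device code flow in Entra ID is done with a Conditional Access policy whose authentication flows condition targets the device code transfer method. The block below is an added example, not the article's or Microsoft's own code: it builds such a policy (report-only first, so legitimate device code use shows up in sign-in logs before enforcement), audits a list of existing policies for one that actually enforces the block, and submits the policy to Microsoft Graph. The Graph resource path and the authenticationFlows/transferMethods field are the documented Conditional Access API; the break-glass group id and the access token are placeholders you must supply.

```python
import json
import urllib.request

GRAPH_POLICIES = "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies"

def build_block_device_code_policy(exclude_groups=(), report_only=True):
    """Conditional Access policy blocking device code flow for all users and apps."""
    return {
        "displayName": "Block device code flow",
        # Report-only surfaces real device-code sign-ins in the logs before enforcing.
        "state": "enabledForReportingButNotEnforced" if report_only else "enabled",
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeGroups": list(exclude_groups)},
            "applications": {"includeApplications": ["All"]},
            # transferMethods is a comma-separated flag string in Graph.
            "authenticationFlows": {"transferMethods": "deviceCodeFlow"},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }

def blocks_device_code(policy):
    """True only if the policy is enforced, scoped to all users, and blocks device code."""
    cond = policy.get("conditions", {})
    methods = cond.get("authenticationFlows", {}).get("transferMethods") or ""
    return (
        policy.get("state") == "enabled"
        and "deviceCodeFlow" in [m.strip() for m in methods.split(",")]
        and "block" in policy.get("grantControls", {}).get("builtInControls", [])
        and "All" in cond.get("users", {}).get("includeUsers", [])
    )

def audit_policies(policies):
    """Names of policies that block device code flow; an empty list means a gap."""
    return [p["displayName"] for p in policies if blocks_device_code(p)]

def create_policy(policy, access_token):
    """POST the policy to Graph; needs Policy.ReadWrite.ConditionalAccess consent."""
    req = urllib.request.Request(
        GRAPH_POLICIES, data=json.dumps(policy).encode(), method="POST",
        headers={"Authorization": f"Bearer {access_token}",
                 "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)

if __name__ == "__main__":
    # Constructed stand-in for the tenant's existing policies (GET on GRAPH_POLICIES).
    existing = [{"displayName": "Require MFA", "state": "enabled",
                 "conditions": {"users": {"includeUsers": ["All"]}},
                 "grantControls": {"builtInControls": ["mfa"]}}]
    if not audit_policies(existing):
        policy = build_block_device_code_policy(exclude_groups=["<break-glass-group-id>"])
        print(json.dumps(policy, indent=2))  # review, then create_policy(policy, "<token>")
```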
This article was drafted with AI assistance and editorially reviewed before publication. Sources are listed below.