A large-scale Microsoft device code phishing campaign is compromising hundreds of organizations daily, using AI-driven tactics and automation to bypass multi-factor authentication and gain access to corporate email accounts and sensitive financial data.

Microsoft Warns of Daily Breaches in Device Code Phishing Campaign

The420 Correspondent

Hundreds of organizations are being compromised each day in a large-scale Microsoft device code phishing campaign that uses artificial intelligence and automation across multiple stages of the attack chain to access corporate email accounts and extract financial data.

Microsoft’s vice president of security research, Tanmay Ganacharya, said the activity has been ongoing since March 15, 2026, with 10 to 15 distinct campaigns launched every 24 hours. Each campaign targets hundreds of organizations with varied and unique payloads, which makes signature-based detection harder. The attacks have affected organizations globally across sectors. No specific group has been formally attributed, though similarities have been observed with tooling linked to EvilTokens.


AI-Driven Phishing and MFA Bypass Techniques

The campaign leverages a phishing kit known as EvilTokens, which has been available as a service since mid-February. The kit enables attackers to bypass multi-factor authentication and silently gain access to Microsoft 365 accounts. Its developers have indicated plans to expand support to Gmail and Okta phishing environments.

Post-compromise activity has shown a consistent focus on finance-related roles, with automated extraction of emails from compromised accounts. Microsoft researchers described the campaign as a significant escalation in threat actor sophistication, highlighting the growing use of AI to craft highly personalized phishing messages aligned with the target’s role, including themes such as invoices, proposals, and operational workflows.

Device Code Authentication Exploited

The attack abuses device code authentication (the OAuth 2.0 device authorization grant), a sign-in flow built for input-constrained devices such as smart TVs, printers and command-line tools that cannot present a normal browser login. The device asks the identity provider for a short user code and displays it; the user opens the verification page on a phone or laptop, signs in (completing MFA as usual) and types the code, after which the device's polling request is answered with tokens. The convenience comes at a price: the identity provider cannot confirm that the person entering the code is the same person operating the device that requested it, so the tokens go to whoever started the flow.

Attackers exploit that gap by starting the flow themselves and delivering the resulting code in a phishing message. A victim who signs in and enters the code is authenticating on a genuine Microsoft page and satisfying MFA normally, but is approving the attacker's session: the attacker's client receives the access and refresh tokens, no password needs to be captured, and nothing about the MFA prompt looks out of place.
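The exchange described above, as an added example that is not part of the original article and not Microsoft's implementation: a toy in-memory authorization server implementing the RFC 8628 device grant, an attacker client that starts the flow and polls the token endpoint, and a victim who signs in with MFA on the verification page and enters the code. All names, endpoints and token values are constructed; the 15-minute lifetime follows the article.

```python
"""Toy OAuth 2.0 Device Authorization Grant (RFC 8628), constructed to show the
property the campaign abuses: tokens are issued to whichever client requested the
device code, and the server cannot tell that the person entering the user code is
not the operator of that client. Names, URIs and tokens are made up."""
import secrets

DEVICE_CODE_TTL = 15 * 60   # seconds; the article cites a 15-minute code lifetime
POLL_INTERVAL = 5           # seconds between client polls of the token endpoint


class FakeClock:
    """Controllable clock so the expiry path can be exercised without waiting."""
    def __init__(self, start=1_000_000.0):
        self.t = start

    def now(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


class AuthorizationServer:
    """Minimal RFC 8628 server: /devicecode, the user-facing /devicelogin page, /token."""

    def __init__(self, clock):
        self.clock = clock
        self._pending = {}   # device_code -> request record

    def device_authorization(self, client_id, scope):
        """POST /devicecode: any client may start a flow; no user is involved yet."""
        device_code = secrets.token_urlsafe(32)
        user_code = secrets.token_hex(4).upper()          # short code shown to a human
        self._pending[device_code] = {
            "client_id": client_id, "scope": scope, "user_code": user_code,
            "expires_at": self.clock.now() + DEVICE_CODE_TTL, "approved_by": None,
        }
        return {"device_code": device_code, "user_code": user_code,
                "verification_uri": "https://idp.example/devicelogin",
                "expires_in": DEVICE_CODE_TTL, "interval": POLL_INTERVAL}

    def device_login(self, user_code, user, mfa_passed):
        """The /devicelogin page. The user signs in, satisfies MFA and types the code.
        Nothing here ties the user's browser to the client that asked for the code."""
        for rec in self._pending.values():
            if rec["user_code"] == user_code and rec["expires_at"] > self.clock.now():
                if not mfa_passed:
                    return {"error": "mfa_required"}
                rec["approved_by"] = user
                return {"status": "approved", "client_id": rec["client_id"]}
        return {"error": "invalid_user_code"}

    def token(self, device_code, client_id):
        """POST /token with grant_type=urn:ietf:params:oauth:grant-type:device_code."""
        rec = self._pending.get(device_code)
        if rec is None or rec["client_id"] != client_id:
            return {"error": "invalid_grant"}
        if rec["expires_at"] <= self.clock.now():
            del self._pending[device_code]
            return {"error": "expired_token"}
        if rec["approved_by"] is None:
            return {"error": "authorization_pending"}   # client keeps polling
        del self._pending[device_code]                   # single use
        return {"token_type": "Bearer", "scope": rec["scope"],
                "access_token": "at." + secrets.token_hex(8),
                "refresh_token": "rt." + secrets.token_hex(8),
                "subject": rec["approved_by"]}


def phish(clock=None, victim_enters_code=True, delay_seconds=60):
    """Walk the attack: the attacker starts the flow, the victim completes it (or not)."""
    clock = clock or FakeClock()
    idp = AuthorizationServer(clock)
    attacker_client = "cli-tool-client-id"   # constructed; any public client id works
    dev = idp.device_authorization(attacker_client, "Mail.ReadWrite offline_access")

    first_poll = idp.token(dev["device_code"], attacker_client)   # nobody has signed in yet
    clock.advance(delay_seconds)                                  # lure is delivered, time passes
    login = None
    if victim_enters_code:
        # Victim signs in on the real verification page, passes MFA, types the code.
        login = idp.device_login(dev["user_code"], "cfo@victim.example", mfa_passed=True)
    final_poll = idp.token(dev["device_code"], attacker_client)   # attacker collects tokens
    return {"user_code": dev["user_code"], "first_poll": first_poll,
            "login": login, "final_poll": final_poll}


if __name__ == "__main__":
    print(phish())
```

The `subject` field in the final poll is the victim's identity, while the caller is the attacker's client; that mismatch is exactly what the real protocol has no field for, which is why the mitigation is to restrict the flow rather than to inspect it.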

Complex Attack Chain and Persistent Access

The campaign begins with reconnaissance: attackers query a Microsoft API endpoint to verify whether the targeted email addresses belong to active accounts, typically 10 to 15 days before the phishing attempt. They then send phishing emails containing links or attachments that send victims through a series of automated redirects across compromised domains hosted on platforms such as Railway, Cloudflare Workers, DigitalOcean, and AWS Lambda.

The final phishing page mimics a legitimate browser window and sends users to Microsoft's real device login page, displaying a dynamically generated code valid for 15 minutes. Because the sign-in itself happens on a genuine Microsoft domain, checking the address bar does not reveal the attack. Once the victim completes authentication, the tokens are issued to the attacker's client and relayed to attacker-controlled systems, enabling account takeover.

In some cases, attackers establish persistence by registering new devices in the tenant and obtaining long-lived tokens that outlive the initial session. In others, they extract sensitive data or create inbox rules to monitor and forward emails related to financial activity.
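A detection sketch for the post-compromise pattern just described, added here as an example and not Microsoft's own detection logic: it correlates a successful sign-in that used the device code grant with a later inbox rule on the same mailbox that forwards, redirects or deletes mail. The records are constructed for the example in the shape of Entra ID sign-in logs (`authenticationProtocol`, `appDisplayName`, `status.errorCode`) and Exchange Online unified audit records (`Operation`, `UserId`, `Parameters`); addresses and timestamps are made up.

```python
"""Correlate device-code sign-ins with suspicious inbox rules on the same mailbox.
Sample records are constructed; field names follow the Entra signIn resource and
the Exchange Online unified audit log."""
from datetime import datetime, timedelta

# Constructed Entra sign-in records (subset of the signIn resource fields).
SIGN_INS = [
    {"createdDateTime": "2026-03-20T08:02:11Z", "userPrincipalName": "cfo@victim.example",
     "authenticationProtocol": "deviceCode", "ipAddress": "203.0.113.7",
     "appDisplayName": "Microsoft Authentication Broker", "status": {"errorCode": 0}},
    {"createdDateTime": "2026-03-20T08:05:40Z", "userPrincipalName": "dev@victim.example",
     "authenticationProtocol": "deviceCode", "ipAddress": "198.51.100.9",
     "appDisplayName": "Azure CLI", "status": {"errorCode": 0}},
    {"createdDateTime": "2026-03-20T09:00:00Z", "userPrincipalName": "cfo@victim.example",
     "authenticationProtocol": "none", "ipAddress": "192.0.2.4",
     "appDisplayName": "Outlook", "status": {"errorCode": 0}},
]

# Constructed Exchange Online unified audit log records.
AUDIT = [
    {"CreationTime": "2026-03-20T08:14:02", "Operation": "New-InboxRule",
     "UserId": "cfo@victim.example",
     "Parameters": [{"Name": "Name", "Value": "."},
                    {"Name": "SubjectContainsWords", "Value": "invoice;payment;wire"},
                    {"Name": "ForwardTo", "Value": "collector@attacker.example"},
                    {"Name": "DeleteMessage", "Value": "True"}]},
    {"CreationTime": "2026-03-20T08:30:00", "Operation": "New-InboxRule",
     "UserId": "dev@victim.example",
     "Parameters": [{"Name": "Name", "Value": "CI noise"},
                    {"Name": "MoveToFolder", "Value": "Builds"}]},
]

# Rule parameters that exfiltrate or hide mail; benign "move to folder" rules are ignored.
SUSPICIOUS_RULE_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo", "DeleteMessage"}


def _ts(value):
    return datetime.fromisoformat(value.replace("Z", ""))


def device_code_sign_ins(sign_ins):
    """Successful sign-ins that used the device code grant."""
    return [s for s in sign_ins
            if s["authenticationProtocol"] == "deviceCode" and s["status"]["errorCode"] == 0]


def suspicious_inbox_rules(audit):
    """New-InboxRule / Set-InboxRule events carrying forwarding, redirect or delete actions."""
    out = []
    for rec in audit:
        if rec["Operation"] not in ("New-InboxRule", "Set-InboxRule"):
            continue
        params = {p["Name"]: p["Value"] for p in rec["Parameters"]}
        hits = SUSPICIOUS_RULE_PARAMS & params.keys()
        if hits:
            out.append({"user": rec["UserId"], "time": _ts(rec["CreationTime"]),
                        "params": {k: params[k] for k in hits}})
    return out


def correlate(sign_ins, audit, window=timedelta(hours=24)):
    """Pair each device-code sign-in with a later suspicious rule on the same mailbox."""
    alerts = []
    rules = suspicious_inbox_rules(audit)
    for s in device_code_sign_ins(sign_ins):
        t0 = _ts(s["createdDateTime"])
        for r in rules:
            same_user = r["user"].lower() == s["userPrincipalName"].lower()
            if same_user and t0 <= r["time"] <= t0 + window:
                alerts.append({"user": r["user"], "sign_in_ip": s["ipAddress"],
                               "app": s["appDisplayName"], "rule_params": r["params"],
                               "minutes_after_sign_in": int((r["time"] - t0).total_seconds() // 60)})
    return alerts


if __name__ == "__main__":
    for alert in correlate(SIGN_INS, AUDIT):
        print(alert)
```

The developer's Azure CLI sign-in is a legitimate device-code user and produces no alert, which is the point of correlating rather than alerting on every device-code sign-in; a tenant with no expected device-code use can alert on `device_code_sign_ins` alone.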

Microsoft has advised organizations to limit the use of device code authentication, for example by blocking the flow for users and applications that do not need it, and to train employees to recognise phishing attempts, including unexpected external messages and sign-in prompts that ask them to enter a code they did not request.
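One way to act on that advice, as an added example rather than anything from the article: build an Entra Conditional Access policy that blocks the device code flow tenant-wide through the Microsoft Graph `conditionalAccessPolicy` resource, plus an audit helper that checks whether a tenant's existing policies actually enforce such a block. The policy body follows the documented `conditions.authenticationFlows.transferMethods` schema; the break-glass account id and the `GRAPH_TOKEN` environment variable are placeholders, and the POST is only sent when a token is supplied.

```python
"""Block the OAuth device code flow with an Entra Conditional Access policy via
Microsoft Graph, and audit existing policies for an enforced block. The excluded
user id and the token source are placeholders for the example."""
import json
import os
import urllib.request

GRAPH_CA_POLICIES = "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies"


def block_device_code_policy(exclude_user_ids, enforce=False):
    """Build the policy. Start in report-only mode to find legitimate device code users
    (headless CLIs, meeting room devices) before switching to enforcement."""
    return {
        "displayName": "Block device code flow",
        "state": "enabled" if enforce else "enabledForReportingButNotEnforced",
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeUsers": list(exclude_user_ids)},
            "applications": {"includeApplications": ["All"]},
            "clientAppTypes": ["all"],
            "authenticationFlows": {"transferMethods": "deviceCodeFlow"},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }


def policies_blocking_device_code(policies):
    """Names of policies that really enforce the block: enabled (not report-only),
    scoped to all users, targeting deviceCodeFlow, with the block grant control."""
    out = []
    for p in policies:
        cond = p.get("conditions") or {}
        flows = (cond.get("authenticationFlows") or {}).get("transferMethods") or ""
        methods = {m.strip() for m in flows.split(",")}   # flagged enum, comma separated
        users = (cond.get("users") or {}).get("includeUsers") or []
        controls = (p.get("grantControls") or {}).get("builtInControls") or []
        if (p.get("state") == "enabled" and "deviceCodeFlow" in methods
                and "All" in users and "block" in controls):
            out.append(p["displayName"])
    return out


def create_policy(policy, token):
    """POST the policy; the token needs Policy.ReadWrite.ConditionalAccess."""
    req = urllib.request.Request(
        GRAPH_CA_POLICIES, data=json.dumps(policy).encode("utf-8"), method="POST",
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Placeholder break-glass account id: never lock every admin out of the tenant.
    policy = block_device_code_policy(["00000000-0000-0000-0000-000000000000"])
    print(json.dumps(policy, indent=2))
    token = os.environ.get("GRAPH_TOKEN")   # placeholder token source for the example
    if token:
        print(create_policy(policy, token))
```

Run the audit helper against the tenant's policy list (GET on the same endpoint) after rollout: a report-only policy shows up in sign-in logs but does not stop the attacker's token request, so it must not be mistaken for the control.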
