Microsoft has disclosed a sophisticated device code phishing campaign that has compromised hundreds of organizations daily since March 15, employing AI for personalized lures and automation across the attack chain to infiltrate Microsoft 365 accounts and siphon financial data. The operation deploys 10 to 15 unique campaigns every 24 hours with varied payloads, complicating detection efforts across global industries.
Microsoft’s Vice President of security research Tanmay Ganacharya highlighted the campaign’s scale and innovation, noting its reliance on the EvilTokens phishing-as-a-service kit available since mid-February. This toolkit enables multi-factor authentication bypass, automated email harvesting and plans to target Gmail and Okta.
AI-Driven Phishing Evolution
Attackers use AI to craft role-specific phishing, tailored to finance teams with themes such as invoices or proposals, maximising post-compromise yield through automated extraction. Reconnaissance via Microsoft APIs checks account activity 10-15 days before the phish is sent.
Dynamic code generation extends the 15-minute validity window, boosting success rates beyond traditional static attacks. Phishing leverages legitimate Microsoft flows via compromised domains on Railway, Cloudflare Workers, DigitalOcean and AWS Lambda.
Device Code Mechanics Exposed
Device code authentication suits non-browser devices but trades security for convenience, lacking tight device binding. Victims receive codes via phishing and enter them on genuine Microsoft pages, unknowingly authorising attacker access.
Post-authentication, tokens flow to attackers, enabling account takeover. Persistence via new device registration or long-term tokens follows, with inbox rules forwarding financial emails.
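To make the "lacking tight device binding" point concrete, here is an added toy model of the OAuth 2.0 device authorization grant (RFC 8628), the flow behind device code sign-in. It is constructed for this article and is not Microsoft's code, the EvilTokens kit, or any real endpoint; the class and function names (IdentityProvider, DeviceGrant, run_flow) are ours. It shows why the token ends up with whoever holds the device_code rather than with the device the user typed the user_code into, and how the 15-minute validity window behaves.

```python
"""Toy model of the OAuth 2.0 device authorization grant (RFC 8628).

Added, constructed illustration; not Microsoft's code and not the EvilTokens
kit. It models the three parties in the article's description: the client
that requests a device code, the user who types the user_code into the
legitimate sign-in page, and the identity provider that issues the token.
The provider never learns which device the user approved from, so the token
is released to whichever party holds the device_code.
"""
import secrets
from dataclasses import dataclass
from typing import Optional

DEVICE_CODE_LIFETIME_S = 15 * 60  # the 15-minute validity window cited in the article


@dataclass
class DeviceGrant:
    device_code: str            # secret, held only by the polling client
    user_code: str              # short code shown to (and phished from) the user
    client_id: str              # the client that asked for the grant
    issued_at: float
    approved_by: Optional[str] = None


class IdentityProvider:
    """Toy authorization server with an injectable clock (seconds)."""

    def __init__(self):
        self.now = 0.0
        self._grants = {}        # device_code -> DeviceGrant
        self._by_user_code = {}  # user_code  -> DeviceGrant

    def device_authorization(self, client_id):
        """Step 1: the client obtains a device_code/user_code pair."""
        grant = DeviceGrant(
            device_code=secrets.token_urlsafe(32),
            user_code=f"{secrets.randbelow(10**9):09d}",
            client_id=client_id,
            issued_at=self.now,
        )
        self._grants[grant.device_code] = grant
        self._by_user_code[grant.user_code] = grant
        return {"device_code": grant.device_code, "user_code": grant.user_code,
                "expires_in": DEVICE_CODE_LIFETIME_S, "interval": 5}

    def user_approves(self, user_code, user):
        """Step 2: the user enters the user_code on the real sign-in page.
        Nothing submitted here identifies the device that will redeem the grant."""
        grant = self._by_user_code.get(user_code)
        if grant is None or self._expired(grant):
            return "invalid_or_expired_code"
        grant.approved_by = user
        return "approved"

    def token(self, device_code):
        """Step 3: the holder of device_code polls the token endpoint."""
        grant = self._grants.get(device_code)
        if grant is None:
            return {"error": "invalid_grant"}
        if self._expired(grant):
            return {"error": "expired_token"}
        if grant.approved_by is None:
            return {"error": "authorization_pending"}
        # Issued for the approving user, to whichever party holds device_code.
        return {"access_token": f"token-for-{grant.approved_by}",
                "issued_to_client": grant.client_id, "token_type": "Bearer"}

    def _expired(self, grant):
        return self.now - grant.issued_at > DEVICE_CODE_LIFETIME_S


def run_flow(approval_delay_s=0.0, requesting_client="unknown-client", user="alice"):
    """Drive one exchange end to end and return what each party saw."""
    idp = IdentityProvider()
    req = idp.device_authorization(requesting_client)     # requester keeps device_code
    idp.now += approval_delay_s                            # time passes before the user acts
    approval = idp.user_approves(req["user_code"], user)   # user only ever sees user_code
    tok = idp.token(req["device_code"])                    # requester redeems the grant
    return {"approval": approval, "token": tok}


if __name__ == "__main__":
    print(run_flow())                           # approved; token goes to the requesting client
    print(run_flow(approval_delay_s=16 * 60))   # code expired before the user acted
```

The second run shows the window that "dynamic code generation" is working around: a code approved more than 15 minutes after issue is rejected, so a lure that carries a stale code fails, while a freshly minted one succeeds.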
Defensive Imperatives for Enterprises
Microsoft recommends curtailing device code use, enhancing employee training on anomalous logins and external alerts. The campaign signals phishing’s AI augmentation, demanding adaptive defences beyond signature-based tools.
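The recommendation to watch for anomalous logins can be turned into a simple triage rule that joins the signals this article describes: a device-code sign-in, a country outside the user's usual pattern, and a new inbox rule forwarding mail externally shortly afterwards. The following is an added example, not Microsoft's guidance or tooling. The log records are constructed, and their field names are our own simplification, only modelled on the Microsoft Entra sign-in log (where the Graph signIn resource reports authenticationProtocol == "deviceCode") and the Exchange mailbox audit event for New-InboxRule; treat that mapping as an assumption and adapt it to your export.

```python
"""Triage of device-code sign-ins with the corroborating signals the article names.

Added example, not Microsoft's guidance or tooling. The records below are
constructed; field names are a simplification modelled on the Entra sign-in
log (authenticationProtocol == "deviceCode") and the Exchange mailbox audit
event for New-InboxRule. Map them to your actual export before use.
"""
from datetime import datetime, timedelta

# Constructed sample data: a finance user and a developer, one day of activity.
SIGNINS = [
    {"time": "2025-03-20T09:02:11Z", "user": "cfo@example.com", "protocol": "oAuth2",
     "country": "GB", "app": "Microsoft 365"},
    {"time": "2025-03-20T09:40:03Z", "user": "cfo@example.com", "protocol": "deviceCode",
     "country": "NL", "app": "Microsoft Office"},
    {"time": "2025-03-20T08:30:00Z", "user": "dev@example.com", "protocol": "oAuth2",
     "country": "GB", "app": "Azure Portal"},
    {"time": "2025-03-20T10:15:45Z", "user": "dev@example.com", "protocol": "deviceCode",
     "country": "GB", "app": "Azure CLI"},
]
MAILBOX_AUDIT = [
    {"time": "2025-03-20T09:52:30Z", "user": "cfo@example.com",
     "operation": "New-InboxRule", "forward_to": "collector@external-mail.example"},
]
INTERNAL_DOMAINS = {"example.com"}
RULE_WINDOW = timedelta(hours=2)   # how soon after the sign-in a new rule is suspicious


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def baseline_countries(signins):
    """Countries seen per user on sign-ins that did NOT use the device-code flow."""
    base = {}
    for r in signins:
        if r["protocol"] != "deviceCode":
            base.setdefault(r["user"], set()).add(r["country"])
    return base


def external_rules_after(user, start, audit, internal_domains):
    """Inbox rules created by `user` within RULE_WINDOW of `start` that forward externally."""
    hits = []
    for a in audit:
        if a["user"] != user or a["operation"] != "New-InboxRule":
            continue
        delta = _ts(a["time"]) - start
        if timedelta(0) <= delta <= RULE_WINDOW and \
                a["forward_to"].split("@")[-1].lower() not in internal_domains:
            hits.append(a["forward_to"])
    return hits


def triage(signins=SIGNINS, audit=MAILBOX_AUDIT, internal_domains=INTERNAL_DOMAINS):
    """One finding per device-code sign-in, with the reasons that raise its severity."""
    base = baseline_countries(signins)
    findings = []
    for r in signins:
        if r["protocol"] != "deviceCode":
            continue
        reasons = ["device_code_auth"]
        if r["country"] not in base.get(r["user"], set()):
            reasons.append("country_not_in_user_baseline")
        forwards = external_rules_after(r["user"], _ts(r["time"]), audit, internal_domains)
        if forwards:
            reasons.append("external_forwarding_rule_after_signin")
        severity = {1: "low", 2: "medium"}.get(len(reasons), "high")
        findings.append({"user": r["user"], "time": r["time"], "app": r["app"],
                         "severity": severity, "reasons": reasons, "forward_to": forwards})
    return findings


if __name__ == "__main__":
    for f in triage():
        print(f["severity"].upper(), f["user"], f["time"], ", ".join(f["reasons"]))
```

On the sample data the finance user's device-code sign-in from an unfamiliar country, followed twelve minutes later by an external forwarding rule, scores high, while the developer's device-code use of a CLI tool from the usual country scores low. A user with no non-device-code history has an empty baseline and is deliberately treated as anomalous, which is the conservative choice for a flow Microsoft advises curtailing.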
