Microsoft Uncovers Large-Scale Phishing Campaign Abusing Device Code Authentication
Microsoft Defender Security Research has identified a sophisticated phishing campaign exploiting Device Code Authentication to compromise organizational accounts at scale. Unlike traditional attacks, this operation leverages automation, AI-driven lures, and dynamic code generation to bypass security controls, marking a significant escalation in threat actor sophistication.
Key Attack Mechanics
- EvilToken Phishing-as-a-Service (PhaaS): The campaign is powered by EvilToken, a toolkit enabling large-scale device code abuse. Threat actors used automated backend infrastructure (e.g., Railway.com, Node.js) to spin up thousands of short-lived polling nodes, each waiting for a victim to approve its device code, which defeats signature- and infrastructure-based detection.
- AI-Personalized Phishing Lures: Generative AI crafted hyper-personalized emails tailored to victims’ roles, using themes like RFPs, invoices, and manufacturing workflows to increase engagement. Redirects via Vercel, Cloudflare Workers, and AWS Lambda helped the links pass email gateways.
- Dynamic Device Code Generation: Device codes expire after 15 minutes, so a code minted when a mass mailing is sent is dead by the time most recipients open it. The attackers instead requested the code only when a user clicked the phishing link, so the validity window started at the moment of interaction. Clipboard hijacking on the lure page then copied the freshly minted code so the victim only had to paste it into the genuine device login page.
- Post-Compromise Reconnaissance: After gaining access, threat actors mapped organizational structures via Microsoft Graph, prioritizing financial and executive targets. Persistence was maintained through malicious inbox rules and, by registering attacker-controlled devices, Primary Refresh Tokens (PRTs), enabling long-term access and data exfiltration.
Attack Chain Breakdown
- Phase 1 (Reconnaissance): Threat actors validated that target usernames existed via Microsoft’s GetCredentialType endpoint before launching phishing attempts, so lures went only to live accounts.
- Phase 2 (Initial Access): Victims interacted with malicious links or attachments, leading to browser-in-the-browser (BitB) phishing pages impersonating Microsoft’s device login portal.
- Phase 3 (Dynamic Code Generation): Real-time scripts requested a device code at the moment of user interaction, so the code was still inside its 15-minute validity window when the victim used it.
- Phase 4 (Exploitation): Victims signed in, including completing MFA, on the genuine Microsoft device login page, which authorized the attacker’s polling client. The tokens were issued to the attacker without any password or MFA code ever passing through the phishing site.
- Phase 5 (Persistence): Attackers registered devices, created inbox rules, and exfiltrated emails, focusing on high-value targets.
Infrastructure & Evasion Tactics
- Domain Shadowing: Attackers used brand-impersonating hostnames (e.g., graph-microsoft[.]com) to bypass reputation filters.
- Legitimate Cloud Abuse: Platforms like Railway.com, Cloudflare, and DigitalOcean hosted malicious scripts, blending with legitimate traffic.
- Token-Based Persistence: Tokens issued to the attacker’s client, renewed via refresh tokens and PRTs, enabled lateral movement and email exfiltration without triggering further MFA prompts, because the victim had already satisfied MFA for that session.
Impact & Detection
The campaign highlights the growing abuse of OAuth device code flows. The flow does not defeat MFA directly: it decouples the session that receives the tokens from the session in which the user authenticates, so the victim completes MFA on the legitimate sign-in page while the tokens are issued to the attacker’s polling client. Microsoft Defender XDR and Entra ID Protection now include detections for anomalous device code authentication, including:
- Suspicious sign-ins from threat actor IP ranges (e.g., 160.220.232.0).
- Inbox rule creation and Graph API reconnaissance post-compromise.
This attack underscores the need for phishing-resistant MFA (e.g., FIDO tokens), which binds authentication to the origin and cannot be completed on an attacker’s behalf, and Conditional Access policies that block or restrict the device code flow itself, so that device code sign-ins are only possible from the devices and users that genuinely need them.
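The two detection signals listed above can be correlated per account: a successful device code sign-in from an unfamiliar or known-bad IP, followed within a few hours by inbox-rule creation or Graph directory enumeration by the same user. The following is an added example, not Microsoft’s detection logic. The sign-in and audit records are constructed; the sign-in field names (authenticationProtocol, status.errorCode) follow the Entra ID sign-in log schema, the audit records use a simplified normalized shape, and the corporate egress range and the /24 around the article’s 160.220.232.0 address are assumptions.

```python
"""Correlate device code sign-ins with post-compromise activity.

Added example with constructed log records; field names and IP ranges are
assumptions described in the lead-in, not Microsoft's detection rules.
"""
import ipaddress
from datetime import datetime, timedelta

# --- constructed sample data (not real telemetry) ---------------------------
SIGNIN_LOGS = [
    {"createdDateTime": "2026-04-07T08:02:11Z", "userPrincipalName": "alice@example.com",
     "ipAddress": "160.220.232.17", "authenticationProtocol": "deviceCode",
     "appDisplayName": "Microsoft Office", "status": {"errorCode": 0}},
    {"createdDateTime": "2026-04-07T08:10:40Z", "userPrincipalName": "bob@example.com",
     "ipAddress": "203.0.113.5", "authenticationProtocol": "deviceCode",
     "appDisplayName": "Microsoft Azure CLI", "status": {"errorCode": 0}},  # admin CLI, corp egress
    {"createdDateTime": "2026-04-07T09:00:00Z", "userPrincipalName": "carol@example.com",
     "ipAddress": "198.51.100.9", "authenticationProtocol": "authorizationCode",
     "appDisplayName": "Outlook Web", "status": {"errorCode": 0}},
    {"createdDateTime": "2026-04-07T09:30:00Z", "userPrincipalName": "dave@example.com",
     "ipAddress": "198.51.100.20", "authenticationProtocol": "deviceCode",
     "appDisplayName": "Microsoft Office", "status": {"errorCode": 0}},
    {"createdDateTime": "2026-04-07T09:31:00Z", "userPrincipalName": "erin@example.com",
     "ipAddress": "160.220.232.40", "authenticationProtocol": "deviceCode",
     "appDisplayName": "Microsoft Office", "status": {"errorCode": 50126}},  # failed: ignored
]
AUDIT_LOGS = [
    {"time": "2026-04-07T08:05:02Z", "user": "alice@example.com", "operation": "GraphRequest",
     "detail": "GET /v1.0/users?$select=displayName,jobTitle,department"},
    {"time": "2026-04-07T08:06:30Z", "user": "alice@example.com", "operation": "New-InboxRule",
     "detail": "Name=.; DeleteMessage=True; SubjectContainsWords=invoice,payment"},
    {"time": "2026-04-07T09:05:00Z", "user": "carol@example.com", "operation": "New-InboxRule",
     "detail": "Name=Move newsletters; MoveToFolder=Archive"},
    {"time": "2026-04-08T08:30:00Z", "user": "alice@example.com", "operation": "GraphRequest",
     "detail": "GET /v1.0/users"},                       # a day later: outside the window
]

KNOWN_EGRESS = [ipaddress.ip_network("203.0.113.0/24")]            # assumption: corp egress
THREAT_ACTOR_RANGES = [ipaddress.ip_network("160.220.232.0/24")]   # /24 is an assumption
FOLLOW_ON_WINDOW = timedelta(hours=6)
RECON_PREFIXES = ("GET /v1.0/users", "GET /v1.0/groups", "GET /v1.0/directoryObjects",
                  "GET /v1.0/me/memberOf", "GET /beta/users")


def parse_ts(s: str) -> datetime:
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def classify_ip(ip_str: str) -> str:
    ip = ipaddress.ip_address(ip_str)
    if any(ip in net for net in THREAT_ACTOR_RANGES):
        return "threat_actor_range"
    if any(ip in net for net in KNOWN_EGRESS):
        return "known_egress"
    return "unfamiliar_ip"


def suspicious_device_code_signins(signins):
    """Successful device code sign-ins that did not come from known corporate egress."""
    hits = []
    for rec in signins:
        if rec.get("authenticationProtocol") != "deviceCode":
            continue
        if rec.get("status", {}).get("errorCode", 0) != 0:      # only completed sign-ins
            continue
        verdict = classify_ip(rec["ipAddress"])
        if verdict != "known_egress":
            hits.append((rec, verdict))
    return hits


def follow_on_activity(user: str, start: datetime, audits) -> set:
    """Inbox-rule creation or Graph directory enumeration by `user` shortly after `start`."""
    found = set()
    for a in audits:
        if a["user"] != user:
            continue
        t = parse_ts(a["time"])
        if not (start <= t <= start + FOLLOW_ON_WINDOW):
            continue
        if a["operation"] == "New-InboxRule":
            found.add("inbox_rule")
        elif a["operation"] == "GraphRequest" and a["detail"].startswith(RECON_PREFIXES):
            found.add("graph_recon")
    return found


def detect(signins=SIGNIN_LOGS, audits=AUDIT_LOGS):
    """One alert per suspicious device code sign-in, escalated if follow-on activity exists."""
    alerts = []
    for rec, verdict in suspicious_device_code_signins(signins):
        start = parse_ts(rec["createdDateTime"])
        follow = follow_on_activity(rec["userPrincipalName"], start, audits)
        alerts.append({"user": rec["userPrincipalName"], "ip": rec["ipAddress"],
                       "signin_time": rec["createdDateTime"], "reason": verdict,
                       "follow_on": sorted(follow),
                       "severity": "high" if follow else "medium"})
    return alerts


if __name__ == "__main__":
    for alert in detect():
        print(alert)
```

On the sample data only alice (threat actor range plus inbox rule and Graph enumeration) and dave (unfamiliar IP, no follow-on yet) are raised; bob’s device code sign-in from corporate egress and carol’s inbox rule after an ordinary authorization-code sign-in are left alone. In production the known-egress list would come from the tenant’s Named Locations and the window would be tuned, but the shape of the rule, device code protocol first and mailbox or directory activity second, is the point.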
Microsoft Threat Intelligence cybersecurity rating report: https://www.rankiteo.com/company/microsoft-threat-intelligence
{
  "id": "MIC1775536320",
  "linkid": "microsoft-threat-intelligence",
  "type": "Cyber Attack",
  "date": "4/2026",
  "severity": "100",
  "impact": "5",
  "explanation": "Attack threatening the organization's existence"
}

{
  "affected_entities": [{"type": "Organizations"}],
  "attack_vector": "Device Code Authentication Abuse",
  "data_breach": {
    "data_exfiltration": true,
    "personally_identifiable_information": true,
    "sensitivity_of_data": "High (PII, financial targets, executive communications)",
    "type_of_data_compromised": ["Organizational emails", "Microsoft Graph data", "Account credentials"]
  },
  "description": "Microsoft Defender Security Research identified a sophisticated phishing campaign exploiting Device Code Authentication to compromise organizational accounts at scale. The campaign leverages automation, AI-driven lures, and dynamic code generation to bypass security controls.",
  "impact": {
    "data_compromised": "Organizational account credentials, emails, Microsoft Graph data",
    "identity_theft_risk": "High (account takeover, PII exposure)",
    "operational_impact": "Unauthorized access to organizational accounts, data exfiltration, lateral movement",
    "systems_affected": "Microsoft Entra ID (Azure AD), Microsoft 365 accounts"
  },
  "initial_access_broker": {
    "backdoors_established": "Malicious inbox rules, Primary Refresh Tokens (PRTs)",
    "entry_point": "Phishing emails with AI-crafted lures (RFPs, invoices, manufacturing workflows)",
    "high_value_targets": ["Financial targets", "Executives"],
    "reconnaissance_period": "Pre-phishing account validation via Microsoft’s GetCredentialType endpoint"
  },
  "lessons_learned": "The campaign highlights the growing abuse of OAuth device code flows, which bypass traditional MFA by decoupling authentication from the originating session. Organizations should implement phishing-resistant MFA and conditional access policies.",
  "post_incident_analysis": {
    "corrective_actions": ["Implement phishing-resistant MFA", "Enforce conditional access policies", "Monitor for anomalous device code authentication"],
    "root_causes": ["Exploitation of OAuth device code flow", "Lack of phishing-resistant MFA", "Abuse of legitimate cloud platforms for malicious infrastructure"]
  },
  "recommendations": ["Adopt phishing-resistant MFA (e.g., FIDO tokens)", "Enforce conditional access policies to mitigate device code abuse", "Monitor for anomalous device code authentication and Graph API reconnaissance"],
  "references": [{"source": "Microsoft Defender Security Research"}],
  "response": {
    "containment_measures": "Detections for anomalous device code authentication in Microsoft Defender XDR and Entra ID Protection",
    "enhanced_monitoring": "Suspicious sign-in detection from threat actor IP ranges (e.g., 160.220.232.0)",
    "remediation_measures": "Phishing-resistant MFA (e.g., FIDO tokens), conditional access policies"
  },
  "title": "Microsoft Uncovers Large-Scale Phishing Campaign Abusing Device Code Authentication",
  "type": "Phishing",
  "vulnerability_exploited": "OAuth Device Code Flow"
}