Hundreds of orgs compromised daily in Microsoft device code phishing attacks
Who needs MFA when you've got EvilTokens?
by Jessica Lyons · The Register

Hundreds of organizations have been compromised daily by a Microsoft device-code phishing campaign that uses AI and automation at nearly every stage of the attack chain to ultimately snoop through corporate email inboxes and steal financial data.
"Since March 15, 2026, we have observed 10 to 15 distinct campaigns launching every 24 hours," Microsoft VP of security research Tanmay Ganacharya told The Register.
"Each campaign is distributed at scale, targeting hundreds of organizations with highly varied and unique payloads, making pattern-based detection more challenging," Ganacharya said. "We continue to observe high-volume activity, with hundreds of compromises occurring daily across affected environments."
The attackers have targeted organizations across all sectors and globally, he told us. And while the phishing expedition hasn't been attributed to a particular crew, its tooling and infrastructure share similarities with EvilTokens.
EvilTokens is a new Microsoft device-code phishing kit that has been sold as a service since mid-February, allowing buyers to bypass multi-factor authentication (MFA) and silently authenticate as the victim to the organization's Microsoft 365 applications. Its operators have promised to soon extend support to Gmail and Okta phishing pages.
While the campaign appears to target a broad swath of organizations across all industries, "post-compromise activity shows a consistent focus on finance-related personas, with automated email exfiltration observed in those accounts," Ganacharya said.
Redmond researchers detailed the device code attack in a Monday blog, and said that it "marks a significant escalation in threat actor sophistication."
Device code authentication
Devices like smart TVs, printers, and other IoT devices that don't support a standard interactive login typically use OAuth 2.0's device code authentication. This gives users a short code on the device, and instructs them to enter that code into a browser on a separate device to complete the authentication process. This makes it easy for the user to sign in, but it comes with a security tradeoff.
"Because authentication is completed on a separate device, the session initiating the request is not strongly bound to the user's original context," Microsoft warns.
This makes it very attractive to attackers looking to bypass multi-factor authentication (MFA) and take over users’ accounts by initiating the device code authentication process - for example, sending a code via a phishing lure, and waiting for the user to enter the code and unwittingly authorize the attacker's access to their account.
Attack chain
In this campaign, the miscreants query GetCredentialType, a Microsoft API endpoint used to determine the authentication method of a user, which allows the attackers to confirm whether a targeted email address exists and is active within the tenant.
This reconnaissance phase is a critical precursor, typically occurring 10 to 15 days before the actual phishing attempt is launched.
The attackers then use AI to create hyper-personalized phishing emails aligned to the target's role, with themes such as requests for proposals, invoices, and manufacturing workflows. These emails include a malicious attachment or a direct URL - but the phisher folk don't link to the final phishing website in their initial emails.
Instead, they automated a series of redirects using compromised legitimate domains on trusted serverless platforms including Railway, Cloudflare Workers, DigitalOcean, and AWS Lambda. This helps the phishing emails avoid detection by automated URL scanners and sandboxes and blend in with legitimate enterprise cloud traffic.
The final phishing page - this is where the attacker ultimately steals the victim's credentials - looks like a legitimate browser window within a web page. It prompts users to verify their identity via a button, which redirects to "Microsoft.com/devicelogin" and shows the device code.
Dynamic device codes
According to Redmond, a "pivotal element of this campaign's success" is that the digital intruders use dynamic device code generation, rather than a static phishing attempt.
These device codes are only valid for 15 minutes, so using a pre-generated code in the original phishing email creates a much smaller timeframe for the targeted user to be phished, open the email, click through various redirects, and ultimately help the attacker bypass MFA and take over the user's account.
This campaign, on the other hand, moves the code generation piece to the final stage of the redirect chain, meaning that the 15-minute time limit doesn't start until the victim lands on the final phishing page. Here's what happens once the victim sees the device code:
After presenting the code to the user and opening the legitimate microsoft.com/devicelogin URL, the script enters a "Polling" state via the checkStatus() function to monitor the 15-minute window in real-time. Every 3 to 5 seconds (setInterval), the script pings the threat actor's /state endpoint. It sends the secret session identifier code to validate whether the user has authenticated yet. While the targeted user is entering the code on the real Microsoft site, the loop returns a "pending" status.
Once the user completes the login process, the live access token is sent to the attacker-controlled computer, thus allowing the data thieves to bypass MFA and log in to the targeted account.
According to Redmond, post-compromise illicit activities depend on the attacker's specific objectives. In some cases, the intruder registered new devices within 10 minutes to generate a Primary Refresh Token (PRT) for long-term persistence. In others, they waited hours before stealing sensitive email data or creating inbox rules - for example, forwarding sensitive messages such as those with "payroll" or "invoice" in the subject.
To avoid falling victim to this type of device code phishing attack, only allow device code flow where absolutely necessary. Microsoft recommends blocking it wherever possible.
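Two defender-side pieces that follow from the post-compromise pattern above (device registration within minutes of a device-code sign-in) and from the advice to block the flow, as an added example that is not from the article or from Microsoft: a hunting function over sign-in and audit records, and a Conditional Access policy body that blocks the device code flow. Record shapes follow Microsoft Graph `signIn` and `directoryAudit` fields (`authenticationProtocol`, `activityDisplayName`), the sample records are constructed, and the audit activity name "Register device" is assumed.

```python
from datetime import datetime, timedelta

# Constructed Entra sign-in records (subset of Graph signIn fields); not real telemetry.
SIGNINS = [
    {"userPrincipalName": "ap.clerk@example.com", "createdDateTime": "2026-03-20T09:02:10Z",
     "authenticationProtocol": "deviceCode", "ipAddress": "203.0.113.7", "status": {"errorCode": 0}},
    {"userPrincipalName": "ap.clerk@example.com", "createdDateTime": "2026-03-20T08:40:00Z",
     "authenticationProtocol": "oAuth2", "ipAddress": "198.51.100.4", "status": {"errorCode": 0}},
    {"userPrincipalName": "eng.lead@example.com", "createdDateTime": "2026-03-20T11:15:00Z",
     "authenticationProtocol": "deviceCode", "ipAddress": "203.0.113.9", "status": {"errorCode": 50126}},
]
# Constructed Entra audit records (subset of Graph directoryAudit fields); activity name assumed.
AUDITS = [
    {"activityDisplayName": "Register device", "activityDateTime": "2026-03-20T09:09:30Z",
     "initiatedBy": {"user": {"userPrincipalName": "ap.clerk@example.com"}}},
]

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")

def find_device_code_alerts(signins, audits, window_minutes=10):
    """One alert per successful device-code sign-in; 'high' when the same user
    registers a device within window_minutes (the PRT-persistence pattern)."""
    alerts = []
    for s in signins:
        if s["authenticationProtocol"] != "deviceCode" or s["status"]["errorCode"] != 0:
            continue  # failed device-code attempts are noise for this rule
        t0, user = _ts(s["createdDateTime"]), s["userPrincipalName"]
        followed = any(
            a["activityDisplayName"] == "Register device"
            and a["initiatedBy"]["user"]["userPrincipalName"] == user
            and t0 <= _ts(a["activityDateTime"]) <= t0 + timedelta(minutes=window_minutes)
            for a in audits)
        alerts.append({"user": user, "ip": s["ipAddress"], "at": s["createdDateTime"],
                       "severity": "high" if followed else "medium"})
    return alerts

def device_code_block_policy(exclude_group_ids=()):
    """Graph conditionalAccessPolicy body blocking the device code flow tenant-wide,
    optionally exempting an approved group (e.g. a conference-room device admin group)."""
    return {
        "displayName": "Block device code flow",
        "state": "enabledForReportingButNotEnforced",  # report-only first, then enable
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeGroups": list(exclude_group_ids)},
            "applications": {"includeApplications": ["All"]},
            "authenticationFlows": {"transferMethods": "deviceCodeFlow"},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }
```

Run the policy in report-only mode first to surface the printers and meeting-room devices that legitimately use the flow before switching `state` to `enabled`.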
Also, train employees on how to spot common phishing techniques, such as "[EXTERNAL]" messages containing suspicious links. "As of 2021, Microsoft Azure interactions prompt the user to confirm ("Cancel" or "Continue") that they are signing in to the app they expect, which is an option frequently missing from phishing sign-ins," Redmond notes. ®