Hundreds of orgs compromised daily in Microsoft device-code phishing attacks

The headline
It has been reported that hundreds of organizations are being compromised every day by a wave of Microsoft device-code phishing attacks that lean heavily on AI and automation. Microsoft VP of security research Tanmay Ganacharya told The Register that 10 to 15 distinct campaigns have been launching every 24 hours since mid‑March, each distributed at scale and customized to evade pattern-based detection. Alarming? Yes. Familiar? Also yes — attackers are finding fresh ways to pick the lock we thought was bolted.
How the trick works
Device-code authentication — the flow used by smart TVs, printers and other devices that can’t type a password — hands the user a short code to enter in a browser on a separate device. Convenient for users. A tempting loophole for crooks. Microsoft warns that because the browser completes authentication on a different device, the session isn’t strongly bound to the original context. So an attacker who nudges a user into entering a code can end up silently authenticated to the victim’s Microsoft 365 apps. Who needs MFA when you’ve got EvilTokens? Well, allegedly.
AI, automation and a clean escape route
It has been reported that attackers begin with reconnaissance — querying Microsoft’s GetCredentialType API to confirm active addresses in a tenant — often 10–15 days before the phishing hit. The campaigns then use AI to craft hyper‑personalized lures (invoices, RFPs, manufacturing workflows) and chain a series of redirects through compromised legitimate domains on serverless platforms like Railway, Cloudflare Workers, DigitalOcean and AWS Lambda to slip past URL scanners. The final page is designed to mimic the device‑code flow and trick victims into authorizing access. EvilTokens is allegedly being sold as a service since mid‑February and purportedly promises support for Gmail and Okta phishing pages soon.
Damage and the mood in the room
Post‑compromise activity reportedly focuses on finance personas, with automated email exfiltration and financial data theft observed — so this isn’t just vanity metrics. Microsoft describes the campaign as a significant escalation in threat actor sophistication. The emotional punch is clear: a security control that made organizations feel safer is being gamed, and the scramble to respond feels urgent. What now? Patch controls, watch for suspicious device‑code flows, and remember: convenience often arrives with a cost.
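One concrete way to "watch for suspicious device-code flows" is to pull sign-in records and single out those that used the device-code protocol, ranking them higher when they come from somewhere the user has never signed in from before. The block below is an added example, not code from the article or from Microsoft; the records are constructed, and the field names (`authenticationProtocol`, `location.countryOrRegion`, and so on) are assumed to follow the shape of Entra ID sign-in log exports.

```python
from collections import defaultdict

# Constructed sample sign-in events, shaped like Entra ID sign-in log records.
# Field names are an assumption; the article shows no log data.
SAMPLE_SIGNINS = [
    {"userPrincipalName": "alice@example.com", "authenticationProtocol": "none",
     "ipAddress": "203.0.113.10", "location": {"countryOrRegion": "GB"},
     "appDisplayName": "Outlook", "createdDateTime": "2025-03-20T08:00:00Z"},
    {"userPrincipalName": "alice@example.com", "authenticationProtocol": "none",
     "ipAddress": "203.0.113.11", "location": {"countryOrRegion": "GB"},
     "appDisplayName": "Teams", "createdDateTime": "2025-03-21T09:10:00Z"},
    # device-code sign-in for alice from a country absent from her baseline
    {"userPrincipalName": "alice@example.com", "authenticationProtocol": "deviceCode",
     "ipAddress": "198.51.100.7", "location": {"countryOrRegion": "NL"},
     "appDisplayName": "Microsoft Office", "createdDateTime": "2025-03-22T03:44:00Z"},
    {"userPrincipalName": "bob@example.com", "authenticationProtocol": "none",
     "ipAddress": "192.0.2.5", "location": {"countryOrRegion": "US"},
     "appDisplayName": "Outlook", "createdDateTime": "2025-03-20T10:00:00Z"},
    # device-code sign-in for bob from his usual country: still worth a look
    {"userPrincipalName": "bob@example.com", "authenticationProtocol": "deviceCode",
     "ipAddress": "192.0.2.9", "location": {"countryOrRegion": "US"},
     "appDisplayName": "Microsoft Office", "createdDateTime": "2025-03-22T11:00:00Z"},
]


def device_code_alerts(events):
    """Return (user, country, severity) for every device-code sign-in.

    Severity is "high" when the sign-in country never appears in that user's
    non-device-code sign-ins (the baseline), otherwise "medium".
    """
    baseline = defaultdict(set)  # user -> countries seen on ordinary sign-ins
    for e in events:
        if e["authenticationProtocol"] != "deviceCode":
            baseline[e["userPrincipalName"]].add(e["location"]["countryOrRegion"])

    alerts = []
    for e in events:
        if e["authenticationProtocol"] != "deviceCode":
            continue
        user = e["userPrincipalName"]
        country = e["location"]["countryOrRegion"]
        severity = "high" if country not in baseline[user] else "medium"
        alerts.append((user, country, severity))
    return alerts


if __name__ == "__main__":
    for user, country, severity in device_code_alerts(SAMPLE_SIGNINS):
        print(f"{severity:6} device-code sign-in: {user} from {country}")
```

Where a tenant has no legitimate use for the flow, a Conditional Access policy that blocks the device code authentication flow removes the need to triage these alerts at all.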
Sources: The Register