AI-Powered Microsoft Device-Code Phishing Campaign Compromises Hundreds of Organizations Daily

Tags: Phishing, Microsoft, AI

A sophisticated phishing campaign utilizing AI and automation is targeting organizations globally, exploiting Microsoft's device code authentication process to steal credentials and financial data. The campaign is characterized by its scale, personalized attacks, and evasion techniques, posing a significant threat to businesses of all sizes.

A sophisticated Microsoft device-code phishing campaign, heavily leveraging AI and automation, is compromising hundreds of organizations daily to steal sensitive data, including financial information. Microsoft's security research team has observed 10 to 15 distinct campaigns launching every 24 hours since March 15, 2026, targeting organizations globally across various sectors.

The attacks are characterized by their scale, using highly varied and unique payloads, which makes pattern-based detection exceedingly difficult. The campaign has not been attributed to a specific threat actor, but its tooling and infrastructure share similarities with EvilToken, a phishing kit offered as a service since mid-February that enables attackers to bypass multi-factor authentication (MFA) and silently authenticate as victims within Microsoft 365 applications. The operators of EvilToken have announced plans to expand support to Gmail and Okta phishing pages in the near future. Post-compromise activity consistently focuses on finance-related personas, with automated email exfiltration observed in compromised accounts.

The attackers are abusing a weakness in the device code authentication flow, a feature of OAuth 2.0. This method allows users to authenticate on one device by entering a short code into a browser on a separate device. The design is convenient, but the session that initiates the request is not strongly linked to the user's original context, and attackers take advantage of this by initiating the device code flow themselves.

The initial phase is a reconnaissance stage in which the attackers use GetCredentialType, a Microsoft API endpoint, to verify that targeted email addresses exist and are active within a tenant, often 10 to 15 days before the phishing attempt. The attackers then use AI to create hyper-personalized phishing emails tailored to the recipient's role, with themes such as requests for proposals, invoices, and manufacturing workflows. These emails contain a malicious attachment or URL, but they avoid linking directly to the final phishing website. Instead, the attackers automate a series of redirects through compromised legitimate domains hosted on trusted serverless platforms such as Railway, Cloudflare Workers, DigitalOcean, and AWS Lambda. This strategy evades URL scanners and sandboxes by letting the phishing traffic blend in with legitimate enterprise cloud traffic.

The final phishing page, designed to steal the victim's credentials, mimics a legitimate browser window within a webpage and prompts users to verify their identity through a button that redirects to microsoft.com/devicelogin, where the device code is displayed. A critical aspect of the campaign's success is dynamic device code generation: instead of using a static, pre-generated code, the attackers generate the code at the final stage of the redirect chain, because device codes are only valid for 15 minutes. Once the victim sees the device code, the script enters a 'Polling' state to monitor the 15-minute window in real time, pinging the attacker's /state endpoint every 3 to 5 seconds to check whether the user has authenticated. The loop returns a 'pending' status while the user is entering the code on the real Microsoft site. This dynamic approach maximizes the time window available for the victim to be phished and so increases the effectiveness of the campaign.
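A detection-side illustration of the flow described above, added to this summary and not taken from the article or from Microsoft: it triages device-code sign-ins in Entra ID sign-in records. The `authenticationProtocol` field and its `deviceCode` value follow the Microsoft Graph signIn schema as far as I know it; the user names, baseline IPs and log lines are constructed sample data.

```python
import json

# Constructed baseline: addresses each user has signed in from over the last 30 days.
BASELINE_IPS = {
    "cfo@example.com": {"203.0.113.10"},
    "ap-clerk@example.com": {"203.0.113.11", "203.0.113.12"},
}

# Constructed sample sign-in records using a subset of the Graph signIn fields.
SAMPLE_LOGS = [
    '{"userPrincipalName": "cfo@example.com", "authenticationProtocol": "deviceCode",'
    ' "ipAddress": "198.51.100.7", "appDisplayName": "Microsoft Office", "status": {"errorCode": 0}}',
    '{"userPrincipalName": "cfo@example.com", "authenticationProtocol": "oAuth2",'
    ' "ipAddress": "203.0.113.10", "appDisplayName": "Outlook", "status": {"errorCode": 0}}',
    '{"userPrincipalName": "ap-clerk@example.com", "authenticationProtocol": "deviceCode",'
    ' "ipAddress": "203.0.113.11", "appDisplayName": "Microsoft Azure CLI", "status": {"errorCode": 0}}',
    '{"userPrincipalName": "ap-clerk@example.com", "authenticationProtocol": "deviceCode",'
    ' "ipAddress": "198.51.100.9", "appDisplayName": "Microsoft Office", "status": {"errorCode": 50126}}',
]


def triage_device_code_signins(log_lines, baseline=BASELINE_IPS):
    """Return (upn, ip, severity) for every successful device-code sign-in.

    "high"   : the address is outside that user's baseline.
    "medium" : device-code flow from a known address; still reported, because
               most users' applications never need this flow at all.
    Which party's address a device-code record carries depends on the stage of
    the flow (assumption), so an unfamiliar IP is a reason to investigate, not proof.
    """
    findings = []
    for line in log_lines:
        rec = json.loads(line)
        if rec.get("authenticationProtocol") != "deviceCode":
            continue
        if rec.get("status", {}).get("errorCode", 1) != 0:
            continue  # failed attempts are tracked elsewhere; this triage covers successes
        upn, ip = rec["userPrincipalName"], rec["ipAddress"]
        severity = "high" if ip not in baseline.get(upn, set()) else "medium"
        findings.append((upn, ip, severity))
    return findings


if __name__ == "__main__":
    for upn, ip, severity in triage_device_code_signins(SAMPLE_LOGS):
        print(f"{severity:6} device-code sign-in for {upn} from {ip}")
```

Pair a finding with a check of the same user's subsequent mailbox activity, since the article notes automated email exfiltration follows compromise.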


Source: The Register

Tags: Phishing, Microsoft, AI, Cyberattack, Multi-Factor Authentication (MFA)
