Microsoft reports escalating AI-driven phishing campaign using OAuth device code flow to bypass MFA at scale. Over 340 organizations compromised in weeks. Learn defense strategies.
A phishing campaign targeting over 340 Microsoft 365 organizations across the U.S., Canada, Australia, New Zealand, and Germany has been active since February 19, 2026, with new cases appearing at an accelerating pace. On April 6, the Microsoft Security Blog published a detailed breakdown of the operation, which uses generative AI and full end-to-end automation to compromise business email accounts at a scale that previous device code attacks never reached. For marketing and growth teams who rely on Microsoft 365 for daily email operations, the threat is direct: stolen tokens are used for email exfiltration and persistence, often through malicious inbox rules that redirect or conceal communications.
What Makes This Attack Different
Device Code Authentication is a legitimate OAuth flow designed for devices with limited interfaces, such as smart TVs or printers. In this model, a user is presented with a short code and instructed to enter it into a browser on a separate device to complete authentication. Threat actors have abused this characteristic to bypass traditional MFA protections by decoupling authentication from the originating session.
What separates this 2026 campaign from earlier attempts is the AI layer. It moves away from static, manual scripts toward AI-driven infrastructure that automates every stage end to end. The critical technical innovation is dynamic code generation. In older, static phishing attempts, the threat actor embedded a pre-generated code in the email, which created a narrow window for success: the targeted user had to open the email, navigate through the redirects, and complete authentication, all before the standard 15-minute timer lapsed. If the user opened the email even 20 minutes after it was sent, the attack automatically failed.
Dynamic Code Generation bypasses the 15-minute expiration window by triggering code generation at the exact moment the user interacts with the phishing link, ensuring the authentication flow remains valid. Once a victim enters the code on Microsoft's legitimate login page, the attacker's session inherits the user's permissions, bypassing MFA and achieving persistent access.
Scale and Velocity of the Campaign
The numbers are stark. "Since March 15, 2026, we have observed 10 to 15 distinct campaigns launching every 24 hours," Microsoft VP of security research Tanmay Ganacharya told The Register. "Each campaign is distributed at scale, targeting hundreds of organizations with highly varied and unique payloads, making pattern-based detection more challenging."
Construction, non-profits, real estate, manufacturing, financial services, healthcare, legal, and government are among the prominent sectors targeted. No vertical is off-limits. The tooling behind the campaign, EvilTokens, has been sold as a Phishing-as-a-Service kit since mid-February 2026, allowing buyers to bypass MFA and silently authenticate as the victim to the organization's Microsoft 365 applications.
According to French cybersecurity firm Sekoia, "EvilTokens provides a turnkey Microsoft device code phishing kit and a range of advanced features to conduct BEC attacks, including access weaponisation, email harvesting, reconnaissance capabilities, a built-in webmail interface, and AI-powered automation."
How Attackers Target Finance and Executive Accounts
The campaign does not treat all compromised accounts equally. A reconnaissance phase typically occurs 10 to 15 days before the actual phishing attempt is launched. Attackers then use AI to create hyper-personalized phishing emails aligned to the target's role, with themes such as requests for proposals, invoices, and manufacturing workflows.
To evade automated URL scanners and sandboxes, threat actors do not link directly to the final phishing site. Instead, they use a series of redirects through compromised legitimate domains and high-reputation serverless platforms. Microsoft observed heavy reliance on Vercel, Cloudflare Workers, and AWS Lambda to host the redirect logic. By using these domains, phishing traffic blends in with legitimate enterprise cloud traffic, preventing simple domain-blocklist triggers.
After initial compromise, in some cases the intruder registered new devices within 10 minutes to generate a Primary Refresh Token for long-term persistence. In others, they waited hours before stealing sensitive email data or creating inbox rules, for example forwarding messages with "payroll" or "invoice" in the subject line.
Post-compromise activity shows a consistent focus on finance-related personas, with automated email exfiltration observed in those accounts, Ganacharya confirmed.
Why Standard MFA Does Not Stop This
This is the part that catches most teams off guard. This attack harvests Microsoft 365 access tokens without requiring victims to enter credentials on a lookalike site, making the authentication interaction indistinguishable from genuine sign-in. Multifactor authentication provides no protection: the victim completes the MFA challenge themselves on behalf of the attacker, and the resulting refresh tokens persist even after a password reset, complicating remediation.
Unlike conventional credential harvesting, this technique routes victims through legitimate Microsoft authentication pages, making it substantially harder for security operations centers to catch the compromise in real time.
This attack represents a direct escalation from the Storm-2372 campaign Microsoft documented in February 2025, which relied on manual social engineering via messaging apps and Teams invitations. The 2026 campaign shifts to industrialized automation and AI integration across reconnaissance, lure generation, infrastructure provisioning, and exploitation.
What Business Teams Should Do Now
Phishing-resistant MFA methods, specifically FIDO2 hardware keys and certificate-based authentication, do block this attack because they bind authentication to the physical device. Standard TOTP codes and push notifications do not.
Restrict device code flow in Microsoft Entra ID. Conditional Access policies can block the device code authentication flow for users who have no legitimate business need for it.
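The Conditional Access restriction above is expressed through the Microsoft Graph conditionalAccessPolicy object, which carries an authenticationFlows condition naming the device code flow. The following is an added example, not Microsoft's code: it builds the policy body in report-only mode first (so sign-in logs can be checked for any legitimate device code use before enforcement), and audits an exported policy list for whether an enforced block actually exists. It assumes the Graph v1.0 schema with conditions.authenticationFlows.transferMethods, and EXEMPT_GROUP_ID is a placeholder for the group of shared-device or break-glass accounts that genuinely need the flow.

```python
"""Build, and audit a tenant for, an Entra ID Conditional Access policy that
blocks the OAuth device code flow.

Added example, not Microsoft's own code. Assumes the Microsoft Graph v1.0
conditionalAccessPolicy schema, in which
``conditions.authenticationFlows.transferMethods`` can name ``deviceCodeFlow``.
EXEMPT_GROUP_ID is a placeholder, not a real group.
"""
import json

GRAPH_CA_POLICIES = "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies"
EXEMPT_GROUP_ID = "00000000-0000-0000-0000-000000000000"  # placeholder group ID


def build_block_device_code_policy(exempt_group_ids=(), enforce=False):
    """Return the request body for a policy that blocks device code sign-in for
    all users and all apps, minus the exempt groups. Defaults to report-only so
    the sign-in logs can be reviewed for legitimate device code use first."""
    return {
        "displayName": "Block OAuth device code flow",
        "state": "enabled" if enforce else "enabledForReportingButNotEnforced",
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeGroups": list(exempt_group_ids)},
            "applications": {"includeApplications": ["All"]},
            "authenticationFlows": {"transferMethods": "deviceCodeFlow"},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }


def blocks_device_code(policy):
    """True only if the policy is enabled (not report-only or disabled), targets
    all users and all applications, names deviceCodeFlow, and blocks."""
    if policy.get("state") != "enabled":
        return False
    cond = policy.get("conditions") or {}
    methods = (cond.get("authenticationFlows") or {}).get("transferMethods") or ""
    if "deviceCodeFlow" not in {m.strip() for m in methods.split(",")}:
        return False
    if "All" not in ((cond.get("users") or {}).get("includeUsers") or []):
        return False
    if "All" not in ((cond.get("applications") or {}).get("includeApplications") or []):
        return False
    controls = (policy.get("grantControls") or {}).get("builtInControls") or []
    return "block" in controls


def audit_device_code_coverage(policies):
    """Summarise a policy list (as returned by GET on GRAPH_CA_POLICIES): which
    policies enforce the block, and which mention the flow without enforcing it
    (report-only, disabled, or scoped too narrowly), leaving the gap open."""
    enforced, not_enforced = [], []
    for p in policies:
        flows = (p.get("conditions") or {}).get("authenticationFlows") or {}
        if "deviceCodeFlow" not in (flows.get("transferMethods") or ""):
            continue
        target = enforced if blocks_device_code(p) else not_enforced
        target.append(p.get("displayName", "<unnamed>"))
    return {"enforced": enforced, "not_enforced": not_enforced, "gap_open": not enforced}


if __name__ == "__main__":
    body = build_block_device_code_policy([EXEMPT_GROUP_ID])
    # POST this body to GRAPH_CA_POLICIES with Policy.ReadWrite.ConditionalAccess
    print(json.dumps(body, indent=2))
    print(audit_device_code_coverage([body]))
```

Run the audit against the full policy export before trusting the control: a report-only policy or one whose user scope excludes most of the tenant shows up under not_enforced, which is exactly the state that leaves device code sign-ins reaching the token endpoint.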
Monitor for post-compromise inbox rule creation. Microsoft Defender XDR and Entra ID Protection now include detections for anomalous device code authentication, including suspicious sign-ins and inbox rule creation combined with Graph API reconnaissance post-compromise.
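The built-in detections above correlate the same two signals a SOC can correlate itself: a sign-in that used the device code protocol, followed by an inbox rule that forwards or hides mail. The following added example (not Microsoft's detection logic) runs that correlation over constructed sample records. It assumes Entra sign-in log entries whose authenticationProtocol field reads deviceCode, and Exchange Online unified audit log entries for New-InboxRule or Set-InboxRule whose Parameters list carries the cmdlet arguments; the 24-hour lookback, keyword list, and all sample records are assumptions made for the example.

```python
"""Correlate device code sign-ins with suspicious inbox rule creation.

Added example, not Microsoft's detection logic. Assumes Entra sign-in records
with ``authenticationProtocol == "deviceCode"`` and Exchange unified audit
records for ``New-InboxRule``/``Set-InboxRule`` with a ``Parameters`` list.
Every record below is constructed for this example.
"""
from datetime import datetime, timedelta

LOOKBACK = timedelta(hours=24)  # assumed window between sign-in and rule creation
FINANCE_WORDS = {"invoice", "payroll", "payment", "wire", "remittance"}
EXFIL_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"}
HIDE_PARAMS = {"DeleteMessage", "MoveToFolder", "MarkAsRead"}

SIGNINS = [  # constructed Entra sign-in log records
    {"userPrincipalName": "a.ng@example.com", "createdDateTime": "2026-03-20T09:00:00Z",
     "authenticationProtocol": "deviceCode", "ipAddress": "203.0.113.10"},
    {"userPrincipalName": "b.ortiz@example.com", "createdDateTime": "2026-03-20T08:45:00Z",
     "authenticationProtocol": "none", "ipAddress": "198.51.100.7"},
    {"userPrincipalName": "c.lee@example.com", "createdDateTime": "2026-03-17T09:00:00Z",
     "authenticationProtocol": "deviceCode", "ipAddress": "203.0.113.22"},
]

AUDIT = [  # constructed Exchange Online unified audit log records
    {"Operation": "New-InboxRule", "UserId": "a.ng@example.com",
     "CreationTime": "2026-03-20T13:30:00Z",
     "Parameters": [{"Name": "Name", "Value": "."},
                    {"Name": "SubjectContainsWords", "Value": "invoice;payroll"},
                    {"Name": "ForwardTo", "Value": "mailbox@external.example"},
                    {"Name": "DeleteMessage", "Value": "True"}]},
    {"Operation": "New-InboxRule", "UserId": "b.ortiz@example.com",
     "CreationTime": "2026-03-20T10:00:00Z",
     "Parameters": [{"Name": "Name", "Value": "Newsletters"},
                    {"Name": "FromAddressContainsWords", "Value": "news@vendor.example"},
                    {"Name": "MoveToFolder", "Value": "Newsletters"}]},
    {"Operation": "New-InboxRule", "UserId": "c.lee@example.com",
     "CreationTime": "2026-03-20T13:30:00Z",  # device code sign-in was 3 days earlier
     "Parameters": [{"Name": "Name", "Value": "."},
                    {"Name": "SubjectContainsWords", "Value": "invoice"},
                    {"Name": "RedirectTo", "Value": "mailbox@external.example"}]},
]


def _ts(value):
    """Parse the ISO-8601 'Z' timestamps both log sources use."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def _params(event):
    return {p["Name"]: p["Value"] for p in event.get("Parameters", [])}


def rule_indicators(event):
    """Name the suspicious traits of an inbox rule event, in a fixed order."""
    p = _params(event)
    found = []
    if EXFIL_PARAMS & p.keys():
        found.append("forwarding")
    if HIDE_PARAMS & p.keys():
        found.append("hiding")
    words = " ".join(str(p.get(k, "")) for k in ("SubjectContainsWords", "BodyContainsWords")).lower()
    if any(w in words for w in FINANCE_WORDS):
        found.append("finance-keyword")
    return found


def device_code_signins_before(user, when, signins):
    """Device code sign-ins for this user inside the lookback window ending at `when`."""
    return [s for s in signins
            if s["userPrincipalName"].lower() == user.lower()
            and s["authenticationProtocol"] == "deviceCode"
            and when - LOOKBACK <= _ts(s["createdDateTime"]) <= when]


def find_alerts(signins, audit):
    """Alert on suspicious rule creation preceded by a device code sign-in."""
    alerts = []
    for ev in audit:
        if ev.get("Operation") not in ("New-InboxRule", "Set-InboxRule"):
            continue
        indicators = rule_indicators(ev)
        if not indicators:
            continue
        when = _ts(ev["CreationTime"])
        prior = device_code_signins_before(ev["UserId"], when, signins)
        if not prior:
            continue
        alerts.append({"user": ev["UserId"], "rule_time": ev["CreationTime"],
                       "indicators": indicators,
                       "device_code_signin_ips": sorted({s["ipAddress"] for s in prior})})
    return alerts


if __name__ == "__main__":
    for alert in find_alerts(SIGNINS, AUDIT):
        print(alert)
```

Only the first user fires: a device code sign-in, then a rule that forwards finance-themed mail externally and deletes it. The second user's newsletter rule carries a hiding indicator but no device code sign-in, and the third user's sign-in falls outside the window; that last case is the tuning knob, since the article notes that intruders sometimes wait hours before touching the mailbox, so the lookback should be set from observed dwell times rather than left at the example's value.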
Train finance and executive teams specifically. Role-specific lures referencing real workflows, actual job titles, and plausible business context are a fundamentally different category of threat from generic phishing. Standard awareness training alone is not enough.
For any organization running Microsoft 365 as its email backbone, the operational impact of a compromised inbox goes well beyond data loss. Corrupted send histories, manipulated forwarding rules, and hijacked billing threads can damage sender reputation and deliverability for months. Treating email security as an identity problem, not just a content filtering problem, is now a business-critical requirement.