Microsoft — AI-enabled device code phishing campaign bypasses MFA at scale (April 2026)
AI relevance: Microsoft Defender researchers documented a phishing-as-a-service (PhaaS) operation — EvilTokens — that uses generative AI end-to-end: dynamic code generation at interaction time to defeat device code expiration, AI-crafted role-specific lures, and automated post-compromise enrichment. Together these represent a step-change in AI-assisted identity attacks that bypass MFA without needing passwords.
- Microsoft Defender Security Research published findings on a widespread device code phishing campaign that represents a significant escalation from the Storm-2372 operation observed in February 2025
- Dynamic code generation — threat actors trigger device code generation at the exact moment the victim clicks the phishing link, so the code is still fresh when the victim enters it; this bypasses the standard 15-minute expiration window that previously limited device code attacks
- AI-generated hyper-personalized lures — generative AI creates targeted phishing emails aligned to the victim's role, with themes including RFPs, invoices, and manufacturing workflows, increasing click-through rates
- Serverless phishing infrastructure — attackers use Railway.com to spin up thousands of unique, short-lived polling nodes running Node.js, evading signature-based detection and blending phishing traffic with legitimate Vercel, Cloudflare Workers, and AWS Lambda traffic
- Automated recon pipeline — the GetCredentialType endpoint is queried 10-15 days before attacks to validate active accounts; post-compromise, automated enrichment via Microsoft Graph maps organizational structure to identify high-value financial and executive targets
- Post-compromise persistence — stolen tokens are used to create malicious inbox rules that redirect or conceal communications, enabling long-term access while tokens remain valid
- The campaign uses multi-stage redirects through compromised legitimate domains before reaching the final phishing site, evading automated URL scanners and sandbox analysis
- EvilTokens operates as a PhaaS toolkit, lowering the barrier for less sophisticated actors to run AI-powered identity attacks at scale
Why It Matters
Device code attacks have historically been narrow in scope and limited by the 15-minute code expiration window. This campaign eliminates that constraint through AI-driven dynamic code generation and automated infrastructure provisioning. The use of generative AI for both the lure creation (role-specific, contextually relevant content) and the operational infrastructure (dynamic node provisioning, automated target enrichment) marks a transition from AI as a research curiosity to AI as a core component of attacker toolchains. For AI/agent operators specifically, this is relevant because compromised OAuth tokens from such campaigns can be used to access AI platform APIs, MCP-connected services, and cloud-hosted agent infrastructure — any service that accepts the stolen bearer token.
What To Do
- Restrict device code flow — use Conditional Access policies to block or restrict the device code authentication flow for users who don't need it (most enterprise users don't)
- Monitor for anomalous device code activity — alert on unusual volumes of device code requests, especially from new or unregistered client applications
- Review inbox rules regularly — malicious inbox rules are the primary persistence mechanism; audit for rules that forward, delete, or redirect messages
- Enforce token lifetime policies — shorter token lifetimes reduce the window for post-compromise activity
- Deploy phishing-resistant MFA — FIDO2 security keys and certificate-based authentication are not vulnerable to device code phishing
- Monitor Microsoft Graph API access patterns — look for unusual organizational directory enumeration or bulk permission mapping after any suspected compromise
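The two monitoring items above (anomalous device code sign-ins, and inbox rules that forward, redirect or delete mail) as an added detection example; this is not code from the Microsoft report. It assumes sign-in records shaped like the Entra ID `signIn` resource (where `authenticationProtocol` is `deviceCode` for this flow) and inbox-rule events shaped like unified audit log records; the app ids, sample records and threshold are constructed placeholders.

```python
"""Added triage example: flag device code sign-ins and risky inbox rules.
Assumed shapes (not from the Microsoft report): sign-ins carry the Entra ID
`signIn` field `authenticationProtocol` ("deviceCode" marks the flow); rule
events use the unified audit log shape (Operation, UserId, Parameters)."""
from collections import Counter

# Constructed sample sign-ins: four via an app nobody registered, one via a
# known CLI app, and one interactive sign-in that must be ignored.
SIGNINS = [{"userPrincipalName": f"u{i}@example.com", "appId": "app-unknown-1",
            "authenticationProtocol": "deviceCode"} for i in range(4)]
SIGNINS += [{"userPrincipalName": "dev@example.com", "appId": "app-known-cli",
             "authenticationProtocol": p} for p in ("deviceCode", "oAuth2")]
KNOWN_DEVICE_CODE_APPS = {"app-known-cli"}  # placeholder allow-list

# Constructed audit events: one rule that forwards and deletes, one benign.
RULE_EVENTS = [
    {"Operation": "New-InboxRule", "UserId": "cfo@example.com", "Parameters": [
        {"Name": "ForwardTo", "Value": "ext@example.net"},
        {"Name": "DeleteMessage", "Value": "True"}]},
    {"Operation": "New-InboxRule", "UserId": "dev@example.com",
     "Parameters": [{"Name": "MarkAsRead", "Value": "True"}]},
]
RISKY_RULE_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo",
                     "DeleteMessage", "MoveToFolder"}

def triage_device_code(records, known_apps=KNOWN_DEVICE_CODE_APPS, threshold=3):
    """One alert per device-code app missing from the allow-list and one per
    app at or above `threshold` sign-ins; other flows are ignored."""
    per_app = Counter(r["appId"] for r in records
                      if r.get("authenticationProtocol") == "deviceCode")
    alerts = []
    for app, n in per_app.items():
        if app not in known_apps:
            alerts.append((app, "unregistered-app", n))
        if n >= threshold:
            alerts.append((app, "volume", n))
    return alerts

def risky_inbox_rules(events):
    """(user, risky parameter names) for rule changes that forward, redirect,
    delete or hide mail, the persistence pattern described in the summary."""
    hits = []
    for ev in events:
        if ev.get("Operation") not in ("New-InboxRule", "Set-InboxRule"):
            continue
        names = {p["Name"] for p in ev.get("Parameters", [])}
        if risky := sorted(names & RISKY_RULE_PARAMS):
            hits.append((ev["UserId"], risky))
    return hits
```

Tune the allow-list and threshold to the tenant's real baseline of device code clients; in most enterprises that baseline is a handful of CLI tools, so anything else is worth a ticket.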