PROBABLYPWNED
Threat Intelligence | May 17, 2026 | 5 min read

Device Code Phishing Surges 40% — Hundreds Compromised Daily

AI-enabled device code phishing campaigns hit hundreds of Microsoft 365 accounts daily since mid-March. Criminal toolkits proliferate as attacks bypass MFA at scale.

Alex Kowalski

Device code phishing attacks against Microsoft 365 have surged approximately 40% since mid-March, with attackers compromising hundreds of enterprise accounts every day using AI-enabled automation. The technique tricks users into approving an attacker-initiated device code sign-in on Microsoft's own login infrastructure, and it has evolved from targeted nation-state operations into a widespread criminal enterprise.

Hundreds of Compromises Daily

Microsoft Defender Security Research reported that 10 to 15 distinct device code phishing campaigns launch every 24 hours, distributed at scale with highly varied payloads. The campaigns target organizations across all sectors and geographies, though post-compromise activity consistently focuses on finance-related personnel.

"Hundreds of compromises occurring daily across affected environments," said Tanmay Ganacharya, Microsoft's VP of security research, describing activity since March 15, 2026.

The escalation follows a pattern we first covered when EvilTokens hit 340+ organizations across five countries in February. That campaign demonstrated the technique's viability at scale. Now criminal operators have industrialized the approach.

AI Automation Changes the Game

The critical innovation driving this surge is the combination of AI-generated phishing lures with on-demand device code generation. Earlier device code attacks were constrained by the code's 15-minute lifetime: the code had to be minted before the lure was sent, so the attacker had to hope the victim acted on it before it expired.

The new campaigns solve this by requesting a device code only when the victim interacts with the phishing link, so the 15-minute window starts when the victim is already engaged. A checkStatus() function on the phishing page polls the attacker's infrastructure every 3-5 seconds, and that infrastructure in turn polls Microsoft's token endpoint for the device code, as the device code flow requires, so the operator learns within seconds that the victim has completed sign-in and MFA and can start using the issued tokens. The timing constraint that previously limited campaign scale is gone.
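To make the timing argument concrete, here is an added example (my own code, not code from any of the campaigns, kits or vendors the article describes) that mocks the OAuth 2.0 device authorization grant (RFC 8628) in memory and runs the two cases side by side: a code minted when the lure is sent versus one minted when the victim clicks. The 15-minute lifetime, the 5-second polling interval, the user-code format and every name in it are assumptions chosen to match the article's description; nothing in it contacts Microsoft.

```python
"""Mock of the OAuth 2.0 device authorization grant (RFC 8628), written to show
why minting the device code on click defeats the 15-minute expiry that limited
older campaigns.  Added example with an in-memory stand-in for the
authorization server; it never contacts Microsoft.  Code lifetime, polling
interval and user-code format are assumptions matched to the article."""
import secrets
from dataclasses import dataclass
from typing import Optional

CODE_LIFETIME_S = 15 * 60   # assumed device-code lifetime (article: 15 minutes)
POLL_INTERVAL_S = 5         # RFC 8628 "interval" hint; the article cites 3-5 s polling


class FakeClock:
    """Deterministic clock so the scenarios run instantly and repeatably."""
    def __init__(self, start: float = 0.0):
        self.t = start

    def now(self) -> float:
        return self.t

    def sleep(self, seconds: float) -> None:
        self.t += seconds


@dataclass
class DeviceAuth:
    device_code: str
    user_code: str
    issued_at: float
    approve_at: Optional[float] = None   # when the victim finishes sign-in plus MFA
    token: Optional[str] = None


class MockAuthServer:
    """Minimal RFC 8628 authorization server kept in memory."""
    def __init__(self, clock: FakeClock):
        self.clock = clock
        self._auths = {}

    def device_authorization(self) -> dict:
        """Device authorization response (RFC 8628 section 3.2)."""
        auth = DeviceAuth(device_code=secrets.token_urlsafe(24),
                          user_code=secrets.token_hex(4).upper(),  # assumed format
                          issued_at=self.clock.now())
        self._auths[auth.device_code] = auth
        return {"device_code": auth.device_code, "user_code": auth.user_code,
                "expires_in": CODE_LIFETIME_S, "interval": POLL_INTERVAL_S}

    def schedule_user_approval(self, device_code: str, delay_s: float) -> None:
        """Model the victim typing the user code on the real sign-in page and
        completing MFA delay_s seconds from now; it only counts if the code is
        still live at that moment."""
        self._auths[device_code].approve_at = self.clock.now() + delay_s

    def token(self, device_code: str) -> dict:
        """Token endpoint the client polls (RFC 8628 sections 3.4 and 3.5)."""
        auth = self._auths.get(device_code)
        if auth is None:
            return {"error": "invalid_grant"}
        if self.clock.now() - auth.issued_at > CODE_LIFETIME_S:
            return {"error": "expired_token"}
        if auth.approve_at is None or self.clock.now() < auth.approve_at:
            return {"error": "authorization_pending"}
        if auth.token is None:
            auth.token = "access_" + secrets.token_hex(8)
        return {"access_token": auth.token, "refresh_token": "refresh_" + secrets.token_hex(8)}


def poll_for_token(server: MockAuthServer, device_code: str, clock: FakeClock,
                   max_wait_s: float) -> dict:
    """The checkStatus()-style loop: poll at the advertised interval until a
    token arrives or the server answers with a terminal error."""
    deadline, interval = clock.now() + max_wait_s, POLL_INTERVAL_S
    while True:
        resp = server.token(device_code)
        if "access_token" in resp:
            return resp
        if resp.get("error") == "slow_down":          # RFC 8628: add 5 s and keep going
            interval += 5
        elif resp.get("error") != "authorization_pending":
            return resp                                # expired_token, invalid_grant, ...
        if clock.now() + interval > deadline:
            return {"error": "client_timeout"}
        clock.sleep(interval)


def scenario_static_code(click_delay_s: float, approve_delay_s: float = 60) -> str:
    """Older kits: the code is minted when the mail is sent.  The victim opens
    the mail click_delay_s later and finishes MFA approve_delay_s after that."""
    clock = FakeClock()
    srv = MockAuthServer(clock)
    issued = srv.device_authorization()           # minted at send time
    clock.sleep(click_delay_s)                    # mail sits unread
    srv.schedule_user_approval(issued["device_code"], approve_delay_s)
    resp = poll_for_token(srv, issued["device_code"], clock, 2 * CODE_LIFETIME_S)
    return "token" if "access_token" in resp else resp["error"]


def scenario_on_demand_code(click_delay_s: float, approve_delay_s: float = 60) -> str:
    """Current kits: nothing is minted until the victim clicks, so the
    15-minute window starts at the click rather than at send time."""
    clock = FakeClock()
    srv = MockAuthServer(clock)
    clock.sleep(click_delay_s)                    # mail sits unread; no code exists yet
    issued = srv.device_authorization()           # minted on click
    srv.schedule_user_approval(issued["device_code"], approve_delay_s)
    resp = poll_for_token(srv, issued["device_code"], clock, 2 * CODE_LIFETIME_S)
    return "token" if "access_token" in resp else resp["error"]


if __name__ == "__main__":
    print("static code, mail opened after 20 min:   ", scenario_static_code(20 * 60))
    print("on-demand code, mail opened after 20 min:", scenario_on_demand_code(20 * 60))
```

With the mail opened 20 minutes after it was sent, the static case comes back expired_token and the on-demand case comes back with a token, because the expiry clock only starts at the click. The on-demand case still fails if the victim dawdles more than 15 minutes after clicking, which is why the kits keep the victim on a page that looks like an in-progress verification.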

AI tools generate highly personalized emails aligned to target roles — proposals for construction firms, invoices for accounting departments, manufacturing workflows for industrial targets. According to Microsoft's analysis, attackers conduct reconnaissance 10-15 days before launching campaigns, querying Microsoft's GetCredentialType API to verify which email addresses exist within target organizations.

From Nation-State to Commodity

Device code phishing originated as a sophisticated technique employed by Russia-aligned actors including Storm-2372, APT29, and UNK_AcademicFlare. The OAuth token abuse trends we've tracked show how nation-state techniques migrate downstream to criminal groups.

Proofpoint researchers describe the current landscape bluntly: "Device code phishing is exploding across the threat landscape, with new device code phishing tools emerging every week."

Multiple phishing-as-a-service platforms now offer turnkey device code capabilities. EvilTokens provides themed landing pages impersonating Microsoft, Adobe, and DocuSign, along with a "Portal Browser" tool for managing compromised accounts. The platform reportedly uses "vibe coding" AI generation techniques to build attack infrastructure rapidly.

Attack Flow and Post-Compromise Behavior

The campaigns typically begin with emails from compromised or attacker-controlled addresses, using lures like salary notifications, code of conduct reminders, or document signature requests. Victims click links that route through legitimate platforms — Cloudflare Workers, Vercel, or compromised websites — before reaching the final phishing page.

That page mimics a legitimate browser window prompting identity verification and directs users to enter the displayed code at Microsoft's real devicelogin page. Because victims type their credentials and complete their real MFA prompts on actual Microsoft infrastructure, the attack bypasses traditional phishing protections entirely: URL reputation and credential-theft detection see a legitimate sign-in, and the tokens issued at the end of it go to the client that requested the code, which is the attacker's.

Within 10 minutes of successful authentication, attackers register a new device in the tenant to obtain a Primary Refresh Token for persistent access. They also create inbox forwarding rules for messages containing keywords like "payroll" or "invoice", a tactic reminiscent of the Storm-2755 payroll theft campaign that redirected employee salaries. Because such rules run server-side in the mailbox, the exfiltration continues after victims realize they have been compromised, and even after a password reset, until the rule itself is removed.

Who Is Targeted

Between April 14 and 16 alone, Microsoft observed campaigns targeting over 35,000 users across 13,000 organizations in 26 countries. The United States accounted for 92% of targets, with significant activity in:

  • Healthcare and life sciences (19%)
  • Financial services (18%)
  • Professional services (11%)
  • Technology and software (11%)

The broad targeting suggests operators care less about specific victims than volume. Any organization with Microsoft 365 represents a potential revenue stream through credential theft, business email compromise, or ransomware deployment — the same financial motivation driving Iranian actors who password-sprayed 300+ organizations earlier this year.

Defending Against Device Code Phishing

Microsoft's primary recommendation is to block the device code flow through a Conditional Access policy that targets it directly (the authentication flows condition), wherever possible. Organizations that cannot block the flow entirely should restrict it to approved users, devices, or network locations. Deploy the policy in report-only mode first and review the sign-ins it flags: command-line tools and meeting-room devices are the usual legitimate users of device code, and those are the accounts to scope or exclude before enforcement.
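As an added example of that policy (my own code, not Microsoft's tooling or anything from the article's sources), the block below builds the Conditional Access body for the Graph v1.0 conditionalAccessPolicy resource, defaulting to report-only, with the "restrict rather than block" variant expressed as excluded groups and named locations. The request shape, the conditions.authenticationFlows.transferMethods condition and the Policy.ReadWrite.ConditionalAccess permission are stated as I understand the Graph schema; treat them, and the placeholder IDs, as assumptions to verify against current Graph documentation before deploying.

```python
"""Conditional Access policy that blocks the device code flow tenant-wide, with
carve-outs for groups and named locations that legitimately need it.  Added
example, not Microsoft tooling.  Targets the Graph v1.0 conditionalAccessPolicy
resource as I understand its schema; the schema, the permission name and all
IDs are assumptions."""
import json
import urllib.request
from typing import Iterable

GRAPH_POLICIES_URL = "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies"


def build_device_code_policy(display_name: str = "Block device code flow",
                             break_glass_group_ids: Iterable[str] = (),
                             approved_user_group_ids: Iterable[str] = (),
                             approved_location_ids: Iterable[str] = (),
                             enforce: bool = False) -> dict:
    """Return the policy body.  Report-only by default so the sign-in logs can
    show who still relies on device code before anything is blocked."""
    policy = {
        "displayName": display_name,
        "state": "enabled" if enforce else "enabledForReportingButNotEnforced",
        "conditions": {
            "users": {"includeUsers": ["All"],
                      "excludeGroups": list(break_glass_group_ids) + list(approved_user_group_ids)},
            "applications": {"includeApplications": ["All"]},
            # The authentication-flows condition is what singles out device code.
            "authenticationFlows": {"transferMethods": "deviceCodeFlow"},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }
    if approved_location_ids:
        # Restrict rather than block: device code stays allowed from these named locations.
        policy["conditions"]["locations"] = {"includeLocations": ["All"],
                                             "excludeLocations": list(approved_location_ids)}
    return policy


def lint_policy(policy: dict) -> list:
    """Catch the mistakes that make this policy useless or dangerous."""
    problems = []
    cond = policy["conditions"]
    if "deviceCodeFlow" not in cond.get("authenticationFlows", {}).get("transferMethods", ""):
        problems.append("policy does not target deviceCodeFlow")
    if "block" not in policy.get("grantControls", {}).get("builtInControls", []):
        problems.append("grant control is not block")
    if cond["users"].get("includeUsers") != ["All"]:
        problems.append("policy is not scoped to all users")
    if not cond["users"].get("excludeGroups"):
        problems.append("no break-glass group excluded; lockout risk if the policy misfires")
    return problems


def submit_policy(policy: dict, access_token: str, dry_run: bool = True) -> dict:
    """POST the policy to Graph (assumed permission: Policy.ReadWrite.ConditionalAccess).
    dry_run returns the request that would be sent instead of sending it."""
    req = urllib.request.Request(
        GRAPH_POLICIES_URL, data=json.dumps(policy).encode(), method="POST",
        headers={"Authorization": f"Bearer {access_token}", "Content-Type": "application/json"})
    if dry_run:
        return {"method": req.get_method(), "url": req.full_url, "body": json.loads(req.data)}
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Placeholder group ID; substitute the tenant's emergency-access group.
    draft = build_device_code_policy(break_glass_group_ids=["00000000-0000-0000-0000-000000000001"])
    print(json.dumps(draft, indent=2))
    print("lint:", lint_policy(draft) or "ok")
    print(submit_policy(draft, access_token="<token>")["url"])
```

Flip enforce to True only after the report-only run has been reviewed; the lint step refuses a policy with no excluded group because a misfiring block on "All users" with no break-glass exclusion is the classic way to lock administrators out of their own tenant.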

User awareness remains critical because the attack relies on convincing people to enter codes into a trusted Microsoft page rather than an obvious fake site. Employees should understand that a legitimate device code prompt appears only when they themselves start a sign-in on a device they control, never from an email link or an unexpected request: a code that arrives in a message was generated on someone else's device, and approving it signs that device in as them.

For organizations already compromised, token revocation requires immediate attention. A password reset by itself does not end the attacker's access: refresh tokens already issued, including the Primary Refresh Token on the attacker-registered device, stay valid until explicitly revoked, and access tokens run to expiry unless Continuous Access Evaluation is enforced. Reset the password, revoke the user's refresh tokens (the Graph revokeSignInSessions action), and disable or delete the unfamiliar device; then audit token and consent grants, remove any inbox forwarding rules, review sign-in logs for device code authentications (authenticationProtocol of deviceCode), and monitor for the registration of unfamiliar devices.
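The post-compromise sequence described earlier (device registration within ten minutes, then a forwarding rule keyed on payroll or invoice mail) and the monitoring advice just given reduce to one correlation. Here it is as an added example (my own code, not a Microsoft detection or anything from the article's sources) run over constructed records: the sign-in and audit entries are made up to resemble Entra ID sign-in and audit logs and Exchange New-InboxRule audit entries, with field names simplified from the real schemas, and the window sizes and the two extra keywords are assumptions.

```python
"""Correlates device-code sign-ins with the post-compromise steps the article
describes: a device registered within ten minutes, an inbox rule that forwards
mail matching payroll/invoice words.  Added example over constructed records;
field names are simplified from the Entra and Exchange audit schemas, and the
windows and extra keywords are assumptions."""
from datetime import datetime, timedelta, timezone

# Constructed sample data: one compromised user, one benign device-code user.
SIGNINS = [
    {"time": "2026-04-15T09:02:11Z", "user": "j.ortiz@example.com",
     "authenticationProtocol": "deviceCode", "ip": "203.0.113.7"},
    {"time": "2026-04-15T09:05:40Z", "user": "p.nkemelu@example.com",
     "authenticationProtocol": "oAuth2", "ip": "198.51.100.20"},
    {"time": "2026-04-15T10:30:00Z", "user": "a.singh@example.com",
     "authenticationProtocol": "deviceCode", "ip": "198.51.100.44"},
]
AUDIT = [
    {"time": "2026-04-15T09:08:55Z", "user": "j.ortiz@example.com",
     "activity": "Register device", "deviceName": "DESKTOP-7Q2K9LM"},
    {"time": "2026-04-15T09:21:03Z", "user": "j.ortiz@example.com",
     "activity": "New-InboxRule",
     "parameters": {"SubjectOrBodyContainsWords": ["Payroll", "invoice"],
                    "ForwardTo": ["archive@example.net"], "DeleteMessage": True}},
    {"time": "2026-04-15T11:45:00Z", "user": "a.singh@example.com",
     "activity": "Register device", "deviceName": "ASINGH-LAPTOP"},
]

DEVICE_REG_WINDOW = timedelta(minutes=10)   # article: registration within 10 minutes
RULE_WINDOW = timedelta(hours=2)            # assumed hunting window for inbox rules
SENSITIVE_WORDS = {"payroll", "invoice", "salary", "remittance"}  # article's two plus two assumed
FORWARD_PARAMS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo")


def parse_time(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def classify_inbox_rule(params: dict) -> dict:
    """Does the rule forward mail out, and does it key on money-related words?"""
    words = []
    for key in ("SubjectOrBodyContainsWords", "SubjectContainsWords", "BodyContainsWords"):
        words += params.get(key, [])
    hits = sorted({w.lower() for w in words} & SENSITIVE_WORDS)
    forwards = any(params.get(k) for k in FORWARD_PARAMS)
    return {"forwards": forwards, "keywords": hits, "deletes": bool(params.get("DeleteMessage"))}


def correlate(signins: list, audit: list) -> list:
    """One finding per device-code sign-in, escalated by what followed it."""
    findings = []
    for s in signins:
        if s.get("authenticationProtocol") != "deviceCode":
            continue
        t0 = parse_time(s["time"])
        later = [e for e in audit if e["user"] == s["user"] and parse_time(e["time"]) >= t0]
        devices = [e["deviceName"] for e in later
                   if e["activity"] == "Register device"
                   and parse_time(e["time"]) - t0 <= DEVICE_REG_WINDOW]
        rules = []
        for e in later:
            if e["activity"] == "New-InboxRule" and parse_time(e["time"]) - t0 <= RULE_WINDOW:
                info = classify_inbox_rule(e["parameters"])
                if info["forwards"] and info["keywords"]:
                    rules.append({"time": e["time"], **info})
        # A device-code sign-in alone is worth a look; a new device makes it high;
        # a keyword forwarding rule on top is the article's full pattern.
        severity = "critical" if rules else ("high" if devices else "info")
        findings.append({"user": s["user"], "signin_time": s["time"], "ip": s["ip"],
                         "devices_registered": devices, "forwarding_rules": rules,
                         "severity": severity})
    return findings


if __name__ == "__main__":
    for f in correlate(SIGNINS, AUDIT):
        print(f["severity"].upper(), f["user"], f["devices_registered"],
              [r["keywords"] for r in f["forwarding_rules"]])
```

On the sample data j.ortiz is flagged critical (device registered 6 minutes after the device-code sign-in, then a rule forwarding payroll and invoice mail off-tenant and deleting the originals), while a.singh stays at info: a device-code sign-in followed by a registration 75 minutes later is outside the window and, on its own, is what a legitimate CLI or meeting-room enrollment also looks like.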

Our phishing defense guide covers recognition techniques, though device code attacks present unique challenges because users interact exclusively with legitimate Microsoft infrastructure throughout the authentication flow.

Why This Matters

Device code phishing exploits a fundamental tension in modern authentication: the device authorization flow that lets input-constrained devices and command-line tools sign in through a code typed elsewhere also lets an attacker mint a code and have a victim approve it. MFA protections function exactly as designed, and attackers still win, because the victim satisfies the factor for a session the attacker started.

The 40% surge and hundreds of daily compromises signal that defensive measures aren't keeping pace with attacker innovation. Organizations that haven't restricted device code flows should assume it's only a matter of time before they're targeted.
