Microsoft Warns Of New AI-Powered Phishing Campaign That Bypasses MFA

Automated infrastructure and dynamic authentication tokens enable large-scale account compromise

Published on Apr 8, 2026
Microsoft Warns of AI-Driven Device Code Phishing Campaign Bypassing MFA Protections

Microsoft security researchers have identified a large-scale phishing campaign abusing device code authentication to compromise enterprise accounts.

According to a new advisory published by the Microsoft Defender Security Research Team on April 6, the campaign relies on the legitimate OAuth device authorization flow to trick users into authorizing attacker-controlled sessions. The campaign has affected 340+ organizations across five countries: the US, Canada, Australia, New Zealand, and Germany.

Unlike traditional phishing, this method does not require password theft; it relies instead on the victim entering a valid device code into an official login portal.

The activity is linked to a Phishing-as-a-Service (PhaaS) toolkit known as EvilTokens, which lets attackers scale operations substantially through automation and dynamically expanding infrastructure. By late March, over 1,000 domains hosted EvilTokens pages.

Attackers were observed deploying personalized emails, usually themed around invoices, requests for proposal, or shared documents, crafted using AI-based tools to increase engagement.

Once a user clicked a malicious link, they were routed through legitimate cloud services before landing on a spoofed interface that initiated the device code flow.

Exploiting Dynamic Device Code Generation

Microsoft highlighted that a new element of this campaign is dynamic device code generation. Instead of embedding static codes, which expire within 15 minutes, attackers generated codes in real time when a victim interacted with the phishing page. This keeps the authentication window open and increases the success rate of attacks.

“This campaign is distinct because it moves away from static, manual scripts toward an AI-driven infrastructure and multiple automations end-to-end,” Microsoft explained. “This activity marks a significant escalation in threat actor sophistication since the Storm-2372 device code phishing campaign observed in February 2025.”

Behind the scenes, attackers used automated backend infrastructure hosted on serverless cloud environments such as Vercel, Cloudflare Workers, and AWS Lambda to generate and later validate tokens at scale.

Once authentication was completed, attackers obtained access tokens, which they used to read email data, establish persistence through inbox rules, and conduct reconnaissance via Microsoft Graph APIs.

Microsoft reported that observed post-compromise activity often focused on high-value targets, such as finance and executive roles, identified through automated profiling of company data.

To reduce risk, Microsoft recommended restricting device code authentication, deploying conditional access policies, and enforcing phishing-resistant MFA.

For security leaders, the more pressing question is whether device code authentication is enabled across their Microsoft 365 tenants and whether it needs to be. Most organizations have never evaluated it as a risk vector. Microsoft’s advisory recommends restricting it to trusted devices and locations via Conditional Access, and disabling it entirely for users who have no legitimate need for it.
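As an added illustration of the two defensive points above (auditing for device code sign-ins, and restricting the flow through Conditional Access), the following Python is example code written for this page; it is not from Microsoft's advisory, the article, or any Microsoft tooling. It assumes sign-in records in the shape of the Microsoft Graph signIn resource (`userPrincipalName`, `appDisplayName`, `ipAddress`, `location.countryOrRegion`, `authenticationProtocol`) and a policy body following the Graph conditionalAccessPolicy schema with the `authenticationFlows` condition; the allowed-country and expected-client lists, the group ID placeholder, and the sample records are all constructed for the demonstration.

```python
"""Defender-side helpers for device code phishing (added example, not the article's code).

1. triage_device_code_sign_ins: surface device code flow sign-ins from exported
   Entra ID sign-in records and rank them by how unusual they look.
2. build_block_device_code_policy: produce the Conditional Access request body
   that blocks the device code flow for everyone except an exempt group,
   deployed in report-only mode first so the blast radius can be measured.

Assumed field names follow the Microsoft Graph signIn / conditionalAccessPolicy
schemas; the records below are constructed sample data, not real sign-ins.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Constructed sample records in the shape of Graph signIn objects (not real data).
SAMPLE_SIGN_INS = [
    {"userPrincipalName": "cfo@example.com", "appDisplayName": "Microsoft Office",
     "ipAddress": "203.0.113.10", "location": {"countryOrRegion": "US"},
     "authenticationProtocol": "deviceCode", "createdDateTime": "2026-04-06T09:12:00Z"},
    {"userPrincipalName": "dev@example.com", "appDisplayName": "Microsoft Azure CLI",
     "ipAddress": "203.0.113.11", "location": {"countryOrRegion": "US"},
     "authenticationProtocol": "deviceCode", "createdDateTime": "2026-04-06T09:15:00Z"},
    {"userPrincipalName": "alice@example.com", "appDisplayName": "Microsoft Office",
     "ipAddress": "203.0.113.12", "location": {"countryOrRegion": "US"},
     "authenticationProtocol": "oAuth2", "createdDateTime": "2026-04-06T09:20:00Z"},
    {"userPrincipalName": "cfo@example.com", "appDisplayName": "Microsoft Azure CLI",
     "ipAddress": "198.51.100.7", "location": {"countryOrRegion": "NL"},
     "authenticationProtocol": "deviceCode", "createdDateTime": "2026-04-06T09:31:00Z"},
]


@dataclass
class Finding:
    user: str
    app: str
    country: str
    ip: str
    when: str
    severity: str                      # "high" if any reason fired, else "medium"
    reasons: list[str] = field(default_factory=list)


def triage_device_code_sign_ins(records, allowed_countries, expected_clients):
    """Return one Finding per device code sign-in, in input order.

    Every device code sign-in is worth a look because most users never need the
    flow; a sign-in from outside the allowed countries or via a client that is
    not a known device-code consumer (CLI tools, headless devices) is ranked high.
    """
    findings = []
    for r in records:
        if r.get("authenticationProtocol") != "deviceCode":
            continue
        app = r.get("appDisplayName", "")
        country = (r.get("location") or {}).get("countryOrRegion", "")
        reasons = []
        if country not in allowed_countries:
            reasons.append(f"unexpected country: {country or 'unknown'}")
        if app not in expected_clients:
            reasons.append(f"unexpected client app: {app or 'unknown'}")
        findings.append(Finding(
            user=r.get("userPrincipalName", ""), app=app, country=country,
            ip=r.get("ipAddress", ""), when=r.get("createdDateTime", ""),
            severity="high" if reasons else "medium", reasons=reasons))
    return findings


def build_block_device_code_policy(exempt_group_id, report_only=True):
    """Conditional Access body blocking the device code flow tenant-wide.

    The exempt group holds the few identities (automation, headless devices)
    with a legitimate need; everyone else is blocked. Start in report-only
    mode, review what it would have blocked, then switch to enabled.
    """
    return {
        "displayName": "Block device code flow except approved group",
        "state": "enabledForReportingButNotEnforced" if report_only else "enabled",
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeGroups": [exempt_group_id]},
            "applications": {"includeApplications": ["All"]},
            "authenticationFlows": {"transferMethods": "deviceCodeFlow"},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }


if __name__ == "__main__":
    for f in triage_device_code_sign_ins(
            SAMPLE_SIGN_INS, allowed_countries={"US", "CA"},
            expected_clients={"Microsoft Azure CLI"}):
        print(f.severity.upper(), f.user, f.app, f.country, f.ip, "; ".join(f.reasons))
    # Placeholder group ID; substitute the real object ID of the exempt group.
    print(build_block_device_code_policy("00000000-0000-0000-0000-000000000000"))
```

On the constructed records the triage flags three device code sign-ins and ignores the ordinary OAuth sign-in: the two CFO entries rank high (an Office client in one case, a sign-in from an unexpected country in the other), while the developer's Azure CLI sign-in from an allowed country is medium and is the kind of use the exempt group exists for. The policy body leaves `authenticationTransfer` untouched; if that flow is also unneeded, the `transferMethods` value can carry both entries.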