Ethical Hacking News
A devastating campaign of AI-driven Microsoft device code phishing attacks has been uncovered, compromising hundreds of organizations daily. The attackers use advanced techniques such as compromised domains and dynamic device code generation to bypass MFA and gain unauthorized access to corporate email inboxes. With the link to a new Microsoft device-code phishing kit, it is clear that these attacks are having a significant impact on global cybersecurity.
Hundreds of organizations are being compromised daily by AI-driven device code phishing attacks. The attackers use advanced techniques such as compromised domains and dynamic device code generation to bypass MFA. The attacks target organizations across all sectors and globally, with unique payloads and tactics. Organizations must review their security protocols to prevent these types of threats. Individuals can protect themselves by being cautious when receiving unsolicited emails or requests for authentication codes.
Microsoft has revealed that hundreds of organizations are being compromised daily by a sophisticated campaign of device code phishing attacks, which utilize advanced artificial intelligence (AI) and automation techniques to bypass multi-factor authentication (MFA) and gain unauthorized access to corporate email inboxes. The attacks, which have been ongoing since March 15, 2026, target organizations across all sectors and globally, with each campaign distributed at scale and featuring unique payloads.
The attackers have employed a range of tactics to evade detection, including the use of compromised legitimate domains on trusted serverless platforms such as Railway, Cloudflare Workers, DigitalOcean, and AWS Lambda. These platforms allow the phishing emails to blend in with legitimate enterprise cloud traffic, making it challenging for automated URL scanners and sandboxes to detect the malicious activity.
Furthermore, the attackers have utilized dynamic device code generation: the device code is generated only when the victim lands on the final phishing page, so the 15-minute time limit for each device code does not start until that moment. This allows the attackers to bypass MFA and gain access to the targeted user's account before the victim even realizes what is happening.
The campaign appears to be linked to a new Microsoft device-code phishing kit called EvilTokens, which has been sold as a service since mid-February. The kit allows buyers to bypass MFA and silently authenticate as the victim to the organization's Microsoft 365 applications. It is believed that the operators of this kit will soon extend their support to Gmail and Okta phishing pages.
Microsoft Vice President of Security Research Tanmay Ganacharya has warned that these attacks mark a significant escalation in threat actor sophistication, and that the use of AI-driven tactics makes them much harder to detect. He also noted that post-compromise activity shows a consistent focus on finance-related personas, with automated email exfiltration observed in those accounts.
The impact of this campaign cannot be overstated. With hundreds of organizations being compromised daily, it is clear that these attacks are having a significant impact on global cybersecurity. As the use of AI and automation continues to rise in cybercrime, it is essential that individuals and organizations take steps to protect themselves from these types of threats.
In light of this latest development, it is essential for organizations to review their security protocols and ensure that they have adequate measures in place to prevent device code phishing attacks. This includes implementing strong MFA policies, keeping software and systems up-to-date, and educating employees on how to identify and report suspicious activity.
Furthermore, individuals can take steps to protect themselves from these types of threats by being cautious when receiving unsolicited emails or requests for authentication codes. They should never enter a device code into an email or webpage unless they are certain that the request is legitimate.
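For defenders reviewing their protocols as described above, one practical check is to hunt sign-in logs for successful device code sign-ins that break a user's baseline. The following is an added example, not code from Microsoft or from the original article; the record layout, field names, the `deviceCode` protocol label and all sample values are assumptions constructed for illustration and must be mapped to your own log schema.

```python
from datetime import datetime, timedelta

# Constructed sample sign-in records (not real data). Field names are
# assumptions for this example; map them to your own sign-in log export.
SIGNINS = [
    {"time": "2026-03-20T08:02:00", "user": "tv-room@example.com", "protocol": "deviceCode", "ip": "198.51.100.10", "success": True},
    {"time": "2026-04-01T09:15:00", "user": "ap-clerk@example.com", "protocol": "oAuth2", "ip": "198.51.100.20", "success": True},
    {"time": "2026-04-07T10:01:00", "user": "tv-room@example.com", "protocol": "deviceCode", "ip": "198.51.100.10", "success": True},
    {"time": "2026-04-07T10:05:00", "user": "ap-clerk@example.com", "protocol": "deviceCode", "ip": "203.0.113.77", "success": True},
    {"time": "2026-04-07T10:06:00", "user": "hr-lead@example.com", "protocol": "deviceCode", "ip": "203.0.113.78", "success": False},
]

def flag_device_code_signins(records, now, recent=timedelta(hours=24), baseline=timedelta(days=30)):
    """Flag recent successful device code sign-ins that break a user's baseline."""
    known_dc_users = set()   # users who legitimately used device code before
    known_ips = {}           # user -> IPs seen in the baseline window
    recent_hits = []
    for r in records:
        t = datetime.fromisoformat(r["time"])
        # Ignore failures and anything outside the baseline window.
        if not r["success"] or t > now or t < now - baseline:
            continue
        if t >= now - recent:
            if r["protocol"] == "deviceCode":
                recent_hits.append(r)
        else:
            known_ips.setdefault(r["user"], set()).add(r["ip"])
            if r["protocol"] == "deviceCode":
                known_dc_users.add(r["user"])
    alerts = []
    for r in recent_hits:
        reasons = []
        if r["user"] not in known_dc_users:
            reasons.append("first device code sign-in in baseline window")
        if r["ip"] not in known_ips.get(r["user"], set()):
            reasons.append("IP not seen for this user in baseline window")
        if reasons:
            alerts.append({"user": r["user"], "time": r["time"], "ip": r["ip"], "reasons": reasons})
    return alerts

if __name__ == "__main__":
    for alert in flag_device_code_signins(SIGNINS, now=datetime(2026, 4, 7, 12, 0)):
        print(alert)
```

Accounts that routinely use the device code flow, such as shared meeting-room devices, stay quiet, while a first-time device code sign-in from an unfamiliar address is surfaced for review.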
In conclusion, the recent campaign of AI-driven Microsoft device code phishing attacks highlights the evolving nature of cybercrime and the need for organizations to stay vigilant in their defense against these types of threats.
Related Information:
https://www.ethicalhackingnews.com/articles/A-Devastating-Campaign-of-AI-Driven-Microsoft-Device-Code-Phishing-Attacks-A-Threat-to-Global-Cybersecurity-ehn.shtml
https://go.theregister.com/feed/www.theregister.com/2026/04/07/microsoft_device_code_phishing/
https://www.theregister.com/2026/04/07/microsoft_device_code_phishing/
https://www.microsoft.com/en-us/security/blog/2026/04/06/ai-enabled-device-code-phishing-campaign-april-2026/
https://www.bleepingcomputer.com/news/security/new-eviltokens-service-fuels-microsoft-device-code-phishing-attacks/
https://www.csoonline.com/article/4153742/eviltokens-abuses-microsoft-device-code-flow-for-account-takeovers.html
Published: Tue Apr 7 17:07:24 2026 by llama3.2 3B Q4_K_M