Microsoft Issues Warning on Rising Daily Device Code Phishing Attacks


Daily Breaches in Device Code Phishing Campaign Uncovered

A large-scale phishing campaign has been targeting hundreds of organizations worldwide, compromising corporate accounts and sensitive financial data through a sophisticated exploitation of Microsoft device code authentication.

The Campaign Details

The campaign, which began on March 15, 2026, utilizes artificial intelligence and automation across its attack chain to evade detection and achieve its objectives.

According to Microsoft’s Vice President of Security Research, Tanmay Ganacharya, the activity amounts to 10 to 15 distinct campaigns per day, each targeting hundreds of organizations.

The attacks have been observed globally across various sectors and have not been formally attributed to any specific group. However, similarities have been noted with tooling linked to EvilTokens, a phishing kit available as a service since mid-February.

The Attack Chain

  • The campaign leverages a phishing kit that enables attackers to bypass multi-factor authentication and silently gain access to Microsoft 365 accounts.
  • Developers behind the kit have expressed intentions to expand support to other email services, including Gmail and Okta.
  • Following successful compromises, attackers consistently focus on finance-related roles, extracting emails from compromised accounts through automated processes.

Researchers at Microsoft describe the campaign as a significant escalation in threat actor sophistication, highlighting the increasing use of AI to craft highly personalized phishing messages tailored to the target’s role.

Device Code Authentication Vulnerability

Device code authentication, a feature designed for convenience, introduces a security trade-off: it does not strongly tie the authentication session to the original device context.

Attackers exploit this weakness by initiating the authentication process themselves and sending the resulting code to the target in a phishing message. When the target enters the code and signs in, the session is granted to the attacker, bypassing security controls.

Recommendations

Microsoft has advised organizations to limit the use of device code authentication and to educate employees on identifying phishing attempts, including suspicious external messages and unusual login prompts.
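
Before limiting device code authentication, it helps to know who actually uses it. The following is an added example, not code from Microsoft or from the original article: it assumes sign-in logs exported as JSON lines using Microsoft Graph signIn field names (authenticationProtocol, status.errorCode), and the function name, allowlist and sample records are constructed for illustration.

```python
import json
from collections import defaultdict

# Constructed sample sign-in records (JSON lines). Field names follow the
# Microsoft Graph signIn resource; users, apps, IPs and the nonzero error
# code are made up. The last line is deliberately truncated.
SAMPLE_LOG = """\
{"createdDateTime":"2026-03-16T08:01:12Z","userPrincipalName":"room-display@example.com","appDisplayName":"Teams Rooms","authenticationProtocol":"deviceCode","ipAddress":"198.51.100.10","status":{"errorCode":0}}
{"createdDateTime":"2026-03-16T09:14:40Z","userPrincipalName":"cfo@example.com","appDisplayName":"Microsoft Office","authenticationProtocol":"oAuth2","ipAddress":"198.51.100.22","status":{"errorCode":0}}
{"createdDateTime":"2026-03-16T09:31:05Z","userPrincipalName":"CFO@example.com","appDisplayName":"Microsoft Office","authenticationProtocol":"deviceCode","ipAddress":"203.0.113.77","status":{"errorCode":0}}
{"createdDateTime":"2026-03-16T09:40:18Z","userPrincipalName":"ap-clerk@example.com","appDisplayName":"Microsoft Office","authenticationProtocol":"deviceCode","ipAddress":"203.0.113.77","status":{"errorCode":1}}
{"createdDateTime":"2026-03-16T09:41:00Z","userPrincipalName":
"""

def audit_device_code(log_text, allowed_users):
    """Inventory device code sign-ins and flag those by users not expected to use the flow."""
    allowed = {u.lower() for u in allowed_users}
    inventory = defaultdict(lambda: {"success": 0, "failure": 0, "apps": set()})
    findings = []
    for line_no, line in enumerate(log_text.splitlines(), 1):
        if not line.strip():
            continue
        try:
            rec = json.loads(line)
        except ValueError:
            rec = None
        if not isinstance(rec, dict):
            # Keep a trace of bad input instead of silently dropping evidence.
            findings.append({"severity": "info", "reason": f"unparseable line {line_no}"})
            continue
        if rec.get("authenticationProtocol") != "deviceCode":
            continue  # only the device code flow is in scope here
        upn = (rec.get("userPrincipalName") or "unknown").lower()
        ok = (rec.get("status") or {}).get("errorCode") == 0  # 0 means success
        entry = inventory[upn]
        entry["success" if ok else "failure"] += 1
        entry["apps"].add(rec.get("appDisplayName") or "unknown")
        if upn not in allowed:
            # A completed sign-in means tokens were issued: treat as high.
            findings.append({"severity": "high" if ok else "low", "user": upn,
                             "ip": rec.get("ipAddress"), "time": rec.get("createdDateTime"),
                             "reason": "device code sign-in by user outside allowlist"})
    return dict(inventory), findings

if __name__ == "__main__":
    inv, found = audit_device_code(SAMPLE_LOG, {"room-display@example.com"})
    for f in found:
        print(f)
```

The inventory shows which accounts would be affected by restricting the flow, and each high-severity finding is a session worth reviewing and revoking.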

This campaign serves as a reminder of the importance of staying vigilant against evolving threats and taking proactive measures to protect against phishing attacks.



