Microsoft details an AI-enabled device code phishing campaign against organizational accounts

Original: Inside an AI-enabled device code phishing campaign

Apr 11, 2026, by Insights AI

Microsoft Defender Security Research on April 6, 2026 disclosed a widespread phishing campaign that abuses the OAuth device code authentication flow to compromise organizational accounts at scale. Microsoft says the campaign stands out from earlier device code attacks because it uses AI-driven infrastructure and automation end to end, which increases the odds that victims complete the flow before the short-lived code expires.

In the Microsoft description, the attack begins with reconnaissance and convincing lures such as document access, e-signing, or voicemail prompts. When a target clicks, a malicious page generates a live device code in real time, redirects the victim to the legitimate microsoft.com/devicelogin page, and sometimes copies the code to the victim’s clipboard to reduce friction. Once the user completes the flow, the attacker receives a live access token without stealing the password directly, because the legitimate device code flow has been misused.

  • Dynamic device code generation starts the 15-minute window only after the victim clicks.
  • Short-lived backend nodes on services such as Railway.com help the campaign scale and avoid simple pattern detection.
  • Microsoft links the activity to the rise of EvilTokens, a phishing-as-a-service toolkit tied to device code abuse.

The research matters because it shows attackers layering automation on top of trusted cloud workflows rather than simply cloning login pages. The phishing page, the token polling infrastructure, the clipboard trick, and the post-authentication actions work together as one coordinated system. That raises the bar for defenders: blocking a malicious domain alone is no longer enough when the final sign-in happens on a real Microsoft URL.

Microsoft’s mitigation guidance is practical: block device code flow wherever possible, restrict it with Conditional Access where it is needed, train users to verify what application they are authorizing, and revoke refresh tokens quickly when abuse is suspected. For enterprises, the report is a reminder that identity workflows built for convenience can become high-value attack surfaces once automation makes them scalable.
