Cyberfraud Warning From Akshay Sharma For Microsoft 365 Users
Device Code Phishing Attacks On Microsoft 365 Users
Device code phishing attacks targeting Microsoft 365 environments are surging at an unprecedented rate.
Device code phishing is a novel tactic that cybercriminals use to get past conventional phishing defences and compromise enterprise Microsoft 365 accounts.
Threat actors are leveraging genuine Microsoft authentication workflows to steal credentials without using conventional phishing pages, according to Akshay Sharma of AVS Security.
Credential phishing remains a powerful tactic that enables everything from ransomware and espionage to account takeover and fraud. However, as organisations improve their defences against typical phishing approaches such as multifactor authentication (MFA) phishing, cyber threat actors have expanded their skills to include device code and OAuth phishing. Criminals can combine these strategies with LLM-generated tools and social engineering to target a larger number of individuals with novel social engineering tactics at scale.
Why Multi-Factor Authentication Failed: Akshay Sharma
Since 2020, red teams and, occasionally, criminals and espionage threat actors have used this device code phishing tactic to mislead someone into granting malicious software access to their enterprise email account. Its popularity has grown in recent years. This once obscure tactic became a phishing free-for-all with the release of criminal device-code phishing tools in autumn 2025, along with breakthroughs in attack chains fuelled by “vibe coding” resources.
Threat actors abuse the OAuth 2.0 device authorisation grant flow to compromise Microsoft 365 or other enterprise user accounts by getting the user to grant access to actor-controlled applications. While the majority of device code phishing attacks target Microsoft accounts, Akshay Sharma Kirti Nagar from AVS Security has also seen Google-themed campaigns at far lower rates.
The researchers claimed that the increase in device-code phishing occurs at the same time as the public availability of criminal toolkits and several phishing-as-a-service (PhaaS) services.
Stay tuned for the latest cyber security updates with Cyber News Akshay Sharma.
Device Code Phishing: Findings Highlights
- Device code phishing is rapidly increasing as attackers exploit official Microsoft authentication flows.
- Phishing-as-a-service (PhaaS) platforms such as EvilTokens and Tycoon 2FA are helping to scale these attacks.
- Attackers are abusing QR codes, PDFs, and OAuth device login procedures to steal Microsoft 365 authentication tokens.
- AI-powered phishing kits are reducing the technological barrier for fraudsters to conduct device code attacks.
- Device code phishing is booming across the threat environment, with new device code phishing tools popping up every week.
- The rise in device code phishing is tied to the introduction of criminal toolkits and the availability of several phishing-as-a-service (PhaaS) offerings.
- The majority of identified activity is using “vibe-coded” approaches. It’s unclear if most are duplicating and changing publicly known tools or using similar prompts to develop wholesale, virtually identical attack sequences.
- Defence is the same regardless of how the tool was built or which device code tool actors are employing.
Device code phishing naturally evolves from credential phishing, adapting as individuals circumvent multifactor authentication, prompting new attacker tactics.
What Are EvilTokens, PhaaS and Vibe-Coding?
Device code phishing campaigns may include emails with URLs, attachments with URLs, or QR codes that lead to device code phishing landing pages. The code displayed is a unique device code produced for the target, and the button takes the user to https[:]//microsoft[.]com/devicelogin, which is part of Microsoft’s device code authentication flow. The target can enter this code into the legitimate Microsoft device code authentication portal, allowing the threat actor to capture authentication tokens that can be used to access the target account, including data and other services that the compromised account has access to.
One of the better-known device-code PhaaS options is EvilTokens.
EvilTokens is developed and maintained using “vibe coding” AI creation techniques, says AVS Security, and was originally announced in February 2026 via Telegram. EvilTokens captures authentication tokens that can subsequently be used to access the target’s account and data, as well as any other services the compromised account has access to.
How the attack operates
The attack starts with a phishing email that spoofs a trusted cloud or document-sharing service, includes a device code, and directs the user to a real Microsoft verification page.
Once the victim enters the code, they unintentionally authorise the attacker’s device.
The attacker then steals OAuth access and refresh tokens, enabling continued access to Microsoft 365 services such as Outlook, Teams, and OneDrive without requiring a password or additional MFA prompts.
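The flow described above (landing page shows a code, the user enters it at the legitimate Microsoft device login page, the attacker's application receives the tokens) leaves a trace in the tenant's sign-in logs: a sign-in whose authentication protocol is the device code grant, for an application the organisation never expected to use it, often from an address outside corporate networks. The following triage script is an added example, not code from the article or from AVS Security. It reads records shaped like Microsoft Entra ID sign-in log entries (field names such as `authenticationProtocol`, `appId`, `ipAddress` follow the Microsoft Graph `signIn` resource) and flags three indicators; the sample records, the allow-listed application IDs, the corporate IP ranges and the burst threshold are all constructed for this example.

```python
"""
Added example (not from the original article): triage constructed Microsoft
Entra ID sign-in records for device-code phishing indicators.

Flags, for successful device-code sign-ins only:
  * unexpected_app        -> the client app is not one the tenant expects to use the device code flow
  * external_ip           -> the sign-in came from outside the constructed corporate ranges
  * repeated_device_code  -> several device-code sign-ins for one user in a short window
Field names follow the Graph signIn resource; all values below are constructed.
"""
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed placeholder app IDs that the (hypothetical) tenant allows to use device code.
ALLOWED_DEVICE_CODE_APPS = {"cli-app-allowlisted"}
# Constructed corporate address ranges.
CORPORATE_NETWORKS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.0.2.0/24")]
BURST_THRESHOLD = 3              # device-code sign-ins per user ...
BURST_WINDOW = timedelta(minutes=15)  # ... within this window is suspicious

# Constructed sample sign-in records (shape only; not real log data).
SAMPLE_SIGNINS = [
    {"createdDateTime": "2026-03-02T09:14:05Z", "userPrincipalName": "alice@example.com",
     "authenticationProtocol": "deviceCode", "appId": "cli-app-allowlisted",
     "appDisplayName": "Corp CLI", "ipAddress": "10.0.0.5", "status": {"errorCode": 0}},
    {"createdDateTime": "2026-03-02T09:20:41Z", "userPrincipalName": "bob@example.com",
     "authenticationProtocol": "deviceCode", "appId": "broker-app-unknown",
     "appDisplayName": "Unknown Broker", "ipAddress": "198.51.100.20", "status": {"errorCode": 0}},
    {"createdDateTime": "2026-03-02T09:22:00Z", "userPrincipalName": "carol@example.com",
     "authenticationProtocol": "oAuth2", "appId": "web-app", "appDisplayName": "Outlook Web",
     "ipAddress": "198.51.100.30", "status": {"errorCode": 0}},
    {"createdDateTime": "2026-03-02T10:00:00Z", "userPrincipalName": "dave@example.com",
     "authenticationProtocol": "deviceCode", "appId": "cli-app-allowlisted",
     "appDisplayName": "Corp CLI", "ipAddress": "10.0.0.9", "status": {"errorCode": 0}},
    {"createdDateTime": "2026-03-02T10:04:00Z", "userPrincipalName": "dave@example.com",
     "authenticationProtocol": "deviceCode", "appId": "cli-app-allowlisted",
     "appDisplayName": "Corp CLI", "ipAddress": "10.0.0.9", "status": {"errorCode": 0}},
    {"createdDateTime": "2026-03-02T10:09:00Z", "userPrincipalName": "dave@example.com",
     "authenticationProtocol": "deviceCode", "appId": "cli-app-allowlisted",
     "appDisplayName": "Corp CLI", "ipAddress": "10.0.0.9", "status": {"errorCode": 0}},
    {"createdDateTime": "2026-03-02T10:30:00Z", "userPrincipalName": "eve@example.com",
     "authenticationProtocol": "deviceCode", "appId": "broker-app-unknown",
     "appDisplayName": "Unknown Broker", "ipAddress": "198.51.100.40",
     "status": {"errorCode": 50126}},  # failed sign-in: not counted as a compromise
]


def _parse_time(value):
    """Parse the Graph-style UTC timestamp used in the sample records."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def is_corporate_ip(ip):
    """True if the address falls inside one of the constructed corporate ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CORPORATE_NETWORKS)


def triage_signins(records):
    """Return a list of findings; each is {user, reason, detail, time}."""
    findings = []
    per_user_times = defaultdict(list)
    for rec in records:
        if rec.get("authenticationProtocol") != "deviceCode":
            continue  # only the device code grant is of interest here
        if rec.get("status", {}).get("errorCode", 0) != 0:
            continue  # failed attempts never issued tokens
        user = rec["userPrincipalName"]
        per_user_times[user].append(_parse_time(rec["createdDateTime"]))
        if rec.get("appId") not in ALLOWED_DEVICE_CODE_APPS:
            findings.append({"user": user, "reason": "unexpected_app",
                             "detail": rec.get("appDisplayName"), "time": rec["createdDateTime"]})
        if not is_corporate_ip(rec["ipAddress"]):
            findings.append({"user": user, "reason": "external_ip",
                             "detail": rec["ipAddress"], "time": rec["createdDateTime"]})
    # Burst heuristic: BURST_THRESHOLD successful device-code sign-ins inside BURST_WINDOW.
    for user, times in per_user_times.items():
        times.sort()
        for i in range(len(times) - BURST_THRESHOLD + 1):
            if times[i + BURST_THRESHOLD - 1] - times[i] <= BURST_WINDOW:
                findings.append({"user": user, "reason": "repeated_device_code",
                                 "detail": f"{BURST_THRESHOLD} sign-ins within {BURST_WINDOW}",
                                 "time": times[i].strftime("%Y-%m-%dT%H:%M:%SZ")})
                break
    return findings


if __name__ == "__main__":
    for f in triage_signins(SAMPLE_SIGNINS):
        print(f"{f['time']}  {f['user']:<20} {f['reason']:<22} {f['detail']}")
```

In a real tenant the allow-list would hold the application IDs of the command-line and IoT clients that legitimately need the device code grant, and the cleanest control is still a Conditional Access policy that blocks the device code flow for everyone else; the script is the retrospective check for sign-ins that happened before such a policy existed.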
In its announcement, the FBI provided guidance for consumers and organisations to defend against device code phishing attacks.
Phishing services based on Telegram
Researchers recently found that EvilTokens, a phishing-as-a-service platform marketed over Telegram, provides would-be attackers with off-the-shelf tools to launch phishing operations, such as bogus login pages, automated Microsoft API calls, and AI-generated emails.
It also includes templates for basic business notifications, such as SharePoint access requests, password expiration notices, and notifications for shared documents.
The most prevalent phishing themes in 2025 encouraged visitors to click links, scan QR codes, open attachments, or hand over personal information, according to Barracuda Networks.
AI-Enabled Device Code Phishing Campaign
The difference with this campaign is that it moves away from static, manual scripts and towards an AI-led infrastructure and end-to-end automation. This behaviour represents a considerable increase in threat actor expertise from the Storm-2372 device code phishing effort identified in February 2025.
• Advanced backend automation: The threat actors leveraged automation platforms (e.g., Railway.com) to generate thousands of unique polling nodes that were alive for brief periods of time. This allowed them to implement complex backend logic (Node.js) that traditional signature- or pattern-based detection could not catch. The infrastructure was used end-to-end in the attack, from the generation of dynamic device codes to post-compromise activities.
• Hyper-personalized lures: Generative AI was utilised to generate tailored and relevant phishing emails based on the victim’s position, including RFPs, bills, manufacturing workflows, etc. — boosting the possibility of user engagement.
• Dynamic code generation: Threat actors generated the device code only after the user clicked on the phishing link, so the code did not expire after its 15-minute lifetime and the authentication flow stayed active.
• Reconnaissance and persistence: While many accounts were compromised, later activity concentrated on a handful of high-value targets. Threat actors used automated enrichment techniques, such as public profile and business directory searches, to identify individuals in financial or executive positions. This enabled rapid reconnaissance, permission mapping, and the creation of malicious mailbox rules for persistence and data exfiltration.
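The persistence step in the last bullet, malicious mailbox rules, is something a defender can audit directly. The script below is an added example, not code from the article or from any vendor it names: it reviews mailbox rules shaped like the Microsoft Graph `messageRule` resource (an `actions` object with `forwardTo`, `redirectTo`, `delete`, `markAsRead`, `moveToFolder`, and a `conditions` object with `subjectContains` and similar keys) and flags the three patterns typically seen after an account takeover: forwarding or redirecting to an external address, quietly deleting or burying mail that matches sensitive keywords, and rule names chosen to be invisible in the rule list. The organisation domains, keyword list and sample rules are constructed for this example.

```python
"""
Added example (not from the original article): audit constructed mailbox rules
for the post-compromise patterns the article describes.

Findings per enabled rule:
  * external_forwarding    -> forwardTo / redirectTo / forwardAsAttachmentTo outside org domains
  * hiding_sensitive_mail  -> delete, or markAsRead + moveToFolder, combined with sensitive terms
  * obfuscated_name        -> rule name with fewer than two consecutive alphanumerics (".", ",,", "")
Field names follow the Graph messageRule resource; all values below are constructed.
"""
import re

ORG_DOMAINS = {"example.com"}  # constructed: the tenant's own mail domains
SENSITIVE_TERMS = {"password", "invoice", "payment", "wire", "security",
                   "helpdesk", "phish", "suspicious"}

# Constructed sample rules (shape only; not real mailbox data).
SAMPLE_RULES = [
    {"displayName": "Project updates", "isEnabled": True,
     "conditions": {"subjectContains": ["Project X"]},
     "actions": {"moveToFolder": "folder-projects"}},
    {"displayName": ".", "isEnabled": True,
     "conditions": {"bodyOrSubjectContains": ["password", "invoice", "wire"]},
     "actions": {"delete": True, "markAsRead": True}},
    {"displayName": "Backup", "isEnabled": True,
     "conditions": {},
     "actions": {"forwardTo": [{"emailAddress": {"address": "archive.mailbox@mail-example.net"}}]}},
    {"displayName": "Ack", "isEnabled": True,
     "conditions": {"subjectContains": ["Security alert"]},
     "actions": {"markAsRead": True, "moveToFolder": "folder-rss-subscriptions"}},
    {"displayName": "Old forward", "isEnabled": False,  # disabled rules are skipped below
     "conditions": {},
     "actions": {"redirectTo": [{"emailAddress": {"address": "someone@mail-example.net"}}]}},
]


def _addresses(entries):
    """Flatten a Graph recipient list into lower-cased addresses."""
    return [e["emailAddress"]["address"].lower() for e in entries or []]


def _is_external(address):
    return address.rsplit("@", 1)[-1] not in ORG_DOMAINS


def _condition_terms(conditions):
    """Collect the free-text match terms a rule looks for."""
    terms = []
    for key in ("subjectContains", "bodyContains", "bodyOrSubjectContains"):
        terms.extend(t.lower() for t in conditions.get(key, []))
    return terms


def analyze_mailbox_rules(rules):
    """Return a list of {rule, reasons, external_recipients} for suspicious enabled rules."""
    findings = []
    for rule in rules:
        if not rule.get("isEnabled", True):
            continue
        name = rule.get("displayName", "")
        actions = rule.get("actions", {})
        conditions = rule.get("conditions", {})
        reasons = []

        external = [a for a in (_addresses(actions.get("forwardTo"))
                                + _addresses(actions.get("redirectTo"))
                                + _addresses(actions.get("forwardAsAttachmentTo")))
                    if _is_external(a)]
        if external:
            reasons.append("external_forwarding")

        # A rule that deletes, or marks read and files away, mail about sensitive topics.
        hides_mail = bool(actions.get("delete")) or bool(actions.get("markAsRead") and actions.get("moveToFolder"))
        terms = _condition_terms(conditions)
        if hides_mail and any(s in t for t in terms for s in SENSITIVE_TERMS):
            reasons.append("hiding_sensitive_mail")

        if not re.search(r"[A-Za-z0-9]{2,}", name):
            reasons.append("obfuscated_name")

        if reasons:
            findings.append({"rule": name, "reasons": reasons, "external_recipients": external})
    return findings


if __name__ == "__main__":
    for f in analyze_mailbox_rules(SAMPLE_RULES):
        print(f"rule {f['rule']!r}: {', '.join(f['reasons'])} {f['external_recipients'] or ''}")
```

Run against rules pulled for every mailbox after a suspected device-code compromise, and treat a hit on `hiding_sensitive_mail` as the stronger signal: a rule that deletes mail mentioning passwords or invoices has no ordinary business purpose, whereas external forwarding sometimes does and needs to be checked against the user.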
