Sneaky Device Code Phishing Campaigns Hijack Microsoft Accounts via Legitimate Flows
DNI SUMMARY — KEY POINTS
- Cybercriminals are increasingly deploying advanced device code phishing attacks that bypass traditional credential theft by abusing the legitimate OAuth 2.0 authorization flow.
- The surge in malicious activity has been significantly bolstered by the emergence of EvilTokens, a sophisticated phishing-as-a-service toolkit sold on platforms like Telegram.
- Victims are tricked into authorizing attacker-controlled sessions on authentic Microsoft login pages, effectively granting hackers full access to sensitive enterprise and organizational data.
- Security researchers from firms like Microsoft and Proofpoint warn that this method allows attackers to maintain persistence even after users perform password resets.
- Organizations are urged to implement more robust identity verification measures and educate employees on the dangers of entering unknown device codes into browser prompts.
Cybersecurity experts have identified a growing wave of sophisticated phishing campaigns that fundamentally alter the landscape of enterprise account compromise. Rather than relying on crudely designed fake websites to steal passwords, attackers are exploiting the OAuth 2.0 device authorization grant flow. This legitimate authentication process, designed to streamline logins for hardware like smart televisions and printers, is being weaponized to grant unauthorized access to Microsoft 365 environments. By directing victims to the official Microsoft portal, attackers successfully circumvent traditional credential harvesting methods and evade many conventional security filters, marking a troubling evolution in identity takeover techniques.
Exploiting Trusted Authentication Flows
The mechanics of these attacks rely on social engineering rather than technical exploits of the platform itself. An attacker initiates the authorization flow by requesting a device code, which is then presented to a victim through a carefully crafted email lure. The victim, believing they are performing a standard verification task for a document or voicemail, enters the code into a genuine Microsoft domain. Once the victim completes their multi-factor authentication, the legitimate platform unwittingly issues a set of access tokens. These tokens belong to the session initiated by the attacker, granting them immediate, persistent entry to the victim’s professional email and cloud storage.
The emergence of EvilTokens, a prominent phishing-as-a-service (PhaaS) platform, has catalyzed the rapid scaling of these attacks across international borders. Available through encrypted messaging channels, this toolkit provides criminals with everything needed to execute highly automated campaigns. It facilitates dynamic code generation, email harvesting, and persistent reconnaissance against targeted organizations. Since its appearance in early 2026, researchers have observed its use in thousands of attacks spanning the United States, Australia, and parts of Europe, proving that professional-grade cybercrime infrastructure is now easily accessible to a wide variety of threat actors.
Barracuda analysts detected more than 7 million device code phishing attacks over a single month period.
Automation Powers Malicious Infrastructure
Sophistication levels in these campaigns have reached new heights through the integration of AI-driven automation. Security teams report that threat actors are no longer using static, manual scripts but are instead deploying dynamic infrastructures that bypass standard security windows. By utilizing cloud-based redirects and serverless hosting platforms, attackers can quickly rotate their malicious infrastructure to avoid detection by automated URL scanners. This persistent adaptability ensures that the phishing campaigns remain live and effective for longer durations, significantly increasing the risk to enterprise networks that rely solely on perimeter-based security solutions.
The target profile for these campaigns is remarkably broad, encompassing government entities, financial services, manufacturing, and non-profit organizations. Attackers conduct extensive reconnaissance phases, often lasting up to two weeks, to verify that their targeted accounts are active before launching the phishing attempt. Once inside a network, the threat actors immediately focus on maintaining persistence and extracting data. Common post-compromise tactics include the creation of malicious inbox rules designed to conceal communications and the use of the Microsoft Graph to map sensitive internal structures for lateral movement.
Persistent Threats After Initial Breach
Defense remains challenging because the attack occurs within the trusted boundaries of the user's own identity provider. Traditional advice, such as checking a website's domain name, proves useless here because the victim is physically interacting with a legitimate login.microsoftonline.com address. Because the authentication process occurs on a separate device from the one requesting access, the session context is effectively decoupled. This leaves organizations struggling to detect when a seemingly routine login has been hijacked, necessitating a shift toward behavioral analytics and more granular access control policies rather than simple credential monitoring.
Stolen access tokens remain valid and functional even after a victim updates their account password.
Historical data from major cybersecurity firms indicates a significant escalation in this threat vector over the past year. Analysts at Barracuda Networks reported detecting millions of these attempts in short, intense bursts, highlighting the sheer volume of traffic these automated toolkits can generate. These attacks represent a transition from individual opportunistic crime to a highly structured, industrial-scale assault on corporate identity platforms. The persistence of these access tokens, which remain functional even after a user changes their password, represents a major headache for incident response teams working to mitigate the fallout of such breaches.
Addressing New Identity Risks
Moving forward, organizations must prioritize comprehensive security training that addresses the specific nuances of modern OAuth-based authorization. Employees must be warned that entering a short code into any interface—regardless of its authenticity—is a high-risk action that can bypass robust security measures like two-factor authentication. While security vendors are updating their threat models to identify the signatures of these PhaaS toolkits, human oversight remains the last line of defense. The era of password-only security is over, and the rise of token-based hijacking demands a more cautious approach to digital identity management across all sectors.
KEY TAKEAWAYS
The EvilTokens phishing-as-a-service kit has been observed targeting over 340 organizations across five countries.
Device code phishing leverages legitimate Microsoft infrastructure to bypass standard two-factor authentication security controls.


