Mon, 6 Jul
34°C

New Delhi

Partly Cloudy
Feels Like
38°C
Humidity
62%
Wind Speed
14 km/h
Visibility
8 km
UV Index
8 (Moderate)
Pressure
1008 hPa
Hourly Forecast
12:00
34°C
20%
13:00
34°C
25%
14:00
33°C
30%
15:00
33°C
35%
16:00
32°C
40%
17:00
32°C
45%
7-Day Forecast
Today
Partly Cloudy
26°C
35°C
Mon
Partly Cloudy
26°C
35°C
Tue
Partly Cloudy
26°C
35°C
Wed
Partly Cloudy
26°C
34°C
Thu
Partly Cloudy
27°C
34°C
Fri
Partly Cloudy
27°C
34°C
Sat
Partly Cloudy
27°C
33°C
Daily News Insights LogoDaily News Insights Logo
BREAKING
Daily News Insights: AI-Powered News Platform — Updated On DemandBreaking coverage from India and the world, synthesized by Gemini 1.5 FlashLive pipeline: Firecrawl extraction • Supabase storage • Upstash caching
Home/Tech

Sneaky Device Code Phishing Campaigns Hijack Microsoft Accounts via Legitimate Flows

DNI
Daily News Insights Editorial Desk
MONDAY, 6 JULY 2026 AT 06:31 PM·4 MIN READ
Sneaky Device Code Phishing Campaigns Hijack Microsoft Accounts via Legitimate Flows
Openverse
IMAGE: DAILY NEWS INSIGHTS / NEWS DATA LABS

DNI SUMMARY — KEY POINTS

  • Cybercriminals are increasingly deploying advanced device code phishing attacks that bypass traditional credential theft by abusing the legitimate OAuth 2.0 authorization flow.
  • The surge in malicious activity has been significantly bolstered by the emergence of EvilTokens, a sophisticated phishing-as-a-service toolkit sold on platforms like Telegram.
  • Victims are tricked into authorizing attacker-controlled sessions on authentic Microsoft login pages, effectively granting hackers full access to sensitive enterprise and organizational data.
  • Security researchers from firms like Microsoft and Proofpoint warn that this method allows attackers to maintain persistence even after users perform password resets.
  • Organizations are urged to implement more robust identity verification measures and educate employees on the dangers of entering unknown device codes into browser prompts.
IN-DEPTH ANALYSIS
TechBusinessScience

Cybersecurity experts have identified a growing wave of sophisticated phishing campaigns that fundamentally alter the landscape of enterprise account compromise. Rather than relying on crudely designed fake websites to steal passwords, attackers are exploiting the OAuth 2.0 device authorization grant flow. This legitimate authentication process, designed to streamline logins for hardware like smart televisions and printers, is being weaponized to grant unauthorized access to Microsoft 365 environments. By directing victims to the official Microsoft portal, attackers successfully circumvent traditional credential harvesting methods and evade many conventional security filters, marking a troubling evolution in identity takeover techniques.

Exploiting Trusted Authentication Flows

The mechanics of these attacks rely on social engineering rather than technical exploits of the platform itself. An attacker initiates the authorization flow by requesting a device code, which is then presented to a victim through a carefully crafted email lure. The victim, believing they are performing a standard verification task for a document or voicemail, enters the code into a genuine Microsoft domain. Once the victim completes their multi-factor authentication, the legitimate platform unwittingly issues a set of access tokens. These tokens belong to the session initiated by the attacker, granting them immediate, persistent entry to the victim’s professional email and cloud storage.

The emergence of EvilTokens, a prominent phishing-as-a-service (PhaaS) platform, has catalyzed the rapid scaling of these attacks across international borders. Available through encrypted messaging channels, this toolkit provides criminals with everything needed to execute highly automated campaigns. It facilitates dynamic code generation, email harvesting, and persistent reconnaissance against targeted organizations. Since its appearance in early 2026, researchers have observed its use in thousands of attacks spanning the United States, Australia, and parts of Europe, proving that professional-grade cybercrime infrastructure is now easily accessible to a wide variety of threat actors.

Barracuda analysts detected more than 7 million device code phishing attacks over a single month period.

Automation Powers Malicious Infrastructure

Sophistication levels in these campaigns have reached new heights through the integration of AI-driven automation. Security teams report that threat actors are no longer using static, manual scripts but are instead deploying dynamic infrastructures that bypass standard security windows. By utilizing cloud-based redirects and serverless hosting platforms, attackers can quickly rotate their malicious infrastructure to avoid detection by automated URL scanners. This persistent adaptability ensures that the phishing campaigns remain live and effective for longer durations, significantly increasing the risk to enterprise networks that rely solely on perimeter-based security solutions.

The target profile for these campaigns is remarkably broad, encompassing government entities, financial services, manufacturing, and non-profit organizations. Attackers conduct extensive reconnaissance phases, often lasting up to two weeks, to verify that their targeted accounts are active before launching the phishing attempt. Once inside a network, the threat actors immediately focus on maintaining persistence and extracting data. Common post-compromise tactics include the creation of malicious inbox rules designed to conceal communications and the use of the Microsoft Graph to map sensitive internal structures for lateral movement.

Persistent Threats After Initial Breach

Defense remains challenging because the attack occurs within the trusted boundaries of the user's own identity provider. Traditional advice, such as checking a website's domain name, proves useless here because the victim is physically interacting with a legitimate login.microsoftonline.com address. Because the authentication process occurs on a separate device from the one requesting access, the session context is effectively decoupled. This leaves organizations struggling to detect when a seemingly routine login has been hijacked, necessitating a shift toward behavioral analytics and more granular access control policies rather than simple credential monitoring.

Stolen access tokens remain valid and functional even after a victim updates their account password.

Historical data from major cybersecurity firms indicates a significant escalation in this threat vector over the past year. Analysts at Barracuda Networks reported detecting millions of these attempts in short, intense bursts, highlighting the sheer volume of traffic these automated toolkits can generate. These attacks represent a transition from individual opportunistic crime to a highly structured, industrial-scale assault on corporate identity platforms. The persistence of these access tokens, which remain functional even after a user changes their password, represents a major headache for incident response teams working to mitigate the fallout of such breaches.

Addressing New Identity Risks

Moving forward, organizations must prioritize comprehensive security training that addresses the specific nuances of modern OAuth-based authorization. Employees must be warned that entering a short code into any interface—regardless of its authenticity—is a high-risk action that can bypass robust security measures like two-factor authentication. While security vendors are updating their threat models to identify the signatures of these PhaaS toolkits, human oversight remains the last line of defense. The era of password-only security is over, and the rise of token-based hijacking demands a more cautious approach to digital identity management across all sectors.

KEY TAKEAWAYS

The EvilTokens phishing-as-a-service kit has been observed targeting over 340 organizations across five countries.

Device code phishing leverages legitimate Microsoft infrastructure to bypass standard two-factor authentication security controls.

How do you feel about this story?

Share This Story

Choose a platform to share this article