When Your MFA Becomes Their Backdoor: Inside the AI-Enabled Device Code Phishing Campaign
If you believe multi-factor authentication (MFA) makes your Microsoft 365 accounts unphishable, the latest campaign reported by Microsoft Defender Security Research should worry you.
Since mid-March 2026, threat actors have been compromising hundreds of organisations daily using a technique that steals no password, satisfies MFA rather than breaking it, and slips past most of the authentication controls organisations assume they have. The kicker? They're using artificial intelligence to scale it.
What Microsoft Found
Microsoft's security team has observed 10 to 15 distinct phishing campaigns launching every 24 hours, each targeting hundreds of organisations with unique, AI-generated payloads designed to evade pattern-based detection.
"We continue to observe high-volume activity, with hundreds of compromises occurring daily across affected environments," Microsoft's VP of Security Research Tanmay Ganacharya told The Register. "Each campaign is distributed at scale, targeting hundreds of organizations with highly varied and unique payloads, making pattern-based detection more challenging."
The attackers have targeted organisations across all sectors globally, with post-compromise activity showing a consistent focus on finance-related personas — automated email exfiltration from financial accounts is now standard operating procedure.
The Attack: How Device Code Phishing Works
The Legitimate Flow
Device code authentication is a real OAuth 2.0 flow (the Device Authorization Grant, RFC 8628) designed for devices with limited input capability such as smart TVs, printers and IoT devices. The device requests a code pair from Microsoft, shows the user a short user code, and then polls the token endpoint in the background. The user opens a browser on another device, enters the code at microsoft.com/devicelogin, completes authentication including MFA, and the polling device receives the tokens.
The problem? Authentication completes on a separate device, decoupled from the client that requested the code. The tokens are issued to whichever client holds the matching device code and is polling for them, not to the browser the user signed in from. That decoupling is exactly what a smart TV needs, and it is exactly what an attacker abuses.
The Attack Flow
Phase 1: Reconnaissance (10-15 days before attack)
- Threat actors verify whether targeted email accounts exist and are active
- They use the GetCredentialType endpoint to confirm account validity
- This reconnaissance is unauthenticated, so it produces no failed sign-in for the target and typically triggers no alert
Phase 2: AI-Generated Lures
- Generative AI creates hyper-personalised phishing emails
- Themes include RFPs, invoices, manufacturing workflows, document access requests, electronic signing prompts, voicemail notifications
- Each email is tailored to the victim's role and industry
- The lures are designed to bypass email gateways and endpoint security
Phase 3: Browser-in-the-Browser Trap
- The phishing page uses a "browser-in-the-browser" technique — a fake browser window inside a web page
- Alternatively, it appears as a web-hosted document preview with a blurred view
- A "Verify identity" button and device code are displayed
- The code is often automatically copied to the user's clipboard
- The page uses compromised legitimate domains and serverless platforms to evade URL scanners
Phase 4: Dynamic Code Generation
- The kit requests the device code from Microsoft only at the moment the user clicks
- A code baked into the email at send time would have expired before most victims acted; minting it on click keeps it inside the 15-minute validity window
- The user enters the code on the legitimate Microsoft device login page
- They unknowingly authorise the attacker's session — not their own
Phase 5: Silent Authentication
- The attacker's client, which has been polling the token endpoint, receives valid access and refresh tokens
- No password was stolen
- No MFA code was intercepted
- The user legitimately authenticated — just to the wrong session
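The five phases above are easier to reason about with the grant itself in front of you. The following is an added example, not code from the original article and not Microsoft's implementation: a simplified in-memory model of the RFC 8628 Device Authorization Grant with a fake clock, so you can see why the tokens go to the client that requested the code (the attacker's kit) rather than to the browser the victim signed in from, and why minting the code at click time matters for the 15-minute expiry. The lifetimes, endpoint names and error strings are taken from the RFC; the victim, client and scope names are constructed.

```python
import secrets
import string
import time

# Simplified model of the OAuth 2.0 Device Authorization Grant (RFC 8628).
# Constructed illustration of the flow described above, not Microsoft's code;
# lifetimes and error strings follow the RFC, not any vendor's implementation.
DEVICE_CODE_LIFETIME = 900    # 15 minutes: the window the lure has to work within
ACCESS_TOKEN_LIFETIME = 3600


class DeviceAuthServer:
    """Toy authorization server keeping pending device authorizations in memory."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.pending = {}        # device_code -> request record
        self.by_user_code = {}   # user_code   -> device_code

    def device_authorization(self, client_id, scope):
        """Step 1 (the client: the attacker's kit, or your printer): request a
        code pair. device_code is secret and is never shown to the user."""
        device_code = secrets.token_urlsafe(32)
        alphabet = string.ascii_uppercase + string.digits
        user_code = "".join(secrets.choice(alphabet) for _ in range(9))
        self.pending[device_code] = {
            "client_id": client_id, "scope": scope, "approved_by": None,
            "expires_at": self.clock() + DEVICE_CODE_LIFETIME,
        }
        self.by_user_code[user_code] = device_code
        return {"device_code": device_code, "user_code": user_code,
                "verification_uri": "https://login.example.test/devicelogin",
                "expires_in": DEVICE_CODE_LIFETIME, "interval": 5}

    def user_approves(self, user_code, username, mfa_ok):
        """Step 2 (the user, on the genuine login page): type the user_code and
        satisfy MFA. Nothing binds this approval to the device the user is on."""
        device_code = self.by_user_code.get(user_code)
        rec = self.pending.get(device_code)
        if rec is None or self.clock() > rec["expires_at"]:
            return "expired_or_unknown_code"
        if not mfa_ok:
            return "mfa_failed"
        rec["approved_by"] = username
        return "approved"

    def token(self, client_id, device_code):
        """Step 3: whoever holds device_code polls here; once approved, the
        tokens are issued to that client, never to the user's browser."""
        rec = self.pending.get(device_code)
        if rec is None or rec["client_id"] != client_id:
            return {"error": "invalid_grant"}
        if self.clock() > rec["expires_at"]:
            del self.pending[device_code]
            return {"error": "expired_token"}
        if rec["approved_by"] is None:
            return {"error": "authorization_pending"}
        del self.pending[device_code]
        return {"access_token": "at-" + secrets.token_hex(8),
                "refresh_token": "rt-" + secrets.token_hex(8),
                "subject": rec["approved_by"], "scope": rec["scope"],
                "expires_in": ACCESS_TOKEN_LIFETIME}


def run_flow(seconds_until_user_enters, mfa_ok=True):
    """Walk the phishing scenario with a fake clock: the kit mints the code,
    polls once too early, then the victim acts after the given delay."""
    now = [1_700_000_000.0]
    srv = DeviceAuthServer(clock=lambda: now[0])
    grant = srv.device_authorization("attacker-kit", "Mail.ReadWrite offline_access")
    early = srv.token("attacker-kit", grant["device_code"])
    now[0] += seconds_until_user_enters
    approval = srv.user_approves(grant["user_code"], "finance.user@example.test", mfa_ok)
    final = srv.token("attacker-kit", grant["device_code"])
    return {"early": early.get("error"), "approval": approval, "final": final}


if __name__ == "__main__":
    # Code minted at click time: the victim enters it 30 s later, the kit gets tokens.
    print(run_flow(30))
    # Code minted when the lure was built: the victim acts 16 minutes later, nothing is issued.
    print(run_flow(16 * 60))
```

Note what the model makes explicit: the victim's browser never touches `device_code`, the approval step records only who approved, and `token()` hands the result to whichever client presents the matching `device_code`. Microsoft's real server adds a confirmation screen naming the requesting application, which is the one cue the victim has that the session is not theirs.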
The Scale: EvilTokens Phishing-as-a-Service
This isn't a single threat actor. This is a Phishing-as-a-Service (PhaaS) operation called EvilTokens, discovered by Sekoia's Threat Detection & Research team in March 2026.
What EvilTokens Provides
| Feature | Impact |
|---|---|
| Turnkey phishing kit | Anyone can launch campaigns with minimal technical skill |
| AI-powered automation | Dynamic infrastructure, personalised lures, automated post-compromise |
| Email harvesting | Automated extraction of entire email inboxes |
| Built-in webmail interface | Attackers browse compromised accounts like webmail |
| Reconnaissance tools | Microsoft Graph mapping of organisational structure |
| Access weaponisation | Automated creation of malicious inbox rules for persistence |
| Telegram bot operations | Fully featured bots for campaign management |
| BEC automation | AI-powered business email compromise task automation |
Rapid Adoption
EvilTokens went on sale in mid-February 2026 and was rapidly adopted by cybercriminals specialising in Adversary-in-the-Middle (AiTM) phishing and Business Email Compromise (BEC).
Sekoia analysts assess with high confidence that this kit will become a serious competitor in the phishing and BEC landscape given its rapid adoption, advanced capabilities, and continuous improvement.
Future Expansion
The EvilTokens operator has already announced plans to extend support to:
- Gmail phishing pages
- Okta phishing pages
If that happens, the same technique will be turned against Google Workspace and Okta customers too.
Why Traditional Defences Fail
| Defence | Why It Fails |
|---|---|
| Multi-factor authentication (MFA) | MFA is satisfied, not broken: the user completes the MFA prompt for the attacker's session, so nothing looks anomalous to the MFA provider. |
| Password changes | The attacker holds tokens, not the password. Access tokens already issued stay valid until they expire, and refresh tokens should be revoked explicitly (revoke the user's sign-in sessions) rather than assumed dead after a password reset. |
| Email security gateways | AI-generated lures are unique. Pattern-based detection fails. |
| URL scanners | Compromised legitimate domains and serverless platforms evade reputation checks. |
| Endpoint security | No malware runs on the endpoint. The victim visits a web page and then the genuine Microsoft login page, so EDR has nothing to detect. |
| Security awareness training | The user is entering a code on the legitimate Microsoft website. |
The fundamental problem: This attack doesn't exploit a vulnerability. It exploits a feature.
Device code authentication is a legitimate OAuth flow. The user is doing exactly what the system asks them to do. The only difference is that the code was generated by an attacker, not their smart TV.
Why Mid-Market IT Teams Are Especially at Risk
1. The "MFA = Safe" Assumption
Most mid-market organisations implemented MFA and stopped there. They assume MFA blocks 99.9% of attacks. This campaign proves that's dangerously wrong.
2. Lack of Token Monitoring
Microsoft 365 tokens are invisible to most IT teams. There is no token inventory to browse, and although the Entra sign-in logs record which flow issued each session, few teams query them. Most organisations don't know which tokens are active, where they're being used from, or whether they're legitimate.
3. Limited Entra ID Expertise
Configuring conditional access policies, restricting device code flows, and monitoring token usage requires Entra ID Premium licensing and expertise that many mid-market teams don't have.
4. Finance Team Exposure
The campaign specifically targets finance personas. In mid-market organisations, finance teams often have privileged access to banking, payroll, and vendor payment systems — making them high-value targets.
What You Can Do Right Now
Immediate Actions (This Week)
1. Restrict Device Code Authentication
- In the Entra admin center, create a Conditional Access policy that uses the Authentication flows condition (Device code flow) with the grant control set to Block, scoped to all users and all cloud apps
- Most organisations don't have smart TVs or printers authenticating to Microsoft 365
- If you do need it, exclude only the specific service accounts that use it, or a named trusted location, and review those exclusions regularly
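Once the policy exists, the question becomes whether it actually covers everyone. The following is an added example, not the article's or Microsoft's code: a policy body for blocking device code flow and an audit function that reads a list of exported Conditional Access policies and reports whether device code flow is blocked tenant-wide, which policies are only in report-only mode, and every user, group or role exclusion an attacker could still aim a lure at. Field names follow the Microsoft Graph conditionalAccessPolicy resource as I understand it (conditions.users, conditions.applications, conditions.authenticationFlows.transferMethods, grantControls.builtInControls); the sample export and the break-glass group placeholder are constructed, so verify the names against an export from your own tenant before relying on the result.

```python
# Audit helper for exported Conditional Access policies. Added example, not
# the page's or Microsoft's code. Field names follow the Microsoft Graph
# conditionalAccessPolicy resource as I understand it; check them against an
# export from your own tenant before relying on the result.

BLOCK_DEVICE_CODE_POLICY = {
    "displayName": "Block device code flow",
    "state": "enabled",
    "conditions": {
        "users": {"includeUsers": ["All"], "excludeUsers": [],
                  "excludeGroups": ["<break-glass-group-id>"], "excludeRoles": []},
        "applications": {"includeApplications": ["All"]},
        "authenticationFlows": {"transferMethods": "deviceCodeFlow"},
    },
    "grantControls": {"operator": "OR", "builtInControls": ["block"]},
}

# Constructed sample export: a disabled legacy policy, a report-only pilot and
# the enforced blocking policy above.
SAMPLE_EXPORT = [
    {"displayName": "Legacy device code block", "state": "disabled",
     "conditions": {"users": {"includeUsers": ["All"]},
                    "applications": {"includeApplications": ["All"]},
                    "authenticationFlows": {"transferMethods": "deviceCodeFlow,authenticationTransfer"}},
     "grantControls": {"operator": "OR", "builtInControls": ["block"]}},
    {"displayName": "Pilot: block device code (report-only)",
     "state": "enabledForReportingButNotEnforced",
     "conditions": {"users": {"includeUsers": ["All"]},
                    "applications": {"includeApplications": ["All"]},
                    "authenticationFlows": {"transferMethods": "deviceCodeFlow"}},
     "grantControls": {"operator": "OR", "builtInControls": ["block"]}},
    BLOCK_DEVICE_CODE_POLICY,
]


def _transfer_methods(policy):
    flows = (policy.get("conditions") or {}).get("authenticationFlows") or {}
    raw = flows.get("transferMethods") or ""     # comma-separated flags string
    return {m.strip() for m in raw.split(",") if m.strip()}


def _blocks(policy):
    gc = policy.get("grantControls") or {}
    return "block" in (gc.get("builtInControls") or [])


def device_code_coverage(policies):
    """Report whether device code flow is blocked for all users and all apps,
    which enabled policies do it, which only report on it, and every carve-out
    from the enforced policies that an attacker could still target."""
    blocking, report_only, exclusions = [], [], set()
    for p in policies:
        if "deviceCodeFlow" not in _transfer_methods(p) or not _blocks(p):
            continue
        cond = p.get("conditions") or {}
        users = cond.get("users") or {}
        apps = cond.get("applications") or {}
        tenant_wide = (users.get("includeUsers") == ["All"]
                       and apps.get("includeApplications") == ["All"])
        if p.get("state") == "enabledForReportingButNotEnforced":
            report_only.append(p["displayName"])
        elif p.get("state") == "enabled" and tenant_wide:
            blocking.append(p["displayName"])
            for key in ("excludeUsers", "excludeGroups", "excludeRoles"):
                exclusions.update(f"{key}:{x}" for x in users.get(key) or [])
    return {"blocked_for_all": bool(blocking), "policies": blocking,
            "report_only": report_only, "exclusions": sorted(exclusions)}


if __name__ == "__main__":
    import json
    print(json.dumps(device_code_coverage(SAMPLE_EXPORT), indent=2))
```

Run it against the JSON you get from the Graph `identity/conditionalAccess/policies` endpoint (or the equivalent Microsoft Graph PowerShell export). Every entry under `exclusions` is an account or group that can still complete a device code sign-in, so each one needs a written justification; a tenant whose only match sits in `report_only` has not actually closed the door.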
2. Review Active Sign-Ins
- In the Entra admin center sign-in logs, filter on Authentication Protocol = Device Code (the Graph signIn field is authenticationProtocol)
- Look for successful device code sign-ins from unusual locations, unfamiliar IP ranges, or at unusual times
- Treat any device code sign-in by a human user account as suspicious until explained, since people rarely use that flow deliberately
3. Audit Inbox Rules
- Check for suspicious inbox rules in finance and executive mailboxes
- Look for rules that forward emails to external addresses
- Look for rules that automatically delete emails from specific senders
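Both reviews above (sign-ins and inbox rules) come down to the same kind of triage over exported records, so here is one added example covering both; it is not code from the article. The records are constructed samples in the shape of the Graph signIn and messageRule resources (authenticationProtocol, ipAddress, status.errorCode, actions.forwardTo, actions.delete); the "mailbox" key on each rule is my addition, because Graph returns rules per user rather than tenant-wide. The corporate IP range, working-hours window and internal domain are assumptions you would replace with your own. Verify the field names against your export before using it.

```python
import ipaddress
from datetime import datetime

# Triage helpers for the two reviews above. Added example, not the page's code.
# Records are constructed samples in the shape of the Graph signIn and
# messageRule resources; the "mailbox" key on each rule is mine, since Graph
# returns rules per user. Verify field names against your own export.

SIGN_INS = [
    {"createdDateTime": "2026-03-18T02:14:09Z", "userPrincipalName": "ap.clerk@example.test",
     "authenticationProtocol": "deviceCode", "ipAddress": "203.0.113.45",
     "appDisplayName": "Microsoft Office", "status": {"errorCode": 0}},
    {"createdDateTime": "2026-03-18T09:01:33Z", "userPrincipalName": "ap.clerk@example.test",
     "authenticationProtocol": "oAuth2", "ipAddress": "198.51.100.10",
     "appDisplayName": "Outlook", "status": {"errorCode": 0}},
    {"createdDateTime": "2026-03-18T10:22:51Z", "userPrincipalName": "printer-svc@example.test",
     "authenticationProtocol": "deviceCode", "ipAddress": "198.51.100.200",
     "appDisplayName": "Printer scan-to-mail", "status": {"errorCode": 0}},
    {"createdDateTime": "2026-03-18T02:15:40Z", "userPrincipalName": "ap.clerk@example.test",
     "authenticationProtocol": "deviceCode", "ipAddress": "203.0.113.45",
     "appDisplayName": "Microsoft Office", "status": {"errorCode": 50126}},   # failed, no token issued
]
CORPORATE_RANGES = [ipaddress.ip_network("198.51.100.0/24")]   # assumed: where your printers live
INTERNAL_DOMAINS = {"example.test"}                            # assumed internal mail domain

RULES = [
    {"mailbox": "ap.clerk@example.test", "displayName": ".", "isEnabled": True,
     "conditions": {"senderContains": ["bank", "remittance"]},
     "actions": {"forwardTo": [{"emailAddress": {"address": "collector@attacker.example"}}],
                 "delete": True, "markAsRead": True}},
    {"mailbox": "cfo@example.test", "displayName": "Newsletters", "isEnabled": True,
     "conditions": {"subjectContains": ["newsletter"]},
     "actions": {"moveToFolder": "Archive"}},
    {"mailbox": "cfo@example.test", "displayName": "Old forward", "isEnabled": False,
     "actions": {"redirectTo": [{"emailAddress": {"address": "me@attacker.example"}}]}},
]


def suspicious_device_code_signins(sign_ins, allowed_ranges, work_hours=(7, 19)):
    """Successful device code sign-ins from outside the ranges where you expect
    that flow, flagged additionally when they land outside working hours (UTC)."""
    hits = []
    for s in sign_ins:
        if s.get("authenticationProtocol") != "deviceCode":
            continue
        if (s.get("status") or {}).get("errorCode", 0) != 0:
            continue                                  # no token was issued
        ip = ipaddress.ip_address(s["ipAddress"])
        if any(ip in net for net in allowed_ranges):
            continue
        when = datetime.fromisoformat(s["createdDateTime"].replace("Z", "+00:00"))
        hits.append({"user": s["userPrincipalName"], "ip": s["ipAddress"],
                     "app": s.get("appDisplayName"), "time": s["createdDateTime"],
                     "off_hours": not work_hours[0] <= when.hour < work_hours[1]})
    return hits


def suspicious_inbox_rules(rules, internal_domains):
    """Enabled rules that forward or redirect outside the organisation, delete
    matching mail, or carry the near-empty names attackers use to hide them."""
    findings = []
    for r in rules:
        if not r.get("isEnabled", True):
            continue
        a = r.get("actions") or {}
        targets = [x["emailAddress"]["address"]
                   for key in ("forwardTo", "redirectTo", "forwardAsAttachmentTo")
                   for x in a.get(key) or []]
        external = [t for t in targets if t.rsplit("@", 1)[-1].lower() not in internal_domains]
        reasons = []
        if external:
            reasons.append("forwards externally to " + ", ".join(external))
        if a.get("delete"):
            reasons.append("deletes matching mail")
        if len(r.get("displayName", "").strip(" .")) <= 1:
            reasons.append("near-empty rule name")
        if reasons:
            findings.append({"mailbox": r["mailbox"], "rule": r.get("displayName", ""),
                             "reasons": reasons})
    return findings


if __name__ == "__main__":
    for h in suspicious_device_code_signins(SIGN_INS, CORPORATE_RANGES):
        print("device code sign-in:", h)
    for f in suspicious_inbox_rules(RULES, INTERNAL_DOMAINS):
        print("inbox rule:", f)
```

On the sample data the printer's device code sign-in is ignored because it comes from the expected range, the failed attempt is ignored because no token was issued, and the one remaining hit (a finance clerk, at 02:14 UTC, from an unknown address, via a device code) is exactly the pairing of events the campaign produces. The inbox rule finder flags the clerk's single-character rule that forwards banking mail off-domain and deletes it, which is the persistence step the EvilTokens kit automates.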
Short-Term Actions (This Month)
4. Implement Conditional Access
- Require compliant devices for sign-in
- Block sign-ins from high-risk locations
- Require MFA registration from trusted locations only
- Implement sign-in risk policies
5. Reduce Token Lifetimes
- Shorten access token lifetimes to limit the window in which a stolen access token stays usable
- Implement continuous access evaluation (CAE) so that session revocation and Conditional Access changes are enforced in near real time rather than at the next token refresh
- Enable strict location enforcement in Conditional Access so that a token presented from outside your named locations is rejected rather than tolerated until it expires
6. Enable Advanced Monitoring
- Turn on Entra ID Identity Protection (requires P2 license)
- Monitor for impossible travel scenarios
- Set up alerts for suspicious sign-in patterns
Strategic Actions (This Quarter)
7. Implement Zero Standing Privileges
- Eliminate persistent admin access
- Just-in-time access for privileged operations
- Regular access reviews for all accounts
8. Security Awareness Refresher
- Train users on device code authentication
- Emphasise: "If you didn't initiate a sign-in on another device, don't enter a code"
- Make reporting suspicious authentication attempts easy
9. Assess Phishing Resilience
- Conduct regular phishing simulations that include device code scenarios
- Test your email gateway against AI-generated lures
- Review your incident response plan for token-based compromise
The Bottom Line
This campaign represents a fundamental shift in the phishing landscape:
- AI enables scale — personalised lures at volume, unique infrastructure per campaign
- MFA is bypassed — not broken, but circumvented through legitimate authentication flows
- Tokens are the new credentials — and they're harder to detect and revoke than passwords
- PhaaS commoditises attacks — sophisticated campaigns now available to any criminal with a subscription
For mid-market IT teams, the message is clear: MFA alone is no longer enough. You need visibility into token usage, conditional access policies that restrict authentication flows, and monitoring that catches anomalous sign-in patterns — not just failed password attempts.
The organisations that survive this threat won't be the ones with the most expensive security tools. They'll be the ones who understand that identity security now means managing tokens, sessions, and authentication flows — not just passwords.
Take the Next Step
Concerned about device code phishing in your Microsoft 365 environment? DMC offers a complimentary Identity Security Assessment for mid-market organisations. We'll help you:
- Audit your Entra ID configuration for device code flow exposure
- Review active tokens and sign-in patterns
- Assess your conditional access policies
- Build a roadmap to reduce your identity attack surface
[Schedule Your Free Identity Security Assessment →]