According to Microsoft Defender Security Research Team, a widespread phishing campaign has been observed that leverages the Device Code Authentication flow to compromise organisational accounts at scale. The attack stands out from traditional device code abuse by using an AI‑driven infrastructure and automation to generate thousands of dynamic, short‑lived device codes that circumvent the standard 15‑minute expiry window.
The researchers link the operation to EvilToken, a Phishing‑as‑a‑Service toolkit identified as a key driver of large‑scale device code abuse, and note a shift from static scripts to automated back‑end, multi‑stage workflows hosted on platforms such as Railway[.]com, Cloudflare Workers and AWS Lambda.
The campaign also features hyper‑personalized lures and dynamic code generation to keep the authentication flow valid, followed by post‑compromise activity including token exfiltration, inbox rules and Graph reconnaissance. Mitigations include blocking device code flow where possible, user education on phishing, and safeguards like Safe Links, MFA where feasible, and token revocation if device code phishing is suspected.
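Two of the mitigations above, reviewing device code sign-ins for revocation and blocking the flow outright, can be worked through in code. The example below is added here and is not from the Microsoft report or any vendor tool; the sign-in records are constructed, the field names (`authenticationProtocol`, `errorCode`) and the Conditional Access policy shape (`authenticationFlows.transferMethods`) are assumptions to confirm against your tenant's log schema and the Graph documentation.

```python
from datetime import datetime, timedelta

# Constructed sample records (not real tenant data) in the shape of Entra ID
# sign-in log entries; authenticationProtocol is "deviceCode" when the sign-in
# completed the device authorization grant. Field names are assumptions.
SIGNIN_LOGS = [
    {"createdDateTime": "2025-03-01T09:00:10Z", "userPrincipalName": "alice@example.com",
     "authenticationProtocol": "deviceCode", "ipAddress": "203.0.113.10", "errorCode": 0},
    {"createdDateTime": "2025-03-01T09:03:42Z", "userPrincipalName": "bob@example.com",
     "authenticationProtocol": "deviceCode", "ipAddress": "203.0.113.11", "errorCode": 0},
    {"createdDateTime": "2025-03-01T09:04:05Z", "userPrincipalName": "carol@example.com",
     "authenticationProtocol": "none", "ipAddress": "198.51.100.5", "errorCode": 0},
    {"createdDateTime": "2025-03-01T09:07:30Z", "userPrincipalName": "dave@example.com",
     "authenticationProtocol": "deviceCode", "ipAddress": "203.0.113.12", "errorCode": 50126},
]

def _ts(record):
    return datetime.strptime(record["createdDateTime"], "%Y-%m-%dT%H:%M:%SZ")

def device_code_signins(logs):
    """Successful sign-ins that completed the device code flow, oldest first.
    Each is a session whose refresh token should be reviewed and, if the user
    did not knowingly authorize a device, revoked."""
    hits = [r for r in logs
            if r["authenticationProtocol"] == "deviceCode" and r["errorCode"] == 0]
    return sorted(hits, key=_ts)

def busiest_window(hits, window_minutes=15):
    """Largest set of distinct users completing device code sign-ins inside one
    sliding window of the code's expiry length (bulk-phishing pattern)."""
    best = set()
    for i, start in enumerate(hits):
        users = {r["userPrincipalName"] for r in hits[i:]
                 if _ts(r) - _ts(start) <= timedelta(minutes=window_minutes)}
        if len(users) > len(best):
            best = users
    return best

def block_device_code_policy(name="Block device code flow"):
    """Conditional Access policy body blocking the device code flow for all users
    and apps; schema shape (authenticationFlows.transferMethods) is assumed."""
    return {
        "displayName": name,
        "state": "enabled",
        "conditions": {
            "users": {"includeUsers": ["All"]},
            "applications": {"includeApplications": ["All"]},
            "authenticationFlows": {"transferMethods": "deviceCodeFlow"},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }
```

Test the policy in report-only mode first, since some legitimate CLI and headless-device workflows depend on the device code flow.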