Device Code Phishing: AI-Driven Campaign Escalates
Summary
Microsoft Defender Security Research detailed a large-scale phishing campaign that abuses the OAuth device code flow using AI-generated lures, dynamic code generation, and automated backend infrastructure. The campaign raises the risk for organizations because it improves attacker success rates, bypasses traditional detection patterns, and enables token theft, inbox rule persistence, and Microsoft Graph reconnaissance.
Introduction
Microsoft has disclosed a major evolution in device code phishing, showing how attackers are combining generative AI, automation, and cloud-hosted infrastructure to compromise Microsoft accounts at scale. For security teams and Microsoft 365 administrators, this matters because the campaign targets legitimate authentication flows rather than stealing passwords directly, making it harder to detect with traditional controls.
What’s new in this campaign
According to Microsoft Defender Security Research, the activity builds on earlier device code phishing tradecraft but adds several important advances:
- AI-enabled phishing lures: Attackers used generative AI to create highly personalized emails tied to job roles and business scenarios such as invoices, RFPs, and manufacturing workflows.
- Dynamic device code generation: Device codes expire after roughly 15 minutes, so codes pre-generated when the email was sent often went stale before the victim acted. In this campaign the code is requested only when the user clicks the phishing link, so the victim always lands on a live code.
- Automated cloud infrastructure: Threat actors used platforms such as Railway, Vercel, Cloudflare Workers, and AWS Lambda to deploy short-lived infrastructure and redirect chains.
- Blended-in traffic: Redirects through trusted cloud services help the activity avoid simple blocklists and reputation-based defenses.
- Post-compromise token abuse: Once a victim completes the device login flow, attackers use the token for email exfiltration, inbox rule creation, and Microsoft Graph reconnaissance.
Why this is different
Traditional phishing tries to capture credentials on a fake login page. Here the attacker starts a legitimate Microsoft device code sign-in and tricks the user into entering the code and approving the session. Because the user signs in, and completes MFA, on Microsoft's genuine device login page, nothing looks fake, and MFA is satisfied on the attacker's behalf: the resulting tokens are issued to the attacker's client, which started the flow and is polling for them, not to the victim's browser.
Microsoft also links this trend to EvilToken, a phishing-as-a-service toolkit driving broader device code abuse. The use of automation and AI marks a significant step up from the Storm-2372 campaign documented in 2025.
Impact on IT administrators
Security and identity teams should expect:
- More convincing phishing emails targeting high-value users
- Increased abuse of legitimate OAuth and Microsoft sign-in flows
- Token-based compromise without password theft
- Persistence through malicious inbox rules and hidden mail redirection
- Reconnaissance against organizational structure via Microsoft Graph
Recommended actions
Administrators should review Microsoft’s mitigation guidance and prioritize:
- Monitoring for suspicious device code authentication activity
- Investigating unexpected inbox rules and token-based access patterns
- Hardening Conditional Access and sign-in risk policies, including blocking the device code flow for users and applications that do not need it (Conditional Access has an authentication flows condition for this)
- Training users to treat any unsolicited request to enter a code on a Microsoft device login page as suspicious
- Hunting for suspicious redirects, impersonation domains, and cloud-hosted phishing infrastructure
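As an added illustration of the first two actions above (this is example code, not from Microsoft's report or any Microsoft tooling), the following Python script correlates device code sign-ins with inbox rules that forward, redirect or delete mail. The input records are constructed samples shaped like Entra ID sign-in log entries and Exchange Online audit-log entries; the simplified field names, the sample data and the 24-hour correlation window are assumptions of this example.

```python
"""Correlate device-code sign-ins with risky inbox rules.

Added example: the records below are constructed samples shaped like
Entra ID sign-in log entries and Exchange Online audit-log entries, not
real exports. Field names are simplified assumptions of this example.
"""
from datetime import datetime, timedelta

# Constructed sign-in events. In Entra ID sign-in logs the relevant field is
# AuthenticationProtocol, which is "deviceCode" for the device code flow.
SIGNIN_LOGS = [
    {"time": "2025-06-03T09:12:41Z", "user": "alice@example.com",
     "app": "Microsoft Office", "protocol": "deviceCode", "ip": "203.0.113.10"},
    {"time": "2025-06-03T09:15:02Z", "user": "bob@example.com",
     "app": "Microsoft Teams", "protocol": "authorizationCode", "ip": "198.51.100.7"},
    {"time": "2025-06-03T11:40:19Z", "user": "carol@example.com",
     "app": "Microsoft Azure CLI", "protocol": "deviceCode", "ip": "192.0.2.55"},
    {"time": "2025-06-01T08:00:00Z", "user": "dave@example.com",
     "app": "Microsoft Office", "protocol": "deviceCode", "ip": "203.0.113.10"},
]

# Constructed Exchange Online audit events for inbox-rule operations.
AUDIT_LOGS = [
    {"time": "2025-06-03T09:31:10Z", "user": "alice@example.com",
     "operation": "New-InboxRule",
     "parameters": {"Name": ".", "ForwardTo": "archive@example.net",
                    "DeleteMessage": "True"}},
    {"time": "2025-06-03T12:02:33Z", "user": "carol@example.com",
     "operation": "New-InboxRule",
     "parameters": {"Name": "Newsletters", "MoveToFolder": "Newsletters"}},
    {"time": "2025-06-03T10:05:00Z", "user": "dave@example.com",
     "operation": "Set-InboxRule",
     "parameters": {"Name": "Invoices", "RedirectTo": "ext@example.org"}},
]

# Rule parameters that move mail out of the victim's sight or off-tenant.
RISKY_RULE_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo",
                     "DeleteMessage", "SoftDeleteMessage"}


def parse_time(value):
    """Parse the UTC timestamps used in the sample records."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def device_code_signins(signins):
    """Return sign-ins that used the device code flow."""
    return [e for e in signins if e["protocol"] == "deviceCode"]


def risky_inbox_rules(audits):
    """Return inbox-rule operations whose parameters forward, redirect or delete mail."""
    findings = []
    for e in audits:
        if e["operation"] not in ("New-InboxRule", "Set-InboxRule"):
            continue
        hits = sorted(RISKY_RULE_PARAMS & set(e["parameters"]))
        if hits:
            findings.append({**e, "risky_params": hits})
    return findings


def correlate(signins, audits, window=timedelta(hours=24)):
    """Pair each risky rule with a device-code sign-in by the same user that
    happened within `window` before the rule was created or changed."""
    by_user = {}
    for e in device_code_signins(signins):
        by_user.setdefault(e["user"], []).append(e)
    alerts = []
    for rule in risky_inbox_rules(audits):
        rule_time = parse_time(rule["time"])
        for signin in by_user.get(rule["user"], []):
            delta = rule_time - parse_time(signin["time"])
            if timedelta(0) <= delta <= window:
                alerts.append({
                    "user": rule["user"],
                    "signin_time": signin["time"],
                    "signin_ip": signin["ip"],
                    "rule_time": rule["time"],
                    "rule_name": rule["parameters"].get("Name"),
                    "risky_params": rule["risky_params"],
                })
    return alerts


if __name__ == "__main__":
    for alert in correlate(SIGNIN_LOGS, AUDIT_LOGS):
        print(alert)
```

With the sample data, only alice is flagged: a device code sign-in followed 18 minutes later by a rule that forwards mail externally and deletes it. Carol's device code sign-in (a plausible Azure CLI use) and her benign move-to-folder rule produce nothing, and dave's redirect rule falls outside the window. In Microsoft Sentinel the same logic maps onto the SigninLogs table (AuthenticationProtocol column) and the OfficeActivity table (Operation and Parameters columns); the correlation is a triage aid, not proof of compromise, so each hit still needs the sign-in's IP, client app and location reviewed against what the user normally does.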
This research is a reminder that phishing defenses must now account for legitimate authentication workflows being abused, not just fake login pages and stolen passwords.