Example of EvilTokens landing page
A once-obscure technique for bypassing multifactor authentication is exploding across the threat landscape, supercharged by AI “vibe coding” and a booming Phishing-as-a-Service (PhaaS) economy.
In the relentless cat-and-mouse game of credential theft, cybercriminals are pivoting away from traditional fake login pages and embracing a stealthier tactic: device code phishing. A new investigation by Proofpoint has detailed how threat actors are abusing the legitimate OAuth 2.0 device authorization grant flow to seamlessly hijack enterprise Microsoft 365 accounts.
“The spike in device code phishing coincides with publicly released criminal toolkits, and the emergence of multiple phishing-as-a-service (PhaaS) offerings,” the report states.
Device code phishing itself isn’t entirely new; red teams and advanced espionage groups occasionally used it between 2020 and 2022. The attacker’s own OAuth client first requests a device code from the identity provider. The victim is then tricked into visiting the authentic microsoft.com/devicelogin portal, signing in as normal (MFA included) and entering the alphanumeric code the attacker supplied. Because the victim has just authorized the attacker’s client, the attacker’s polling client receives access and refresh tokens for the victim’s account with MFA already satisfied; no password is captured and no fake login page is involved.
Historically, this technique had a practical limit: a device code expires 15 minutes after it is issued, so the attacker needed the victim to open the lure and enter the code within that window. Today, however, the criminal underground has engineered around this logistical hurdle.
“The current device code landscape contains a major difference that’s increased the popularity from the original implementations: on-demand code generation,” the Proofpoint report noted. In modern campaigns, the malicious code is generated dynamically the exact moment a user clicks the initial phishing link, ensuring the trap is always primed regardless of when the email is opened.
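To make the timing problem concrete, here is an added simulation of the OAuth 2.0 device authorization grant (RFC 8628) with both sides of the exchange. It is not code from the Proofpoint report or from any toolkit it names; the MockAuthServer stands in for the real endpoints (for Microsoft Entra, `https://login.microsoftonline.com/common/oauth2/v2.0/devicecode` and `.../oauth2/v2.0/token`), and every client ID, user name, code format and token value is made up. The two runs contrast a code pre-generated when the lure is sent with one generated only when the victim clicks.

```python
"""
Added simulation of RFC 8628 (OAuth 2.0 device authorization grant), not Proofpoint's
or any toolkit's code. Shows why a pre-generated code dies after 15 minutes and why
on-demand generation at click time does not. All identifiers and formats are made up.
"""
import secrets
from dataclasses import dataclass
from typing import Optional

CODE_LIFETIME_S = 900          # the 15-minute expires_in the article describes
POLL_INTERVAL_S = 5            # RFC 8628 "interval" hint for the polling client
DEVICE_CODE_GRANT = "urn:ietf:params:oauth:grant-type:device_code"


@dataclass
class Clock:
    now: int = 0

    def advance(self, seconds: int) -> None:
        self.now += seconds


@dataclass
class PendingGrant:
    client_id: str
    scope: str
    issued_at: int
    approved_by: Optional[str] = None


class MockAuthServer:
    """Minimal RFC 8628 server: issues codes, records the user's approval, mints tokens."""

    def __init__(self, clock: Clock):
        self.clock = clock
        self.grants = {}       # device_code -> PendingGrant
        self.user_codes = {}   # user_code  -> device_code

    def _expired(self, g: PendingGrant) -> bool:
        return self.clock.now - g.issued_at > CODE_LIFETIME_S

    def device_authorization(self, client_id: str, scope: str) -> dict:
        """POST /devicecode: called by the (attacker-controlled) OAuth client to obtain a code."""
        device_code = secrets.token_urlsafe(32)
        user_code = secrets.token_hex(4).upper()     # made-up code format, not Microsoft's
        self.grants[device_code] = PendingGrant(client_id, scope, self.clock.now)
        self.user_codes[user_code] = device_code
        return {"device_code": device_code, "user_code": user_code,
                "verification_uri": "https://microsoft.com/devicelogin",
                "expires_in": CODE_LIFETIME_S, "interval": POLL_INTERVAL_S}

    def user_approves(self, user_code: str, upn: str) -> str:
        """The victim, already signed in with MFA, types the code at the verification URI."""
        device_code = self.user_codes.get(user_code)
        if device_code is None:
            return "invalid_code"
        g = self.grants[device_code]
        if self._expired(g):
            return "expired"
        g.approved_by = upn
        return "approved"

    def token(self, client_id: str, device_code: str, grant_type: str = DEVICE_CODE_GRANT) -> dict:
        """POST /token: the client polls until the user approves or the code expires."""
        g = self.grants.get(device_code)
        if grant_type != DEVICE_CODE_GRANT or g is None or g.client_id != client_id:
            return {"error": "invalid_grant"}
        if self._expired(g):
            return {"error": "expired_token"}
        if g.approved_by is None:
            return {"error": "authorization_pending"}
        # Tokens are for the approving user's account; MFA was satisfied in the victim's browser.
        return {"token_type": "Bearer", "access_token": "at-" + secrets.token_hex(8),
                "refresh_token": "rt-" + secrets.token_hex(8), "subject": g.approved_by}


def run_campaign(on_demand: bool, victim_delay_s: int):
    """
    on_demand=False: code requested when the lure is sent (t=0) and embedded in the email.
    on_demand=True : code requested only when the victim clicks (t=victim_delay_s).
    Returns (what the victim sees, the client's final token-endpoint response).
    """
    clock = Clock()
    server = MockAuthServer(clock)
    client_id = "00000000-0000-0000-0000-00000000c1d0"   # made-up client ID
    if not on_demand:
        grant = server.device_authorization(client_id, "openid offline_access")
    clock.advance(victim_delay_s)                          # the victim opens the email later
    if on_demand:
        grant = server.device_authorization(client_id, "openid offline_access")
    victim_result = server.user_approves(grant["user_code"], "victim@example.com")
    clock.advance(POLL_INTERVAL_S)                         # next poll tick
    return victim_result, server.token(client_id, grant["device_code"])


if __name__ == "__main__":
    for on_demand in (False, True):
        seen, tok = run_campaign(on_demand, victim_delay_s=3600)
        print(f"on_demand={on_demand}: victim saw {seen!r}, client got {tok}")
```

With a one-hour delay the pre-generated code yields `expired` for the victim and `expired_token` for the client, while the on-demand code is approved and the client receives a refresh token for the victim's account; nothing in the exchange ever leaves the identity provider's real domain, which is exactly what defeats URL-checking advice.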
The barrier to entry for this sophisticated attack has plummeted thanks to the commercialization of PhaaS platforms like Tycoon 2FA, ODx, and a highly prominent newcomer known as EvilTokens.
First advertised on Telegram in February 2026, EvilTokens provides cybercriminals with everything they need to launch a campaign, from automated business email compromise (BEC) management to generating believable landing pages that impersonate brands like Microsoft, Adobe, and DocuSign.
But what stands out to researchers is how these platforms are being built. “Proofpoint assesses EvilTokens is created and maintained using ‘vibe coding’ AI generation techniques”. This reliance on AI allows attackers to rapidly iterate and spin up nearly identical attack flows at wholesale scale, creating a “phishing free-for-all”.
However, this reliance on AI-generated code has a silver lining. Proofpoint noted that because many of these threat actors are heavily reliant on automated AI tools, they often suffer from poor operational security (OpSec). In some instances, attackers have accidentally exposed their infrastructure or deployed campaigns with completely blank email bodies because they failed to properly configure their automated systems.
The rise of device code phishing, much like the recently popularized “ClickFix” attacks that have users paste a command into a terminal or Run dialog, relies on convincing users to actively enter attacker-supplied content into a trusted window themselves. This fundamental shift in social engineering breaks traditional security advice.
As the Proofpoint report highlights: “Traditional phishing awareness often emphasizes checking URLs for legitimacy. This approach does not effectively address device code phishing, where users are prompted to enter a device code on the trusted Microsoft portal hxxps://microsoft.com/devicelogin”.
To defend against this evolving threat, organizations are urged to move beyond user training. The strongest mitigation is a Conditional Access policy that uses the authentication flows condition to block the device code flow for all users, or that restricts it to known, compliant corporate devices. Roll the policy out in report-only mode first, since some legitimate tools (headless servers and CLI clients on devices without a browser) depend on the device code flow, and remember that blocking the flow does not undo a compromise that has already happened: revoke sessions and review sign-ins for any account that entered an attacker’s code.
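As an added example of that rollout, the following builds the policy body for Microsoft Graph and runs a triage pass over constructed sign-in records so an administrator can see who currently relies on the device code flow before enforcing the block. This is not code from Proofpoint or Microsoft; the field names follow the documented Graph `conditionalAccessPolicy` and `signIn` resources as I know them and should be checked against current documentation, the group ID and all sign-in data are made up, and `policy_would_block` understands only the single device-filter rule the policy itself emits.

```python
"""
Added example (not Proofpoint's or Microsoft's code): (1) a Conditional Access policy body
that blocks the OAuth device code flow, shaped after the Microsoft Graph conditionalAccessPolicy
schema (verify field names against current docs), and (2) a triage of constructed Entra
sign-in records to find users the policy would affect before it is enforced.
"""
import json

# Endpoint the policy body would be POSTed to with an authorized Graph client (not done here).
GRAPH_CA_POLICIES_URL = "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies"
COMPLIANT_RULE = "device.isCompliant -eq True"


def build_block_device_code_policy(exclude_group_ids, carve_out_compliant_devices=True, enforce=False):
    """Return the policy body; report-only unless enforce=True so sign-in impact can be reviewed first."""
    conditions = {
        "users": {"includeUsers": ["All"], "excludeGroups": list(exclude_group_ids)},  # break-glass group(s)
        "applications": {"includeApplications": ["All"]},
        "authenticationFlows": {"transferMethods": "deviceCodeFlow"},  # target only the device code flow
    }
    if carve_out_compliant_devices:
        # Device filter in exclude mode: compliant devices fall outside the policy's scope.
        conditions["devices"] = {"deviceFilter": {"mode": "exclude", "rule": COMPLIANT_RULE}}
    return {
        "displayName": "Block OAuth device code flow",
        "state": "enabled" if enforce else "enabledForReportingButNotEnforced",
        "conditions": conditions,
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }


# Constructed sign-in records using field names from the Graph signIn resource; all values are made up.
SAMPLE_SIGNINS = [
    {"userPrincipalName": "alice@example.com", "ipAddress": "203.0.113.10",
     "appDisplayName": "Microsoft Office", "authenticationProtocol": "deviceCode",
     "deviceDetail": {"isCompliant": False, "operatingSystem": "Linux"}, "status": {"errorCode": 0}},
    {"userPrincipalName": "bob@example.com", "ipAddress": "198.51.100.7",
     "appDisplayName": "Microsoft 365", "authenticationProtocol": "oAuth2",
     "deviceDetail": {"isCompliant": True, "operatingSystem": "Windows"}, "status": {"errorCode": 0}},
    {"userPrincipalName": "svc-build@example.com", "ipAddress": "192.0.2.5",
     "appDisplayName": "Azure CLI", "authenticationProtocol": "deviceCode",
     "deviceDetail": {"isCompliant": True, "operatingSystem": "Windows"}, "status": {"errorCode": 0}},
    {"userPrincipalName": "carol@example.com", "ipAddress": "203.0.113.44",
     "appDisplayName": "Microsoft Office", "authenticationProtocol": "deviceCode",
     "deviceDetail": {"isCompliant": False, "operatingSystem": "Android"},
     "status": {"errorCode": 50126}},   # failed sign-in: no grant was issued
]


def policy_would_block(record, policy):
    """Apply the policy's conditions to one record (group exclusions are not in the record, so skipped)."""
    if record.get("authenticationProtocol") != "deviceCode":
        return False
    dev_filter = policy["conditions"].get("devices", {}).get("deviceFilter")
    if dev_filter and dev_filter["mode"] == "exclude" and dev_filter["rule"] == COMPLIANT_RULE:
        if record.get("deviceDetail", {}).get("isCompliant"):
            return False
    return "block" in policy["grantControls"]["builtInControls"]


def triage_device_code_signins(records, policy):
    """Successful device code sign-ins, each tagged with whether the policy would have blocked it."""
    hits = []
    for r in records:
        if r.get("authenticationProtocol") != "deviceCode" or r.get("status", {}).get("errorCode") != 0:
            continue
        hits.append({"user": r["userPrincipalName"], "ip": r.get("ipAddress"), "app": r.get("appDisplayName"),
                     "compliant": bool(r.get("deviceDetail", {}).get("isCompliant")),
                     "would_be_blocked": policy_would_block(r, policy)})
    return hits


if __name__ == "__main__":
    policy = build_block_device_code_policy(exclude_group_ids=["00000000-0000-0000-0000-000000000001"])
    print(json.dumps(policy, indent=2))
    for hit in triage_device_code_signins(SAMPLE_SIGNINS, policy):
        print(hit)
```

On the sample data the report-only policy would block alice's device code sign-in from an unmanaged Linux host but leave the compliant build machine running Azure CLI alone; dropping the compliant-device carve-out blocks both, which is the trade-off to settle before switching `state` to `enabled`.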