Attack chain overview | Image: Microsoft
Microsoft Defender Security Research has uncovered a sophisticated, wide-scale phishing campaign that abuses the OAuth device code authentication flow to take over organizational accounts. Unlike earlier attempts, this campaign is built on a Phishing-as-a-Service (PhaaS) toolkit known as EvilToken and leans heavily on automation and generative AI to get past conventional security defenses.
The attack marks a “significant escalation in threat actor sophistication” compared to similar campaigns observed just a year ago.
Device code authentication is a legitimate OAuth 2.0 mechanism (the device authorization grant, RFC 8628) intended for devices with limited input capabilities, such as smart TVs. The device requests a short user code from the identity provider, the user enters that code into a browser on a separate device and signs in there, and the identity provider then issues tokens to the device that originally requested the code.
However, because the flow deliberately separates the client that requested the code from the session in which the user authenticates, threat actors can “bypass more traditional MFA protections”. MFA is not defeated as such: the victim completes it on the genuine Microsoft sign-in page. Instead, “the threat actor initiates the flow and provides the user with a code through a phishing lure”, so the attacker's client is the one waiting for the tokens. When the victim enters that code on the legitimate Microsoft site, they unknowingly authorize the attacker’s session, and at no point does a password or MFA prompt pass through attacker-controlled infrastructure.
A standard device code expires after only 15 minutes. In earlier campaigns, attackers embedded pre-generated codes in emails, and those codes often expired before the victim even opened the message.
This new campaign uses Dynamic Device Code Generation to solve that problem. The attack logic is as follows:
- Real-time generation: the attacker's script requests a live code from Microsoft only at the moment the user clicks the phishing link, so the full 15-minute window is available to the victim.
- Clipboard hijacking: to further speed up the process, the malicious page “automatically copies the generated device code to the user’s clipboard” using the navigator.clipboard.writeText API, so the victim only has to paste it on the Microsoft page.
- Automated polling: while the user is on the official Microsoft portal, the attacker’s script enters a “Polling” state, checking its backend every 3 to 5 seconds for a successful login so the newly issued tokens are collected the moment the victim approves.
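The exchange described in the steps above, simulated end to end as an added example (this is not code from Microsoft or from the toolkit): an in-memory stand-in for the /devicecode and /token endpoints, an attacker client that mints a code on click and polls, and a victim who completes MFA in a separate session. The client ID, the victim's account, the verification URL and the 5-second polling interval are assumptions; the 15-minute code lifetime is the one the article states.

```python
"""Simulation of the OAuth 2.0 device authorization grant (RFC 8628) as the
campaign abuses it. Added example: the authorization server, client ID, user
and URL are in-memory stand-ins, not Microsoft's endpoints or the toolkit."""
import secrets
import string
import time

DEVICE_CODE_TTL = 900   # device codes expire after 15 minutes
POLL_INTERVAL = 5       # the "interval" the server tells the client to honour (assumed)


class FakeClock:
    """Controllable clock so expiry and polling can be exercised offline."""
    def __init__(self, start=1_700_000_000.0):
        self.t = start
    def now(self):
        return self.t
    def advance(self, seconds):
        self.t += seconds


class AuthorizationServer:
    """Stand-in for the identity provider's /devicecode and /token endpoints."""
    def __init__(self, now=time.time):
        self.now = now
        self.pending = {}        # device_code -> grant record
        self.by_user_code = {}   # user_code  -> device_code

    def device_authorization(self, client_id, scope):
        """Step 1: the client (here, the attacker's script) asks for a code pair."""
        alphabet = string.ascii_uppercase + string.digits
        device_code = secrets.token_urlsafe(32)
        user_code = "".join(secrets.choice(alphabet) for _ in range(9))
        self.pending[device_code] = {
            "client_id": client_id, "scope": scope, "user_code": user_code,
            "expires_at": self.now() + DEVICE_CODE_TTL,
            "approved_by": None, "last_poll": None,
        }
        self.by_user_code[user_code] = device_code
        return {"device_code": device_code, "user_code": user_code,
                "verification_uri": "https://login.example/devicelogin",  # stand-in URL
                "expires_in": DEVICE_CODE_TTL, "interval": POLL_INTERVAL}

    def user_approves(self, user_code, user, mfa_passed):
        """Step 2: the victim's own browser session. MFA is genuinely enforced
        here, which is why the victim sees nothing unusual."""
        rec = self.pending.get(self.by_user_code.get(user_code))
        if rec is None or self.now() > rec["expires_at"]:
            return "expired_or_unknown_code"
        if not mfa_passed:
            return "mfa_required"
        rec["approved_by"] = user
        return "approved"

    def token(self, device_code):
        """Step 3: the client polls. Tokens go to whoever holds device_code,
        never to the browser that approved the request."""
        rec = self.pending.get(device_code)
        if rec is None:
            return {"error": "invalid_grant"}
        if self.now() > rec["expires_at"]:
            return {"error": "expired_token"}
        now = self.now()
        if rec["last_poll"] is not None and now - rec["last_poll"] < POLL_INTERVAL:
            return {"error": "slow_down"}
        rec["last_poll"] = now
        if rec["approved_by"] is None:
            return {"error": "authorization_pending"}
        del self.pending[device_code]   # a grant is redeemable once
        return {"access_token": secrets.token_urlsafe(16), "token_type": "Bearer",
                "scope": rec["scope"], "issued_to": rec["client_id"],
                "on_behalf_of": rec["approved_by"]}


def simulate_dynamic_flow():
    """The campaign's sequence: mint the code on click, poll until the victim
    completes MFA, collect the tokens. Returns the observable states."""
    clock = FakeClock()
    idp = AuthorizationServer(now=clock.now)
    # victim clicks the lure -> attacker's backend calls /devicecode right now
    resp = idp.device_authorization("attacker-client-id", "Mail.Read User.Read")
    states = {"first_poll": idp.token(resp["device_code"])}     # authorization_pending
    states["second_poll"] = idp.token(resp["device_code"])      # polled too fast
    # victim lands on the legitimate sign-in page, enters the code, passes MFA
    clock.advance(40)
    states["victim_sees"] = idp.user_approves(resp["user_code"],
                                              "cfo@victim.example", mfa_passed=True)
    clock.advance(POLL_INTERVAL)
    states["final_poll"] = idp.token(resp["device_code"])       # attacker's tokens
    return states


def simulate_stale_code(delay_seconds):
    """The older technique: code minted at send time, redeemed whenever the
    victim gets round to opening the mail."""
    clock = FakeClock()
    idp = AuthorizationServer(now=clock.now)
    resp = idp.device_authorization("attacker-client-id", "Mail.Read")
    clock.advance(delay_seconds)
    return idp.user_approves(resp["user_code"], "cfo@victim.example", mfa_passed=True)


if __name__ == "__main__":
    s = simulate_dynamic_flow()
    print("victim saw:", s["victim_sees"])
    print("attacker got:", s["final_poll"])
    print("code opened 20 minutes after sending:", simulate_stale_code(20 * 60))
```

Note that the tokens in the final poll are issued to the client ID that called /devicecode and on behalf of the account that approved the code; the victim's browser never receives them, which is the property the campaign relies on. The stale-code path shows why the pre-generated codes of earlier campaigns failed once the victim opened the email late.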
The campaign’s success is bolstered by an “AI-driven infrastructure”. Attackers used Generative AI to create “hyper-personalized lures” tailored to a victim’s specific professional role, such as RFPs or manufacturing workflows.
To evade detection, the threat actors hosted the redirect logic on serverless platforms such as Vercel, Cloudflare Workers, and AWS Lambda. This lets the phishing traffic “blend in with legitimate enterprise cloud traffic,” so simple domain blocklists do not catch the attack.
Once an account is breached, the automation doesn’t stop. The attackers focus their follow-on activity on “high-value personas—specifically those in financial, executive, or administrative roles”.
Using automated Microsoft Graph reconnaissance, they “programmatically mapped internal organizational structures” to find users who hold sensitive permissions. For accounts with financial authority, the actors searched mailboxes for wire transfer details and pending invoices. Persistence was often maintained through “malicious inbox rules that redirected or concealed communications”, keeping follow-up correspondence out of the victim's sight.
Organizations are encouraged to review their use of device code flows, for example by checking sign-in logs for device code authentications from applications or locations that do not match a user's normal activity, and to consider Conditional Access policies that restrict the flow. Conditional Access includes an authentication flows condition that can block device code flow for users who have no legitimate need for it, which removes the technique entirely rather than relying on detection.
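A starting point for the log review suggested above, as an added example that is not Microsoft's code: the records are constructed in the shape of Entra sign-in log entries (the field names authenticationProtocol, status.errorCode and location.countryOrRegion follow the Graph signIn schema, but your export may name them differently), and the list of applications expected to use device code is an assumption to replace with your own.

```python
"""Review of device code sign-ins against each user's normal sign-in baseline.
Added example: records are constructed sign-in log entries; the field names are
assumed to follow the Graph signIn schema, and the app allow-list is an assumption."""
from collections import defaultdict

EXPECTED_DEVICE_CODE_APPS = {"Azure CLI", "Azure PowerShell"}   # assumed: tools you sanction

SIGNINS = [  # constructed sample, one tenant, one morning
    {"createdDateTime": "2025-03-03T09:02:11Z", "userPrincipalName": "alice@contoso.example",
     "appDisplayName": "Microsoft Office", "authenticationProtocol": "oAuth2",
     "ipAddress": "203.0.113.10", "location": {"countryOrRegion": "US"}, "status": {"errorCode": 0}},
    {"createdDateTime": "2025-03-03T09:40:55Z", "userPrincipalName": "alice@contoso.example",
     "appDisplayName": "Microsoft Office", "authenticationProtocol": "deviceCode",
     "ipAddress": "198.51.100.7", "location": {"countryOrRegion": "NL"}, "status": {"errorCode": 0}},
    {"createdDateTime": "2025-03-03T10:05:00Z", "userPrincipalName": "bob@contoso.example",
     "appDisplayName": "Azure CLI", "authenticationProtocol": "deviceCode",
     "ipAddress": "203.0.113.22", "location": {"countryOrRegion": "US"}, "status": {"errorCode": 0}},
    {"createdDateTime": "2025-03-03T10:06:30Z", "userPrincipalName": "carol@contoso.example",
     "appDisplayName": "Microsoft Office", "authenticationProtocol": "deviceCode",
     "ipAddress": "198.51.100.7", "location": {"countryOrRegion": "NL"}, "status": {"errorCode": 50126}},
    {"createdDateTime": "2025-03-03T08:30:00Z", "userPrincipalName": "bob@contoso.example",
     "appDisplayName": "Microsoft Teams", "authenticationProtocol": "oAuth2",
     "ipAddress": "203.0.113.22", "location": {"countryOrRegion": "US"}, "status": {"errorCode": 0}},
]


def build_baselines(signins):
    """Per user: IPs and countries seen on sign-ins that did NOT use device code."""
    base = defaultdict(lambda: {"ips": set(), "countries": set()})
    for s in signins:
        if s["authenticationProtocol"] != "deviceCode":
            base[s["userPrincipalName"]]["ips"].add(s["ipAddress"])
            base[s["userPrincipalName"]]["countries"].add(s["location"]["countryOrRegion"])
    return base


def review_device_code(signins):
    """Return (findings, shared_ips). findings lists device code sign-ins that
    deviate from the user's baseline or use an unexpected app; shared_ips lists
    source IPs that redeemed codes for more than one user, which is what a
    single phishing backend polling on behalf of many victims looks like."""
    base = build_baselines(signins)
    findings, users_per_ip = [], defaultdict(set)
    for s in signins:
        if s["authenticationProtocol"] != "deviceCode":
            continue
        user, ip = s["userPrincipalName"], s["ipAddress"]
        users_per_ip[ip].add(user)
        reasons = []
        if s["appDisplayName"] not in EXPECTED_DEVICE_CODE_APPS:
            reasons.append(f"app {s['appDisplayName']!r} is not expected to use device code")
        b = base.get(user)
        if b is None:
            reasons.append("no non-device-code baseline for this user in the window")
        else:
            if ip not in b["ips"]:
                reasons.append(f"ip {ip} never seen in this user's other sign-ins")
            if s["location"]["countryOrRegion"] not in b["countries"]:
                reasons.append("country differs from the user's baseline")
        if reasons:
            findings.append({"user": user, "time": s["createdDateTime"], "ip": ip,
                             "succeeded": s["status"]["errorCode"] == 0, "reasons": reasons})
    shared_ips = {ip: sorted(users) for ip, users in users_per_ip.items() if len(users) > 1}
    return findings, shared_ips


if __name__ == "__main__":
    found, shared = review_device_code(SIGNINS)
    for f in found:
        print(("SUCCESS " if f["succeeded"] else "failed  ") + f["user"], f["ip"], f["reasons"])
    print("IPs redeeming codes for several users:", shared)
```

In the sample, alice's device code sign-in succeeded from an IP and country that never appear in her other sign-ins, using an application that has no business using the flow, and the same IP also attempted a code for carol: that combination (a successful, out-of-baseline device code sign-in plus a shared source IP) is the one to escalate first. Bob's Azure CLI sign-in from his usual address is left alone, which is the kind of legitimate use an eventual Conditional Access exclusion should cover.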