AI-powered phishing targets 340+ organizations, bypassing MFA through Microsoft's own login page
A phishing-as-a-service toolkit called EvilTokens is turning Microsoft's device login flow into a full attack chain. The victim authenticates on real microsoft.com/devicelogin, MFA completes against the real IdP, and tokens land in the attacker's session.
What makes this campaign categorically different is AI at every stage: generative lures matched to the victim's role, on-demand device codes that beat the 15-minute expiry, and post-compromise mailbox scanning for BEC targets.
Microsoft Defender Security Research published "Inside an AI-enabled device code phishing campaign," documenting how the EvilTokens Phishing-as-a-Service toolkit industrialized device code phishing with AI-driven infrastructure and end-to-end automation. Huntress independently tracked the campaign across 340+ organizations in five countries. Sekoia TDR identified over 1,000 phishing domains.
Highlights:
- The attack exploits the OAuth device authorization flow designed for TVs and IoT devices. The attacker requests a device code from Microsoft's API, delivers it via a phishing lure, and the victim authenticates on the real Microsoft login page, MFA included. Tokens go to the attacker's session. No credentials intercepted.
- Real-time code generation bypasses the 15-minute device code expiration. The frontend script polls the Railway.com backend every 3-5 seconds to check if authentication is complete. AI generates role-matched lures (RFPs, invoices, manufacturing workflows) with no two identical. Microsoft measured 450% higher click-through rates for AI-generated lures across campaigns. Redirects through Vercel, Cloudflare Workers, and AWS Lambda. Clipboard auto-populated via navigator.clipboard.writeText.
- Post-compromise: device registration within 10 minutes for Primary Refresh Token persistence, malicious inbox rules, AI-powered keyword scanner surfacing finance-related conversations for BEC.
- EvilTokens: PhaaS on Telegram since mid-February 2026. 340+ organizations across US, Canada, Australia, New Zealand, Germany (Huntress). Sectors: construction, non-profits, real estate, manufacturing, finance, healthcare, legal, government. Escalation from Storm-2372 (February 2025). Historical users of the device code phishing technique include UTA032, UTA0355, TA2723, and ShinyHunters. Expanding to Gmail and Okta.
My take:
- No MFA method helps, including FIDO2. The victim authenticates on real microsoft.com. The device code flow issues tokens to whichever device initiated the request, not to the device where the user signed in. FIDO2 is not failing, it is irrelevant. The fix is a Conditional Access policy blocking the device code grant type.
- Twelve months separated Storm-2372's manual campaign from EvilTokens, a fully automated platform sold on Telegram. AI lowers the expertise bar until sophisticated attacks become commodity. This is what it looks like at scale.
- The LLM is not just writing phishing emails. Post-compromise, EvilTokens' AI scanner searches compromised mailboxes for wire transfer threads, payment approvals, and financial conversations to surface BEC opportunities. The attacker does not need to know what to look for. This is LLM-as-operator, not LLM-as-author.
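Until the Conditional Access block is in place, the two observables above (a sign-in over the device code grant, then a device registration by the same account within about 10 minutes) can be checked in exported Entra ID logs. The detector below is an added example, not code from Microsoft, Huntress or Sekoia; the records are constructed samples, the sign-in field `authenticationProtocol` with value `deviceCode` is the Entra sign-in log field, and the audit activity name `Register device` is an assumption to adjust to your export.

```python
# Added example: flag device code sign-ins in Entra ID sign-in logs and
# correlate them with a device registration shortly afterwards.
from datetime import datetime, timedelta

# Constructed sign-in log sample. Entra sign-in records carry
# authenticationProtocol == "deviceCode" for the device authorization grant.
SIGN_INS = [
    {"userPrincipalName": "cfo@example.com", "authenticationProtocol": "deviceCode",
     "createdDateTime": "2026-03-18T09:02:11Z", "ipAddress": "203.0.113.7"},
    {"userPrincipalName": "dev@example.com", "authenticationProtocol": "oAuth2",
     "createdDateTime": "2026-03-18T09:05:40Z", "ipAddress": "198.51.100.5"},
    {"userPrincipalName": "ops@example.com", "authenticationProtocol": "deviceCode",
     "createdDateTime": "2026-03-18T10:30:00Z", "ipAddress": "198.51.100.9"},
]

# Constructed audit log sample. The activity name "Register device" is an
# assumption about the export schema; check it against your tenant's events.
AUDITS = [
    {"activityDisplayName": "Register device", "activityDateTime": "2026-03-18T09:08:45Z",
     "initiatedBy": {"user": {"userPrincipalName": "cfo@example.com"}}},
    {"activityDisplayName": "Register device", "activityDateTime": "2026-03-18T11:10:00Z",
     "initiatedBy": {"user": {"userPrincipalName": "ops@example.com"}}},
]

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")

def device_code_sign_ins(sign_ins):
    """Every sign-in that used the device authorization grant."""
    return [s for s in sign_ins if s.get("authenticationProtocol") == "deviceCode"]

def registrations_after_device_code(sign_ins, audits, window=timedelta(minutes=10)):
    """Device code sign-ins followed by a device registration by the same user
    within `window` (the campaign registered devices within 10 minutes)."""
    hits = []
    for s in device_code_sign_ins(sign_ins):
        start = _ts(s["createdDateTime"])
        for a in audits:
            upn = a.get("initiatedBy", {}).get("user", {}).get("userPrincipalName")
            if a.get("activityDisplayName") != "Register device" or upn != s["userPrincipalName"]:
                continue
            delta = _ts(a["activityDateTime"]) - start
            if timedelta(0) <= delta <= window:
                hits.append({"user": upn, "signin_ip": s["ipAddress"],
                             "minutes_to_register": round(delta.total_seconds() / 60, 1)})
    return hits

if __name__ == "__main__":
    for hit in registrations_after_device_code(SIGN_INS, AUDITS):
        print("ALERT device code sign-in followed by device registration:", hit)
```

Every device code sign-in is worth reviewing on its own once the grant is blocked by policy; the correlation narrows the list to accounts showing the persistence step.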
Sources:
- Inside an AI-enabled device code phishing campaign (Microsoft Defender Security Research, April 6, 2026)
- New widespread EvilTokens kit: device code phishing as-a-service, Part 1 (Sekoia TDR, March 30, 2026)
- Riding the Rails: Threat Actors Abuse Railway.com PaaS as Microsoft 365 Token Attack Infrastructure (Huntress, March 20, 2026)
- EvilTokens: from device codes to token theft (Mnemonic, 2026)
- Threat actor abuse of AI accelerates from tool to cyberattack surface (Microsoft, April 2, 2026)
- Storm-2372 conducts device code phishing campaign (Microsoft Threat Intelligence, February 2025)
- 88,000 lines of malware in one week (The Weather Report)
- CrowdStrike reported an 89% increase in AI-enabled attacks (The Weather Report)