Microsoft Device-Code Phishing Ramp
Researchers report a daily, large-scale device-code phishing campaign that leverages legitimate authentication flows and AI to automate lures and follow-on activity, compromising hundreds of organizations. The campaign combines social engineering with automation to target corporate email and financial systems. (theregister.com)
A phishing campaign that started in mid-March 2026 is compromising hundreds of organizations a day by abusing one of Microsoft’s own login features instead of stealing passwords in the usual way. Microsoft says it has observed 10 to 15 distinct campaigns every 24 hours since March 15, 2026, with attackers using artificial intelligence and automation across nearly the entire attack chain. (microsoft.com) (theregister.com)

The feature at the center of the attacks is the OAuth 2.0 device authorization grant flow, usually shortened to “device code flow.” It exists for legitimate reasons: a smart television, conference-room device, or other gadget with a limited keyboard can show a short code, and the user finishes sign-in on a separate phone or laptop. (proofpoint.com) (microsoft.com)

That design solves a real usability problem, but it also creates a social-engineering opening. If an attacker can trick a person into entering a valid device code on a real Microsoft sign-in page, the victim may feel safe because the page is genuine, even though the code links the victim’s account to the attacker’s session. (proofpoint.com) (microsoft.com)

This is what makes device-code phishing different from a fake login page. In a classic phishing scam, the criminal builds a counterfeit website and waits for a password; in a device-code attack, the criminal sends the victim to a real Microsoft page and asks for approval of a login the attacker already started. (microsoft.com) (proofpoint.com)

Once the victim approves the request, the attacker can receive access tokens instead of the password itself. Those tokens act like digital claim checks: they let software call Microsoft 365 services on the user’s behalf, which can include email, files, and other cloud data depending on what was granted. (proofpoint.com) (microsoft.com)

That means multifactor authentication is not always enough to stop the attack.
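A toy, in-memory model of the device authorization grant described above, added here as an illustration and not taken from Microsoft, Proofpoint or The Register. The class, its method names and the placeholder verification URI are assumptions. It shows the property defenders need to internalize: the token is issued to whichever client started the flow, regardless of who typed the code or whether that person passed MFA.

```python
# Added illustration (not code from Microsoft, Proofpoint or The Register): a toy,
# in-memory model of the OAuth 2.0 device authorization grant (RFC 8628). The class
# and method names are assumptions; no real Microsoft endpoint is involved.
import secrets
import string


class DeviceAuthServer:
    """Minimal authorization server: issues code pairs, records approvals, hands out tokens."""

    def __init__(self, lifetime_s=900):
        self.lifetime_s = lifetime_s   # how long a code pair stays valid
        self.flows = {}                # device_code -> flow state
        self.by_user_code = {}         # user_code -> device_code

    def start(self, client_id, now):
        # Step 1: the initiating client (a TV, or an attacker) requests a code pair.
        device_code = secrets.token_urlsafe(32)
        user_code = "".join(secrets.choice(string.ascii_uppercase) for _ in range(8))
        self.flows[device_code] = {"client": client_id, "issued": now, "user": None}
        self.by_user_code[user_code] = device_code
        return {"device_code": device_code, "user_code": user_code,
                "verification_uri": "https://idp.example/devicelogin"}  # placeholder URI

    def approve(self, user_code, user, mfa_passed, now):
        # Step 2: a human types the short code on the genuine sign-in page and
        # authenticates. The code, not the human, decides which session gets approved.
        device_code = self.by_user_code.get(user_code)
        if device_code is None or now - self.flows[device_code]["issued"] > self.lifetime_s:
            return "invalid_or_expired"
        if not mfa_passed:
            return "mfa_required"     # MFA is enforced on the approver, and still passes
        self.flows[device_code]["user"] = user
        return "approved"

    def poll(self, device_code, now):
        # Step 3: the initiating client polls the token endpoint until approval lands.
        flow = self.flows.get(device_code)
        if flow is None or now - flow["issued"] > self.lifetime_s:
            return {"error": "expired_token"}
        if flow["user"] is None:
            return {"error": "authorization_pending"}
        # Bound to the approving user, delivered to whoever holds the device_code.
        return {"access_token": "tok-" + secrets.token_hex(8),
                "subject": flow["user"], "issued_to_client": flow["client"]}
```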
The victim may complete the extra verification step themselves, and the attacker then rides the approved session forward using the issued tokens, sometimes maintaining access beyond the initial login. (theregister.com) (microsoft.com)

Researchers had already been warning that this method was spreading before this week’s report. Proofpoint said in December 2025 that multiple state-aligned and financially motivated threat clusters were using Microsoft 365 device-code authorization to take over accounts, exfiltrate data, and expand access after the first compromise. (proofpoint.com)

Microsoft had also documented an earlier campaign in February 2025 tied to a threat actor it tracks as Storm-2372. In that case, the lures imitated familiar messaging apps such as WhatsApp, Signal, and Microsoft Teams to get targets to complete the device-code sign-in process. (microsoft.com)

The new campaign appears to be larger and more automated than those earlier waves. Microsoft’s April 6, 2026 report describes a shift away from static, manual scripts toward artificial-intelligence-driven infrastructure that can generate live authentication codes on demand and automate follow-on actions after an account is compromised. (microsoft.com)

According to Microsoft, the attackers used Railway to spin up thousands of short-lived polling nodes. Those nodes appear to have handled the back-end work of checking whether a victim had completed the sign-in and then moving quickly once access was granted. (microsoft.com)

The attackers did not stop at inbox access. Microsoft and The Register both report that the campaign was used to snoop through corporate email and steal financial data, which suggests the operators were looking for payment workflows, invoices, account details, or internal conversations that could support fraud. That last point is an inference from the stated focus on financial data and corporate email, not a direct quote from either report.
(microsoft.com) (theregister.com)

This fits a pattern already visible in other Microsoft-related intrusions this year. In January 2026, The Register reported that attackers who compromised Microsoft accounts at energy-sector organizations used those inboxes to send hundreds of phishing emails from trusted internal and external addresses, turning one breach into a launchpad for many more. (theregister.com)

The practical problem for defenders is that the login pages and the authorization flow are real. Security teams are no longer just filtering fake domains; they are trying to spot when a legitimate Microsoft device-login request appears in the wrong context, for the wrong app, or at the wrong time. (proofpoint.com) (microsoft.com)

Microsoft’s reporting suggests the scale comes from combining old-fashioned persuasion with machine-speed operations. A human target still has to be convinced to enter the code, but once that happens, software can monitor approvals, harvest tokens, search mailboxes, and move into financial systems much faster than a person working by hand. (microsoft.com) (theregister.com)

The result is a kind of phishing campaign that looks less like a forged key and more like a victim being talked into opening the front door themselves. That is why device-code phishing has become such an attractive tactic: it exploits trust in a real authentication system, and as of April 2026 Microsoft says attackers are running that playbook every day at industrial scale. (microsoft.com) (theregister.com)
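One way to put the "wrong app, wrong time" idea into a triage rule, added here as an illustration and not code from Microsoft, Proofpoint or The Register. The record field names follow the Microsoft Graph signIn schema (authenticationProtocol, appDisplayName, createdDateTime); the app allowlist, the business-hours window and the sample records are assumptions constructed for the example.

```python
# Added illustration (not from Microsoft, Proofpoint or The Register): a triage rule
# over Entra ID sign-in records. Field names (authenticationProtocol, appDisplayName,
# createdDateTime) follow the Microsoft Graph signIn schema; the allowlist, the
# business-hours window and the sample records below are assumptions.
import json
from datetime import datetime, timezone

# Assumed tenant baseline: apps that legitimately use device code flow, and the
# UTC hours during which this user population normally signs in.
KNOWN_DEVICE_CODE_APPS = {"Microsoft Teams Rooms"}
BUSINESS_HOURS_UTC = range(7, 19)

# Constructed sample records (one JSON object per line), not real log data.
SAMPLE_LOG = """
{"userPrincipalName": "alice@example.com", "appDisplayName": "Microsoft Teams Rooms", "authenticationProtocol": "deviceCode", "ipAddress": "203.0.113.10", "createdDateTime": "2026-04-06T09:12:00Z"}
{"userPrincipalName": "bob@example.com", "appDisplayName": "Microsoft Office", "authenticationProtocol": "deviceCode", "ipAddress": "198.51.100.77", "createdDateTime": "2026-04-06T09:14:00Z"}
{"userPrincipalName": "carol@example.com", "appDisplayName": "Microsoft Office", "authenticationProtocol": "oAuth2", "ipAddress": "203.0.113.11", "createdDateTime": "2026-04-06T09:15:00Z"}
{"userPrincipalName": "dave@example.com", "appDisplayName": "Microsoft Teams Rooms", "authenticationProtocol": "deviceCode", "ipAddress": "198.51.100.80", "createdDateTime": "2026-04-06T02:30:00Z"}
"""


def triage_device_code_signins(log_text):
    """Return device-code sign-ins that arrived for the wrong app or at the wrong time."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        if rec.get("authenticationProtocol") != "deviceCode":
            continue  # other grant types are out of scope for this rule
        reasons = []
        app = rec.get("appDisplayName", "")
        if app not in KNOWN_DEVICE_CODE_APPS:
            reasons.append("device code flow from unexpected app: " + app)
        when = datetime.fromisoformat(rec["createdDateTime"].replace("Z", "+00:00"))
        if when.astimezone(timezone.utc).hour not in BUSINESS_HOURS_UTC:
            reasons.append("approval outside business hours: " + when.strftime("%H:%M UTC"))
        if reasons:
            findings.append({"user": rec["userPrincipalName"], "ip": rec["ipAddress"],
                             "reasons": reasons})
    return findings
```

In a real tenant the same rule would run over exported sign-in logs, with the allowlist and hours tuned to what the organization actually uses device code flow for.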