AI phishing hits hundreds of orgs
- Microsoft said on April 6 that attackers are compromising Microsoft 365 organizations at scale with AI-written lures and automated device-code phishing.
- Since March 15, Microsoft has seen 10 to 15 sub-campaigns a day, with dynamic codes and short-lived nodes boosting success.
- Push Security says device-code phishing pages jumped 37.5x in 2026 as at least 11 kits spread online. (pushsecurity.com)
Microsoft said on April 6 that a phishing campaign is compromising Microsoft 365 organizations at scale by abusing the device code sign-in flow. (microsoft.com) Device code sign-in is the Microsoft login method built for devices like smart TVs and printers that cannot type a full password into a browser. Attackers hijack that flow by sending a victim a real Microsoft code and getting the victim to approve the attacker’s session instead. (pushsecurity.com) (microsoft.com)

Microsoft said the campaign has been running since March 15, 2026, with 10 to 15 distinct sub-campaigns every 24 hours. The company said each wave targets hundreds of organizations with varied payloads that make pattern-based detection harder. (microsoft.com) (theregister.com)

The new piece is automation. Microsoft said the operators generate device codes only when a victim clicks, which sidesteps the normal 15-minute expiration window that would otherwise limit the scam. (microsoft.com) Microsoft also said the attackers used generative artificial intelligence to write role-specific lures tied to requests for proposals, invoices, and manufacturing workflows. The company said the backend ran on thousands of short-lived polling nodes spun up through Railway.com with Node.js logic. (microsoft.com)

Once tokens were stolen, Microsoft said the operators focused on a smaller set of high-value accounts in finance and executive roles. The follow-on activity included mailbox reconnaissance, malicious inbox rules, and email exfiltration for business email compromise. (microsoft.com)

Researchers outside Microsoft say the same tactic is spreading because it is now sold as a service. Sekoia said in March it uncovered EvilTokens, a turnkey Microsoft device-code phishing kit marketed through cybercrime channels. (blog.sekoia.io) Sekoia said EvilTokens also bundled tools for business email compromise, including token theft, email-thread analysis, and AI-assisted draft messages for fraud. That turns a stolen login into a ready-made payment scam pipeline. (blog.sekoia.io)

Push Security said device-code phishing pages detected in the wild were up 37.5 times by April 4, 2026, compared with the start of the year. The company said at least 11 kits now offer the technique, lowering the skill barrier for attackers. (pushsecurity.com) (labs.cloudsecurityalliance.org) The Cloud Security Alliance separately said a related campaign had hit more than 340 Microsoft 365 organizations across five countries by March 25. That report described device-code phishing as token theft that can survive password resets because the attacker steals session access, not just a password. (labs.cloudsecurityalliance.org)

Microsoft’s advice is narrower than “turn on multifactor authentication,” because this attack uses a legitimate Microsoft login flow. The company recommends restricting device-code flow where possible, monitoring sign-ins to the device-code endpoint, and hunting for suspicious inbox rules and token use. (microsoft.com)

The thread running through all of this is simple: the phishing page no longer needs to steal a password if it can trick a user into authorizing a real session. Microsoft’s warning is that automation and AI now let that happen at the scale of hundreds of organizations a day. (microsoft.com)
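The two hunts Microsoft recommends, device-code sign-ins and suspicious inbox rules, as an added triage example that is not from Microsoft or any of the cited reports. The sign-in field names (such as `authenticationProtocol`) mirror Entra ID sign-in log exports but are assumptions to verify against your own tenant's export; the inbox-rule shape is a simplified constructed schema; all sample records are constructed.

```python
# Added example: triage device-code sign-ins and inbox rules after a
# device-code phishing wave. Field names like "authenticationProtocol"
# mirror Entra ID sign-in exports but are assumptions; data is constructed.

# Constructed sign-ins: a baseline of normal browser logins for the CFO,
# one device-code sign-in from a country the CFO never used, and one
# device-code sign-in from a printer account with no other history.
SIGNINS = [
    {"user": "cfo@example.com", "ip": "203.0.113.10", "country": "US",
     "authenticationProtocol": "authorizationCodeFlow", "status": "success"},
    {"user": "cfo@example.com", "ip": "203.0.113.11", "country": "US",
     "authenticationProtocol": "authorizationCodeFlow", "status": "success"},
    {"user": "cfo@example.com", "ip": "198.51.100.7", "country": "NL",
     "authenticationProtocol": "deviceCode", "status": "success"},
    {"user": "printer@example.com", "ip": "203.0.113.20", "country": "US",
     "authenticationProtocol": "deviceCode", "status": "success"},
]

# Constructed inbox rules: one benign, one that hides and forwards mail.
RULES = [
    {"user": "cfo@example.com", "name": "Newsletters",
     "move_to": "Newsletters", "forward_to": None, "delete": False},
    {"user": "cfo@example.com", "name": ".",
     "move_to": "RSS Feeds", "forward_to": "x@attacker.example", "delete": True},
]

def device_code_findings(signins):
    """Flag successful device-code sign-ins; rate 'high' when the user has a
    non-device-code baseline and this country is absent from it."""
    baseline = {}
    for s in signins:
        if s["authenticationProtocol"] != "deviceCode":
            baseline.setdefault(s["user"], set()).add(s["country"])
    findings = []
    for s in signins:
        if s["authenticationProtocol"] == "deviceCode" and s["status"] == "success":
            known = baseline.get(s["user"])
            risk = "high" if known and s["country"] not in known else "review"
            findings.append({"user": s["user"], "ip": s["ip"], "risk": risk})
    return findings

def suspicious_inbox_rules(rules):
    """Flag rules that forward, auto-delete, hide mail in rarely-read
    folders, or carry a near-empty name (all common BEC follow-on traits)."""
    hide = {"RSS Feeds", "RSS Subscriptions", "Deleted Items", "Archive", "Junk Email"}
    out = []
    for r in rules:
        checks = [(r.get("forward_to"), "forwarding"), (r.get("delete"), "auto-delete"),
                  (r.get("move_to") in hide, "hidden-folder"),
                  (len(r["name"].strip()) <= 1, "blank-name")]
        reasons = [label for cond, label in checks if cond]
        if reasons:
            out.append({"user": r["user"], "name": r["name"], "reasons": reasons})
    return out
```

Run both functions over a real export and review every "high" finding alongside any flagged rule for the same user, since that pairing is the pattern the campaign's follow-on activity produces.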