Hundreds compromised daily in Microsoft device code phishes • The Register
https://www.theregister.com/2026/04/07/microsoft_device_code_phishing/?td=keepreading
Publish Date: 2026-04-07 16:19:00
Source Domain: www.theregister.com
Hundreds of organizations have been compromised daily by a Microsoft device-code phishing campaign that uses AI and automation at nearly every stage of the attack chain to ultimately snoop through corporate email inboxes and steal financial data.
“Since March 15, 2026, we have observed 10 to 15 distinct campaigns launching every 24 hours,” Microsoft VP of security research Tanmay Ganacharya told The Register.
“Each campaign is distributed at scale, targeting hundreds of organizations with highly varied and unique payloads, making pattern-based detection more challenging,” Ganacharya said. “We continue to observe high-volume activity, with hundreds of compromises occurring daily across affected environments.”
The attackers have targeted organizations worldwide and across all sectors, he told us. And while the phishing expedition hasn’t been attributed to a particular crew, its tooling and infrastructure share similarities with EvilTokens.
EvilTokens is a new Microsoft device-code phishing kit that has been sold as a service since mid-February, allowing buyers to bypass multi-factor authentication (MFA) and silently authenticate as the victim to the organization’s Microsoft 365 applications. Its operators have promised to soon extend support to Gmail and Okta phishing pages.
While the campaign appears to target a broad swath of organizations across all industries, “post-compromise activity shows a consistent focus on finance-related personas, with automated email exfiltration observed in those accounts,” Ganacharya said.
Redmond researchers detailed the device code attack in a Monday blog, and said that it “marks a significant escalation in threat actor sophistication.”
Device code authentication
Devices like smart TVs, printers, and other IoT devices that don’t support a standard interactive login typically…