Device Code Phishing: AI-Augmented Attacks Target Microsoft 365

The cybersecurity landscape of 2026 has witnessed a definitive shift: the decline of the password-centric attack and the rise of the session-centric breach. At the heart of this evolution is a sophisticated, AI-augmented campaign targeting Microsoft 365 environments. This campaign, largely attributed to threat actors following the tactical blueprints of Storm-2372, has weaponized a legitimate authentication mechanism, the OAuth 2.0 device code flow, in a technique known as device code phishing. By leveraging generative AI and real-time automation, attackers sidestep multi-factor authentication (MFA) rather than breaking it, and overcome the time-bound hurdle that previously limited such attacks.
The Technical Architecture of Device Code Phishing
To understand the severity of this threat, one must first deconstruct the underlying protocol. Device code phishing exploits the OAuth 2.0 Device Authorization Grant (RFC 8628). This flow was designed for “input-constrained” devices (smart TVs, printers, IoT hardware) that lack a full browser or keyboard. In a legitimate scenario, the device posts to the identity provider's device authorization endpoint (for Microsoft Entra ID, /oauth2/v2.0/devicecode) and receives two values: a long device_code that only the requesting client ever sees, and a short user_code meant for a human. The user is then instructed to visit a verification URL (for Microsoft, microsoft.com/devicelogin) on a separate device, such as a laptop or smartphone, enter the user code and authenticate, while the requesting client polls the token endpoint with its device_code.
The vulnerability lies not in a flaw in the code itself, but in the trust architecture of the flow. When the user enters the code and completes their organizational MFA, they are not authenticating a local session; they are authorizing whichever client holds the matching device_code. In the 2026 campaign, that client is an AI-orchestrated backend controlled by the threat actor. The victim completes a perfectly legitimate login on a legitimate Microsoft domain, and the identity provider hands the resulting access token and refresh token to the adversary's poller, not to the victim's browser.
The AI Inflection Point: Solving the 15-Minute Window
Historically, device code phishing was hindered by a critical security feature: the 15-minute expiration window. A device code generated by Microsoft’s API remains valid for only a quarter-hour (the devicecode response carries an expires_in of 900 seconds). If a traditional phishing email sat in an inbox for twenty minutes before being opened, the attack would fail. The 2026 campaign, powered by the EvilTokens Phishing-as-a-Service (PhaaS) platform, has solved this through AI-accelerated orchestration.
- Dynamic Code Generation: Rather than sending a static code in an email, the attackers use generative AI to create hyper-personalized lures (centered on RFPs, invoices, or internal HR notifications). The malicious link in the email does not contain the device code; instead, it directs the victim to a “waiting” page hosted on legitimate PaaS platforms like Railway.com or Vercel.
- Real-Time Triggers: The moment a victim clicks the link, the backend detects the active session and only then sends the POST request to Microsoft’s device authorization endpoint (/oauth2/v2.0/devicecode). This ensures that the 15-minute timer starts the instant the user is actually looking at the screen.
- Backend Polling: While the user sees a “loading” screen or a blurred document preview, the attacker’s script polls the token endpoint at 3-to-5 second intervals. The devicecode response includes an interval field (5 seconds for Entra ID) that clients are expected to honour, and RFC 8628 has the server answer over-eager polling with a slow_down error rather than a faster result, so the poller gains nothing by hammering the endpoint. This automated persistence ensures that as soon as the victim enters the code, the tokens are captured instantly.
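The two-endpoint exchange described above, as an added example that is not code from the article or from any phishing kit: a minimal RFC 8628 client run against a constructed in-memory stand-in for Entra ID with its own clock, so it runs offline. The stand-in enforces the 900-second expiry and 5-second interval that Entra ID returns and answers over-eager polling with slow_down; the endpoint paths in the comments are the real ones, while the client id and token strings are placeholders.

```python
"""RFC 8628 device-code client against a constructed Entra ID stand-in.

Added example, not code from the article or from any phishing kit. The
identity provider below is an in-memory fake with its own clock so the block
runs offline; a real client sends the same two POSTs to
https://login.microsoftonline.com/<tenant>/oauth2/v2.0/devicecode and
https://login.microsoftonline.com/<tenant>/oauth2/v2.0/token. The client id
and token strings are placeholders.
"""
import secrets
from typing import Optional

DEVICE_CODE_TTL = 900   # Entra ID returns expires_in=900: the 15-minute window
POLL_INTERVAL = 5       # Entra ID returns interval=5 and expects clients to honour it
PUBLIC_CLIENT_ID = "00000000-0000-0000-0000-000000000000"   # placeholder, not a real app


class FakeEntra:
    """Stand-in for the device-authorization and token endpoints (RFC 8628 semantics)."""

    def __init__(self) -> None:
        self.now = 0.0        # simulated seconds since the fake started
        self.codes = {}       # device_code -> grant record
        self.last_poll = {}   # device_code -> time of the last token-endpoint hit

    def sleep(self, seconds: float) -> None:
        self.now += seconds

    def devicecode(self, client_id: str, scope: str) -> dict:
        """POST /oauth2/v2.0/devicecode: mint a device_code/user_code pair."""
        device_code = secrets.token_urlsafe(32)
        user_code = "".join(secrets.choice("BCDFGHJKLMNPQRSTVWXZ") for _ in range(9))
        self.codes[device_code] = {"user_code": user_code, "issued": self.now, "approved": False,
                                   "client_id": client_id, "scope": scope}
        return {"device_code": device_code, "user_code": user_code,
                "verification_uri": "https://microsoft.com/devicelogin",
                "expires_in": DEVICE_CODE_TTL, "interval": POLL_INTERVAL}

    def approve(self, user_code: str) -> None:
        """The human types the user code and passes MFA on the genuine login page."""
        for rec in self.codes.values():
            if rec["user_code"] == user_code:
                rec["approved"] = True

    def token(self, device_code: str) -> dict:
        """POST /oauth2/v2.0/token with grant_type=urn:ietf:params:oauth:grant-type:device_code."""
        rec = self.codes.get(device_code)
        if rec is None or self.now - rec["issued"] >= DEVICE_CODE_TTL:
            return {"error": "expired_token"}
        if self.now - self.last_poll.get(device_code, float("-inf")) < POLL_INTERVAL:
            self.last_poll[device_code] = self.now
            return {"error": "slow_down"}           # RFC 8628 section 3.5: back off
        self.last_poll[device_code] = self.now
        if not rec["approved"]:
            return {"error": "authorization_pending"}
        # Tokens go to whoever holds device_code, never to the browser that approved it.
        return {"token_type": "Bearer", "expires_in": 3600,
                "access_token": "eyJ." + secrets.token_urlsafe(16),      # placeholder JWT
                "refresh_token": "0.A" + secrets.token_urlsafe(24)}      # placeholder


def run_scenario(approve_after: Optional[float], client_interval: Optional[int] = None) -> dict:
    """Request a code, then poll until tokens arrive or the code expires.

    approve_after: simulated second at which the victim completes the login (None = never).
    client_interval: override the server's interval to see what over-eager polling earns.
    """
    idp = FakeEntra()
    grant = idp.devicecode(PUBLIC_CLIENT_ID, "openid offline_access https://graph.microsoft.com/.default")
    interval = client_interval or grant["interval"]
    deadline = idp.now + grant["expires_in"]
    polls = slow_downs = 0
    while idp.now < deadline:
        idp.sleep(interval)
        if approve_after is not None and idp.now >= approve_after:
            idp.approve(grant["user_code"])           # victim acts on the real Microsoft page
        resp = idp.token(grant["device_code"])
        polls += 1
        if "access_token" in resp:
            return {"outcome": "tokens", "has_refresh_token": "refresh_token" in resp,
                    "polls": polls, "slow_downs": slow_downs, "elapsed": idp.now}
        err = resp.get("error")
        if err == "slow_down":
            slow_downs += 1
            interval += 5                              # RFC 8628: add 5 s to the interval
        elif err != "authorization_pending":
            return {"outcome": err, "polls": polls, "slow_downs": slow_downs, "elapsed": idp.now}
    return {"outcome": "deadline", "polls": polls, "slow_downs": slow_downs, "elapsed": idp.now}


if __name__ == "__main__":
    print(run_scenario(approve_after=20))      # victim typed the code after 20 s
    print(run_scenario(approve_after=1200))    # victim never came back in time
    print(run_scenario(approve_after=20, client_interval=1))
```

The three scenarios show the timing argument in the text: a code approved twenty seconds after issue yields tokens on the fourth poll, a code nobody types expires at the 900-second mark however patiently the poller waits, and polling every second only earns a slow_down and a longer interval, which is why the campaign's gain comes from starting the clock late, not from polling harder.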
Dissecting the Storm-2372 Playbook
Security researchers tracking the Storm-2372 successor campaigns have noted a level of sophistication that mimics legitimate corporate behavior, making detection via traditional telemetry difficult. The campaign utilizes a multi-stage delivery pipeline designed to bypass Secure Email Gateways (SEGs). By wrapping malicious URLs within the redirect services of trusted security vendors (such as Cisco or Mimecast), the attackers exploit “reputation-based” filters.
The use of Cloudflare Workers as intermediaries adds another layer of obfuscation. These workers act as a proxy, hiding the true origin of the attacker’s polling nodes. This infrastructure allows the group to spin up thousands of unique, short-lived nodes that handle the logic of the attack. For security analysts, this creates a “needle in a haystack” problem, where the malicious traffic is indistinguishable from standard cloud-native application behavior.
The Role of Generative AI in Lure Customization
What sets the 2026 campaign apart is the move away from “spray and pray” tactics toward precision engineering. Threat actors use Large Language Models (LLMs) to perform automated reconnaissance on targets. By scraping LinkedIn profiles and public corporate filings, the AI generates lures that are contextually relevant to the victim’s specific job function. A finance officer might receive a perfectly formatted “Urgent Audit Request,” while a developer is targeted with a “CLI Authentication Refresh” notice. This hyper-personalization has driven success rates significantly higher than traditional credential harvesting campaigns.
Post-Compromise: The Microsoft Graph API and Long-Term Persistence
The goal of device code phishing is not just a one-time login. Once the victim authorizes the “device,” the attacker receives an access token and, more importantly, a refresh token. In Microsoft Entra ID refresh tokens roll: each redemption issues a new one, and the default 90-day inactivity lifetime restarts every time the attacker uses it. A password reset by itself does not reliably evict the attacker: access tokens already issued stay valid until they expire (normally up to an hour), and Microsoft’s guidance for this campaign is to revoke the user’s refresh tokens explicitly rather than rely on the password change.
The primary tool for the next phase of the attack is the Microsoft Graph API. With a valid token, the attacker can silently execute the following actions:
- Email Exfiltration: Searching through mailboxes for high-value keywords like “wire transfer,” “credentials,” or “confidential.” AI-driven scripts can parse thousands of emails in seconds to identify the most lucrative data.
- Persistence via Inbox Rules: The attacker may create hidden inbox rules that forward specific emails to an external address or automatically delete security notifications from Microsoft, ensuring the victim remains unaware of the breach.
- Device Registration: In some observed cases, the attackers have used the stolen token to register a new, attacker-controlled device within the organization’s Entra ID tenant. This allows them to obtain a Primary Refresh Token (PRT), which provides the highest level of persistent access and facilitates lateral movement across the network.
Why Traditional Defenses Are Failing
The core challenge of defending against AI-augmented device code phishing is that the attack occurs entirely within “legitimate” channels. The user enters their credentials on microsoft.com, they solve a legitimate MFA prompt, and the resulting tokens are valid. Standard telemetry baselines, which are calibrated for human-paced behavior, often fail to trigger alerts for the following reasons:
- Speed of Orchestration: The time elapsed between the user entering the code and the attacker exfiltrating data can be measured in seconds. By the time a security operations center (SOC) receives a “risky sign-in” alert, the data may already be gone.
- IP Reputation Evasion: By using PaaS providers like Railway or Vercel, attackers are operating from IP ranges that are commonly used by legitimate business applications. Blocking these ranges wholesale would lead to significant operational disruption.
- Trust in the Real Domain: Because the user is on a genuine Microsoft page, the psychological barriers to entry are lowered. Even users trained to spot fake URLs are likely to trust a flow that takes them to the official Microsoft login portal, and no fake page exists for a URL filter to catch.
Mitigation Strategies for the 2026 Threat Landscape
Combatting this level of sophistication requires a shift from reactive detection to proactive policy enforcement. Organizations must realize that MFA, while necessary, is no longer a silver bullet against token-theft techniques like device code phishing.
1. Restricting the Device Authorization Flow
The most effective defense is to block the device code flow for everyone who does not need it. Most organizations do not actually need this flow for daily operations, and the Entra ID sign-in logs show who does: filter on the Authentication Protocol field for the value deviceCode before switching the block on. Security administrators should implement a Conditional Access policy that uses the Authentication flows condition to block Device code flow for all users, excluding only a group with a documented business need (e.g., IT staff managing specialized IoT hardware), and run it in report-only mode first to catch breakage.
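A check a practitioner would want before trusting that the block is in place, as an added example that is not the article's own: given the policy objects a tenant returns, report whether an enforced policy actually blocks deviceCodeFlow for all users and all apps, and list what is excluded or still in report-only mode. The policy dicts follow the shape of the Microsoft Graph conditionalAccessPolicy resource; the two tenant policies and the excluded group id are constructed, and the policy body at the top is the one the text recommends.

```python
"""Audit a tenant's Conditional Access policies for device-code-flow coverage.

Added example, not the article's own. The policy dicts follow the shape the
Microsoft Graph conditionalAccessPolicy resource uses (state,
conditions.users, conditions.applications,
conditions.authenticationFlows.transferMethods, grantControls.builtInControls);
the two tenant policies and the excluded group id are constructed. In
production, feed it the value array from
GET https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies.
"""

# The policy the text recommends, as the body you would POST to that same endpoint.
BLOCK_DEVICE_CODE_POLICY = {
    "displayName": "Block device code flow (all users, IoT admins excepted)",
    "state": "enabled",   # start with "enabledForReportingButNotEnforced", then flip
    "conditions": {
        "users": {"includeUsers": ["All"],
                  "excludeGroups": ["11111111-2222-3333-4444-555555555555"]},  # placeholder group id
        "applications": {"includeApplications": ["All"]},
        "authenticationFlows": {"transferMethods": "deviceCodeFlow"},
    },
    "grantControls": {"operator": "OR", "builtInControls": ["block"]},
}

TENANT_POLICIES = [  # constructed: what a typical tenant might return
    {"displayName": "Require MFA for all users", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"]},
                    "applications": {"includeApplications": ["All"]},
                    "authenticationFlows": None},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
    {"displayName": "Block device code flow (pilot)", "state": "enabledForReportingButNotEnforced",
     "conditions": {"users": {"includeUsers": ["All"]},
                    "applications": {"includeApplications": ["All"]},
                    "authenticationFlows": {"transferMethods": "deviceCodeFlow"}},
     "grantControls": {"operator": "OR", "builtInControls": ["block"]}},
]


def blocks_device_code(policy: dict) -> bool:
    """True if the policy's grant is 'block' and its flow condition names deviceCodeFlow."""
    flows = (policy.get("conditions") or {}).get("authenticationFlows") or {}
    methods = {m.strip() for m in (flows.get("transferMethods") or "").split(",")}
    controls = (policy.get("grantControls") or {}).get("builtInControls") or []
    return "deviceCodeFlow" in methods and "block" in controls


def device_code_coverage(policies: list) -> dict:
    """Report whether an enforced policy blocks the flow for all users, and what is excluded."""
    enforced, report_only = [], []
    for p in policies:
        if not blocks_device_code(p):
            continue
        users = (p.get("conditions") or {}).get("users") or {}
        apps = (p.get("conditions") or {}).get("applications") or {}
        entry = {"name": p["displayName"],
                 "all_users": "All" in users.get("includeUsers", []),
                 "all_apps": "All" in apps.get("includeApplications", []),
                 "excluded_groups": users.get("excludeGroups", []),
                 "excluded_users": users.get("excludeUsers", [])}
        (enforced if p.get("state") == "enabled" else report_only).append(entry)
    return {"covered": any(e["all_users"] and e["all_apps"] for e in enforced),
            "enforced": enforced, "report_only": report_only}


if __name__ == "__main__":
    print(device_code_coverage(TENANT_POLICIES))                              # covered: False
    print(device_code_coverage(TENANT_POLICIES + [BLOCK_DEVICE_CODE_POLICY]))  # covered: True
```

The report-only pilot is the usual way a tenant ends up believing it is protected when it is not; the check treats only state "enabled" as enforcement and surfaces the exclusion lists so that every excluded group can be justified.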
2. Implementing Phishing-Resistant MFA
FIDO2 hardware keys and passkeys remain the gold standard against credential phishing: the authenticator binds each assertion to the origin it was registered for, so an attacker-in-the-middle proxy on a look-alike domain obtains nothing it can replay. They are still worth deploying here because they take that fallback away from the attacker. The caveat for this campaign is that device code phishing never asks the victim to authenticate on a fake origin; the passkey ceremony completes genuinely on microsoft.com and the tokens are issued to the attacker's requester anyway. Phishing-resistant MFA therefore raises the bar but does not, on its own, close the device code flow; the Conditional Access block in step 1 does.
3. Monitoring Microsoft Graph API Activity
Detection efforts should shift from the sign-in event to the post-authentication behavior. The sign-in event itself is still worth a rule: Entra ID sign-in logs record the Authentication Protocol used (the value deviceCode), so a device code sign-in from a user or network that never uses the flow is a cheap first alert. SOC teams should then monitor for unusual Microsoft Graph API calls, particularly bulk email searches or changes to inbox rules, and alert when a new device is registered from a non-corporate IP address shortly after such a sign-in.
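The correlation described above, as an added example that is not tooling from the article: flag every device-code sign-in, then score it by whether it came from outside the corporate egress ranges and by whether the account registered a device or created an inbox rule within a window afterwards. All records are constructed and simplified; the sign-in records mimic the Entra ID sign-in log fields authenticationProtocol, ipAddress, createdDateTime and appDisplayName, the audit records use the Entra audit activity "Register device" and the Exchange Online operation "New-InboxRule" under generic field names, and the corporate IP allow-list and 60-minute window are tuning choices.

```python
"""Correlate device-code sign-ins with follow-on persistence actions.

Added example, not tooling from the article. All records are constructed and
simplified: the sign-in records mimic the Entra ID sign-in log fields
authenticationProtocol, ipAddress, createdDateTime and appDisplayName; the
audit records use the Entra audit activity "Register device" and the Exchange
Online operation "New-InboxRule" under generic field names. The corporate IP
allow-list and the 60-minute window are tuning choices for the example.
"""
from datetime import datetime, timedelta

SIGNINS = [  # constructed sign-in log export
    {"createdDateTime": "2026-03-02T09:14:05Z", "userPrincipalName": "cfo@example.com",
     "authenticationProtocol": "deviceCode", "ipAddress": "203.0.113.25",
     "appDisplayName": "Microsoft Office"},
    {"createdDateTime": "2026-03-02T09:30:00Z", "userPrincipalName": "dev@example.com",
     "authenticationProtocol": "oAuth2", "ipAddress": "198.51.100.7",
     "appDisplayName": "Microsoft Teams"},
    {"createdDateTime": "2026-03-02T10:02:11Z", "userPrincipalName": "it-admin@example.com",
     "authenticationProtocol": "deviceCode", "ipAddress": "198.51.100.9",
     "appDisplayName": "Microsoft Azure CLI"},
]
AUDITS = [  # constructed audit records (Entra audit log + Exchange unified audit log)
    {"time": "2026-03-02T09:15:40Z", "user": "cfo@example.com",
     "operation": "Register device", "ip": "203.0.113.25"},
    {"time": "2026-03-02T09:16:02Z", "user": "cfo@example.com",
     "operation": "New-InboxRule", "ip": "203.0.113.25"},
    {"time": "2026-03-02T13:40:00Z", "user": "it-admin@example.com",
     "operation": "New-InboxRule", "ip": "198.51.100.9"},
]
CORPORATE_IPS = {"198.51.100.7", "198.51.100.9"}   # constructed egress allow-list
PERSISTENCE_OPS = ("Register device", "New-InboxRule")


def _ts(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def device_code_signins(signins: list) -> list:
    """First, cheap filter: every sign-in that used the device code grant."""
    return [s for s in signins if s.get("authenticationProtocol") == "deviceCode"]


def correlate(signins: list, audits: list, corporate_ips: set, window_minutes: int = 60) -> list:
    """Score each device-code sign-in by source network and by what the account did next."""
    findings = []
    for s in device_code_signins(signins):
        t0 = _ts(s["createdDateTime"])
        followups = [a["operation"] for a in sorted(audits, key=lambda a: a["time"])
                     if a["user"] == s["userPrincipalName"] and a["operation"] in PERSISTENCE_OPS
                     and t0 <= _ts(a["time"]) <= t0 + timedelta(minutes=window_minutes)]
        off_corporate = s["ipAddress"] not in corporate_ips
        if followups and off_corporate:
            severity = "high"      # persistence set up right after an off-network device-code login
        elif followups or off_corporate:
            severity = "medium"
        else:
            severity = "low"       # documented use of the flow from the corporate network
        findings.append({"user": s["userPrincipalName"], "signin_time": s["createdDateTime"],
                         "signin_ip": s["ipAddress"], "app": s["appDisplayName"],
                         "off_corporate_ip": off_corporate, "followups": followups,
                         "score": (2 if off_corporate else 0) + len(followups),
                         "severity": severity})
    return sorted(findings, key=lambda f: -f["score"])


if __name__ == "__main__":
    for f in correlate(SIGNINS, AUDITS, CORPORATE_IPS):
        print(f["severity"].upper(), f["user"], f["signin_ip"], f["followups"])
```

On the constructed data the finance officer's sign-in scores high (off-network source, then a device registration and an inbox rule within two minutes) while the admin's Azure CLI login from the corporate range scores low; widening the window to five hours pulls the admin's later inbox rule into scope and lifts it to medium, which is the usual trade-off between catching slow operators and drowning in IT's own activity.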
4. Automated Token Revocation
In the event of a suspected compromise, simply changing the user’s password is insufficient. Administrators must revoke the user’s sign-in sessions, with the revokeSignInSessions action in Microsoft Graph (Revoke-MgUserSignInSession in the Microsoft Graph PowerShell SDK) or from the user’s page in the Entra admin center, which invalidates all refresh tokens issued to that user. Two caveats apply: access tokens already in the attacker’s hands remain valid until they expire, so expect up to an hour of residual access unless the client supports Continuous Access Evaluation, and any device the attacker registered in the tenant should be disabled or deleted as well so it cannot be reused.
Conclusion: The Future of AI vs. AI Security
The device code phishing campaign of 2026 serves as a stark reminder that as our defenses get smarter, our adversaries leverage the same technology to move faster. The automation provided by platforms like EvilTokens and the tactical precision of actors like Storm-2372 have turned a niche authentication flow into a primary vector for global organizational compromise. To survive in this environment, cybersecurity must move at the speed of the attacker—utilizing AI-driven detection to counter AI-driven exploitation, and reinforcing the foundations of identity through zero-trust principles.
Written by
TempMail Ninja
Digital privacy and online security expert. Passionate about creating tools that protect users' identity on the internet.


