
AI phishing campaign compromises hundreds of Microsoft organizations

Microsoft has documented a sustained phishing campaign that has been producing hundreds of fresh compromises per day since mid-March 2026, using artificial intelligence to generate personalized lures and a chain of automated redirects to bypass detection at every stage.

 

What happened

A large-scale Microsoft 365 device code phishing campaign has been running an average of 10 to 15 distinct sub-campaigns every 24 hours since March 15, 2026, each targeting hundreds of organizations with unique payloads. According to The Register, Microsoft VP of security research Tanmay Ganacharya said, "Each campaign is distributed at scale, targeting hundreds of organizations with highly varied and unique payloads, making pattern-based detection more challenging. We continue to observe high-volume activity, with hundreds of compromises occurring daily across affected environments." The campaign targets organizations across all sectors globally, and post-compromise activity shows a consistent focus on finance personnel and automated exfiltration of email from their accounts. Microsoft's analysis of the campaign's tooling and infrastructure found similarities with EvilTokens, a phishing-as-a-service kit sold since mid-February 2026 that lets operators bypass multi-factor authentication (MFA) and silently authenticate as victims inside their Microsoft 365 environments.

 

Going deeper

The attack chain begins with a reconnaissance phase, typically 10 to 15 days before the phishing attempt. Attackers query GetCredentialType, an endpoint of the Microsoft sign-in service, to confirm that a targeted email address exists and is active in the tenant.

Attackers then use AI to generate hyper-personalized phishing emails matched to the target's role, using themes such as requests for proposals, invoices, and manufacturing workflows. Rather than linking directly to a phishing page, the emails route victims through a chain of automated redirects via compromised legitimate domains and serverless platforms, including Railway, Cloudflare Workers, DigitalOcean, and AWS Lambda, which lets the campaign blend in with normal enterprise cloud traffic and evade URL scanners.

The pivotal technical element is dynamic device code generation. A device code is valid for 15 minutes from the moment Microsoft issues it. By requesting the code only at the final redirect stage, when the victim actually reaches the phishing page, the attacker ensures the clock starts while the victim is looking at the code, so the full 15-minute window is available regardless of how long the redirect chain took or how long the email sat unread. The page shows the victim the code and sends them to the genuine Microsoft login page, where the victim signs in and completes MFA themselves. Meanwhile the attacker's backend polls Microsoft's token endpoint every 3 to 5 seconds, and the moment the victim finishes logging in it receives a live access token for that account. Because the victim satisfies MFA on Microsoft's real page, no password or MFA code is ever captured, and the strength of the MFA method makes no difference; the control that matters is whether the tenant permits the device code flow at all.
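
What this chain leaves behind in tenant telemetry, as an added example that is not part of Microsoft's analysis or of any vendor tool: the victim's sign-in appears in the Entra sign-in log with the authentication protocol recorded as device code, and the follow-on automated mail exfiltration described under "What happened" typically shows up in the Exchange audit log as a forwarding rule created shortly afterwards. The Python below triages constructed records of both kinds. The field names follow the Microsoft Graph signIn schema and the Unified Audit Log export as assumed here; every record, address and IP is made up, and the 24-hour correlation window is an arbitrary tuning choice.

```python
"""Triage Entra sign-in and Exchange audit records for device code phishing.

Added example for this article, not Microsoft's or any vendor's code.
Assumptions: sign-in records follow the Graph signIn shape
(authenticationProtocol, location.countryOrRegion, status.errorCode); mailbox
records follow the Unified Audit Log shape (Operation, UserId, Parameters).
All records below are constructed for the example.
"""
import json
from datetime import datetime, timedelta

# Constructed Entra sign-in records, one JSON object per line.
SIGNIN_LOG = [json.loads(line) for line in r'''
{"createdDateTime":"2026-03-18T14:02:11Z","userPrincipalName":"ap.clerk@example.com","authenticationProtocol":"authorizationCode","ipAddress":"203.0.113.8","location":{"countryOrRegion":"US"},"status":{"errorCode":0}}
{"createdDateTime":"2026-03-19T08:55:40Z","userPrincipalName":"ap.clerk@example.com","authenticationProtocol":"authorizationCode","ipAddress":"203.0.113.8","location":{"countryOrRegion":"US"},"status":{"errorCode":0}}
{"createdDateTime":"2026-03-20T09:14:03Z","userPrincipalName":"ap.clerk@example.com","authenticationProtocol":"deviceCode","ipAddress":"198.51.100.77","location":{"countryOrRegion":"NL"},"status":{"errorCode":0}}
{"createdDateTime":"2026-03-19T07:30:00Z","userPrincipalName":"it.ops@example.com","authenticationProtocol":"authorizationCode","ipAddress":"203.0.113.21","location":{"countryOrRegion":"US"},"status":{"errorCode":0}}
{"createdDateTime":"2026-03-20T10:01:27Z","userPrincipalName":"it.ops@example.com","authenticationProtocol":"deviceCode","ipAddress":"203.0.113.21","location":{"countryOrRegion":"US"},"status":{"errorCode":0}}
'''.strip().splitlines()]

# Constructed Unified Audit Log records for Exchange Online.
AUDIT_LOG = [json.loads(line) for line in r'''
{"CreationTime":"2026-03-20T09:31:48Z","Operation":"New-InboxRule","UserId":"ap.clerk@example.com","Parameters":[{"Name":"Name","Value":"."},{"Name":"ForwardTo","Value":"billing-archive@example.net"},{"Name":"DeleteMessage","Value":"True"},{"Name":"SubjectContainsWords","Value":"invoice;payment;wire"}]}
{"CreationTime":"2026-03-20T11:20:00Z","Operation":"Set-Mailbox","UserId":"it.ops@example.com","Parameters":[{"Name":"Identity","Value":"it.ops"},{"Name":"RetentionPolicy","Value":"Default"}]}
'''.strip().splitlines()]

# Cmdlet parameters that send mail out of the mailbox.
FORWARDING_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo",
                     "ForwardingSmtpAddress", "ForwardingAddress"}
RULE_OPERATIONS = {"New-InboxRule", "Set-InboxRule", "Set-Mailbox"}


def ts(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def baseline_countries(signins, upn):
    """Countries seen in the user's successful non-device-code sign-ins."""
    return {e["location"]["countryOrRegion"] for e in signins
            if e["userPrincipalName"].lower() == upn.lower()
            and e["authenticationProtocol"] != "deviceCode"
            and e["status"]["errorCode"] == 0}


def forwarding_changes(audit):
    """(record, {param: value}) for audit events that add mail forwarding."""
    out = []
    for e in audit:
        if e["Operation"] not in RULE_OPERATIONS:
            continue
        params = {p["Name"]: p["Value"] for p in e.get("Parameters", [])}
        hit = FORWARDING_PARAMS & params.keys()
        if hit:
            out.append((e, {k: params[k] for k in hit}))
    return out


def triage(signins, audit, window=timedelta(hours=24)):
    """One alert per successful device code sign-in, graded by what follows it."""
    alerts, fwd = [], forwarding_changes(audit)
    for e in signins:
        if e["authenticationProtocol"] != "deviceCode" or e["status"]["errorCode"] != 0:
            continue
        upn, t0 = e["userPrincipalName"], ts(e["createdDateTime"])
        findings, exfil = [], False
        country, known = e["location"]["countryOrRegion"], baseline_countries(signins, upn)
        if known and country not in known:
            findings.append(f"device code sign-in from {country}; user baseline is {sorted(known)}")
        for rec, targets in fwd:
            dt = ts(rec["CreationTime"]) - t0
            if rec["UserId"].lower() == upn.lower() and timedelta(0) <= dt <= window:
                exfil = True
                findings.append(f"{rec['Operation']} set {targets} "
                                f"{int(dt.total_seconds() // 60)} min after sign-in")
        severity = "high" if exfil else ("medium" if findings else "info")
        alerts.append({"user": upn, "time": e["createdDateTime"], "ip": e["ipAddress"],
                       "severity": severity, "findings": findings})
    return alerts


if __name__ == "__main__":
    for a in triage(SIGNIN_LOG, AUDIT_LOG):
        print(a["severity"].upper(), a["user"], a["time"], a["ip"], *a["findings"], sep="\n  ")
```

On the constructed data the finance clerk's device code sign-in is graded high (new country plus a forwarding rule 17 minutes later) while the IT account's device code sign-in from its usual country with no mailbox change stays informational, which is the distinction a SOC needs when the flow is still legitimately used for printers or kiosks.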

 

What was said

Microsoft's Ganacharya described the campaign to The Register as marking "a significant escalation in threat actor sophistication." In its published analysis, Microsoft warned that device code authentication carries inherent risk: because "authentication is completed on a separate device, the session initiating the request is not strongly bound to the user's original context," which makes the flow attractive to attackers who want to intercept the authentication flow without capturing a password or an MFA code directly.

 

In the know

The campaign operates in a rapidly expanding ecosystem of device code phishing toolkits. According to BleepingComputer, device code phishing page detections surged 37.5 times over the course of early 2026, with at least 11 distinct kits now offering operators this capability using realistic SaaS-themed lures, anti-bot protections, and cloud platform hosting. EvilTokens is the most prominent, but researchers have identified at least ten competing kits targeting the same attack surface using DocuSign, SharePoint, Adobe, and Microsoft Teams branding as lures.

 

The big picture

Healthcare organizations face concentrated exposure from campaigns like this one. According to Paubox's 2026 Healthcare Email Security Report, Microsoft 365 is used by approximately 79 percent of healthcare organizations and accounted for 53 percent of breached organizations in 2025, up from 43 percent the year prior. Device code phishing defeats the MFA controls that many healthcare organizations treat as their primary defense, meaning organizations whose security posture depends on MFA without additional Conditional Access restrictions remain exposed. The AI-generated personalization documented in this campaign also targets a known gap: according to Paubox's Top 3 Healthcare Email Attacks report, phishing-driven mailbox takeovers exposed 630,000 individuals in healthcare in 2025, with the attack succeeding because email security assumes users will recognize deception, and only 5 percent of known phishing attacks are reported by employees to security teams.

 

FAQs

What makes dynamic device code generation more dangerous than static code?

Static device codes are requested in advance and embedded in the phishing email, so the 15-minute validity window starts before the victim even opens the message; a victim who reads the email an hour later finds an expired code and the lure fails. Dynamic generation moves code creation to the final stage of the attack chain, the moment the victim reaches the page, so the victim sees a live code with the full 15 minutes remaining, which substantially raises the probability of a successful compromise.
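
The timing argument made here and in the "Going deeper" section, modelled as an added example rather than code from the article, from Microsoft or from any phishing kit. ToyDeviceAuthServer stands in for Microsoft's device-code and token endpoints and implements the device authorization grant of RFC 8628 only far enough to show the lifetime and polling behaviour; the 15-minute lifetime and 5-second polling interval are the documented defaults of the real flow, while the victim timings in the scenarios and the user code alphabet are constructed.

```python
"""Timing model of the device authorization grant (RFC 8628) behind the
Microsoft device code flow, showing why minting the code at the last redirect
hop matters.

Added example for this article; not Microsoft's code and not any kit's code.
ToyDeviceAuthServer is a stand-in for the real endpoints. Lifetime and polling
interval are the real flow's defaults; the scenario timings are constructed.
"""
import secrets
from dataclasses import dataclass
from typing import Optional

CODE_LIFETIME_S = 15 * 60   # device code lifetime
POLL_INTERVAL_S = 5         # minimum gap between token polls


@dataclass
class PendingGrant:
    user_code: str
    issued_at: float
    approved_by: Optional[str] = None
    redeemed: bool = False


class ToyDeviceAuthServer:
    """Issues device/user code pairs and answers token polls as RFC 8628 describes."""

    def __init__(self) -> None:
        self._grants: dict = {}

    def device_authorization(self, now: float) -> dict:
        """Response to the requesting client (in the campaign, the attacker's backend)."""
        device_code = secrets.token_urlsafe(24)
        user_code = "".join(secrets.choice("BCDFGHJKLMNPQRSTVWXZ") for _ in range(9))
        self._grants[device_code] = PendingGrant(user_code, now)
        return {"device_code": device_code, "user_code": user_code,
                "expires_in": CODE_LIFETIME_S, "interval": POLL_INTERVAL_S}

    def user_approves(self, user_code: str, user: str, now: float) -> bool:
        """The victim types the code at the genuine sign-in page and passes MFA."""
        for g in self._grants.values():
            if g.user_code == user_code and now - g.issued_at < CODE_LIFETIME_S:
                g.approved_by = user
                return True
        return False   # unknown or expired code: the real page shows an error

    def token(self, device_code: str, now: float) -> dict:
        g = self._grants.get(device_code)
        if g is None or now - g.issued_at >= CODE_LIFETIME_S:
            return {"error": "expired_token"}
        if g.approved_by is None:
            return {"error": "authorization_pending"}
        if g.redeemed:
            return {"error": "invalid_grant"}
        g.redeemed = True
        return {"access_token": f"tok-for-{g.approved_by}", "token_type": "Bearer"}


def run_scenario(code_issued_at: float, victim_signs_in_at: float,
                 user: str = "ap.clerk@example.com") -> str:
    """Attacker polls from issuance; the victim approves at victim_signs_in_at.
    Returns "token" if the attacker ends up holding a token, else "expired"."""
    server = ToyDeviceAuthServer()
    grant = server.device_authorization(code_issued_at)
    t, approved = code_issued_at, False
    while True:
        if not approved and t >= victim_signs_in_at:
            approved = server.user_approves(grant["user_code"], user, victim_signs_in_at)
        resp = server.token(grant["device_code"], t)
        if "access_token" in resp:
            return "token"
        if resp["error"] == "expired_token":
            return "expired"
        t += POLL_INTERVAL_S


def static_code_outcome(email_sent_at: float, victim_signs_in_at: float) -> str:
    """Code minted when the lure was sent and embedded in the email."""
    return run_scenario(email_sent_at, victim_signs_in_at)


def dynamic_code_outcome(victim_arrives_at: float, victim_signs_in_at: float) -> str:
    """Code minted only when the victim reaches the final page."""
    return run_scenario(victim_arrives_at, victim_signs_in_at)


if __name__ == "__main__":
    # Victim opens the email 20 minutes after it was sent and signs in a minute later.
    print("static :", static_code_outcome(0, 21 * 60))
    print("dynamic:", dynamic_code_outcome(20 * 60, 21 * 60))
    # A dynamic code still dies if the victim idles past the 15-minute lifetime.
    print("dynamic, slow victim:", dynamic_code_outcome(20 * 60, 36 * 60))
```

The first scenario is the static lure failing: the code was minted at send time and the token endpoint starts answering expired_token before the victim ever signs in. The second is the campaign's technique: the same victim behaviour yields a token because the clock only started on page load. The third shows the one limit dynamic generation does not remove, which is why the kits pair it with a polling loop that reports the instant authentication completes.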

 

How does AI personalization change the risk profile of phishing campaigns at this scale?

Attackers can now generate role-specific lures for thousands of targets simultaneously without manual effort, meaning each recipient receives an email that references their job function, industry context, or typical workflows. Personalized emails are harder for recipients to dismiss as generic spam and harder for pattern-based filters to catch because each payload is unique.

 

What is the GetCredentialType API, and why does its abuse matter?

GetCredentialType is an endpoint of the Microsoft sign-in service that the login page itself calls to determine how a given username should authenticate; its response also reveals whether the account exists in a tenant, which makes it usable for unauthenticated user enumeration. Attackers query it during reconnaissance to validate targets before investing in a full phishing campaign, which removes dead addresses from their lists and improves targeting quality. Because the endpoint is part of the normal sign-in process rather than a setting a tenant can turn off, the practical points of control are the lure and the device code flow itself, not the enumeration.

 

What Conditional Access policy blocks device code phishing?

Organizations can create a Microsoft Entra Conditional Access policy that uses the Authentication flows condition to select the device code flow and applies a Block grant control, targeting all users and all cloud apps. Exclude only the specific accounts or groups that genuinely need the flow, typically identities used to sign in on printers, IoT devices, or other input-constrained devices, and review those exclusions regularly. Where a full block is not feasible, restricting the flow to approved users, compliant devices, or trusted IP ranges substantially reduces the attack surface. Deploy in report-only mode first to surface legitimate use, then enforce; a policy left in report-only mode logs the attack but does not stop it.
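
An added check, not Microsoft's code, that reads policies in the shape Microsoft Graph returns from the Conditional Access policies endpoint and reports whether the device code flow is actually blocked tenant-wide. The two policies are constructed: a report-only one, which is the weak setting, beside the enforced one this answer describes. The authenticationFlows condition and its transferMethods string are assumed to follow the Graph conditionalAccessPolicy schema; the group ID is a placeholder for the group that holds the identities that really need the flow.

```python
"""Assess whether Conditional Access policies block the device code flow.

Added example for this article, not Microsoft's code. Policies use the Graph
conditionalAccessPolicy shape as assumed here. Both sample policies are
constructed; GROUP_ID_PRINTER_ACCOUNTS is a placeholder object ID.
"""

GROUP_ID_PRINTER_ACCOUNTS = "00000000-0000-0000-0000-000000000000"  # placeholder

# Weak: report-only, so device code sign-ins are logged but never blocked.
REPORT_ONLY_POLICY = {
    "displayName": "Device code flow - monitor",
    "state": "enabledForReportingButNotEnforced",
    "conditions": {
        "users": {"includeUsers": ["All"], "excludeUsers": [], "excludeGroups": []},
        "applications": {"includeApplications": ["All"]},
        "authenticationFlows": {"transferMethods": "deviceCodeFlow"},
    },
    "grantControls": {"operator": "OR", "builtInControls": ["block"]},
}

# Corrected: enforced for all users and apps, with one reviewed exclusion group.
BLOCK_DEVICE_CODE_POLICY = {
    "displayName": "Block device code flow",
    "state": "enabled",
    "conditions": {
        "users": {"includeUsers": ["All"], "excludeUsers": [],
                  "excludeGroups": [GROUP_ID_PRINTER_ACCOUNTS]},
        "applications": {"includeApplications": ["All"]},
        "authenticationFlows": {"transferMethods": "deviceCodeFlow,authenticationTransfer"},
    },
    "grantControls": {"operator": "OR", "builtInControls": ["block"]},
}


def transfer_methods(policy):
    """Set of flow names from the comma-separated transferMethods string."""
    flows = (policy.get("conditions") or {}).get("authenticationFlows") or {}
    raw = flows.get("transferMethods") or ""
    return {m.strip() for m in raw.split(",") if m.strip()}


def assess_device_code_block(policies):
    """Return {'blocked': bool, 'findings': [str]} for the device code flow.

    A policy counts as blocking only when it is enabled, targets all users and
    all cloud apps, selects deviceCodeFlow and uses the Block grant control.
    Exclusions are reported so they can be reviewed, not treated as failures.
    """
    findings, blocked = [], False
    for p in policies:
        if "deviceCodeFlow" not in transfer_methods(p):
            continue
        name = p.get("displayName", "<unnamed>")
        users = p["conditions"].get("users") or {}
        apps = p["conditions"].get("applications") or {}
        controls = (p.get("grantControls") or {}).get("builtInControls") or []
        if "block" not in controls:
            findings.append(f"{name}: targets device code flow but does not block it")
            continue
        if p.get("state") != "enabled":
            findings.append(f"{name}: state is {p.get('state')}; "
                            "a report-only or disabled policy does not stop the attack")
            continue
        if users.get("includeUsers") != ["All"]:
            findings.append(f"{name}: scoped to {users.get('includeUsers')}, not all users")
            continue
        if apps.get("includeApplications") != ["All"]:
            findings.append(f"{name}: scoped to {apps.get('includeApplications')}, "
                            "not all cloud apps")
            continue
        blocked = True
        excluded = len(users.get("excludeUsers") or []) + len(users.get("excludeGroups") or [])
        if excluded:
            findings.append(f"{name}: {excluded} exclusion(s); confirm each is a "
                            "printer/IoT identity and review regularly")
    if not blocked:
        findings.insert(0, "no enabled policy blocks device code flow for all users and all apps")
    return {"blocked": blocked, "findings": findings}


if __name__ == "__main__":
    for label, tenant in (("weak", [REPORT_ONLY_POLICY]),
                          ("fixed", [REPORT_ONLY_POLICY, BLOCK_DEVICE_CODE_POLICY])):
        result = assess_device_code_block(tenant)
        print(label, "blocked:", result["blocked"], *result["findings"], sep="\n  ")
```

Run against a real export, the function is a quick answer to the question the FAQ raises: whether the tenant has the block in force or only a report-only policy that records each compromise as it happens. Posting BLOCK_DEVICE_CODE_POLICY to the Conditional Access policies endpoint with the placeholder group replaced creates the enforced policy described above.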

 

Why does post-compromise activity focus specifically on finance personnel?

Finance roles have access to payment systems, banking credentials, invoice approvals, and financial reporting, making a compromised finance inbox a direct route to fraudulent transactions. Automated exfiltration of finance-related email allows attackers to map payment workflows and identify the right moment to insert fraudulent payment instructions.
