
Attackers are using AI to turn a routine login screen into a trap


A new class of phishing campaign weaponizes a legitimate Microsoft authentication feature to bypass multi-factor authentication entirely, and healthcare organizations running Microsoft 365 are squarely in the target pool.


Understanding device code phishing

Most phishing attacks steal a password. Device code phishing skips the password altogether and steals something more durable: an authenticated session token.

The attack abuses a legitimate part of the OAuth 2.0 standard called device code flow, which was designed to help devices with no keyboard or browser, such as smart TVs or shared printers, authenticate to cloud services. In a legitimate use case, the device displays a short code, the user enters it in a separate browser, and the session is authorized. The protocol was built on an assumption of good faith, and attackers have since learned to exploit that assumption at scale.

According to Microsoft's Defender Security Research Team, the most recent campaign represents a substantial escalation from prior device code attacks. Rather than manually crafting phishing lures and pre-embedding codes, attackers built an AI-driven infrastructure that generates device codes dynamically at the moment a victim clicks a malicious link, writes personalized lure content tailored to each target's role and organization, and automates the full post-compromise chain from reconnaissance to data exfiltration. The operation was linked to EvilToken, a Phishing-as-a-Service (PhaaS) toolkit sold on underground forums since February 2026.


The impact

According to the Cloud Security Alliance's research note on the EvilToken campaign, activity first observed on February 19, 2026, had reached more than 340 Microsoft 365 organizations across the United States, Canada, Australia, New Zealand, and Germany by mid-March. Affected sectors included healthcare, financial services, manufacturing, legal services, government, construction, real estate, and nonprofits.

Healthcare organizations face compounded risk from this attack type. When an attacker obtains a valid session token for a Microsoft 365 account at a healthcare organization, the access they gain does not look different from a legitimate login. According to Paubox's Top 3 Healthcare Email Attacks in 2025 report, credential-based mailbox takeovers accounted for the largest share of exposed patient data among email-related healthcare breaches in 2025, exposing 630,000 individuals. Once inside an inbox with a valid token, attackers access protected health information (PHI) directly, search for billing and referral keywords, and create inbox rules to forward or conceal messages, all without triggering password-based anomaly detection.

According to Paubox's 2026 Healthcare Email Security Report, 53% of email-related healthcare breaches in 2025 involved Microsoft 365, up from 43% in 2024. The consistent targeting of Microsoft 365 environments makes device code phishing particularly concerning for the healthcare sector, where the platform dominates and where authentication misconfiguration is widespread.


How the attack works

The campaign documented by Microsoft followed six distinct phases, each more automated than prior device code attacks. The operation began with reconnaissance, where attackers queried a Microsoft endpoint to verify whether a target email address was active in a tenant. That validation step typically occurred 10 to 15 days before the phishing attempt itself, giving attackers time to craft personalized lures.

Delivery used AI-generated emails tailored to each target's role: e-invoices for finance staff, request-for-proposal documents for procurement teams, and shared file notifications for administrative personnel. Rather than link directly to a malicious page, the emails routed victims through redirect chains hosted on legitimate cloud platforms, including Vercel, Cloudflare Workers, and AWS Lambda, making the traffic indistinguishable from ordinary enterprise cloud activity.

When the victim finally landed on the attacker-controlled page, a backend script contacted Microsoft's legitimate device authorization endpoint in real time and generated a fresh code. Microsoft's analysis of the campaign identifies dynamic code generation as a pivotal feature: earlier device code attacks embedded a static code in the email, so the attack failed if the victim opened the message after the standard 15-minute expiration window. Generating the code on the fly at the moment of the victim's click resets that countdown to a full 15 minutes, enough time for the attacker's automated system to capture the resulting token before it expires.

The page automatically copied the generated code to the victim's clipboard and presented a button redirecting to the legitimate Microsoft device login portal. Once the victim pasted the code and completed their normal login, the attacker's backend polling loop detected the successful authentication and captured a valid access token. MFA did not protect the victim because the victim had just completed MFA themselves. The attacker was not bypassing MFA; the user had performed it on the attacker's behalf.

Post-compromise activity was selective and fast. Microsoft observed attackers using the Microsoft Graph API to map organizational structure, identifying staff in financial or executive roles within the larger pool of compromised accounts. For those targets, attackers conducted deep email reconnaissance, searching for wire transfer details, pending invoices, and executive correspondence. Device registration was used in some cases to generate persistent tokens that would survive password resets.


Why it is harder to detect and stop

Standard phishing defenses look for malicious links, known-bad domains, and spoofed sender addresses. Device code phishing routes victims through legitimate cloud platforms and ultimately directs them to an authentic Microsoft URL. Nothing in the chain is technically malicious from a URL or domain reputation perspective.

MFA, the control most organizations rely on to contain credential theft, does not prevent this attack. The device code flow is designed to authenticate sessions on behalf of devices that cannot complete MFA themselves, so the protocol structurally decouples authentication from the session that initiated it. When a user completes MFA on the legitimate Microsoft login page, they are authorizing the attacker's session, not their own.

Bleeping Computer's tracking of device code phishing activity from September 2025 onward shows multiple distinct threat clusters adopting the technique, including state-aligned actors with suspected Russian and Chinese ties as well as financially motivated groups. The EvilToken PhaaS platform lowered the barrier further by packaging the full attack workflow into an accessible subscription service, removing the technical skill requirement that had previously limited the method to sophisticated operators.

According to Paubox's 2025 Healthcare Email Security Report, only 5% of known phishing attacks are reported by employees to security teams. In a device code phishing scenario, even that low reporting rate is optimistic; victims who completed the authentication flow typically did not indicate that anything had gone wrong.
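Because nothing in the URL chain is malicious, the useful detection signal is the sign-in itself. The script below is an added example, not code from the article or from Microsoft: it runs over a few constructed Entra ID sign-in log records, flags every successful sign-in whose authenticationProtocol is deviceCode, and rates the alert higher when the source IP never appears in that user's ordinary sign-ins. The field names follow the Entra sign-in log schema; the users, IPs and timestamps are made up.

```python
import json

# Constructed Entra ID sign-in log records (made-up users, IPs and times). Field
# names follow the Entra sign-in log schema, where authenticationProtocol is
# "deviceCode" for sign-ins completed through the device code flow.
SAMPLE_SIGNIN_LOGS = """
{"createdDateTime":"2026-03-02T08:01:10Z","userPrincipalName":"j.doe@example-clinic.test","ipAddress":"203.0.113.10","authenticationProtocol":"oAuth2","appDisplayName":"Outlook","status":{"errorCode":0}}
{"createdDateTime":"2026-03-02T08:05:44Z","userPrincipalName":"j.doe@example-clinic.test","ipAddress":"203.0.113.10","authenticationProtocol":"oAuth2","appDisplayName":"Microsoft Teams","status":{"errorCode":0}}
{"createdDateTime":"2026-03-02T09:12:03Z","userPrincipalName":"j.doe@example-clinic.test","ipAddress":"198.51.100.77","authenticationProtocol":"deviceCode","appDisplayName":"Microsoft Office","status":{"errorCode":0}}
{"createdDateTime":"2026-03-02T09:40:21Z","userPrincipalName":"a.lee@example-clinic.test","ipAddress":"203.0.113.22","authenticationProtocol":"deviceCode","appDisplayName":"Microsoft Office","status":{"errorCode":0}}
{"createdDateTime":"2026-03-02T09:41:00Z","userPrincipalName":"a.lee@example-clinic.test","ipAddress":"203.0.113.22","authenticationProtocol":"oAuth2","appDisplayName":"Outlook","status":{"errorCode":0}}
{"createdDateTime":"2026-03-02T10:02:15Z","userPrincipalName":"m.ng@example-clinic.test","ipAddress":"198.51.100.90","authenticationProtocol":"deviceCode","appDisplayName":"Microsoft Office","status":{"errorCode":50126}}
"""


def parse_signin_logs(text):
    """One JSON record per line, as exported from the sign-in log."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def find_device_code_signins(records):
    """Flag successful device code flow sign-ins. Heuristic: a device code
    sign-in from an IP the user has never used in an ordinary (non-device-code)
    successful sign-in is rated high, because the token went to a client the
    user does not normally sign in from; a known IP is still worth a look."""
    known_ips = {}
    for r in records:
        if r["authenticationProtocol"] != "deviceCode" and r["status"]["errorCode"] == 0:
            known_ips.setdefault(r["userPrincipalName"], set()).add(r["ipAddress"])
    alerts = []
    for r in records:
        if r["authenticationProtocol"] != "deviceCode" or r["status"]["errorCode"] != 0:
            continue  # failed attempts issue no token: worth logging, not alerting
        user = r["userPrincipalName"]
        new_ip = r["ipAddress"] not in known_ips.get(user, set())
        alerts.append({"user": user, "time": r["createdDateTime"], "ip": r["ipAddress"],
                       "app": r["appDisplayName"], "severity": "high" if new_ip else "medium"})
    return alerts


if __name__ == "__main__":
    for alert in find_device_code_signins(parse_signin_logs(SAMPLE_SIGNIN_LOGS)):
        print(alert)
```

A production version would pull the baseline from a longer history than the batch being scanned and add the user agent and application ID to the alert.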


Why device code phishing continues to grow

The technique has followed the same commoditization path as every effective attack method before it. State-sponsored groups pioneered the approach for targeted espionage. Microsoft's February 2025 analysis of Storm-2372 documented one of the earliest sustained campaigns. Financially motivated actors adopted it through 2025 as tooling became publicly available. By February 2026, EvilToken had packaged the full attack chain into a PhaaS subscription with ready-made lure templates, anti-bot protections, and automated backend polling.

AI accelerated every stage. Lure generation that previously required manual research into target roles and organizational context became automated. According to The Hacker News's reporting on the EvilToken campaign, lure variants in the campaign impersonated construction bid solicitations, DocuSign notifications, voicemail alerts, Microsoft Forms prompts, and shared file reminders, incorporating victim organization branding derived from publicly available sources, all produced at scale without per-target human intervention.

The attack succeeds because it exploits the structural properties of a legitimate protocol rather than a vulnerability in any specific software. Patching does not fix it. Protocol-level controls, pre-delivery filtering, and authentication flow restrictions are the only interventions that address the attack at its source.


FAQs

What is device code phishing, and how does it differ from standard phishing?

Standard phishing attempts to steal a password by directing users to a fake login page. Device code phishing skips the password and instead tricks users into authorizing an attacker's session through a legitimate Microsoft authentication portal. Because the user interacts with an authentic Microsoft URL, there is no fake page to detect. The attacker ends up with a valid session token that works regardless of whether MFA is enabled.


Does enabling MFA protect against device code phishing?

Not in the standard push notification or SMS form. The attack works precisely because the user does complete MFA, but they do so on the attacker's behalf through the device code flow. Phishing-resistant MFA methods, such as passkeys and hardware security keys that bind authentication to the specific originating session, do protect because they cannot be completed outside that session context.


Why are healthcare organizations particularly at risk?

Microsoft 365 is the dominant email platform in healthcare, and device code phishing specifically targets Microsoft 365 accounts. According to Paubox's 2026 Healthcare Email Security Report, 53% of email-related healthcare breaches in 2025 involved Microsoft 365. Healthcare staff also face fast-moving workflows and high email volume, which increases the probability of interacting with a convincing lure without pausing to verify the authentication request.


What is EvilToken, and where did it come from?

EvilToken is a Phishing-as-a-Service platform that packages the device code phishing attack chain into a subscription service available on underground criminal forums. It was first observed in mid-February 2026 and provides subscribers with pre-built lure templates, anti-analysis protections, and automated backend infrastructure for capturing tokens. Its emergence marks the full commoditization of a technique that was previously limited to sophisticated threat actors.


What is the single most effective control against device code phishing?

Blocking the device code authentication flow via a Microsoft Entra Conditional Access policy is the highest-impact sustained control. Pre-delivery email filtering that stops phishing lures before they reach inboxes removes the initial access vector before authentication is ever attempted. Both controls together address the attack at different stages of the chain.
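A Conditional Access block on device code flow only helps if it is actually enforced. The audit below is an added example, not code from the article or a Microsoft tool: it checks constructed policy objects for an enabled, all-users, all-apps policy that targets the deviceCodeFlow transfer method with a block grant, shows the weak report-only setting beside the corrected one, and reports what is missing. The field names are assumed from the Microsoft Graph conditionalAccessPolicy resource; the policies themselves are made up.

```python
import json

# Constructed policies shaped like the Graph conditionalAccessPolicy resource
# (field names assumed from that schema; contents made up, not from a real tenant).
POLICIES = [
    {"displayName": "Require MFA for all users", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": []},
                    "applications": {"includeApplications": ["All"]},
                    "authenticationFlows": None},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
    {"displayName": "Block device code flow",
     "state": "enabledForReportingButNotEnforced",  # weak: report-only, nothing is blocked
     "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": ["break-glass-admin"]},
                    "applications": {"includeApplications": ["All"]},
                    "authenticationFlows": {"transferMethods": "deviceCodeFlow"}},
     "grantControls": {"operator": "OR", "builtInControls": ["block"]}},
]


def targets_device_code(policy):
    flows = policy.get("conditions", {}).get("authenticationFlows") or {}
    methods = {m.strip() for m in (flows.get("transferMethods") or "").split(",")}
    return "deviceCodeFlow" in methods


def policy_blocks_device_code(policy):
    """True only if the policy is enforced, scoped to all users and all apps,
    targets the device code transfer method, and its grant control is block."""
    if policy.get("state") != "enabled" or not targets_device_code(policy):
        return False
    cond = policy.get("conditions", {})
    if cond.get("users", {}).get("includeUsers") != ["All"]:
        return False
    if cond.get("applications", {}).get("includeApplications") != ["All"]:
        return False
    return "block" in policy.get("grantControls", {}).get("builtInControls", [])


def audit_device_code_block(policies):
    """Return (covered, findings): findings names each policy that targets
    device code flow without enforcing a block, or says none targets it."""
    findings, covered = [], False
    for p in policies:
        if not targets_device_code(p):
            continue
        if policy_blocks_device_code(p):
            covered = True
        else:
            findings.append(f"{p['displayName']}: state={p.get('state')}, "
                            f"controls={p.get('grantControls', {}).get('builtInControls')}")
    if not covered and not findings:
        findings.append("no Conditional Access policy targets deviceCodeFlow")
    return covered, findings


def remediated(policy):
    """Copy of the policy with enforcement turned on: the corrected setting."""
    fixed = json.loads(json.dumps(policy))
    fixed["state"] = "enabled"
    return fixed
```

Run against the two constructed policies the audit reports the report-only policy as a finding, and the same policy passes once remediated.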
