
Device flow phishing widens Microsoft 365 risk

Hackers are exploiting Microsoft 365’s OAuth device code authentication flow to seize enterprise accounts without stealing passwords, turning a legitimate sign-in feature into a scalable route for token theft and business email compromise.

The technique, once associated mainly with targeted operations, has moved into broader criminal use as phishing-as-a-service platforms automate the process. Security teams are tracking a marked rise in campaigns that persuade employees to enter attacker-supplied device codes on genuine Microsoft sign-in pages, after which the attackers receive valid OAuth access and refresh tokens. Those tokens can allow mailbox access, file retrieval, internal reconnaissance and follow-on fraud while bypassing controls built mainly to detect stolen credentials.

Device code authentication was designed for hardware that lacks a practical browser or keyboard, such as printers, smart televisions, meeting-room systems and other shared devices. The device requests a code pair from the identity provider, displays a short user code together with a verification address, and then polls the token endpoint in the background; the user opens that address on a phone or laptop, enters the code and signs in, at which point the polling device receives the tokens. The weakness is that nothing ties the user code to the device that displays it. An attacker can initiate the flow, send the code to a target under a convincing pretext, and get the target to authorise a session that the attacker's own client is polling for.

Unlike conventional phishing, the victim may never type a password into a fake website. The login page can be Microsoft's legitimate portal, and the user may complete multifactor authentication as normal. That gives the attack a high level of credibility and makes basic user advice about checking website addresses less effective. Once authorisation is granted, the attacker does not need the password: the access and refresh tokens are issued to the client that started the flow, and the refresh token can be redeemed for fresh access tokens for as long as it remains valid.

The threat has accelerated as ready-made kits lower the entry barrier. EvilTokens, identified by security researchers as a turnkey Microsoft device code phishing platform, has circulated through cybercrime channels since February 2026 and provides features aimed at business email compromise, including mailbox access, email harvesting, reconnaissance functions and automation through messaging bots. Other platforms, including Kali365 Live, have been linked to large-scale operations using similar mechanics, affiliate panels and cloud-hosted infrastructure.

Automation has made the campaigns harder to disrupt. Entra ID device codes expire 15 minutes after they are issued, so a code embedded in a bulk mailing is often stale by the time anyone uses it; attackers now generate the code dynamically when a victim clicks a phishing link, keeping the authentication window open at the critical moment. Some campaigns use artificial intelligence to tailor lures to a target's role, with themes such as invoices, procurement requests, manufacturing workflows and document reviews. Disposable cloud infrastructure and short-lived polling services further complicate detection by reducing the value of static indicators.
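The three-party exchange described above (a client starts the flow, the user approves the code on the real sign-in page, the client polls for tokens), as an added example that is not part of the original article and is not code from Microsoft or from any phishing kit. It is an in-memory Python model of the RFC 8628 device authorization grant; the client ID, verification URL and accounts are placeholders and no Microsoft endpoint is contacted. Two things to take from it: the token endpoint hands access and refresh tokens to whichever client holds the device code, regardless of who typed the user code, and a code minted when the lure is sent rather than when it is clicked can already be expired by the time the victim acts, which is why the kits generate codes on demand.

```python
"""In-memory model of the OAuth 2.0 device authorization grant (RFC 8628).
Constructed example: placeholder client ID, verification URL and accounts;
nothing here talks to a real identity provider."""
import secrets
import time

DEVICE_CODE_LIFETIME = 900  # Entra ID device codes expire 15 minutes after issue


class FakeClock:
    """Deterministic clock so the expiry behaviour can be exercised offline."""
    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


class AuthorizationServer:
    """Stand-in for the identity provider's /devicecode and /token endpoints."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.pending = {}       # device_code -> pending authorization record
        self.by_user_code = {}  # user_code   -> the same record

    def device_authorization(self, client_id, scope):
        """Step 1: the client (the attacker, in a phishing case) requests a code pair."""
        device_code = secrets.token_urlsafe(32)
        user_code = "".join(secrets.choice("BCDFGHJKLMNPQRSTVWXZ") for _ in range(9))
        record = {"client_id": client_id, "scope": scope, "user_code": user_code,
                  "expires_at": self.clock() + DEVICE_CODE_LIFETIME, "approved_by": None}
        self.pending[device_code] = record
        self.by_user_code[user_code] = record
        return {"device_code": device_code, "user_code": user_code,
                "verification_uri": "https://login.example/devicelogin",  # placeholder, not Microsoft's page
                "expires_in": DEVICE_CODE_LIFETIME, "interval": 5}

    def user_approves(self, user_code, upn, mfa_passed):
        """Step 2: the user types the code on the genuine sign-in page and passes MFA."""
        record = self.by_user_code.get(user_code)
        if record is None or self.clock() > record["expires_at"]:
            return {"error": "expired_or_unknown_code"}
        if not mfa_passed:
            return {"error": "mfa_required"}
        record["approved_by"] = upn
        return {"status": "approved", "client_id": record["client_id"]}

    def token(self, device_code):
        """Step 3: whoever holds device_code polls here; tokens are issued to that caller."""
        record = self.pending.get(device_code)
        if record is None or self.clock() > record["expires_at"]:
            return {"error": "expired_token"}
        if record["approved_by"] is None:
            return {"error": "authorization_pending"}
        del self.pending[device_code]
        del self.by_user_code[record["user_code"]]
        wants_refresh = "offline_access" in record["scope"].split()
        return {"token_type": "Bearer", "scope": record["scope"],
                "access_token": "at." + secrets.token_urlsafe(16),
                "refresh_token": ("rt." + secrets.token_urlsafe(16)) if wants_refresh else None,
                "issued_to_client": record["client_id"],
                "on_behalf_of": record["approved_by"]}


def simulate_lure(seconds_until_victim_acts):
    """Attacker mints a code, waits for the victim to open the lure, the victim approves
    with MFA on the real page, the attacker polls. Returns (early poll, approval, final poll)."""
    clock = FakeClock()
    server = AuthorizationServer(clock)
    attacker_side = server.device_authorization("client-id-chosen-by-attacker",  # placeholder
                                                "Mail.Read Files.Read offline_access")
    early_poll = server.token(attacker_side["device_code"])  # nothing yet: authorization_pending
    clock.advance(seconds_until_victim_acts)
    approval = server.user_approves(attacker_side["user_code"], "victim@example.com", mfa_passed=True)
    final_poll = server.token(attacker_side["device_code"])
    return early_poll, approval, final_poll


if __name__ == "__main__":
    # Code generated at click time: the victim acts within a minute and the attacker gets tokens.
    print(simulate_lure(60)[2])
    # Code generated 20 minutes before the victim typed it: expired, no tokens.
    print(simulate_lure(1200)[2])
```

The victim's MFA challenge is completed against the real identity provider and succeeds; it never sees the attacker, because from the provider's side the attacker is simply the device that requested the code.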

The operational consequences for businesses can be severe. A compromised Microsoft 365 account can expose email archives, Teams messages, SharePoint files, OneDrive documents and contact lists. Attackers often use the initial mailbox access to study payment chains, vendor relationships and internal tone before launching invoice fraud or internal phishing. Some incidents have involved inbox rules designed to hide warnings, suppress security alerts or divert messages containing financial keywords.

The attack also illustrates a broader shift in identity compromise. Organisations have invested heavily in multifactor authentication, but token-focused attacks target the session layer after a legitimate authentication event. Resetting the password is not enough on its own if refresh tokens remain active. Incident response usually requires revoking the user's sign-in sessions so that outstanding refresh tokens stop working, reviewing OAuth grants, checking sign-in logs, removing malicious inbox rules and hunting for lateral activity across cloud services.
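A hunt for the kind of inbox rules described in the two paragraphs above, as an added example rather than code from the article or from any product. The rule dictionaries and mailboxes are constructed; their field names are modelled on Exchange Online's Get-InboxRule output, and the keyword and folder lists are assumptions to tune for your own environment.

```python
"""Flag inbox rules that match financial or security-alert wording and then hide,
delete or divert the mail. Constructed sample data; field names modelled on
Exchange Online Get-InboxRule output (Name, SubjectContainsWords, BodyContainsWords,
FromAddressContainsWords, MoveToFolder, DeleteMessage, MarkAsRead, ForwardTo, RedirectTo)."""

# Assumed keyword and folder lists; adjust to the environment.
SENSITIVE_WORDS = {"invoice", "payment", "wire", "bank", "remittance", "password",
                   "security alert", "unusual sign-in", "suspicious", "hacked", "phish"}
HIDING_FOLDERS = {"rss subscriptions", "rss feeds", "junk email", "deleted items",
                  "conversation history", "archive"}

# Constructed rules as an investigator might export them from a tenant.
SAMPLE_RULES = [
    {"MailboxOwnerId": "ap@example.com", "Name": ".",
     "SubjectContainsWords": ["invoice", "payment", "wire transfer"],
     "MoveToFolder": "RSS Subscriptions", "MarkAsRead": True},
    {"MailboxOwnerId": "ap@example.com", "Name": "..",
     "FromAddressContainsWords": ["security-noreply@", "noreply@"],
     "BodyContainsWords": ["unusual sign-in", "password"], "DeleteMessage": True},
    {"MailboxOwnerId": "cfo@example.com", "Name": "Copy to personal",
     "SubjectContainsWords": ["bank"], "ForwardTo": ["c.fo.private@mail.example.net"]},
    {"MailboxOwnerId": "ap@example.com", "Name": "-",
     "SubjectContainsWords": ["meeting"], "MoveToFolder": "Deleted Items"},
    {"MailboxOwnerId": "hr@example.com", "Name": "Newsletters",
     "FromAddressContainsWords": ["newsletter@"], "MoveToFolder": "Reading"},
    {"MailboxOwnerId": "hr@example.com", "Name": "Archive old alerts",
     "SubjectContainsWords": ["[monitoring]"], "MoveToFolder": "Archive"},
]


def assess_rule(rule, internal_domains):
    """Return (severity, reasons) for one rule; severity is 'high', 'medium' or None."""
    reasons = []
    words = [w.lower() for key in ("SubjectContainsWords", "BodyContainsWords",
                                   "FromAddressContainsWords") for w in rule.get(key, [])]
    hits = sorted({s for s in SENSITIVE_WORDS if any(s in w for w in words)})
    if hits:
        reasons.append("matches sensitive wording: " + ", ".join(hits))

    hides = False  # does the rule keep the mail out of the user's sight?
    if rule.get("DeleteMessage"):
        hides = True
        reasons.append("deletes matching mail")
    if (rule.get("MoveToFolder") or "").lower() in HIDING_FOLDERS:
        hides = True
        reasons.append("moves mail to rarely viewed folder '%s'" % rule["MoveToFolder"])
    if rule.get("MarkAsRead"):
        reasons.append("marks mail as read")

    targets = rule.get("ForwardTo", []) + rule.get("RedirectTo", [])
    external = [t for t in targets if t.rsplit("@", 1)[-1].lower() not in internal_domains]
    if external:
        reasons.append("forwards or redirects to external address: " + ", ".join(external))

    nameless = not rule.get("Name", "").strip(". -_")  # '.', '..', '-' style names
    if nameless:
        reasons.append("rule name is empty or punctuation only")

    if external or (hits and hides):
        return "high", reasons
    if (hides and nameless) or (hits and rule.get("MarkAsRead")):
        return "medium", reasons
    return None, reasons


def hunt(rules, internal_domains):
    """Return flagged rules as (mailbox, name, severity, reasons), high severity first."""
    findings = []
    for rule in rules:
        severity, reasons = assess_rule(rule, internal_domains)
        if severity:
            findings.append((rule["MailboxOwnerId"], rule["Name"], severity, reasons))
    findings.sort(key=lambda f: (f[2] != "high", f[0]))
    return findings


if __name__ == "__main__":
    for mailbox, name, severity, reasons in hunt(SAMPLE_RULES, {"example.com"}):
        print(mailbox, repr(name), severity, "; ".join(reasons))
```

The legitimate "Archive old alerts" rule moves mail into a hiding folder but is not flagged: a single hiding action with a descriptive name and no sensitive keyword is how most benign rules look, and flagging it would bury the real findings.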

Defensive guidance is increasingly centred on restricting device code flow unless there is a clear operational need. Microsoft Entra Conditional Access has an authentication flows condition that targets device code flow specifically, so a policy can block the flow entirely or limit it to approved users, devices, locations or applications. Security teams are also advised to run such a policy in report-only mode first, review the sign-in logs for legitimate use (device code sign-ins are recorded with the authentication protocol "deviceCode"), and then narrow access around known business cases such as managed conference-room equipment.
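The report-only review step in the paragraph above, as an added example that is not code from the article or from Microsoft. The sign-in records are constructed and use field names modelled on the Microsoft Graph signIn resource, where device code sign-ins carry authenticationProtocol "deviceCode" and report-only policy outcomes appear under appliedConditionalAccessPolicies; the approved accounts, the app name, the office network range and the policy name are assumptions.

```python
"""Triage device code sign-ins and check what a report-only Conditional Access
policy would have done to them. Constructed records; field names modelled on the
Microsoft Graph signIn resource."""
import ipaddress

# Assumed business case: two meeting-room accounts using one app from the office network.
APPROVED_ACCOUNTS = {"room-boardroom@example.com", "room-hub-3f@example.com"}
APPROVED_APPS = {"Meeting Room Portal"}                   # placeholder app display name
OFFICE_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]  # documentation range, stands in for office egress
POLICY = "CA-ReportOnly-Block-DeviceCode"                  # assumed report-only policy name

SIGNINS = [
    {"userPrincipalName": "room-boardroom@example.com", "appDisplayName": "Meeting Room Portal",
     "authenticationProtocol": "deviceCode", "ipAddress": "203.0.113.10",
     "appliedConditionalAccessPolicies": [{"displayName": POLICY, "result": "reportOnlyFailure"}]},
    {"userPrincipalName": "alice@example.com", "appDisplayName": "Placeholder Office Client",
     "authenticationProtocol": "deviceCode", "ipAddress": "198.51.100.77",
     "appliedConditionalAccessPolicies": [{"displayName": POLICY, "result": "reportOnlyFailure"}]},
    {"userPrincipalName": "bob@example.com", "appDisplayName": "Placeholder Web Mail",
     "authenticationProtocol": "oAuth2", "ipAddress": "203.0.113.21",
     "appliedConditionalAccessPolicies": [{"displayName": POLICY, "result": "reportOnlyNotApplied"}]},
    {"userPrincipalName": "carol@example.com", "appDisplayName": "Meeting Room Portal",
     "authenticationProtocol": "deviceCode", "ipAddress": "203.0.113.44",
     "appliedConditionalAccessPolicies": [{"displayName": POLICY, "result": "reportOnlyFailure"}]},
    {"userPrincipalName": "room-hub-3f@example.com", "appDisplayName": "Meeting Room Portal",
     "authenticationProtocol": "deviceCode", "ipAddress": "198.51.100.5",
     "appliedConditionalAccessPolicies": [{"displayName": POLICY, "result": "reportOnlyFailure"}]},
]


def device_code_signins(records):
    """Only sign-ins that used the device code flow."""
    return [r for r in records if r.get("authenticationProtocol") == "deviceCode"]


def deviations(record):
    """Ways a device code sign-in departs from the approved business case."""
    reasons = []
    if record["userPrincipalName"] not in APPROVED_ACCOUNTS:
        reasons.append("account not approved for device code flow")
    if record["appDisplayName"] not in APPROVED_APPS:
        reasons.append("app not approved")
    ip = ipaddress.ip_address(record["ipAddress"])
    if not any(ip in net for net in OFFICE_NETWORKS):
        reasons.append("source outside office networks")
    return reasons


def policy_result(record, policy_name):
    """Report-only outcome recorded for the named policy, or notApplied if absent."""
    for policy in record.get("appliedConditionalAccessPolicies", []):
        if policy["displayName"] == policy_name:
            return policy["result"]
    return "notApplied"


def review(records, policy_name):
    """Split device code sign-ins into ones to investigate and ones to exclude before
    the policy is switched from report-only to enforced."""
    summary = {"investigate": [], "add_exclusion": [],
               "would_block_unexpected": 0, "would_block_expected": 0}
    for r in device_code_signins(records):
        why = deviations(r)
        blocked = policy_result(r, policy_name) == "reportOnlyFailure"
        if why:
            summary["investigate"].append((r["userPrincipalName"], r["ipAddress"], why))
            if blocked:
                summary["would_block_unexpected"] += 1
        elif blocked:
            summary["would_block_expected"] += 1
            summary["add_exclusion"].append(r["userPrincipalName"])
    # Safe to enforce only once no legitimate use would be cut off.
    summary["ready_to_enforce"] = summary["would_block_expected"] == 0
    return summary


if __name__ == "__main__":
    for key, value in review(SIGNINS, POLICY).items():
        print(key, value)
```

Note that room-hub-3f lands in the investigate list even though the account and app are approved: a meeting-room account signing in from outside the office is exactly the anomaly a narrowed policy (approved users and approved locations) is meant to catch, so the exclusion should be scoped by location rather than granted to the account alone.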

Token protection adds another layer by binding supported sign-in tokens to trusted devices, making stolen tokens harder to replay from attacker-controlled systems. Its coverage is still dependent on platform, application and device support, so it is best treated as part of a wider identity defence programme rather than a standalone fix. Requirements for compliant or joined devices, continuous access evaluation, risk-based sign-in controls and strong monitoring of anomalous OAuth activity are becoming central to cloud security planning.