Skip to main content
Emerging ThreatsMalware & Ransomware

Microsoft Device-Code Phishing Attacks Compromise Hundreds Daily

Person sits in dimly lit room surrounded by screens with login prompts and error messages, with suspicious message on…

"Who needs MFA when you've got EvilTokens?" That jarring question, posed in coverage by The Register, sums up a stark reality: a Microsoft device-code phishing campaign is compromising hundreds of organizations every day by using AI and automation at nearly every stage to snoop through corporate email inboxes and steal financial data.

What the campaign is doing — and how fast

The Register reports that the operation, characterized as a Microsoft device-code phishing campaign and referred to in coverage with the phrase "EvilTokens," is active at scale. According to that reporting, threat actors are compromising hundreds of organizations daily. The campaign leverages AI and automation throughout the attack chain to gain access, then proceeds to search corporate email inboxes for material of financial value.

Techniques on display: AI, automation and device-code phishing

The key technical features reported are straightforward and alarming: attackers are exploiting Microsoft’s device-code authorization flow as the vector for phishing; they integrate AI-driven tools and automated processes across nearly every phase of the intrusion; and their objective, once inside, is to extract financial data from corporate email systems.

Why this matters to different stakeholders

  • For technologists: The combination of device-code phishing with AI and automation increases throughput and persistence. Automated tooling and AI assistance can accelerate reconnaissance, credential harvesting, and inbox searches, enabling attackers to scale compromises to the level of hundreds of organizations per day, the reporting indicates.
  • For organizations and users: The direct harm is described succinctly: corporate email inboxes are being searched and financial data is being stolen. For organizations that rely on email for invoices, wire instructions, and other transactions, that outcome represents a material operational and financial risk.
  • For policymakers and defenders: The Register’s account underscores a broad escalation in attacker capabilities. The use of automation and AI at scale suggests defenders must contend not only with more frequent attacks, but with attacks that can adapt and operate at machine speed across many targets.
  • For adversaries: The campaign demonstrates how marrying existing phishing techniques with newer automation and AI tools can dramatically increase impact — a pattern that may inform future malicious operations, according to the reported behavior.

Implications and a final question

The takeaways in The Register’s reporting are stark and simple: a Microsoft device-code phishing campaign that uses AI and automation is compromising hundreds of organizations every day, then moving to search email inboxes and exfiltrate financial data. That combination of scale, speed, and a clear financial motive creates a potent risk environment.

If attackers can weaponize automation and AI to turn a well-known phishing vector into a daily industrial-scale operation, what will an effective defense look like — and how quickly can organizations adapt? The Register’s reporting leaves that question open, even as it documents the attacker's present capability.

https://go.theregister.com/feed/www.theregister.com/2026/04/07/microsoft_device_code_phishing/