An AI‑enabled device code phishing campaign (www.microsoft.com)

🤖 AI Summary
Microsoft Defender Security Research has detected a sophisticated phishing campaign that exploits device code authentication to compromise organizational accounts at scale. Unlike traditional methods, this campaign automates the generation of dynamic device codes, effectively circumventing the typical 15-minute expiration window. This shift is an escalation in tactics that aligns with the rise of the EvilTokens phishing-as-a-service toolkit and marks a notable evolution in threat actor capabilities. The attackers used advanced backend automation, deploying numerous unique polling nodes on platforms like Railway.com that execute complex scripts in real time. These scripts generate device codes dynamically during user interactions, increasing the likelihood that a phishing attempt succeeds. The campaign also used generative AI to craft hyper-personalized lures based on the victim's role, further increasing engagement rates. The multi-stage approach, ranging from reconnaissance to dynamic code generation, forms a highly effective delivery pipeline that manipulates user behavior and compromises accounts without requiring password submission. The campaign raises significant concerns for the AI/ML community about the growing intersection of automation, AI, and cybersecurity threats, and highlights the need for more robust authentication methods and proactive defenses.