{"id":60451,"date":"2026-04-06T16:34:17","date_gmt":"2026-04-06T16:34:17","guid":{"rendered":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/?p=146350"},"modified":"2026-04-06T16:34:17","modified_gmt":"2026-04-06T16:34:17","slug":"inside-an-ai%e2%80%91enabled-device-code-phishing-campaign","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/inside-an-ai%e2%80%91enabled-device-code-phishing-campaign\/","title":{"rendered":"Inside an AI\u2011enabled device code phishing campaign"},"content":{"rendered":"<p class=\"wp-block-paragraph\">Microsoft Defender Security Research has observed a widespread phishing campaign leveraging the Device Code Authentication flow to compromise organizational accounts at scale.&nbsp;While traditional device code attacks are typically narrow in scope, this campaign demonstrated a higher success rate, driven by automation and dynamic code generation that circumvented the standard 15-minute expiration window for device codes. 
This activity aligns with the emergence of EvilToken, a Phishing-as-a-Service (PhaaS) toolkit identified as a key driver of large-scale device code abuse.<\/p>\n<p class=\"wp-block-paragraph\">This campaign is distinct because it moves away from static, manual scripts toward AI-driven infrastructure with automation end-to-end. This activity marks a significant escalation in threat actor sophistication since the <a href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2025\/02\/13\/storm-2372-conducts-device-code-phishing-campaign\/\">Storm-2372 device code phishing campaign observed in February 2025<\/a>.<\/p>\n<ul class=\"wp-block-list\">\n<li class=\"wp-block-list-item\"><strong>Advanced Backend Automation:<\/strong> Threat actors used automation platforms like Railway.com to spin up thousands of unique, short-lived polling nodes. This approach allowed them to deploy complex backend logic (Node.js), which bypassed traditional signature-based or pattern-based detection. This infrastructure was leveraged end-to-end in the attack, from generating dynamic device codes to post-compromise activities.<\/li>\n<li class=\"wp-block-list-item\"><strong>Hyper-personalized lures:<\/strong> Generative AI was used to create targeted phishing emails aligned to the victim\u2019s role, including themes such as RFPs, invoices, and manufacturing workflows, increasing the likelihood of user interaction.<\/li>\n<li class=\"wp-block-list-item\"><strong>Dynamic Code Generation:<\/strong> To bypass the 15-minute expiration window for device codes, threat actors triggered code generation at the moment the user interacted with the phishing link, ensuring the authentication flow remained valid.<\/li>\n<li class=\"wp-block-list-item\"><strong>Reconnaissance and Persistence:<\/strong> Although many accounts were compromised, follow-on activity focused on a subset of high-value targets. 
Threat actors used automated enrichment techniques, including analysis of public profiles and corporate directories, to identify individuals in financial or executive roles. This enabled rapid reconnaissance, mapping of permissions, and creation of malicious inbox rules for persistence and data exfiltration.<\/li>\n<\/ul>\n<p class=\"wp-block-paragraph\">Once authentication tokens were obtained, threat actors focused on post-compromise activity designed to maintain access and extract data. Stolen tokens were used for email exfiltration and persistence, often through the creation of malicious inbox rules that redirected or concealed communications. In parallel, threat actors conducted Microsoft Graph reconnaissance to map organizational structure and permissions, enabling continued access and potential lateral movement while tokens remained valid.<\/p>\n<h2 class=\"wp-block-heading\" id=\"attack-chain-overview\">Attack chain overview<\/h2>\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2026\/04\/image-2.webp\" alt class=\"wp-image-146351 webp-format\" srcset data-orig-src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2026\/04\/image-2.webp\"><\/figure>\n<p class=\"wp-block-paragraph\"><a href=\"https:\/\/learn.microsoft.com\/en-us\/entra\/identity-platform\/v2-oauth2-device-code\">Device Code Authentication<\/a> is a legitimate OAuth flow designed for devices with limited interfaces, such as smart TVs or printers, that cannot support a standard interactive login. In this model, a user is presented with a short code on the device they are trying to sign in from and is instructed to enter that code into a browser on a separate device to complete authentication.<\/p>\n<p class=\"wp-block-paragraph\">While this flow is useful for these scenarios, it introduces a security tradeoff. 
Because authentication is completed on a separate device, the session initiating the request is not strongly bound to the user\u2019s original context. Threat actors have abused this characteristic as a way to bypass more traditional MFA protections by decoupling authentication from the originating session.<\/p>\n<p class=\"wp-block-paragraph\">Device code phishing occurs when threat actors insert themselves into this process. Instead of a legitimate device requesting access, the threat actor initiates the flow and provides the user with a code through a phishing lure. When the user enters the code, they unknowingly authorize the threat actor\u2019s session, granting access to the account without exposing credentials.<\/p>\n<h3 class=\"wp-block-heading\" id=\"phase-1-reconnaissance-and-target-validation\">Phase 1: Reconnaissance and target validation<\/h3>\n<p class=\"wp-block-paragraph\">The threat actor begins by verifying account validity using the GetCredentialType endpoint. By querying this specific Microsoft URL, the threat actor confirms whether a targeted email address exists and is active within the tenant. This reconnaissance phase is a critical precursor, typically occurring 10 to 15 days before the actual phishing attempt is launched.<\/p>\n<p class=\"wp-block-paragraph\">The campaign uses a multi-stage delivery pipeline designed to bypass traditional email gateways and endpoint security. The attack begins when a user interacts with a malicious attachment or a direct URL embedded within a high-pressure lure (e.g., \u201cAction Required: Password Expiration\u201d).<\/p>\n<p class=\"wp-block-paragraph\">To evade automated URL scanners and sandboxes, the threat actors do not link directly to the final phishing site. Instead, they use a series of redirects through compromised legitimate domains and high-reputation \u201cServerless\u201d platforms. 
We observed heavy reliance on Vercel (*.vercel.app), Cloudflare Workers (*.workers.dev), and AWS Lambda to host the redirect logic. By using these domains, the phishing traffic \u201cblends in\u201d with legitimate enterprise cloud traffic, preventing simple domain-blocklist triggers.<\/p>\n<p class=\"wp-block-paragraph\">Once the targeted user is redirected to the final landing page, they are presented with the credential theft interface. This is either hosted as <em>browser-in-the-browser<\/em> (a technique commonly used by the threat actor that simulates a legitimate browser window within a web page, loading content the threat actor has created) or displayed directly within a web-hosted \u201cpreview\u201d of the document: a blurred view, a \u201cVerify identity\u201d button that redirects the user to \u201cMicrosoft.com\/devicelogin\u201d, and the device code itself.<\/p>\n<p class=\"wp-block-paragraph\">Below is an example of the final landing page, where the redirect to DeviceLogin is rendered as browser-in-the-browser.<\/p>\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2026\/04\/image-3.webp\" alt class=\"wp-image-146359 webp-format\" srcset data-orig-src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2026\/04\/image-3.webp\"><\/figure>\n<p class=\"wp-block-paragraph\">The campaign utilized diverse themes, including document access, electronic signing, and voicemail notifications. 
In specific instances, the threat actor prompted users for their email addresses to facilitate the generation of a malicious device code.<\/p>\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2026\/04\/image-4.webp\" alt class=\"wp-image-146358 webp-format\" srcset data-orig-src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2026\/04\/image-4.webp\"><\/figure>\n<p class=\"wp-block-paragraph\">Unlike traditional phishing that asks for a password, this \u201cFront-End\u201d is designed to facilitate a <strong>handoff<\/strong>. The page is pre-loaded with hidden automation. The moment the \u201cContinue to Microsoft\u201d button is clicked, the authentication begins, preparing the victim for the \u201cDevice Code\u201d prompt that follows in the next stage of the attack.<\/p>\n<p class=\"wp-block-paragraph\">The threat actor used a combination of domain shadowing and brand-impersonating subdomains to bypass reputation filters. Several domains were designed to impersonate technical or administrative services (e.g., graph-microsoft[.]com, portal-azure[.]com, office365-login[.]com). Also, multiple randomized subdomains were observed (e.g., a7b2-c9d4.office-verify[.]net). This is a common tactic to ensure that if one URL is flagged, the entire domain isn\u2019t necessarily blocked immediately. 
Below is a distribution of Domain hosting infrastructure abused by the threat actor:<\/p>\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2026\/04\/image-5.webp\" alt class=\"wp-image-146360 webp-format\" srcset data-orig-src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2026\/04\/image-5.webp\"><\/figure>\n<hr class=\"wp-block-separator has-alpha-channel-opacity\">\n<h3 class=\"wp-block-heading\" id=\"phase-2-initial-access\">Phase 2: Initial access<\/h3>\n<p class=\"wp-block-paragraph\">The threat actor distributes deceptive emails to the intended victims, utilizing a wide array of themes like invoices, RFPs, or shared files. These emails contain varied payloads, including direct URLs, PDF attachments, or HTML files. The goal is to entice the user into interacting with a link that will eventually lead them to a legitimate-looking but threat actor-controlled interface.<\/p>\n<h3 class=\"wp-block-heading\" id=\"phase-3-dynamic-device-code-generation\">Phase 3: Dynamic device code generation<\/h3>\n<p class=\"wp-block-paragraph\">When a user clicks the malicious link, they are directed to a web page running a background automation script. This script interacts with the Microsoft identity provider in real-time to generate a live Device Code. This code is then displayed on the user\u2019s screen along with a button that redirects them to the official microsoft.com\/devicelogin portal.<\/p>\n<p class=\"wp-block-paragraph\"><strong>The 15-Minute race: Static vs. dynamic<\/strong><\/p>\n<p class=\"wp-block-paragraph\">A pivotal element of this campaign\u2019s success is Dynamic Device Code Generation, a technique specifically engineered to bypass the inherent time-based constraints of the OAuth 2.0 device authorization flow. A generated device code remains valid for only 15 minutes. 
(Ref: <a href=\"https:\/\/learn.microsoft.com\/en-us\/entra\/identity-platform\/v2-oauth2-device-code\">OAuth 2.0 device authorization grant<\/a>).&nbsp;In older, static phishing attempts, the threat actor would include a pre-generated code within the email itself. This created a narrow window for success: the targeted user had to be phished, open the email, navigate through various redirects, and complete a multi-step authentication process all before the 15-minute timer lapsed. If the user opened the email even 20 minutes after it was sent, the attack would automatically fail due to the expired code.<\/p>\n<p class=\"wp-block-paragraph\">Dynamic Generation effectively solves this for the threat actor. By shifting the code generation to the final stage of the redirect chain, the 15-minute countdown only begins the moment the victim clicks the phishing link and lands on the malicious page. This ensures the authentication code is always active when the user is prompted to enter it.<\/p>\n<p class=\"wp-block-paragraph\"><strong>Generating the device code<\/strong><\/p>\n<p class=\"wp-block-paragraph\">The moment the user is redirected to the final landing page, the script on the page initiates a POST request to the threat actor\u2019s backend (<em>\/api\/device\/start\/<\/em> or <em>\/start\/<\/em>). The threat actor\u2019s server acts as a proxy. The request carries a custom HTTP header \u201c<em>X-Antibot-Token<\/em>\u201d with a 64-character hex value and an empty body (content-length: 0).<\/p>\n<p class=\"wp-block-paragraph\">The server contacts Microsoft\u2019s official device authorization endpoint on demand and provides the user\u2019s email address as a hint. It returns a JSON object containing a Device Code (with a full 15-minute lifespan) and a hidden Session Identifier Code. 
Until this is generated, the landing page takes some time to load.<\/p>\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2026\/04\/image-8.webp\" alt class=\"wp-image-146364 webp-format\" srcset data-orig-src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2026\/04\/image-8.webp\"><\/figure>\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2026\/04\/image-6.webp\" alt class=\"wp-image-146361 webp-format\" srcset data-orig-src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2026\/04\/image-6.webp\"><\/figure>\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2026\/04\/image-7.webp\" alt class=\"wp-image-146363 webp-format\" srcset data-orig-src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2026\/04\/image-7.webp\"><\/figure>\n<h3 class=\"wp-block-heading\" id=\"phase-4-exploitation-and-authentication\">Phase 4: Exploitation and authentication<\/h3>\n<p class=\"wp-block-paragraph\">To minimize user effort and maximize the success rate, the threat actor\u2019s script often automatically copies the generated device code to the user\u2019s clipboard. Once the user reaches the official login page, they paste the code. If the user does not have an active session, they are prompted to provide their password and MFA. 
If they are already signed in, simply pasting the code and confirming the request instantly authenticates the threat actor\u2019s session on the backend.<\/p>\n<p class=\"wp-block-paragraph\"><strong>Clipboard manipulation<\/strong><\/p>\n<p class=\"wp-block-paragraph\">To save a few seconds of the 15-minute window and let the user complete authentication faster, the script immediately hijacks the clipboard. Using the <em>navigator.clipboard.writeText<\/em> API, the script pushes the recently generated Device Code onto the victim\u2019s Windows clipboard. Below is a screenshot of a campaign where the codes were copied to the user\u2019s clipboard from the browser.<\/p>\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"605\" height=\"484\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2026\/04\/image-1.jpg\" alt class=\"wp-image-146366\" srcset=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2026\/04\/image-1.jpg 605w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2026\/04\/image-1-300x240.jpg 300w\" sizes=\"auto, (max-width: 605px) 100vw, 605px\"><\/figure>\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2026\/04\/image-9.webp\" alt class=\"wp-image-146365 webp-format\" srcset data-orig-src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2026\/04\/image-9.webp\"><\/figure>\n<h3 class=\"wp-block-heading\" id=\"phase-5-session-validation\">Phase 5: Session validation<\/h3>\n<p class=\"wp-block-paragraph\">Immediately following a successful compromise, the threat actor performs a validation check. 
This automated step ensures that the authentication token is valid and that the necessary level of access to the target environment has been successfully granted.<\/p>\n<p class=\"wp-block-paragraph\"><strong><em>The Polling<\/em><\/strong><\/p>\n<p class=\"wp-block-paragraph\">After presenting the code to the user and opening the legitimate microsoft.com\/devicelogin URL, the script enters a <strong>\u201cPolling\u201d<\/strong> state via the <em>checkStatus()<\/em> function to monitor the 15-minute window in real-time. Every 3 to 5 seconds (<em>setInterval<\/em>), the script pings the threat actor\u2019s \/state endpoint. It sends the secret session identifier code to validate if the user has authenticated yet. While the targeted user is entering the code on the real Microsoft site, the loop returns a \u201cpending\u201d status.<\/p>\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2026\/04\/image-10.webp\" alt class=\"wp-image-146368 webp-format\" srcset data-orig-src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2026\/04\/image-10.webp\"><\/figure>\n<p class=\"wp-block-paragraph\">The moment the targeted user completes the MFA-backed login, the next poll returns a success status. The threat actor\u2019s server now possesses a live Access Token for the targeted user\u2019s account, bypassing MFA by design, due to the use of the alternative Device Code flow. 
The user is also redirected to a placeholder website (Docusign\/Google\/Microsoft).<\/p>\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2026\/04\/image-10.webp\" alt class=\"wp-image-146367 webp-format\" srcset data-orig-src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2026\/04\/image-10.webp\"><\/figure>\n<h3 class=\"wp-block-heading\" id=\"phase-6-establish-persistence-and-post-exploitation\">Phase 6: Establish persistence and post-exploitation<\/h3>\n<p class=\"wp-block-paragraph\">The final stage varies depending on the threat actor\u2019s specific objectives. In some instances, within 10 minutes of the breach, threat actors registered new devices to generate a Primary Refresh Token (PRT) for long-term persistence. In other scenarios, they waited several hours before creating malicious inbox rules or exfiltrating sensitive email data to avoid immediate detection.<\/p>\n<p class=\"wp-block-paragraph\"><strong>Post compromise<\/strong><\/p>\n<p class=\"wp-block-paragraph\">Following the compromise, the attack predominantly progressed toward device registration and Graph reconnaissance.<\/p>\n<p class=\"wp-block-paragraph\">In one observed scenario, the attack progressed to email exfiltration and account persistence through inbox rules created using the Microsoft Office application. 
This involved filtering the compromised users and selecting targets:<\/p>\n<ul class=\"wp-block-list\">\n<li class=\"wp-block-list-item\"><strong>Persona Identification:<\/strong> The threat actor reviewed and filtered for high-value personas\u2014specifically those in financial, executive, or administrative roles\u2014within the massive pool of compromised users.<\/li>\n<li class=\"wp-block-list-item\"><strong>Accelerated Reconnaissance:<\/strong> Using Microsoft Graph reconnaissance, the threat actor programmatically mapped internal organizational structures and identified sensitive permissions the moment a token was secured.<\/li>\n<li class=\"wp-block-list-item\"><strong>Targeted Financial Exfiltration:<\/strong> The most invasive activity was reserved for users with financial authority. For these specific profiles, the threat actors performed deep-dive reconnaissance into email communications, searching for high-value targets like wire transfer details, pending invoices, and executive correspondence.<\/li>\n<\/ul>\n<p class=\"wp-block-paragraph\">Below is an example of an inbox rule created by the threat actor using the Microsoft Office application.<\/p>\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2026\/04\/image-11.webp\" alt class=\"wp-image-146369 webp-format\" srcset data-orig-src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2026\/04\/image-11.webp\"><\/figure>\n<h2 class=\"wp-block-heading\" id=\"mitigation-and-protection-guidance\">Mitigation and protection guidance<\/h2>\n<p class=\"wp-block-paragraph\">To harden networks against the device code phishing activity described above, defenders can implement the following:<\/p>\n<ul class=\"wp-block-list\">\n<li class=\"wp-block-list-item\">Only allow device code flow where necessary. 
Microsoft recommends&nbsp;<a href=\"https:\/\/learn.microsoft.com\/entra\/identity\/conditional-access\/policy-block-authentication-flows\">blocking device code flow wherever possible<\/a>. Where necessary, configure Microsoft Entra ID\u2019s&nbsp;<a href=\"https:\/\/learn.microsoft.com\/entra\/identity\/conditional-access\/concept-authentication-flows\">device code flow<\/a>&nbsp;in your Conditional Access policies.<\/li>\n<li class=\"wp-block-list-item\">Educate users about common phishing techniques. Sign-in prompts should clearly identify the application being authenticated to. As of 2021, Microsoft Azure interactions prompt the user to confirm (\u201cCancel\u201d or \u201cContinue\u201d) that they are signing in to the app they expect, which is an option frequently missing from phishing sign-ins. Be cautious of any \u201c[EXTERNAL]\u201d messages containing suspicious links. Do not sign in to resources provided by unfamiliar senders. For more tips and guidance, refer to <a href=\"https:\/\/support.microsoft.com\/en-us\/security\/protect-yourself-from-phishing\">Protect yourself from phishing | Microsoft Support<\/a>.<\/li>\n<li class=\"wp-block-list-item\">Configure <a href=\"https:\/\/learn.microsoft.com\/en-us\/defender-office-365\/anti-phishing-policies-about\">anti-phishing policies<\/a>. Anti-phishing policies protect against phishing attacks by detecting spoofed senders, impersonation attempts, and other deceptive email techniques.<\/li>\n<li class=\"wp-block-list-item\">Configure <a href=\"https:\/\/learn.microsoft.com\/en-us\/defender-office-365\/safe-links-about\">Safe Links in Defender for Office 365<\/a>. Safe Links scanning protects your organization from malicious links that are used in phishing and other attacks. 
Safe Links can also enable high-confidence device code phishing alerts from Defender.<\/li>\n<li class=\"wp-block-list-item\">If suspected device code phishing activity is identified,&nbsp;<a href=\"https:\/\/learn.microsoft.com\/graph\/api\/user-revokesigninsessions\">revoke the user\u2019s refresh tokens by calling&nbsp;<em>revokeSignInSessions<\/em><\/a>. Consider&nbsp;<a href=\"https:\/\/learn.microsoft.com\/entra\/identity\/conditional-access\/policy-all-users-persistent-browser#create-a-conditional-access-policy\">setting a Conditional Access Policy to force re-authentication<\/a>&nbsp;for users.<\/li>\n<li class=\"wp-block-list-item\"><a href=\"https:\/\/learn.microsoft.com\/azure\/active-directory\/identity-protection\/howto-identity-protection-configure-risk-policies\">Implement a sign-in risk policy<\/a>&nbsp;to automate response to risky sign-ins. A sign-in risk represents the probability that a given authentication request is not authorized by the identity owner. A sign-in risk-based policy can be implemented by adding a sign-in risk condition to Conditional Access policies that evaluates the risk level of a specific user or group. 
Based on the risk level (high\/medium\/low), a policy can be configured to block access or force multi-factor authentication.\n<ul class=\"wp-block-list\">\n<li class=\"wp-block-list-item\">For regular activity monitoring, use&nbsp;<a href=\"https:\/\/portal.azure.com\/#view\/Microsoft_AAD_IAM\/SecurityMenuBlade\/~\/RiskySignIns\">Risky sign-in reports<\/a>, which&nbsp;surface attempted and successful user access activities where the legitimate owner might not have performed the sign-in.&nbsp;<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p class=\"wp-block-paragraph\">Microsoft recommends the following best practices to further help improve organizational defences against phishing and other credential theft attacks:<\/p>\n<ul class=\"wp-block-list\">\n<li class=\"wp-block-list-item\">Require&nbsp;<a href=\"https:\/\/learn.microsoft.com\/microsoft-365\/admin\/security-and-compliance\/set-up-multi-factor-authentication\">multifactor authentication (MFA)<\/a>. Implementation of MFA remains an essential pillar in identity security and is highly effective at stopping a variety of threats. <\/li>\n<li class=\"wp-block-list-item\">Centralize your organization\u2019s identity management into a single platform. If your organization is a hybrid environment, integrate your on-premises directories with your cloud directories. If your organization is using a third-party for identity management, ensure this data is being logged in a SIEM or connected to Microsoft Entra to fully monitor for malicious identity access from a centralized location. 
Centralizing all identity data has the added benefits of facilitating the implementation of&nbsp;<a href=\"https:\/\/learn.microsoft.com\/azure\/active-directory\/manage-apps\/plan-sso-deployment\">Single Sign On (SSO)<\/a>, giving users a more seamless authentication process, and letting Entra ID\u2019s machine learning models operate on all identity data, so they learn the difference between legitimate and malicious access more quickly and easily. When doing this, it is recommended to&nbsp;<a href=\"https:\/\/learn.microsoft.com\/azure\/active-directory\/hybrid\/connect\/how-to-connect-password-hash-synchronization\">synchronize all user accounts<\/a>&nbsp;except administrative and highly privileged ones, to maintain a boundary between the on-premises environment and the cloud environment in case of a breach.<\/li>\n<li class=\"wp-block-list-item\"><a href=\"https:\/\/learn.microsoft.com\/en-us\/entra\/architecture\/security-operations-introduction\">Secure accounts with credential hygiene<\/a>: practice the&nbsp;<a href=\"https:\/\/learn.microsoft.com\/azure\/active-directory\/roles\/delegate-by-task\">principle of least privilege<\/a>&nbsp;and audit privileged account activity in your Entra ID environments to slow and stop the threat actor.<\/li>\n<\/ul>\n<h3 class=\"wp-block-heading\" id=\"microsoft-defender-xdr-detections\">Microsoft Defender XDR detections<\/h3>\n<p class=\"wp-block-paragraph\">Microsoft Defender XDR customers can refer to the list of applicable detections below. 
Microsoft Defender XDR coordinates detection, prevention, investigation, and response across endpoints, identities, email, and apps to provide integrated protection against attacks like the threat discussed in this blog.<\/p>\n<p class=\"wp-block-paragraph\">Customers with provisioned access can also use Microsoft Security Copilot in Microsoft Defender to investigate and respond to incidents, hunt for threats, and protect their organization with relevant threat intelligence.<\/p>\n<p class=\"wp-block-paragraph\">Using Safe Links and Microsoft Entra ID protection raises high confidence Device Code phishing alerts from Defender.<\/p>\n<figure class=\"wp-block-table\">\n<table class=\"has-fixed-layout\">\n<tbody readability=\"28.5\">\n<tr readability=\"2\">\n<td><strong>Tactic<\/strong><\/td>\n<td><strong>Observed activity<\/strong><\/td>\n<td><strong>Microsoft Defender coverage<\/strong><\/td>\n<\/tr>\n<tr readability=\"11\">\n<td>Initial Access<\/td>\n<td>Identification and blocking of spearphishing emails that use social engineering lures to direct users to threat actor-controlled pages that ultimately redirect to legitimate Microsoft device sign-in endpoints (e.g., microsoft.com\/devicelogin). Detection relies on campaign-level signals, sender behavior, and message content rather than URL reputation alone, enabling coverage even when legitimate Microsoft authentication URLs are abused. 
<\/td>\n<td><strong>Microsoft&nbsp;Defender for Office 365<\/strong><br \/>Predelivery protection for device code phishing emails.<\/td>\n<\/tr>\n<tr readability=\"5\">\n<td>Credential Access<\/td>\n<td>Detects anomalous device code authentication using authentication patterns and token acquisition after successful device code authentication.<\/td>\n<td><strong>Microsoft&nbsp;Defender for Identity<\/strong><br \/>Anomalous OAuth device code authentication activity.<\/td>\n<\/tr>\n<tr readability=\"8\">\n<td>Initial Access \/ Credential Access<\/td>\n<td>Detection of anomalous sign-in patterns consistent with device code authentication abuse, including atypical authentication flows and timing inconsistent with normal user behaviour.<\/td>\n<td><strong>Microsoft&nbsp;Defender XDR<\/strong><br \/>Suspicious Azure authentication through possible device code phishing.<\/td>\n<\/tr>\n<tr readability=\"7\">\n<td>Credential Access<\/td>\n<td>The threat actor successfully abuses the OAuth device code authentication flow, causing the victim to authenticate the threat actor\u2019s session and resulting in issuance of valid access and refresh tokens without password theft.<\/td>\n<td><strong>Microsoft Defender XDR<\/strong><br \/>User account compromise via OAuth device code phishing.<\/td>\n<\/tr>\n<tr readability=\"5\">\n<td>Credential Access<\/td>\n<td>Detects device code authentication after a URL click in an email from a non-prevalent sender.<\/td>\n<td><strong>Microsoft Defender XDR<\/strong><br \/>Suspicious device code authentication following a URL click in an email from a rare sender.<\/td>\n<\/tr>\n<tr readability=\"8\">\n<td>Defence Evasion<\/td>\n<td>Post-authentication use of valid tokens from threat actor-controlled or known malicious infrastructure, indicating token replay or session hijacking rather than interactive user login.<\/td>\n<td><strong>Microsoft Defender XDR<\/strong><br \/>Malicious sign-in from an IP address 
associated with recognized threat actor infrastructure.<br \/><strong>Microsoft Entra ID Protection<\/strong><br \/>Activity from Anonymous IP address (RiskEventType: anonymizedIPAddress).<\/td>\n<\/tr>\n<tr readability=\"11\">\n<td>Defence Evasion \/ Credential Access &nbsp;<\/td>\n<td>Authentication activity correlated with Microsoft threat intelligence indicating known malicious infrastructure, suspicious token usage, or threat actor associated sign-in patterns following device code abuse. &nbsp;<\/td>\n<td><strong>Microsoft Entra ID Protection<\/strong><br \/>Microsoft Entra threat intelligence (sign-in) (RiskEventType: investigationsThreatIntelligence).<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/figure>\n<h3 class=\"wp-block-heading\" id=\"microsoft-sentinel\"><strong>Microsoft Sentinel<\/strong><\/h3>\n<p class=\"wp-block-paragraph\">Microsoft Sentinel customers can use the TI Mapping analytics (a series of analytics all prefixed with \u2018TI map\u2019) to automatically match the malicious indicators mentioned in this blog post with data in their workspace. Additionally, Microsoft Sentinel customers can use the following queries to detect phishing attempts and email exfiltration attempts via Graph API. 
These queries can help customers remain vigilant and safeguard their organization from phishing attacks:<\/p>\n<h3 class=\"wp-block-heading\" id=\"microsoft-security-copilot\">Microsoft Security Copilot&nbsp;&nbsp;<\/h3>\n<p class=\"wp-block-paragraph\">Security Copilot customers can use the standalone experience to&nbsp;<a href=\"https:\/\/learn.microsoft.com\/copilot\/security\/prompting-security-copilot#create-your-own-prompts\">create their own prompts<\/a>&nbsp;or run the following&nbsp;<a href=\"https:\/\/learn.microsoft.com\/copilot\/security\/using-promptbooks\">prebuilt promptbooks<\/a>&nbsp;to automate incident response or investigation tasks related to this threat:&nbsp;&nbsp;<\/p>\n<ul class=\"wp-block-list\">\n<li class=\"wp-block-list-item\">Incident investigation&nbsp;&nbsp;<\/li>\n<li class=\"wp-block-list-item\">Microsoft User analysis&nbsp;&nbsp;<\/li>\n<li class=\"wp-block-list-item\">Threat actor profile&nbsp;&nbsp;<\/li>\n<li class=\"wp-block-list-item\">Threat Intelligence 360 report based on MDTI article&nbsp;&nbsp;<\/li>\n<li class=\"wp-block-list-item\">Vulnerability impact assessment&nbsp;&nbsp;<\/li>\n<\/ul>\n<p class=\"wp-block-paragraph\">Note that some promptbooks require access to plugins for Microsoft products such as Microsoft Defender XDR or Microsoft Sentinel.&nbsp;&nbsp;<\/p>\n<h3 class=\"wp-block-heading\" id=\"threat-intelligence-reports\">Threat intelligence reports<\/h3>\n<p class=\"wp-block-paragraph\">Microsoft customers can use the following reports in Microsoft products to get the most up-to-date information about the threat actor, malicious activity, and techniques discussed in this blog. 
These reports provide intelligence, protection information, and recommended actions to prevent, mitigate, or respond to associated threats found in customer environments.<\/p>\n<h3 class=\"wp-block-heading\" id=\"advanced-hunting\">Advanced hunting<\/h3>\n<p class=\"wp-block-paragraph\">Defender XDR customers can run the following queries to identify possible device code phishing related activity in their networks:<\/p>\n<p class=\"wp-block-paragraph\"><strong>Validate error code 50199 followed by a success within a 5-minute time interval for the user of interest, which suggests a pause to input the code from the phishing email<\/strong>.<\/p>\n<div class=\"wp-block-syntaxhighlighter-code \" readability=\"14\">\n<pre class=\"brush: plain; title: ; notranslate\" title>\nEntraIdSigninEvents\n| where ErrorCode in (0, 50199)\n| summarize ErrorCodes = make_set(ErrorCode) by AccountUpn, CorrelationId, SessionId, bin(Timestamp, 1h)\n| where ErrorCodes has_all (0, 50199)\n<\/pre>\n<\/div>\n<p class=\"wp-block-paragraph\"><strong>Validate device code authentication from suspicious IP ranges<\/strong>.<\/p>\n<div class=\"wp-block-syntaxhighlighter-code \" readability=\"12\">\n<pre class=\"brush: plain; title: ; notranslate\" title>\nEntraIdSigninEvents\n| where Call has \"Cmsi:cmsi\"\n| where IPAddress has_any (\"160.220.232.\", \"160.220.234.\", \"89.150.45.\", \"185.81.113.\", \"8.228.105.\")\n<\/pre>\n<\/div>\n<p class=\"wp-block-paragraph\"><strong>Correlate any URL clicks with suspicious sign-ins that follow with a user interrupt indicated by the error code 50199<\/strong>.<\/p>\n<div class=\"wp-block-syntaxhighlighter-code \" readability=\"24\">\n<pre class=\"brush: plain; title: ; notranslate\" title>\nlet suspiciousUserClicks = materialize(UrlClickEvents\n| extend AccountUpn = tolower(AccountUpn)\n| project ClickTime = Timestamp, ActionType, UrlChain, NetworkMessageId, Url, AccountUpn);\n\/\/ Check for risky sign-ins in the short time 
window\nlet interestedUsersUpn = suspiciousUserClicks\n| where isnotempty(AccountUpn)\n| distinct AccountUpn;\nEntraIdSigninEvents\n| where ErrorCode == 0\n| where AccountUpn in~ (interestedUsersUpn)\n| where RiskLevelDuringSignin in (10, 50, 100)\n| extend AccountUpn = tolower(AccountUpn)\n| join kind=inner suspiciousUserClicks on AccountUpn\n| where (Timestamp - ClickTime) between (-2min .. 7min)\n| project Timestamp, ReportId, ClickTime, AccountUpn, RiskLevelDuringSignin, SessionId, IPAddress, Url\n<\/pre>\n<\/div>\n<p class=\"wp-block-paragraph\"><strong>Monitor for suspicious device registration activities that follow a device code phishing compromise<\/strong>.<\/p>\n<div class=\"wp-block-syntaxhighlighter-code \" readability=\"15\">\n<pre class=\"brush: plain; title: ; notranslate\" title>\nCloudAppEvents\n| where AccountDisplayName == \"Device Registration Service\"\n| extend ApplicationId_ = tostring(ActivityObjects[0].ApplicationId)\n| extend ServiceName_ = tostring(ActivityObjects[0].Name)\n| extend DeviceName = tostring(parse_json(tostring(RawEventData.ModifiedProperties))[1].NewValue)\n| extend DeviceId = tostring(parse_json(tostring(parse_json(tostring(RawEventData.ModifiedProperties))[6].NewValue))[0])\n| extend DeviceObjectId_ = tostring(parse_json(tostring(RawEventData.ModifiedProperties))[0].NewValue)\n| extend UserPrincipalName = tostring(RawEventData.ObjectId)\n| project TimeGenerated, ServiceName_, DeviceName, DeviceId, DeviceObjectId_, UserPrincipalName\n<\/pre>\n<\/div>\n<p class=\"wp-block-paragraph\"><strong>Surface suspicious inbox rule creation (using applications) that follows a device code phishing compromise<\/strong>.<\/p>\n<div class=\"wp-block-syntaxhighlighter-code \" readability=\"17\">\n<pre class=\"brush: plain; title: ; notranslate\" title>\nCloudAppEvents\n| where ApplicationId == \"20893\" \/\/ Microsoft Exchange Online\n| where ActionType in 
(\"New-InboxRule\",\"Set-InboxRule\",\"Set-Mailbox\",\"Set-TransportRule\",\"New-TransportRule\",\"Enable-InboxRule\",\"UpdateInboxRules\")\n| where isnotempty(IPAddress)\n| mv-expand ActivityObjects\n| extend name = parse_json(ActivityObjects).Name\n| extend value = parse_json(ActivityObjects).Value\n| where name == \"Name\"\n| extend RuleName = value \/\/ keep only rule names that consist solely of special characters\n| where RuleName matches regex \"^[!@#$%^&amp;*()_+={[}\\\\]|\\\\\\\\:;\"\"',&gt;.?\/~` -]+$\"\n<\/pre>\n<\/div>\n<p class=\"wp-block-paragraph\"><strong>Surface suspicious email items accessed that follow a device code phishing compromise<\/strong>.<\/p>\n<div class=\"wp-block-syntaxhighlighter-code \" readability=\"8\">\n<pre class=\"brush: plain; title: ; notranslate\" title>\nCloudAppEvents\n| where ApplicationId == \"20893\" \/\/ Microsoft Exchange Online\n| where ActionType == \"MailItemsAccessed\"\n| where isnotempty(IPAddress)\n| where UncommonForUser has \"ISP\"\n<\/pre>\n<\/div>\n<h2 class=\"wp-block-heading\" id=\"indicators-of-compromise-ioc\">Indicators of compromise (IOC)<\/h2>\n<p class=\"wp-block-paragraph\">The threat actor\u2019s authentication infrastructure is built on well-known, trusted services like Railway.com (a popular Platform-as-a-Service (PaaS)), Cloudflare, and DigitalOcean. By using these platforms, the malicious scripts blend in with benign device code authentication, which makes it very difficult for security systems to block the attack without also stopping legitimate business services. Furthermore, the threat actor compromised multiple legitimate domains to host their phishing pages. By leveraging the existing reputation of these hijacked sites, they bypass email filters and web reputation systems.<\/p>\n<figure class=\"wp-block-table\">\n<table class=\"has-fixed-layout\">\n<tbody readability=\"12.5\">\n<tr readability=\"11\">\n<td>
Indicator<\/td>\n<td>Type<\/td>\n<td>Description<\/td>\n<\/tr>\n<tr readability=\"4\">\n<td>160.220.232.0 (Railway.com)<\/td>\n<td>IP Range<\/td>\n<td>Threat actor infrastructure observed with sign-in<\/td>\n<\/tr>\n<tr readability=\"4\">\n<td>160.220.234.0 (Railway.com)<\/td>\n<td>IP Range<\/td>\n<td>Threat actor infrastructure observed with sign-in<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td>89.150.45.0 (HZ Hosting)<\/td>\n<td>IP Range<\/td>\n<td>Threat actor infrastructure observed with sign-in<\/td>\n<\/tr>\n<tr readability=\"4\">\n<td>185.81.113.0 (HZ Hosting)<\/td>\n<td>IP Range<\/td>\n<td>Threat actor infrastructure observed with sign-in<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/figure>\n<h2 class=\"wp-block-heading\" id=\"references\">References<\/h2>\n<p class=\"wp-block-paragraph\"><em>This research is provided by Microsoft Defender Security Research with contributions from\u202fKrithika Ramakrishnan,&nbsp;Ofir Mastor, Bharat Vaghela, Shivas Raina, Parasharan Raghavan, and other members of Microsoft Threat Intelligence.<\/em><\/p>\n<h2 class=\"wp-block-heading\" id=\"learn-more\">Learn more<\/h2>\n<p class=\"wp-block-paragraph\">Review\u202four\u202fdocumentation\u202fto learn\u202fmore about our real-time protection capabilities and see how\u202fto\u202fenable them within your\u202forganization.\u202f\u202f&nbsp;<\/p>\n<p> READ MORE <a href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2026\/04\/06\/ai-enabled-device-code-phishing-campaign-april-2026\/\">HERE<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>A new wave of device code phishing shows how threat actors are scaling account compromise using AI and end\u2011to\u2011end automation. This campaign goes beyond traditional phishing by generating live authentication codes on demand, enabling higher success rates and sustained post\u2011compromise access.<br \/>\nThe post Inside an AI\u2011enabled device code phishing campaign appeared first on Microsoft Security Blog. 
READ MORE HERE&#8230;<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"colormag_page_layout":"default_layout","footnotes":""},"categories":[276],"tags":[188],"class_list":["post-60451","post","type-post","status-publish","format-standard","hentry","category-microsoft-secure","tag-phishing"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.5 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>Inside an AI\u2011enabled device code phishing campaign 2026 | ThreatsHub Cybersecurity News<\/title>\n<meta name=\"description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security &amp; Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.threatshub.org\/blog\/inside-an-ai\u2011enabled-device-code-phishing-campaign\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Inside an AI\u2011enabled device code phishing campaign 2026 | ThreatsHub Cybersecurity News\" \/>\n<meta property=\"og:description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security &amp; Cyber Threats Analysis Hub. 
100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.threatshub.org\/blog\/inside-an-ai\u2011enabled-device-code-phishing-campaign\/\" \/>\n<meta property=\"og:site_name\" content=\"ThreatsHub Cybersecurity News\" \/>\n<meta property=\"article:published_time\" content=\"2026-04-06T16:34:17+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"432\" \/>\n\t<meta property=\"og:image:height\" content=\"435\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"TH Author\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@threatshub\" \/>\n<meta name=\"twitter:site\" content=\"@threatshub\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"TH Author\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"18 minutes\" \/>\n<!-- \/ Yoast SEO plugin. -->"}