Device Code Phishing in 2026: How EvilTokens Bypasses MFA and Hijacks Microsoft 365 Accounts


By Fanny Engriana · 9 min read

Disclaimer: This article is for educational and defensive cybersecurity purposes only. The techniques described are publicly documented by Microsoft, Sekoia, Barracuda, and Huntress. If you suspect your Microsoft 365 account has been compromised, contact your IT/security team immediately or call Microsoft Support. For incident reporting, see CISA's reporting page.

The 7 Million Attack Wave Most People Haven't Heard Of

Between mid-March and mid-April 2026, Barracuda's email security team flagged more than 7 million device code phishing attempts in just four weeks (Barracuda Threat Spotlight, April 23, 2026). Microsoft's own telemetry, published April 6, 2026, has observed 10 to 15 distinct campaigns launched per day since March 15, each one fanning out to hundreds of organizations (Microsoft Security Blog). The Cloud Security Alliance counted 340+ confirmed M365 organizations compromised across five countries since February (The Hacker News, March 2026).

What makes this campaign different from the usual "click this link" phishing? The attackers don't ask for your password, and they don't need it. They convince you to type a short code into Microsoft's real sign-in page, and that one action hands them an authenticated session: one that a password reset alone does not reliably end, and that your standard multi-factor authentication has already approved.

I'm Fanny Engriana. Across the 50+ enterprise projects we've shipped at Warung Digital Teknologi over the last 11+ years (including Smart HR Payroll deployments, Hotel Management Suite installs, and the Smart POS rollouts where some clients use Microsoft Entra ID for SSO), Conditional Access for OAuth 2.0 device code flow has shifted from "nice to have" to a non-negotiable line item. Here's why, and exactly what you need to do this week if you, your family, or your team uses Microsoft 365.

What Device Code Phishing Actually Is

OAuth 2.0's device code flow was designed for a real problem: how do you log a smart TV, a printer, or an Xbox into your Microsoft account when typing a 16-character password with a TV remote is impractical? The solution: the device shows you a short code, you go to microsoft.com/devicelogin on your phone, type the code, approve it, and the device gets a token.

That flow is RFC 8628, the OAuth 2.0 device authorization grant. It is a legitimate grant type that Microsoft supports and that millions of people use every day for valid reasons.

The attack inverts the trust assumption. Instead of your smart TV requesting a code, the attacker's own client requests one from Microsoft's authorization server. The attacker then sends you a phishing email (disguised as a Microsoft Teams meeting invite, a procurement RFP, an invoice, or a "code of conduct" policy update) that nudges you to "verify your identity" by entering the code at microsoft.com/devicelogin. Nothing on that page tells you which client asked for the code.

You are typing a real code into a real Microsoft page. There is no fake login form and no spoofed domain; your browser shows a valid certificate. You complete MFA, because Microsoft's prompt is genuine. The moment you confirm, Microsoft's token endpoint answers the attacker's next poll with an access token and a refresh token for your account.

From that point, the attacker has a session that:

  • Outlives a password change: access tokens already issued keep working until they expire (up to an hour), and the attacker's refresh token should be revoked explicitly rather than assumed dead (Entra does revoke refresh tokens on a password reset, but do not rely on that alone)
  • Is never challenged by standard SMS, voice, or push-approval MFA (you completed it for them, on the genuine prompt)
  • Can read your email, OneDrive, SharePoint, and Teams chats, and call the Microsoft Graph API on your behalf, within the scopes the attacker's client requested
  • Can register a new device under your identity, creating a long-term backdoor
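The two legs of the grant, as an added example that is not part of the article or of any vendor's code: a minimal RFC 8628 authorization server in Python driven by a fake clock, an attacker's client that requests the code and polls, and a victim who approves it on the genuine server. The endpoint URL, client id, 9-character user-code format and the victim's address are constructed for the example. Running it shows why nothing on the victim's side distinguishes this from setting up a TV, how the 15-minute window works, and that only explicit revocation ends the refresh token.

```python
"""RFC 8628 device authorization grant, simulated end to end with a fake clock.

Added example, not code from the article or from any vendor named in it. The server,
client and victim are in-memory stand-ins (no network, no real Microsoft endpoints); the
endpoint URL, client id, 9-character user-code format and victim address are constructed.
"""
import secrets
import string

CODE_LIFETIME = 15 * 60   # seconds a user code stays valid (article: 15 minutes)
POLL_INTERVAL = 5         # minimum seconds between polls (RFC 8628 default "interval")


class FakeClock:
    """Deterministic clock so the example runs offline and reproducibly."""
    def __init__(self, now=0.0):
        self.now = now
    def __call__(self):
        return self.now
    def advance(self, seconds):
        self.now += seconds


class AuthorizationServer:
    """Stand-in for the device-authorization, user-verification and token endpoints."""

    def __init__(self, clock):
        self.clock = clock
        self.pending = {}         # device_code -> grant state
        self.refresh_tokens = {}  # refresh_token -> subject it was issued for

    def device_authorization(self, client_id, scope):
        """Client leg (s3.1-3.2): any client may ask for a code pair; no user is involved yet."""
        alphabet = string.ascii_uppercase + string.digits
        device_code = secrets.token_urlsafe(32)
        user_code = "".join(secrets.choice(alphabet) for _ in range(9))
        self.pending[device_code] = {"client_id": client_id, "scope": scope, "user_code": user_code,
                                     "expires_at": self.clock() + CODE_LIFETIME,
                                     "last_poll": None, "subject": None}
        return {"device_code": device_code, "user_code": user_code,
                "verification_uri": "https://as.example/devicelogin",
                "expires_in": CODE_LIFETIME, "interval": POLL_INTERVAL}

    def user_approve(self, user_code, subject):
        """User leg (s3.3): the subject signs in normally (password, MFA of any kind, passkey
        included) on the genuine site and types the code. Nothing here identifies the client."""
        for state in self.pending.values():
            if state["user_code"] == user_code and self.clock() < state["expires_at"]:
                state["subject"] = subject
                return True
        return False

    def token(self, device_code):
        """Polling leg (s3.4-3.5): whoever requested the code collects the tokens."""
        state = self.pending.get(device_code)
        if state is None:
            return {"error": "invalid_grant"}
        now = self.clock()
        if now >= state["expires_at"]:
            del self.pending[device_code]
            return {"error": "expired_token"}
        if state["last_poll"] is not None and now - state["last_poll"] < POLL_INTERVAL:
            return {"error": "slow_down"}
        state["last_poll"] = now
        if state["subject"] is None:
            return {"error": "authorization_pending"}
        del self.pending[device_code]
        return self._issue(state["subject"], state["scope"])

    def refresh(self, refresh_token):
        """Refresh grant with rotation: the old token is consumed, a new pair is issued."""
        subject = self.refresh_tokens.pop(refresh_token, None)
        if subject is None:
            return {"error": "invalid_grant"}
        return self._issue(subject, "offline_access")

    def revoke_sessions(self, subject):
        """Admin action (Entra: Revoke-MgUserSignInSession): every refresh token of the subject dies."""
        self.refresh_tokens = {rt: s for rt, s in self.refresh_tokens.items() if s != subject}

    def _issue(self, subject, scope):
        refresh_token = secrets.token_urlsafe(32)
        self.refresh_tokens[refresh_token] = subject
        return {"access_token": secrets.token_urlsafe(32), "refresh_token": refresh_token,
                "token_type": "Bearer", "expires_in": 3600, "scope": scope}


def run_phish(victim_clicks_after=0, clock=None):
    """Attacker requests the code, victim approves on the real server, attacker's poller collects.
    Returns (server, token_response); the response is an error object if the code expired first."""
    clock = clock or FakeClock()
    srv = AuthorizationServer(clock)
    grant = srv.device_authorization("attacker-controlled-client", "Mail.Read offline_access")
    clock.advance(victim_clicks_after)              # lure sits in the inbox for a while
    srv.user_approve(grant["user_code"], "victim@example.com")
    clock.advance(POLL_INTERVAL)                    # attacker's backend keeps polling
    return srv, srv.token(grant["device_code"])


if __name__ == "__main__":
    srv, tokens = run_phish()
    print("attacker holds a refresh token for:", srv.refresh_tokens[tokens["refresh_token"]])
    srv.revoke_sessions("victim@example.com")
    print("after revocation, refresh ->", srv.refresh(tokens["refresh_token"]))
    print("lure clicked after 16 minutes ->", run_phish(victim_clicks_after=16 * 60)[1])
```

The `user_approve` step is where the attack lives: the server checks the code and the user's authentication, but has no way to check that the client which asked for the code is one the user meant to authorize. That is why a phishing-resistant authenticator on the user's side does not change the outcome, and why the refresh token keeps working until `revoke_sessions` runs.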

Why the 2026 Variant Is Worse: EvilTokens, Dynamic Codes, and AI Lures

Device code phishing isn't new: Microsoft attributed the original Storm-2372 campaign to a Russia-aligned actor in February 2025. What changed in 2026 is industrialization.

EvilTokens phishing-as-a-service. Sekoia's threat intel team identified EvilTokens as a turnkey kit sold under a PhaaS subscription model since mid-February 2026. Buyers get pre-built lure templates, hosting on legitimate platforms (Vercel, Cloudflare Workers, AWS Lambda, Railway.com), and a polling backend that spins up "thousands of unique, short-lived polling nodes" (Microsoft).

Dynamic code generation defeats the 15-minute window. A Microsoft device code expires 15 minutes after it is issued. In 2025-era attacks the code was already ticking when the email went out, so defenders could often catch the lure before the victim clicked. EvilTokens fixed that. Microsoft's April 6 write-up explains it directly: "the 15-minute countdown only begins the moment the victim clicks the phishing link." The kit requests the code at the final redirect, so by the time a SOC sees the lure, the clock has only just started for whoever clicks next.

AI-generated, role-aware lures. Generative AI builds personalized emails matched to the recipient's role: RFPs for procurement managers, manufacturing workflow updates for plant managers, board-meeting agendas for executives. Microsoft notes the AI is also used to draft realistic browser-in-browser overlays that mimic the legitimate Microsoft Entra login window pixel-for-pixel.

Clipboard hijacking for one-click victimization. Some EvilTokens variants automatically copy the device code to the victim's clipboard, so when the victim arrives at the real Microsoft page they only need to paste β€” no manual code entry, no second-thoughts pause.


Who's Being Targeted

According to Microsoft, Huntress, and Sekoia, confirmed verticals include construction, non-profits, real estate, manufacturing, financial services, healthcare, legal, and government. The Cloud Security Alliance research note (March 25, 2026) confirms five countries: United States, United Kingdom, Germany, Australia, and the Netherlands.

That list shouldn't lull anyone. The attackers are running 10 to 15 campaigns per day, and the targeting is broad. If you have an M365 mailbox of any kind (personal, family, business, or education tier), you are within scope.

Five Concrete Defenses for Microsoft 365 Users

This is the part the marketing blogs skip. Generic advice ("use MFA!") doesn't help against an attack that already bypasses MFA. Here's what actually moves the needle.

1. Block Device Code Flow with Conditional Access (Business / Education Tenants)

If your tenant has Microsoft Entra ID P1 (included in Microsoft 365 Business Premium and in E3/E5, and sold standalone; Business Basic and Business Standard do not include it), you have Conditional Access. Create a policy that blocks the device code authentication flow for every user who doesn't legitimately need it (almost nobody on a laptop does; it's for TVs, printers, and headless devices).

In the Entra admin center: Protection > Conditional Access > Policies > New policy. Assign it to all users (exclude a break-glass account and the group that owns any legitimate headless device), under Conditions > Authentication flows select Device code flow, and under Grant choose Block access. Start it in report-only mode, review the sign-ins it would have blocked, then switch it to On. Microsoft's official guide is at learn.microsoft.com.

When I configured this for a client running Smart HR Payroll on Entra ID-backed SSO last month, the rollout took under 30 minutes including a pilot ring. We saw zero false positives because the only legitimate device-code consumer in their stack was a single conference-room display, which we exempted by group membership.
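The policy from defense 1 as a data structure, with a small evaluator, as an added example (not the article's code and not Microsoft's policy engine). The dictionary uses the field names of the Microsoft Graph conditionalAccessPolicy resource so it can be compared against what New-MgIdentityConditionalAccessPolicy expects; the group id, user ids and sign-in records are constructed, and encoding transferMethods as a comma-separated flag string is an assumption about the wire format. It shows the two things a pilot ring has to prove: the exemption group still works, and report-only mode reports without blocking.

```python
"""Conditional Access policy that blocks device code flow, evaluated against sample sign-ins.

Added example, not code from the article and not Microsoft's policy engine. The policy
dictionary uses Microsoft Graph conditionalAccessPolicy field names (state, conditions.users,
conditions.authenticationFlows.transferMethods, grantControls.builtInControls). The group id,
user ids and sign-in records are constructed; treating transferMethods as a comma-separated
flag string is an assumption about the Graph wire format.
"""

HEADLESS_GROUP = "grp-headless-displays"   # constructed group id for the conference-room display

BLOCK_DEVICE_CODE_POLICY = {
    "displayName": "Block device code flow (headless display group exempt)",
    "state": "enabled",   # use "enabledForReportingButNotEnforced" for the pilot ring
    "conditions": {
        "users": {"includeUsers": ["All"], "excludeUsers": ["u-breakglass"],
                  "excludeGroups": [HEADLESS_GROUP]},
        "applications": {"includeApplications": ["All"]},
        "authenticationFlows": {"transferMethods": "deviceCodeFlow"},
    },
    "grantControls": {"operator": "OR", "builtInControls": ["block"]},
}


def in_scope(policy, user):
    """Does the user assignment cover this user? Exclusions win over inclusions."""
    users = policy["conditions"]["users"]
    included = "All" in users.get("includeUsers", []) or user["id"] in users.get("includeUsers", [])
    if not included or user["id"] in users.get("excludeUsers", []):
        return False
    return not (set(user.get("groups", [])) & set(users.get("excludeGroups", [])))


def blocked_transfer_methods(policy):
    """The flow types the authenticationFlows condition matches on."""
    raw = policy["conditions"].get("authenticationFlows", {}).get("transferMethods", "none")
    return {m.strip() for m in raw.split(",")} - {"none"}


def evaluate(policy, user, signin):
    """Return 'allow', 'block' or 'report-only' for one sign-in attempt.

    signin['transferMethod'] is 'deviceCodeFlow' for a device-code sign-in and 'none' for an
    ordinary browser or app sign-in; platform and location conditions are not modelled.
    """
    if policy["state"] == "disabled" or not in_scope(policy, user):
        return "allow"
    methods = blocked_transfer_methods(policy)
    if methods and signin.get("transferMethod", "none") not in methods:
        return "allow"          # condition not met: the policy is silent on this sign-in
    if "block" not in policy["grantControls"].get("builtInControls", []):
        return "allow"
    return "block" if policy["state"] == "enabled" else "report-only"


def pilot_run(policy):
    """Exercise the policy against the cases a rollout has to prove before switching it on."""
    laptop_user = {"id": "u-alice", "groups": ["grp-finance"]}
    display_account = {"id": "u-roomdisplay", "groups": [HEADLESS_GROUP]}
    breakglass = {"id": "u-breakglass", "groups": []}
    return {
        "alice_browser": evaluate(policy, laptop_user, {"transferMethod": "none"}),
        "alice_device_code": evaluate(policy, laptop_user, {"transferMethod": "deviceCodeFlow"}),
        "display_device_code": evaluate(policy, display_account, {"transferMethod": "deviceCodeFlow"}),
        "breakglass_device_code": evaluate(policy, breakglass, {"transferMethod": "deviceCodeFlow"}),
    }


if __name__ == "__main__":
    for name, verdict in pilot_run(BLOCK_DEVICE_CODE_POLICY).items():
        print(f"{name:24} -> {verdict}")
    report_only = dict(BLOCK_DEVICE_CODE_POLICY, state="enabledForReportingButNotEnforced")
    print(f"{'report-only pilot':24} ->", pilot_run(report_only)["alice_device_code"])
```

The exclusion for the headless group is the part that bites in practice: if that group is empty or wrong, the first thing the policy blocks is the meeting-room display, which is exactly what the report-only pass is for.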

2. Switch From SMS / Authenticator-Approval to Phishing-Resistant MFA

Standard MFA (SMS codes, voice calls, push approvals in Microsoft Authenticator) does not stop device code phishing. The user voluntarily approves the legitimate prompt because the prompt is legitimate.

Phishing-resistant MFA cryptographically binds the authentication to the origin domain, which kills password harvesting and the adversary-in-the-middle proxy kits that relay a fake login page. Be precise about what it does here, though: in device code phishing the victim signs in on the genuine origin, so a passkey ceremony completes normally and Microsoft still hands the tokens to the client that requested the code. Passkeys close the attacker's fallback routes (stolen passwords, fatigue-driven push approvals); the control that removes device code phishing itself is the flow block in defense 1. Deploy both:

  • Passkeys (FIDO2/WebAuthn), supported in Microsoft Authenticator since 2024 and recommended by NIST SP 800-63B
  • Hardware security keys: YubiKey 5, Google Titan, or any FIDO2 device
  • Windows Hello for Business with TPM-backed attestation

For practical guidance on enabling passkeys, see CISA's MFA primer.

3. Enable Continuous Access Evaluation and Token Protection

Microsoft's Continuous Access Evaluation (CAE) lets Entra cut off tokens within minutes of a critical event (account disabled, password reset, refresh tokens revoked by an admin, user risk raised by Entra ID Protection, or a network-location change a policy no longer allows) instead of waiting for the access token's normal expiry. CAE is on by default for supported apps but worth verifying, and it only reaches clients that declare CAE capability; any other client keeps its access token until the token expires (one hour by default), which is why explicit revocation in the recovery sequence below still matters. Token protection, a Conditional Access session control (preview in 2026; check its current status and platform coverage for your tenant), binds the sign-in session token to a key held on the device it was issued to, so a token copied off a managed Windows device cannot be replayed from attacker infrastructure. Note that in device code phishing the token is never stolen from your device; it is issued directly to the attacker's client, so treat token protection as a complement to the flow block, not a substitute for it.

4. For Personal / Family M365 Accounts: Three Habits That Cost Nothing

Conditional Access requires Entra ID P1 licensing. If you're on a personal or Microsoft 365 Family subscription, here's the no-cost playbook:

  • Treat every "verify your identity with this code" email as hostile. Microsoft does not email you a device code and ask you to type it in at devicelogin. Real device-code prompts originate from a device you are setting up, in the same room with you.
  • Check active sessions monthly. Visit account.microsoft.com/security > "Recent activity." Unknown devices, foreign IPs, or unfamiliar app authorizations are signs you've lost control. From the same panel, sign out everywhere.
  • Add a passkey to your Microsoft account. Personal accounts support passkeys via the Microsoft Authenticator app, and setup takes under five minutes. A passkey does not end a session an attacker already holds (that is what "sign out everywhere" is for), but it removes the password as something that can be phished, guessed, or reused, and sign-ins on new devices then require the key plus your phone's biometric rather than a prompt you can be talked into approving.

5. Watch for the Three Indicators of a Compromised Account

Microsoft and Huntress published a consistent set of post-compromise behaviors that EvilTokens operators perform within minutes of a successful token theft. If you see any of these, assume compromise, revoke sessions, and rotate credentials immediately:

  • New inbox rules that auto-forward, auto-delete, or move incoming mail to "RSS Feeds" or "Conversation History"; these hide the attacker's correspondence (and your contacts' replies to it) from you
  • A new registered device in account.microsoft.com/devices that you don't recognize, often with a name like "BrowserExtension" or a generic Windows hostname
  • OAuth app consents granting broad Mail.Read, Files.Read.All, or User.Read.All permissions to apps you didn't install β€” visible at myapplications.microsoft.com
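A triage pass over those three indicators, as an added example that is not the article's code nor Microsoft's or Huntress's. The sign-in records use the Microsoft Graph signIn field names relied on here (userPrincipalName, ipAddress, authenticationProtocol, appDisplayName, status.errorCode); the inbox-rule and OAuth-grant dictionaries are simplified shapes chosen for the example, and every record is constructed. In a real tenant the inputs come from Get-MgAuditLogSignIn, Get-InboxRule and the user's oauth2PermissionGrants; the logic is the same.

```python
"""Triage of the three post-compromise indicators the article lists, run over sample records.

Added example, not code from the article, Microsoft or Huntress. Sign-in records use the Graph
signIn field names (userPrincipalName, ipAddress, authenticationProtocol, appDisplayName,
status.errorCode); inbox rules and OAuth grants use simplified dictionaries chosen for the
example (assumption). Every record below is constructed; 203.0.113.0/24 and 198.51.100.0/24
are documentation ranges.
"""

HIDING_FOLDERS = {"RSS Feeds", "RSS Subscriptions", "Conversation History", "Junk Email", "Deleted Items"}
BROAD_SCOPES = {"Mail.Read", "Mail.ReadWrite", "Files.Read.All", "User.Read.All", "MailboxSettings.ReadWrite"}

# Alice's normal browser sign-in, then a device-code sign-in arriving from an address she has
# never used (that is the attacker's poller), a legitimate meeting-room display, and an
# attempt Bob never completed (non-zero errorCode: not a successful sign-in).
SAMPLE_SIGNINS = [
    {"userPrincipalName": "alice@example.com", "ipAddress": "203.0.113.10", "authenticationProtocol": "oAuth2",
     "appDisplayName": "Office 365 Exchange Online", "status": {"errorCode": 0}},
    {"userPrincipalName": "alice@example.com", "ipAddress": "198.51.100.77", "authenticationProtocol": "deviceCode",
     "appDisplayName": "Microsoft Office", "status": {"errorCode": 0}},
    {"userPrincipalName": "display@example.com", "ipAddress": "203.0.113.10", "authenticationProtocol": "deviceCode",
     "appDisplayName": "Teams Rooms", "status": {"errorCode": 0}},
    {"userPrincipalName": "bob@example.com", "ipAddress": "198.51.100.77", "authenticationProtocol": "deviceCode",
     "appDisplayName": "Microsoft Office", "status": {"errorCode": 70016}},
]
SAMPLE_RULES = [
    {"user": "alice@example.com", "name": "Finance auto-archive", "forwardTo": [],
     "deleteMessage": False, "moveToFolder": "Archive"},
    {"user": "alice@example.com", "name": ".", "forwardTo": ["mail-drop@example.net"],
     "deleteMessage": True, "moveToFolder": "RSS Feeds"},
]
SAMPLE_GRANTS = [
    {"user": "alice@example.com", "app": "Microsoft Teams", "scopes": ["User.Read"]},
    {"user": "alice@example.com", "app": "Mail Sync Helper", "scopes": ["Mail.Read", "Files.Read.All", "offline_access"]},
]


def device_code_signins(signins, known_headless=frozenset()):
    """Successful device-code sign-ins; 'high' when the IP never appears in the user's other sign-ins."""
    usual_ips = {}
    for s in signins:
        if s["status"]["errorCode"] == 0 and s["authenticationProtocol"] != "deviceCode":
            usual_ips.setdefault(s["userPrincipalName"], set()).add(s["ipAddress"])
    hits = []
    for s in signins:
        if s["authenticationProtocol"] != "deviceCode" or s["status"]["errorCode"] != 0:
            continue
        if s["userPrincipalName"] in known_headless:
            continue
        new_ip = s["ipAddress"] not in usual_ips.get(s["userPrincipalName"], set())
        hits.append({"user": s["userPrincipalName"], "ip": s["ipAddress"], "app": s["appDisplayName"],
                     "severity": "high" if new_ip else "review"})
    return hits


def suspicious_inbox_rules(rules):
    """Rules that forward, delete, or park mail in folders the user does not look at."""
    hits = []
    for r in rules:
        reasons = []
        if r.get("forwardTo"):
            reasons.append("forwards to " + ", ".join(r["forwardTo"]))
        if r.get("deleteMessage"):
            reasons.append("deletes messages")
        if r.get("moveToFolder") in HIDING_FOLDERS:
            reasons.append("moves to " + r["moveToFolder"])
        if reasons:
            hits.append({"user": r["user"], "rule": r["name"], "reasons": reasons})
    return hits


def broad_consents(grants, approved_apps):
    """Consents handing broad Graph scopes to apps outside the tenant's approved list."""
    return [{"user": g["user"], "app": g["app"], "scopes": sorted(set(g["scopes"]) & BROAD_SCOPES)}
            for g in grants if g["app"] not in approved_apps and set(g["scopes"]) & BROAD_SCOPES]


def triage(signins, rules, grants, approved_apps, known_headless=frozenset()):
    """Per-user findings; users hit by more than one indicator go to the top of the queue."""
    findings = {}
    for hit in device_code_signins(signins, known_headless):
        findings.setdefault(hit["user"], []).append(("device_code_signin", hit))
    for hit in suspicious_inbox_rules(rules):
        findings.setdefault(hit["user"], []).append(("inbox_rule", hit))
    for hit in broad_consents(grants, approved_apps):
        findings.setdefault(hit["user"], []).append(("oauth_consent", hit))
    return dict(sorted(findings.items(), key=lambda kv: -len(kv[1])))


if __name__ == "__main__":
    for user, hits in triage(SAMPLE_SIGNINS, SAMPLE_RULES, SAMPLE_GRANTS,
                             approved_apps={"Microsoft Teams"},
                             known_headless={"display@example.com"}).items():
        print(user)
        for kind, hit in hits:
            print("  ", kind, hit)
```

The allowlists (`known_headless`, `approved_apps`) are what keep this usable: without them the meeting-room display and every sanctioned integration show up as findings, and the real device-code sign-in drowns in the noise.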

If You Already Clicked: Recovery Sequence

Speed matters. An Entra refresh token is valid for 90 days of inactivity by default and is replaced with a fresh one every time it is used, so an attacker who keeps polling can hold the account indefinitely, and access tokens already issued keep working for up to an hour after any change. Standard "reset password and re-enroll MFA" is not enough on its own.

The Microsoft-recommended sequence (from the April 6, 2026 advisory):

  1. Disable the user account temporarily in Entra (or sign out of every session through account.microsoft.com if you're on a consumer tier). Disabling stops new token issuance immediately and, with CAE, cuts off capable clients within minutes; it is a stronger brake than a password reset and buys time for the steps that follow.
  2. Revoke all sessions with Revoke-MgUserSignInSession -UserId <user> in Microsoft Graph PowerShell (the retired AzureAD module's Revoke-AzureADUserAllRefreshToken did the same job) or the "Revoke sessions" button on the user's page in the Entra admin center. This invalidates every refresh token the attacker holds.
  3. Rotate the password to a new, unique value. Use a password manager.
  4. Re-enroll MFA with a phishing-resistant method (passkey or hardware key).
  5. Audit and remove any inbox rules, registered devices, and OAuth consents you don't recognize.
  6. Re-enable the account.
  7. Run a 30-day audit log review for sign-ins, file accesses, and email sends from the compromised account. For business tenants, Purview eDiscovery or the unified audit log is the right tool.

If financial fraud, identity theft, or wire transfer manipulation occurred, file a report with the FBI's Internet Crime Complaint Center (IC3) within 72 hours and notify your bank.

FAQ

Does this affect Outlook personal accounts (outlook.com, hotmail.com, live.com)? Yes, partially. The same OAuth 2.0 device code flow is used for consumer accounts, though the targeting in 2026 has primarily focused on business tenants where the post-compromise payoff (lateral movement, business email compromise, wire fraud) is higher.

Will my antivirus catch this? No. There's no malicious file, no malicious domain, and no exploit. The entire attack happens on legitimate Microsoft infrastructure. Endpoint protection is the wrong layer; identity protection is the right layer.

Are passkeys really immune? Passkeys use origin binding: the cryptographic challenge is signed together with the origin (login.microsoftonline.com), so an attacker running a look-alike or proxy site on another origin cannot replay or relay the response. NIST SP 800-63B treats FIDO2/WebAuthn as phishing-resistant; a device-bound key on a hardware authenticator can meet AAL3, while synced passkeys are classed at AAL2. Against device code phishing specifically, though, "immune" is the wrong word: you sign in on the genuine origin, the passkey ceremony succeeds, and Microsoft still issues the token to whichever client requested the code. Passkeys stop the attacker from falling back to your password or a push prompt; blocking device code flow is what stops this attack.

I work for a small business with 10 users on Microsoft 365 Business Basic. We don't have an IT team. What's the minimum? Three things, in this order: (1) revoke sessions for every user once (Entra admin center > user > "Revoke sessions") to flush any token an attacker may already hold, (2) enable passkeys for every user this week, (3) move to Business Premium, which includes Entra ID P1, and apply the device-code-flow block tenant-wide. The Conditional Access blade appears as soon as one P1-bearing license is in the tenant, but Microsoft's license terms require a P1 license for every user the policy covers, so budget for all ten.

The Bottom Line

Device code phishing in 2026 is not a knowledge gap; it's a configuration gap. Microsoft, Sekoia, Huntress, Barracuda, and CISA have all published the technique, the indicators, and the fixes. The 340+ confirmed victim organizations weren't unaware of phishing; they were running tenants where device code flow was reachable from any client, and where MFA was approval-based rather than cryptographically bound, leaving both the primary route and the password fallback open.

From 11+ years building production systems for clients on Hostinger, Microsoft Azure, Vercel, and self-hosted Entra deployments, my honest take is this: the era of approval-based MFA as a primary defense ended somewhere between Storm-2372 (Feb 2025) and EvilTokens (Feb 2026). If you're in a position to push your team, family, or organization to passkeys this quarter, do it. The 30 minutes of rollout work is the cheapest insurance you'll buy this year.

For ongoing CVE alerts and patch guidance, the U.S. Cybersecurity and Infrastructure Security Agency maintains the Known Exploited Vulnerabilities Catalog, updated weekly. Microsoft's Security Response Center publishes attack-pattern bulletins at msrc.microsoft.com.

Educational content only. CyberShieldTips is not affiliated with Microsoft, Barracuda, Sekoia, Huntress, or CISA. Always validate security configuration changes in a test ring before production rollout.
