A sophisticated phishing campaign is actively targeting Microsoft 365 accounts at more than 340 organizations across Canada, the United States, Australia, New Zealand, and Germany, using a technique called device code phishing to capture authentication tokens that persist even after a password reset. Security researchers first detected the attacks on February 19, 2026, and the pace has accelerated sharply since then. The campaign exposes a critical gap in security awareness training: employees are being manipulated through a legitimate Microsoft authentication flow they have never been taught to question.
How Device Code Phishing Works
Device code authentication is a legitimate Microsoft feature, an implementation of the OAuth 2.0 device authorization grant (RFC 8628), built for devices that cannot easily display a browser login page, such as smart TVs, command-line tools, and shared kiosk terminals. The flow generates a short alphanumeric code and directs the user to enter it at microsoft.com/devicelogin on a separate device to complete sign-in. Most Microsoft 365 users never encounter this flow during normal work, which is exactly the gap attackers are exploiting.
In this campaign, threat actors send employees a phishing email containing a device code that the attackers themselves requested from Microsoft. When the victim visits the genuine Microsoft login page and enters that code, the sign-in is bound to the attacker's pending request, and the attacker's polling client receives OAuth access and refresh tokens for the victim's account. According to the Cloud Security Alliance, those tokens remain valid even after the victim resets their password, meaning a single moment of confusion gives attackers long-term, persistent access that a password reset alone does not end; the tokens themselves have to be revoked.
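To make the mechanics concrete, here is an added example (a simulation written for this page, not Microsoft's code and not taken from any of the cited reports) that models the RFC 8628 exchange between the attacker's client, the identity provider and the victim. The identity provider, the user identity and passwords, the placeholder client ID, and the rule that a password reset leaves refresh tokens intact are assumptions built into the model to match the article's description.

```python
"""Toy model of the OAuth 2.0 device authorization grant (RFC 8628), used here
to show how a code the attacker requested becomes tokens the attacker holds
once the victim enters it on the genuine verification page. This is a
simulation written for this article, not Microsoft's implementation."""
from __future__ import annotations

import secrets
import string
from dataclasses import dataclass
from typing import Optional

VERIFICATION_URI = "https://microsoft.com/devicelogin"
USER_CODE_ALPHABET = string.ascii_uppercase + string.digits  # user codes are alphanumeric


@dataclass
class DeviceSession:
    client_id: str
    user: Optional[str] = None           # set when someone enters the user code
    refresh_token: Optional[str] = None  # issued once, on the first successful poll


class IdentityProvider:
    """Stand-in for the authorization server (the party behind /devicelogin)."""

    def __init__(self) -> None:
        self._sessions: dict[str, DeviceSession] = {}   # device_code -> session
        self._user_codes: dict[str, str] = {}            # user_code -> device_code
        self._passwords: dict[str, str] = {}
        self._refresh_tokens: dict[str, str] = {}        # refresh_token -> user

    def register_user(self, user: str, password: str) -> None:
        self._passwords[user] = password

    def device_authorization(self, client_id: str) -> dict:
        """Step 1 (RFC 8628 s3.1-3.2): any client, here the attacker, gets a code pair."""
        device_code = secrets.token_urlsafe(32)
        user_code = "".join(secrets.choice(USER_CODE_ALPHABET) for _ in range(9))
        self._sessions[device_code] = DeviceSession(client_id=client_id)
        self._user_codes[user_code] = device_code
        return {"device_code": device_code, "user_code": user_code,
                "verification_uri": VERIFICATION_URI, "expires_in": 900, "interval": 5}

    def verify_user_code(self, user_code: str, user: str, password: str, mfa_passed: bool) -> bool:
        """Step 2 (s3.3): the victim signs in on the genuine page and types the code.
        Password and MFA are completed legitimately, so no phishing signal fires."""
        if self._passwords.get(user) != password or not mfa_passed:
            return False
        device_code = self._user_codes.pop(user_code, None)
        if device_code is None:
            return False                            # unknown or already-used code
        self._sessions[device_code].user = user     # binds the victim to the attacker's session
        return True

    def token(self, device_code: str) -> dict:
        """Step 3 (s3.4-3.5): the client polls; tokens appear once the victim has approved."""
        s = self._sessions.get(device_code)
        if s is None:
            return {"error": "invalid_grant"}
        if s.user is None:
            return {"error": "authorization_pending"}
        if s.refresh_token is None:
            s.refresh_token = secrets.token_urlsafe(32)
            self._refresh_tokens[s.refresh_token] = s.user
        return {"access_token": secrets.token_urlsafe(32), "refresh_token": s.refresh_token,
                "token_type": "Bearer", "expires_in": 3600}

    def refresh(self, refresh_token: str) -> dict:
        """The attacker renews access for as long as the refresh token is honoured."""
        user = self._refresh_tokens.get(refresh_token)
        if user is None:
            return {"error": "invalid_grant"}
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer", "user": user}

    def reset_password(self, user: str, new_password: str) -> None:
        """Assumption matching the article: a reset changes the password and nothing else."""
        self._passwords[user] = new_password

    def revoke_refresh_tokens(self, user: str) -> None:
        """The control that actually ends the attacker's access."""
        self._refresh_tokens = {t: u for t, u in self._refresh_tokens.items() if u != user}


def run_attack() -> dict:
    """Plays the campaign out end to end and reports what worked at each stage."""
    idp = IdentityProvider()
    idp.register_user("victim@example.com", "Winter2026!")          # constructed test identity

    attacker = idp.device_authorization(client_id="placeholder-client-id")  # step 1, attacker side
    results = {"user_code_format": len(attacker["user_code"]) == 9 and attacker["user_code"].isalnum()}
    results["before_victim"] = idp.token(attacker["device_code"]).get("error")

    # The phishing email carries attacker["user_code"]; the victim obligingly enters it.
    idp.verify_user_code(attacker["user_code"], "victim@example.com", "Winter2026!", mfa_passed=True)
    tokens = idp.token(attacker["device_code"])                       # step 3, attacker collects
    results["attacker_got_tokens"] = "refresh_token" in tokens

    idp.reset_password("victim@example.com", "Spring2026!")
    results["works_after_password_reset"] = "access_token" in idp.refresh(tokens["refresh_token"])

    idp.revoke_refresh_tokens("victim@example.com")
    results["works_after_revocation"] = "access_token" in idp.refresh(tokens["refresh_token"])
    return results


if __name__ == "__main__":
    for stage, outcome in run_attack().items():
        print(f"{stage:28} {outcome}")
```

The point of the model is the binding in step 2: the victim never sees which client requested the code, so a legitimate password plus MFA on the real page is all that is needed to hand the attacker's poller a refresh token. The last two stages show why incident response has to revoke tokens rather than stop at a password reset.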
Why Standard Defenses Do Not Catch This
Because victims authenticate on a real Microsoft page, browser-level phishing warnings and security plugins do not fire. Spam filters face an equally difficult challenge: the phishing emails are routed through legitimate redirect services operated by Cisco, Trend Micro, and Mimecast, so the links appear to come from trusted security vendors. Multi-factor authentication offers no protection either, because the victim completes MFA legitimately while entering the device code; the attacker never has to touch the second factor and simply collects the fully authenticated access and refresh tokens issued afterwards.
Huntress researchers attribute this campaign to EvilTokens, a phishing-as-a-service platform that launched on Telegram in February 2026. EvilTokens packages the lure templates, infrastructure, and token-harvesting engine into a ready-to-deploy kit, which explains how more than 340 organizations across eight sectors were hit in under five weeks. Earlier waves of device code phishing were tied to Russian state-aligned groups including Storm-2372 and APT29, but commercialization has expanded the threat pool far beyond state actors.
Who Is Being Targeted
The campaign has reached organizations across construction, financial services, healthcare, legal, government, nonprofits, manufacturing, and real estate. Lures include fake construction bid invitations, DocuSign document requests, voicemail notification emails, and Microsoft Forms pages prompting identity verification. The range of lures suggests EvilTokens operators are adapting their messages to each target sector rather than blasting a generic template.
The Canadian dimension is particularly relevant. Credential-stealing phishing attacks against Canadian organizations rose 27 percent between 2023 and 2024, according to the National Cyber Threat Assessment 2025-2026 from the Canadian Centre for Cyber Security. Device code phishing is a new lure type that most Canadian employees have never encountered, which is precisely what makes it effective right now.
What Your Organization Needs to Do
Device code phishing works because it exploits an authentication flow that falls entirely outside most employees’ frame of reference. Standard training focused on suspicious links and grammar mistakes will not prepare people to recognize this attack. Organizations running regular phishing simulations that rotate in novel attack types, rather than recycling the same credential-harvesting templates each quarter, give employees the pattern recognition they need before a real lure arrives.
The most important message for staff is straightforward: Microsoft does not send unsolicited emails asking you to enter a code at microsoft.com/devicelogin. A device code only ever comes from a sign-in you started yourself on a device or tool in front of you, so a code that arrives in an email, regardless of which brand name appears in the sender field, should be treated as an attack and reported immediately. Building a cybersecurity culture where employees feel safe questioning unusual authentication requests, rather than silently complying, is as important as any technical control your IT team deploys.
On the technical side, administrators can use Microsoft Entra ID (formerly Azure Active Directory) Conditional Access policies, specifically the authentication flows condition that targets the device code flow, to block device code authentication for users who have no legitimate need for it, rolling the policy out in report-only mode first so that legitimate command-line and service-account use surfaces before it is enforced. Device code sign-ins are recorded in the Entra sign-in logs with the authentication protocol field set to deviceCode, so IT teams should review those entries, paying particular attention to activity originating from Railway infrastructure, which Huntress identified as the source of approximately 84 percent of observed attack traffic in this campaign, and revoke sessions (which invalidates the refresh tokens) for any accounts showing suspicious events. For a deeper look at how this category of attack operates, the cybersecurity consulting team at POPP3R can assess whether your current controls and training program cover device code and OAuth-based phishing scenarios.
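As an added example (not code from the article, from Huntress, or from Microsoft), the following Python triages sign-in records for device code authentications and builds the Conditional Access policy body that blocks the flow. The allow-list of approved users, the watchlisted ASN, the sample records, the IP addresses and the exception group ID are all placeholders constructed for the demonstration; the field names follow the Microsoft Graph signIn resource, and the policy body follows the Graph conditionalAccessPolicy schema with its authenticationFlows condition.

```python
"""Triage of Microsoft Entra ID sign-in records for device code authentications,
plus the Conditional Access policy body that blocks the flow. The sample
records below are constructed for this article; in practice feed the
functions the output of GET /auditLogs/signIns from Microsoft Graph."""
from __future__ import annotations

import json

# Assumed allow-list: identities with a legitimate need for the device code flow,
# e.g. a service account that drives CLI tooling on a headless build host.
APPROVED_DEVICE_CODE_USERS = {"svc-ci@example.com"}

# Assumed watchlist of autonomous system numbers tied to attacker hosting. 64496-64511
# are RFC 5398 documentation ASNs used here as placeholders; populate this from your
# own threat intelligence (the article names Railway but does not give an ASN).
WATCHLISTED_ASNS = {64500}
CORPORATE_ASN = 64496

# Equivalent hunt for Microsoft Sentinel users, over the SigninLogs table.
SENTINEL_HUNT_KQL = """
SigninLogs
| where AuthenticationProtocol == "deviceCode" and ResultType == "0"
| project TimeGenerated, UserPrincipalName, IPAddress, AppDisplayName
"""


def _record(user, protocol, asn, error_code, ip, when, app):
    """Builds one signIn-shaped record (Graph field names; autonomousSystemNumber
    is only exposed on the beta endpoint). Used here only to construct samples."""
    return {"createdDateTime": when, "userPrincipalName": user, "ipAddress": ip,
            "appDisplayName": app, "authenticationProtocol": protocol,
            "autonomousSystemNumber": asn, "status": {"errorCode": error_code}}


# Constructed sample data: documentation IP ranges, documentation ASNs, fake users.
SAMPLE_SIGNINS = [
    _record("dave@example.com", "oAuth2", CORPORATE_ASN, 0, "198.51.100.10", "2026-03-02T08:01:00Z", "Outlook"),
    _record("alice@example.com", "deviceCode", 64500, 0, "203.0.113.7", "2026-03-02T08:14:00Z", "Microsoft Office"),
    _record("svc-ci@example.com", "deviceCode", CORPORATE_ASN, 0, "198.51.100.20", "2026-03-02T09:00:00Z", "Microsoft Azure CLI"),
    _record("carol@example.com", "deviceCode", 64500, 50126, "203.0.113.7", "2026-03-02T09:30:00Z", "Microsoft Office"),
    _record("svc-ci@example.com", "deviceCode", 64500, 0, "203.0.113.9", "2026-03-02T10:05:00Z", "Microsoft Azure CLI"),
]


def device_code_signins(records):
    """Every sign-in that used the device code flow, successful or not."""
    return [r for r in records if r.get("authenticationProtocol") == "deviceCode"]


def triage(records):
    """Successful device code sign-ins that need a human, with the reason for each."""
    findings = []
    for r in device_code_signins(records):
        if r.get("status", {}).get("errorCode") != 0:
            continue  # failed attempts issue no tokens, so they are noise for revocation purposes
        reasons = []
        if r["userPrincipalName"] not in APPROVED_DEVICE_CODE_USERS:
            reasons.append("user has no approved need for the device code flow")
        if r.get("autonomousSystemNumber") in WATCHLISTED_ASNS:
            reasons.append(f"source ASN {r['autonomousSystemNumber']} is on the watchlist")
        if reasons:
            findings.append({"user": r["userPrincipalName"], "ip": r["ipAddress"],
                             "time": r["createdDateTime"], "app": r["appDisplayName"],
                             "reasons": reasons})
    return findings


def revocation_candidates(records):
    """Accounts whose sessions should be revoked (Revoke-MgUserSignInSession or the
    portal's Revoke sessions action), which invalidates their refresh tokens."""
    return sorted({f["user"] for f in triage(records)})


def block_device_code_policy(excluded_group_ids):
    """Body for POST https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies.
    Targets the device code flow via the authentication flows condition and starts in
    report-only mode so the sign-in logs reveal who would be blocked before enforcement."""
    return {
        "displayName": "Block device code flow (exception group excluded)",
        "state": "enabledForReportingButNotEnforced",
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeGroups": list(excluded_group_ids)},
            "applications": {"includeApplications": ["All"]},
            "authenticationFlows": {"transferMethods": "deviceCodeFlow"},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }


if __name__ == "__main__":
    for f in triage(SAMPLE_SIGNINS):
        print(f"{f['time']} {f['user']:22} {f['ip']:14} {f['app']}: {'; '.join(f['reasons'])}")
    print("revoke sessions for:", ", ".join(revocation_candidates(SAMPLE_SIGNINS)))
    print(json.dumps(block_device_code_policy(["<device-code-exception-group-id>"]), indent=2))
```

Two design points: the failed carol attempt is dropped because no tokens were issued, but the approved service account is still flagged when it signs in from the watchlisted ASN, since an allow-list covers who may use the flow, not from where. Replace the exception group ID with the object ID of the group holding the accounts that genuinely need device code sign-in, and flip the policy state to enabled once report-only results are clean.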
Sources
- Device Code Phishing Hits 340+ Microsoft 365 Orgs Across Five Countries via OAuth Abuse – The Hacker News
- OAuth Device Code Phishing Hits 340+ Microsoft 365 Organizations – Cloud Security Alliance
- National Cyber Threat Assessment 2025-2026 – Canadian Centre for Cyber Security
- Device Code Phishing Campaign Analysis (Huntress attribution) – GuardianMSSP