MyPrivateClaw

AI-Enabled Device Code Phishing Campaign Surges 37x — EvilToken PhaaS Kit Drives Mass Account Compromise

Microsoft has documented a widespread AI-driven device code phishing campaign using the EvilToken Phishing-as-a-Service toolkit. Automation, dynamic code gener…

Published on MyPrivateClaw

Apr 8, 2026, 9:25 AM UTC

Coverage date

Apr 3, 2026

Last updated

Apr 8, 2026, 9:25 AM UTC

News summary

Device Code Phishing Goes Industrial

Microsoft Defender Security Research has published a detailed analysis of a large-scale device code phishing campaign that represents a significant escalation in attacker sophistication. The campaign leverages AI-generated lures, automated backend infrastructure, and dynamic code generation to compromise organizational Microsoft accounts at scale — with attack volume surging 37x compared to baseline levels.

The activity is driven by EvilToken, a Phishing-as-a-Service (PhaaS) toolkit that has industrialized device code abuse. Device code authentication — a legitimate OAuth flow designed for devices without browsers — is being weaponized to steal tokens that grant persistent access to Microsoft 365, Teams, and Entra ID accounts.

What Makes This Campaign Different

Traditional device code phishing is narrow in scope and limited by the 15-minute expiratio…