Breaking: NSA advises regular router reboots

Cloud Security Alliance Warns CISOs to Prepare for AI-Powered Cyberattacks

The AI Boom Is Turning Energy Into a Consumer Issue

As AI Spending Surges, Chip Prices Ripple Into Daily Life

Microsoft tracks AI-enabled device-code phishing campaign

Published: April 6, 2026

Summary

Microsoft documented an active device-code phishing campaign that automates token theft and scales social engineering with AI-assisted workflows. This is globally relevant because it shows how identity abuse is becoming a cross-sector attack path without relying on a software zero-day.

Technical details

Microsoft described dynamic device-code generation at click time, a proxy workflow around /api/device/start/, custom anti-bot handling, clipboard hijacking, and abuse of legitimate authentication flows to obtain tokens after the victim completes MFA-backed authentication.

CVE number

None. This is identity-flow abuse, not a software-vulnerability advisory.

CVSS / severity

No CVSS applies. Operational severity is high because valid access and refresh tokens can be obtained through a legitimate cloud auth path.

Affected software / vendor

Microsoft 365 and Entra ID environments using device-code authentication workflows.

Exploit status

Active campaign observed by Microsoft.

Indicators of compromise

Microsoft reported suspicious device-code sign-ins, error code 50199 followed by successful authentication, suspicious inbox-rule creation, and infrastructure associated with Railway, Cloudflare, and DigitalOcean.

Mitigation / patch information

Restrict or disable device-code flow where feasible, apply Conditional Access, monitor unusual token issuance, and revoke refresh tokens plus force reauthentication on suspected compromise.

Security tools related to detection / mitigation / analysis

Microsoft Defender for Office 365, Defender XDR, Entra ID Protection, SIEM queries over sign-in logs, and cloud-app telemetry review.
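The "error code 50199 followed by successful authentication" indicator can be expressed as a per-user correlation over exported sign-in records. The sketch below is an added example, not Microsoft's detection logic; the flattened field names (`user`, `time`, `errorCode`, `protocol`, `ip`), the sample records, and the 15-minute window are assumptions to adapt to your own log schema.

```python
from datetime import datetime, timedelta

# Constructed sample records (not real telemetry). The flattened keys are
# hypothetical; map them from your sign-in log export. errorCode 0 = success.
SAMPLE_SIGNINS = [
    {"user": "alice@example.com", "time": "2026-04-06T09:00:05Z", "errorCode": 50199, "protocol": "deviceCode", "ip": "203.0.113.10"},
    {"user": "alice@example.com", "time": "2026-04-06T09:01:40Z", "errorCode": 0, "protocol": "deviceCode", "ip": "198.51.100.7"},
    {"user": "bob@example.com", "time": "2026-04-06T10:00:00Z", "errorCode": 0, "protocol": "deviceCode", "ip": "203.0.113.20"},
    {"user": "carol@example.com", "time": "2026-04-06T11:00:00Z", "errorCode": 50199, "protocol": "deviceCode", "ip": "203.0.113.30"},
    {"user": "carol@example.com", "time": "2026-04-06T11:45:00Z", "errorCode": 0, "protocol": "deviceCode", "ip": "203.0.113.30"},
    {"user": "dave@example.com", "time": "2026-04-06T12:00:00Z", "errorCode": 50199, "protocol": "none", "ip": "203.0.113.40"},
    {"user": "dave@example.com", "time": "2026-04-06T12:02:00Z", "errorCode": 0, "protocol": "none", "ip": "203.0.113.40"},
]

WINDOW = timedelta(minutes=15)  # assumed correlation window; tune to your tenant


def parse_ts(value):
    """Parse an ISO 8601 UTC timestamp such as 2026-04-06T09:00:05Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def find_50199_then_success(signins, window=WINDOW):
    """Flag successful device-code sign-ins preceded by a 50199 for the same user."""
    alerts = []
    last_50199 = {}  # user -> timestamp of the most recent 50199 event
    for ev in sorted(signins, key=lambda e: parse_ts(e["time"])):
        user = ev["user"].lower()
        ts = parse_ts(ev["time"])
        if ev["errorCode"] == 50199:
            last_50199[user] = ts
        elif ev["errorCode"] == 0 and ev.get("protocol") == "deviceCode":
            prompt_ts = last_50199.pop(user, None)
            if prompt_ts is not None and ts - prompt_ts <= window:
                alerts.append({
                    "user": user,
                    "success_time": ev["time"],
                    "success_ip": ev["ip"],
                    "gap_seconds": int((ts - prompt_ts).total_seconds()),
                })
    return alerts


if __name__ == "__main__":
    for alert in find_50199_then_success(SAMPLE_SIGNINS):
        print(alert)
```

Each alert is a triage lead, not a verdict: review it alongside the other indicators listed above, such as inbox-rule creation after the sign-in.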

Why this matters

This reflects a broader trend: identity systems themselves are becoming the battlefield, and AI is making phishing more adaptive and more scalable even without new malware.

Sources

Microsoft Security Blog, published April 6, 2026.
