Particle.news

Microsoft Warns of AI-Driven Device-Code Phishing Taking Over Accounts Daily

Live device codes plus automation bypass multi-factor checks to seize Microsoft 365 access.

Overview

  • Microsoft says ongoing campaigns are compromising hundreds of organizations each day across sectors worldwide.
  • The scheme exploits OAuth’s device code login by tricking users into entering a short code at the real Microsoft site, which authorizes the attacker’s session without the attacker ever needing the victim’s password.
  • Attackers spend 10–15 days on reconnaissance, using the GetCredentialType API to confirm active accounts, then send AI-tailored lures such as invoices, RFPs, and voicemail notices.
  • Redirect chains through compromised domains and trusted serverless hosts end on a page that generates a live device code, stretching the usual 15‑minute limit and yielding an access token once the user completes MFA.
  • After entry, intruders often register a device to get a long‑lived refresh token, set inbox rules, and auto‑exfiltrate finance emails, and Microsoft urges blocking device‑code flow where possible along with stronger training and monitoring.
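One way to monitor for the post-entry pattern in the last bullet, as an added example that is not from the article or from Microsoft: it correlates constructed sample sign-in and audit events, flagging a device-code sign-in that is followed by device registration or inbox-rule creation for the same user. The field and operation names (authenticationProtocol = deviceCode, New-InboxRule, the device-registration activity) are assumed to approximate Entra sign-in and Microsoft 365 audit log schemas; check them against your tenant's actual exports.

```python
from datetime import datetime, timedelta

# Constructed sample events (not real log data); timestamps are UTC ISO 8601.
SAMPLE_EVENTS = [
    {"time": "2024-05-01T09:00:00", "user": "alice@example.com", "kind": "signin",
     "authenticationProtocol": "deviceCode", "ip": "203.0.113.7"},
    {"time": "2024-05-01T09:04:00", "user": "alice@example.com", "kind": "audit",
     "operation": "Add registered users to device"},
    {"time": "2024-05-01T09:20:00", "user": "alice@example.com", "kind": "audit",
     "operation": "New-InboxRule"},
    {"time": "2024-05-01T10:00:00", "user": "bob@example.com", "kind": "signin",
     "authenticationProtocol": "ropc", "ip": "198.51.100.2"},
    {"time": "2024-05-01T10:05:00", "user": "bob@example.com", "kind": "audit",
     "operation": "New-InboxRule"},
]

# Operations that, shortly after a device-code sign-in, match the post-entry
# behaviour described above. Operation names are assumed, not verified.
POST_COMPROMISE_OPS = {"Add registered users to device", "New-InboxRule", "Set-InboxRule"}


def parse(ts):
    return datetime.fromisoformat(ts)


def correlate(events, window=timedelta(hours=2)):
    """Return one finding per device-code sign-in that is followed, within
    `window`, by at least one post-compromise operation for the same user."""
    ordered = sorted(events, key=lambda e: parse(e["time"]))
    findings = []
    for e in ordered:
        if e.get("kind") != "signin" or e.get("authenticationProtocol") != "deviceCode":
            continue
        start = parse(e["time"])
        followups = [f for f in ordered
                     if f.get("kind") == "audit" and f["user"] == e["user"]
                     and f.get("operation") in POST_COMPROMISE_OPS
                     and start <= parse(f["time"]) <= start + window]
        if followups:
            findings.append({"user": e["user"], "signin_time": e["time"], "ip": e.get("ip"),
                             "operations": [f["operation"] for f in followups]})
    return findings


if __name__ == "__main__":
    for finding in correlate(SAMPLE_EVENTS):
        print(finding)  # only alice's device-code sign-in is flagged; bob's ROPC sign-in is not
```

Bob's inbox rule is not flagged because his sign-in did not use the device-code protocol; the rule is a correlation filter, not a substitute for blocking the flow where it is not needed.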