Cryip
  • Home
  • News
  • Research & Analysis
  • Reviews & Comparisons
  • Learn Crypto
  • Features
  • Events
No Result
View All Result
Cryip
  • Home
  • News
  • Research & Analysis
  • Reviews & Comparisons
  • Learn Crypto
  • Features
  • Events
No Result
View All Result
Cryip
No Result
View All Result
Home News Scams & Fraud

Microsoft Reveals AI Phishing Campaign Hitting Hundreds of ORGS Daily

Microsoft uncovers an advanced AI-driven phishing campaign abusing OAuth device code authentication to bypass MFA, automate attacks, and steal access tokens from Microsoft 365 accounts

Saravana Kumar Mahendran by Saravana Kumar Mahendran
April 8, 2026
in Scams & Fraud
0 0
Microsoft Reveals AI Phishing Campaign

Designed By Freepik

Share on FacebookShare on Twitter
MakeCryipCryippreferred onGoogle

Microsoft Defender Security Research has exposed a sophisticated AI-enabled phishing campaign that abuses the OAuth Device Code Authentication flow to steal access and refresh tokens from Microsoft 365 accounts. Threat actors employ generative AI for hyper-personalized lures and full end-to-end automation, bypassing traditional MFA and the standard 15-minute device code expiration through dynamic, on-demand code generation. The operation, powered by the EvilTokens Phishing-as-a-Service toolkit, has compromised hundreds of organizations daily since mid-March 2026, marking a major escalation from earlier manual campaigns.

AI-Driven Attack Chain

Reconnaissance begins 10 to 15 days prior, with actors querying Microsoft’s GetCredentialType API to validate active email addresses in target tenants. Phishing emails, crafted with generative AI for role-specific relevance, use themes such as RFPs, invoices, document sharing, electronic signatures, or voicemail notifications. Victims clicking links encounter multi-stage redirects via compromised legitimate domains and serverless platforms like Vercel, Cloudflare Workers, AWS Lambda, and Railway.com to evade scanners.

On the final landing page, often mimicking a browser-in-the-browser or blurred document preview with a “Verify identity” prompt, a background script sends a real-time POST request to the attackers’ backend. This triggers live device code generation via Microsoft’s official endpoint, displayed alongside an auto-copied code using the JavaScript clipboard API and a redirect button to microsoft.com/devicelogin. A hidden polling mechanism checks status every 3 to 5 seconds using a session identifier, capturing valid tokens immediately upon user authentication on the legitimate site. This dynamic approach ensures the full 15-minute validity window starts only at victim interaction, significantly boosting success rates over static methods.

Escalation from Prior Campaigns

The current activity builds on Storm-2372’s device code phishing observed in February 2025, which relied on manual social engineering via messaging apps and Teams invitations targeting government, defense, and critical infrastructure sectors. In contrast, the 2026 campaign shifts to industrialized automation and AI integration across reconnaissance, lure generation, infrastructure spinning with thousands of short-lived polling nodes on Railway.com, and exploitation. Microsoft links this surge to the emergence of EvilTokens PhaaS in early 2026, enabling criminal actors to scale operations far beyond nation-state efforts like Storm-2372.

Broader threat actor abuse of AI, detailed in a related April 2 Microsoft report, shows generative tools accelerating every attack phase, including 450 percent higher phishing click-through rates via localized messaging and automated payload refinement, while transforming AI systems themselves into new attack surfaces. The device code campaign exemplifies this evolution from AI as a tool to a core enabler of resilient, high-volume credential theft.

Critical Campaign Details

Reconnaissance via GetCredentialType API occurs 10 to 15 days before phishing, followed by 10 to 15 distinct AI-personalized campaigns launching daily since March 15, 2026.
Dynamic device code generation at the final landing page, combined with 3 to 5 second polling and auto-clipboard functionality, circumvents the 15-minute expiration.
Infrastructure heavily abuses serverless platforms such as Vercel, Cloudflare Workers, AWS Lambda, and Railway.com along with compromised domains for redirects and backend operations.
Post-compromise activity focuses on high-value financial and executive personas via Microsoft Graph reconnaissance, new device registration for Primary Refresh Tokens often within 10 minutes, malicious inbox rules, and targeted email exfiltration of wire transfers and invoices.

Related Story

DOJ Moves to End BitClub Founder’s $722 Million Crypto Fraud Case

DOJ Moves to End BitClub Founder’s $722 Million Crypto Fraud Case

July 11, 2026
CodexField on BNB Chain Faces Rug Pull Allegations

BNB Chain Project CodexField Faces Rug Pull Claims After Abnormal Fund Transfers

July 10, 2026
Disclaimer: Cryip is an independent media and research outlet providing news, data, and analysis on the cryptocurrency industry. Content is for informational and research purposes only and does not constitute financial, legal, tax, or investment advice. Cryptocurrency markets are volatile and past performance is not indicative of future results. References to specific assets, platforms, or incidents are for journalistic purposes only and do not imply endorsement, and readers assume full responsibility for their decisions.
Tags: Crypto Scams

Related Posts

DOJ Moves to End BitClub Founder’s $722 Million Crypto Fraud Case
Scams & Fraud

DOJ Moves to End BitClub Founder’s $722 Million Crypto Fraud Case

by Saravana Kumar Mahendran
July 11, 2026

The U.S. Department of Justice is reportedly preparing to dismiss its criminal case against Matthew Goettsche, the alleged creator of...

Read moreDetails
CodexField on BNB Chain Faces Rug Pull Allegations

BNB Chain Project CodexField Faces Rug Pull Claims After Abnormal Fund Transfers

July 10, 2026
Relay Warns of Scam Tokens Disappearing From Wallets on Robinhood Chain

Relay Warns of Scam Tokens Disappearing From Wallets on Robinhood Chain

July 10, 2026
INTERPOL Operation First Light 2026 Leads to 5,811 Arrests in Global Fraud Crackdown

INTERPOL Operation First Light 2026 Leads to 5,811 Arrests in Global Fraud Crackdown

July 9, 2026
AscendEX Shutdown Puts Withdrawal Delays Under Fresh Scrutiny

AscendEX Shutdown Puts Withdrawal Delays Under Fresh Scrutiny

July 9, 2026
Trusted Apps for Cryptocurrency Scams

Why Scammers Target Trusted Apps for Cryptocurrency Scams

July 8, 2026
North Carolina Trader Accused of $14M Crypto and Futures Fraud

CFTC Charges North Carolina Trader in Alleged $14M Crypto and Futures Fraud

July 8, 2026
Next Post
Anthropic Launches Project Glasswing to Test AI Cybersecurity Model Claude Mythos Preview

Anthropic’s AI Finds Decades-Old Zero-Days in Major OSes and Browsers But Isn’t Releasing It Yet: What Does This Mean for Crypto Projects?

SOL Strategies Acquires Darklake Labs for $1.2 Million to Integrate Zero-Knowledge Privacy Technology on Solana

SOL Strategies Acquires Darklake Labs for $1.2 Million to Integrate Zero-Knowledge Privacy Technology on Solana

Recommended

  • All
  • News
Former Meta Engineer Says Quantum Computing and Miner Incentives Are Bitcoin's Biggest Long-Term Risks

Former Meta Engineer Says Quantum Computing and Miner Incentives Are Bitcoin’s Biggest Long-Term Risks

July 11, 2026
Vitalik Buterin Urges Elon Musk to Transform X Into a Platform for AI Governance

Vitalik Buterin Urges Elon Musk to Transform X Into a Platform for AI Governance

July 11, 2026
Ethereum Uses Just 7.87 GWh of Electricity Annually After The Merge, Cambridge Study Finds

Ethereum Uses Just 7.87 GWh of Electricity Annually After The Merge, Cambridge Study Finds

July 11, 2026
DOJ Moves to End BitClub Founder’s $722 Million Crypto Fraud Case

DOJ Moves to End BitClub Founder’s $722 Million Crypto Fraud Case

July 11, 2026
DOJ Moves to End BitClub Founder’s $722 Million Crypto Fraud Case

DOJ Moves to End BitClub Founder’s $722 Million Crypto Fraud Case

July 11, 2026
AI Agents Now Have a New Internet Court to Settle Disputes

AI Agents Now Have a New Internet Court to Settle Disputes

July 10, 2026
Ledger Researchers Disclose Tangem Card Flaw

Ledger Researchers Reveal Laser Flaw in Tangem Cards as Firm Downplays User Risk

July 10, 2026
Circle Receives Final OCC Approval to Launch National Trust Bank

Circle Wins Federal Approval to Launch Regulated Digital Asset Trust Bank

July 10, 2026

Cryip focuses on crypto research and on-chain analysis, supported by coverage of markets, regulation, security events, and blockchain ecosystems.

Recent Posts

  • BingX launches the BingX Visa Debit Card, bridging digital assets and everyday payments
  • Bonzo Lend Oracle Exploit Triggers Cross-Chain Fund Transfers on Hedera
  • Former Meta Engineer Says Quantum Computing and Miner Incentives Are Bitcoin’s Biggest Long-Term Risks

Categories

  • AI × Crypto
  • Data & Dashboards
  • DeFi Basics
  • Investing Basics
  • Market & Price
  • Market Updates
  • On-Chain Analysis
  • OpSec
  • Policy & Regulation
  • Post Mortems
  • Press Release
  • Reports
  • Scams & Fraud
  • Security & Hacks
  • Stablecoins
  • Tokenomics
  • VC & Funding
  • Wallets & Custody

Company

  • About Us
  • Contact Us
  • Editorial Standards & Integrity
  • Our Team
  • Privacy Policy
  • Review Methodology
  • Terms and Conditions
  • Trust, Disclosures & Independence

© 2026 Cryip - Research-Driven Crypto Analysis & News by Hashlays.

Welcome Back!

Login to your account below

Forgotten Password?

Retrieve your password

Please enter your username or email address to reset your password.

Log In

Add New Playlist

No Result
View All Result
  • Home
  • News
  • Research & Analysis
  • Reviews & Comparisons
  • Learn Crypto
  • Features
  • Events

© 2026 Cryip - Research-Driven Crypto Analysis & News by Hashlays.

This website uses cookies. By continuing to use this website you are giving consent to cookies being used. Visit our Privacy and Cookie Policy.