{
  "name": "Inside an AIenabled device code phishing campaign",
  "slug": "inside-an-aienabled-device-code-phishing-campaign",
  "description": "Microsoft Defender Security Research has observed a widespread phishing campaign leveraging the Device Code Authentication flow to compromise organizational accounts at scale. While traditional device code attacks are typically narrow in scope, this campaign demonstrated a higher success rate, driven by automation and dynamic code generation that circumvented the standard 15-minute expiration window for device codes. This activity aligns with the emergence of EvilToken, a Phishing-as-a-Service (PhaaS) toolkit identified as a key driver of large-scale device code abuse.",
  "published": "2026-04-06T18:28:10+00:00",
  "created_at": "2026-04-06T18:28:10+00:00",
  "modified_at": "2026-04-06T19:48:49+00:00",
  "created_at_opencti": "2026-04-06T18:28:10+00:00",
  "author": "",
  "confidence": null,
  "report_types": [],
  "labels": [],
  "tags": [
    "2026-04-06",
    "phishing"
  ],
  "related_entities": {
    "malware": [
      {
        "id": "036f5968-72ae-48aa-8819-ebbac1b7dd4e",
        "name": "EvilToken",
        "slug": "eviltoken"
      }
    ],
    "attack_patterns": [
      {
        "id": "d9b45b3b-d093-4016-89e9-48f31ff4d05d",
        "name": "T1566"
      }
    ],
    "others": [
      {
        "id": "",
        "name": "a7b2-c9d4.office-verify.net"
      },
      {
        "id": "",
        "name": "office365-login.com"
      },
      {
        "id": "",
        "name": "portal-azure.com"
      }
    ]
  },
  "external_refs": [
    "https://www.microsoft.com/en-us/security/blog/2026/04/06/ai-enabled-device-code-phishing-campaign-april-2026/",
    "https://otx.alienvault.com/pulse/69d4175ab0f5278eae91f1cf"
  ]
}