Your MFA Just Got Bypassed — By a Machine
For years, multi-factor authentication has been the line you draw in the sand. Password compromised? Fine — the attacker still needs that second factor. Device code phishing has been chipping away at that assumption for a while, but the attacks were manual, clunky, and small-scale. A researcher here, a targeted group there.
That era is over.
Microsoft Defender Security Research has published detailed findings on a widespread phishing campaign that leverages the device code authentication flow at industrial scale — and it is driven end-to-end by AI and automation. The enabler: a phishing-as-a-service toolkit called EvilTokens.
The Device Code Flow — and Why It Breaks
Device code authentication was designed for devices without proper interfaces — smart TVs, printers, IoT things. The flow is simple: a device shows you a short code, you visit microsoft.com/devicelogin on your phone or computer, enter the code, and authenticate. The device gets a token.
The vulnerability is structural. Authentication happens on a separate device from the one requesting access. The session requesting the token is not strongly bound to the user who authenticated. Attackers exploit this decoupling: they initiate the device code flow, then trick you into entering the code on the legitimate Microsoft login page. You authenticate. They get the token. Your MFA? You just satisfied it yourself — for them.
What Makes This Campaign Different
Previous device code phishing was artisanal. Manual scripts, narrow targeting, limited scope. EvilTokens changes the game in four ways:
1. Dynamic Code Generation Beats the Clock
Device codes expire in 15 minutes. Old-school attacks had a problem: generate the code too early, and it expires before the victim clicks. Generate it too late, and there is no code to show. EvilTokens solves this with automation. The device code is generated at the exact moment the user clicks the phishing link. The code is fresh, valid, and waiting. The 15-minute window is no longer a constraint — it is a feature the attacker exploits.
2. AI-Personalized Lures
Generative AI crafts phishing emails tailored to the victim's role. RFP templates for procurement staff. Invoice alerts for finance. Manufacturing workflow notifications for operations. The emails do not look like phishing because they are not generic — they are scoped to what you actually do. This is not your Nigerian prince. This is a colleague who seems to know your job.
3. Serverless Infrastructure at Scale
Threat actors used platforms like Railway.com to spin up thousands of short-lived polling nodes. Redirect chains run through Vercel, Cloudflare Workers, and AWS Lambda — domains that blend into normal enterprise cloud traffic. Domain blocklists cannot keep up because the infrastructure is ephemeral by design. Every campaign spins up fresh infrastructure. Every URL is new.
4. Automated Post-Compromise Reconnaissance
Once a token is captured, automation takes over. The system queries Microsoft Graph to map organizational structure, identify high-value targets (finance, executives), and create malicious inbox rules for persistence. Stolen tokens are used to set up forwarding rules that hide the attacker's activity from the victim. The window between initial compromise and full organizational mapping? Measured in minutes.
The Full Attack Chain
Here is how a single compromise unfolds:
- Reconnaissance (Day -15 to Day -10): The threat actor verifies target email validity using the GetCredentialType endpoint. They know your account exists and is active before they ever email you.
- Delivery: A hyper-personalized email arrives. It references an RFP, an invoice, or a shared document. It contains a URL or attachment.
- Redirect Chain: Clicking the link routes through 2-3 compromised or serverless domains — Vercel, Cloudflare Workers, AWS Lambda — before reaching the final landing page. URL scanners never see the destination.
- Landing Page: A browser-in-the-browser technique renders what appears to be a Microsoft login window. Or a blurred document preview with a "Verify identity" button. The device code is displayed.
- Code Entry: The victim visits the real microsoft.com/devicelogin and enters the code. They authenticate with MFA. Everything looks legitimate — because parts of it are legitimate.
- Token Capture: The attacker's polling node receives the token. The 15-minute timer has not even come close to expiring.
- Persistence: Malicious inbox rules are created. Emails are redirected. Microsoft Graph is queried for lateral movement opportunities.
Why Traditional Defenses Fail
The uncomfortable truth: most of what this campaign does looks legitimate to security tools.
- URLs point to real Microsoft domains — because the victim is authenticating on the real Microsoft login page.
- Redirects use trusted platforms — Vercel, Cloudflare, AWS are not suspicious domains.
- Emails are personalized — AI-generated content passes heuristics that flag generic phishing templates.
- Infrastructure is ephemeral — by the time a domain is flagged, the campaign has moved on.
The entire attack exploits the trust model that enterprise security is built on. You trust Microsoft's login page. You trust cloud platforms. You trust emails that reference your actual work. Every layer of trust is weaponized.
What You Can Actually Do
There is no silver bullet, but there are concrete steps that raise the cost of this attack significantly:
- Restrict device code flow: If your organization does not use device code authentication for IoT or limited-interface devices, disable it via Conditional Access policies. Most organizations never need it.
- Monitor for anomalous inbox rules: Automated creation of forwarding rules or rules that move/delete messages from specific senders is a red flag. Set up alerts for this in Microsoft 365.
- Token correlation alerts: If a device code token is redeemed from an IP or location that does not match the user's normal pattern, that is suspicious. Microsoft Defender for Identity can surface these anomalies.
- Train for the specific pattern: Traditional phishing training focuses on password theft. This attack never asks for a password. Train users that entering a code on a Microsoft login page after clicking a link is the new high-risk behavior.
- Enforce token protection policies: Microsoft's token protection (session controls) can bind tokens to specific devices, reducing the utility of stolen tokens.
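As an added illustration of the inbox-rule and token-correlation points above (this is example code written for this article, not code from the Microsoft report or the EvilTokens toolkit), here is a small Python detector that runs over constructed sign-in and audit records: it flags device code sign-ins from IPs outside a user's baseline, flags inbox rules that forward or silently delete mail, and correlates the two within a short window. The field names follow the Entra ID sign-in log and the Exchange unified audit log schemas; the records, users, IPs and the per-user baseline are made up.

```python
from datetime import datetime, timedelta

# Constructed sample records, not real log data. Field names follow the Entra ID
# sign-in log (authenticationProtocol, ipAddress, createdDateTime) and the
# Exchange unified audit log (Operation, Parameters as Name/Value pairs).
SIGNINS = [
    {"userPrincipalName": "cfo@example.com", "ipAddress": "198.51.100.5",
     "authenticationProtocol": "oAuth2", "createdDateTime": "2024-05-01T08:55:00+00:00"},
    {"userPrincipalName": "cfo@example.com", "ipAddress": "203.0.113.10",
     "authenticationProtocol": "deviceCode", "createdDateTime": "2024-05-01T09:00:00+00:00"},
    {"userPrincipalName": "tv-lobby@example.com", "ipAddress": "198.51.100.7",
     "authenticationProtocol": "deviceCode", "createdDateTime": "2024-05-01T09:01:00+00:00"},
]
AUDIT = [
    {"UserId": "cfo@example.com", "Operation": "New-InboxRule",
     "CreationTime": "2024-05-01T09:04:00+00:00",
     "Parameters": [{"Name": "ForwardTo", "Value": "drop@example.net"},
                    {"Name": "DeleteMessage", "Value": "True"}]},
    {"UserId": "alice@example.com", "Operation": "New-InboxRule",
     "CreationTime": "2024-05-01T10:00:00+00:00",
     "Parameters": [{"Name": "Name", "Value": "Newsletters"}, {"Name": "MoveToFolder", "Value": "Reading"}]},
]
# Constructed baseline of IPs each user normally signs in from. The lobby TV is an
# expected device code client, so its usual IP is listed and it is not flagged.
BASELINE_IPS = {"cfo@example.com": {"198.51.100.5"},
                "tv-lobby@example.com": {"198.51.100.7"}}
RISKY_RULE_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo", "DeleteMessage"}

def device_code_from_unusual_ip(signins, baseline):
    """Device code sign-ins from an IP outside the user's baseline."""
    return [s for s in signins if s["authenticationProtocol"] == "deviceCode"
            and s["ipAddress"] not in baseline.get(s["userPrincipalName"], set())]

def risky_inbox_rules(audit):
    """New or changed inbox rules that forward mail or silently delete it."""
    return [r for r in audit if r["Operation"] in {"New-InboxRule", "Set-InboxRule"}
            and {p["Name"] for p in r["Parameters"]} & RISKY_RULE_PARAMS]

def correlate(signins, audit, baseline, window=timedelta(minutes=30)):
    """Users whose risky rule appeared within `window` after a flagged sign-in."""
    flagged = device_code_from_unusual_ip(signins, baseline)
    alerts = set()
    for rule in risky_inbox_rules(audit):
        t_rule = datetime.fromisoformat(rule["CreationTime"])
        for s in flagged:
            delta = t_rule - datetime.fromisoformat(s["createdDateTime"])
            if s["userPrincipalName"] == rule["UserId"] and timedelta(0) <= delta <= window:
                alerts.add(rule["UserId"])
    return sorted(alerts)
```

On the sample data `correlate(SIGNINS, AUDIT, BASELINE_IPS)` returns only the finance account: a device code sign-in from an unknown IP followed four minutes later by a forward-and-delete rule, while the lobby TV and the harmless "move to folder" rule stay quiet.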
The Bigger Picture
EvilTokens is not an isolated tool. It is a symptom of the industrialization of phishing. When AI can personalize lures at scale, when serverless platforms provide disposable infrastructure, and when legitimate authentication flows can be weaponized — the economics of phishing shift. The cost per compromised account drops. The success rate climbs. The attacker does not need to be smarter than your security team. They just need to be faster than your alerting pipeline.
The device code flow was designed for convenience. Like so many security tradeoffs, convenience has a cost. The question is no longer whether MFA can be bypassed — it is whether your organization can detect and respond when it is.
Because the machine that just phished your finance director? It did not even pause to celebrate.