Device Code Phishing Hits 340+ Organisations — Block OAuth Device Flow in Microsoft 365 Today
Published: 28 March 2026 | Reading time: 10 minutes | Author: AyeTech Cyber Security Team
ACTION REQUIRED: Block Device Code Flow Now
A commoditised Phishing-as-a-Service platform called EvilTokens is actively targeting Australian organisations using OAuth device code phishing. MFA does not stop this attack. If your business runs Microsoft 365, contact AyeTech today to block this attack vector — it takes five minutes per tenant.
Key Takeaways
- 340+ organisations compromised: across AU, NZ, US, CA, and DE as of March 23, 2026 — with 113 additional attempts blocked by Huntress alone
- MFA is completely bypassed: The victim authenticates on the real Microsoft login page and completes MFA themselves — the attacker just harvests the resulting tokens
- Tokens survive password resets: Changing your password does not revoke OAuth refresh tokens — attackers maintain access until tokens are explicitly revoked
- Commoditised attack: Originally a Russian state technique (Storm-2372), now sold as a service on Telegram since February 2026
- One Conditional Access policy blocks it: Blocking device code flow in Entra takes five minutes and is the definitive fix
What Is Device Code Phishing?
Device code authentication is a legitimate Microsoft feature designed for devices that don't have a browser or keyboard — think smart TVs, IoT sensors, and conference room displays. Instead of typing a password directly, the device shows a short code and tells you to visit microsoft.com/devicelogin on another device, enter the code, and authenticate there.
Attackers have weaponised this flow. Instead of a device generating the code, the attacker generates it and sends it to the victim via a phishing email. When the victim enters the code and authenticates (including completing MFA), the attacker receives the resulting OAuth tokens and gains full access to the victim's Microsoft 365 account.
This technique was first observed in mid-2024 as a Russian state-sponsored campaign tracked by Microsoft as Storm-2372. In February 2026, a Phishing-as-a-Service platform called EvilTokens appeared on Telegram, making this attack available to anyone willing to pay. The result: 340+ confirmed compromises across five countries, with Australia among the hardest hit.
How the Attack Works Step by Step
Understanding the attack chain is important because it explains why traditional defences fail and why the Conditional Access block is the only reliable countermeasure.
- Phishing Email Arrives: The victim receives an email using familiar lures: DocuSign signature requests, voicemail notifications, construction bid documents, or Microsoft Forms. These are crafted to look routine and urgent.
- Legitimate Redirect Services Hide the Malicious URL: The phishing link is wrapped inside legitimate URL redirect services from Cisco (Secure Email), Trend Micro, and Mimecast. Because these are trusted domains, spam filters and email gateways pass them through.
- Multi-Hop Redirect Chain: Clicking the link triggers a chain of redirects through compromised websites, then to Cloudflare Workers, then to Vercel, before finally landing on the attacker's page. Each hop makes detection harder.
- Attacker Landing Page Displays a Device Code: The landing page shows a pre-generated Microsoft device code and instructs the victim to visit microsoft.com/devicelogin and enter it. This is the real Microsoft site — not a fake.
- Victim Authenticates and Completes MFA: The victim enters the code on the genuine Microsoft login page, types their password, and completes their normal MFA challenge (push notification, authenticator code, whatever they use). They believe they are authorising a legitimate action.
- Attacker Receives OAuth Tokens: Behind the scenes, the attacker's infrastructure (hosted on Railway.com PaaS) is polling Microsoft's device code endpoint. The moment the victim completes authentication, the attacker receives OAuth access and refresh tokens for that user's account.
- Persistent Access — Survives Password Reset: The attacker now has refresh tokens that persist even if the victim changes their password. The attacker can access email, files, Teams, SharePoint — everything the victim can access — until the tokens are explicitly revoked.
Why MFA Does Not Help
This is the critical point that makes device code phishing different from traditional credential theft.
MFA Is Bypassed by Design
In a traditional phishing attack, the attacker presents a fake login page and tries to capture or relay the victim's credentials and MFA token. Defences like phishing-resistant FIDO2 keys can detect the fake domain and refuse to authenticate.
Device code phishing is different. The victim authenticates on the real Microsoft login page. They complete the real MFA challenge. There is no fake page for phishing-resistant MFA to detect. The attacker never touches the authentication process — they simply receive the resulting tokens after the victim completes it.
This means MFA — including hardware security keys and passkeys — does not prevent this attack. The only effective control is blocking the device code authentication flow entirely.
Why Password Resets Don't Help Either
When an account is compromised via device code phishing, the attacker holds OAuth refresh tokens. These tokens are independent of the user's password. Changing the password does not invalidate existing tokens. The attacker maintains access until you explicitly revoke all refresh tokens via the Entra admin portal or PowerShell.
Not sure if your environment is blocking device code flow? Contact AyeTech or call 02 9188 8000 — we can check your Conditional Access policies in minutes.
Who Is Being Targeted in Australia
The EvilTokens campaign is not targeting a single industry. Based on reporting from Huntress and the Cloud Security Alliance, the following Australian sectors have been targeted:
Additional sectors include financial services, non-profits, real estate, and manufacturing. The breadth of targeting indicates this is an opportunistic, volume-based campaign — not a precision operation aimed at a specific industry.
If you run Microsoft 365, you are a potential target regardless of your sector or size.
Not Sure If Your Business Is Protected?
AyeTech has already blocked this attack across all managed Microsoft 365 tenants. If you are not an AyeTech client, your environment may still be vulnerable. Book a free Microsoft 365 security check or call 02 9188 8000 and we will tell you in minutes whether you are exposed.
Indicators of Compromise to Hunt For
If you want to determine whether your environment has already been targeted or compromised, look for these indicators in your Entra sign-in logs and email gateway logs.
| Indicator | Detail |
|---|---|
| Railway.com IPs | Five attacker IPs identified; three of them account for ~84% of polling traffic. Check Entra sign-in logs for Railway.com IP ranges |
| API Endpoints | /api/device/start and /api/device/status/ paths on landing pages |
| HTTP Header | Non-standard X-Antibot-Token header in requests |
| User-Agent (iOS) | iPhone OS 18_7 paired with Version/26.3 — iOS 26 does not exist yet. High-fidelity detection signal |
| User-Agent (Linux) | X11; Linux x86_64 from cloud IPs — Railway container OS leaking through |
| MITRE ATT&CK | T1566.002 (Spearphishing Link) and T1528 (Steal Application Access Token) |
The spoofed iOS user-agent is particularly useful for detection. An authentication request claiming to come from iPhone OS 18_7 running Version/26.3 of Safari is fabricated — that version of iOS does not exist. If you see this in your sign-in logs, investigate immediately.
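The indicators in the table above, applied to sign-in log records as a hunting script. This is an added example, not code from the original post or from Huntress; the records are constructed samples in the Entra SigninLogs field shape (AuthenticationProtocol, IPAddress, UserAgent), and the suspicious IP range is a labelled placeholder to be replaced with the ranges from the Huntress report.

```python
from __future__ import annotations
import re
from ipaddress import ip_address, ip_network

# Constructed sample of Entra ID sign-in records (not real data). Field names follow
# the SigninLogs schema that a 30-day KQL audit would query.
SAMPLE_SIGNINS = [
    {"UserPrincipalName": "alice@example.test", "AuthenticationProtocol": "deviceCode",
     "IPAddress": "203.0.113.10",
     "UserAgent": "Mozilla/5.0 (iPhone; CPU iPhone OS 18_7 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/26.3 Mobile/15E148 Safari/604.1"},
    {"UserPrincipalName": "bob@example.test", "AuthenticationProtocol": "deviceCode",
     "IPAddress": "198.51.100.7",
     "UserAgent": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0 Safari/537.36"},
    {"UserPrincipalName": "carol@example.test", "AuthenticationProtocol": "oAuth2",
     "IPAddress": "192.0.2.44",
     "UserAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/120.0"},
    {"UserPrincipalName": "dave@example.test", "AuthenticationProtocol": "deviceCode",
     "IPAddress": "192.0.2.9",
     "UserAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Edge/120.0"},
]

# PLACEHOLDER (constructed): replace with the Railway.com / attacker ranges from the report.
SUSPICIOUS_CLOUD_RANGES = [ip_network("198.51.100.0/24")]

# iOS 26 does not exist: "iPhone OS 18_7" plus Safari "Version/26.3" is fabricated.
SPOOFED_IOS_UA = re.compile(r"iPhone OS 18_7\b.*Version/26\.3\b")
# Desktop Linux UA from a cloud IP: the attacker's container OS leaking through.
LINUX_X11_UA = re.compile(r"X11; Linux x86_64")

def from_suspicious_cloud(ip: str) -> bool:
    try:
        addr = ip_address(ip)
    except ValueError:          # empty or malformed IP field: treat as no match
        return False
    return any(addr in net for net in SUSPICIOUS_CLOUD_RANGES)

def classify(record: dict) -> list[str]:
    """Return the indicator names a single sign-in record matches (empty if clean)."""
    hits = []
    if record.get("AuthenticationProtocol") == "deviceCode":
        hits.append("device_code_auth")          # every device code sign-in deserves review
        ua = record.get("UserAgent", "")
        if SPOOFED_IOS_UA.search(ua):
            hits.append("spoofed_ios_ua")         # high-fidelity signal
        if LINUX_X11_UA.search(ua) and from_suspicious_cloud(record.get("IPAddress", "")):
            hits.append("linux_ua_from_cloud_ip")
    return hits

def hunt(records: list[dict]) -> list[dict]:
    """Findings for a log export, most indicators first; tagged with ATT&CK T1528."""
    findings = []
    for r in records:
        hits = classify(r)
        if hits:
            findings.append({"user": r["UserPrincipalName"], "ip": r["IPAddress"],
                             "indicators": hits, "attack": "T1528"})
    findings.sort(key=lambda f: -len(f["indicators"]))
    return findings
```

Feed it the JSON export of a sign-in log query filtered to the last 30 days; any finding carrying more than the bare device_code_auth indicator warrants immediate token revocation and account review.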
How AyeTech Responded — Blocked Across All Managed Tenants
Proactive Protection Before the First Phishing Email Landed
AyeTech manages Microsoft 365 environments for businesses across Australia. When the EvilTokens campaign was identified, here is what we did:
- Threat Intelligence Detection: AyeTech's security team monitors threat intelligence feeds, vendor advisories, and industry reporting continuously. The EvilTokens device code phishing campaign was flagged as a priority threat as soon as Huntress published their analysis.
- Immediate Conditional Access Deployment: We deployed the device code flow block via Conditional Access across all managed Microsoft 365 tenants. The policy was rolled out within hours of the threat being confirmed — before any known phishing email from this campaign reached our managed environments.
- Sign-In Log Audit: We ran the KQL detection query across every managed tenant, reviewing 30 days of sign-in logs for any device code authentication from suspicious sources. No compromise indicators were found in any AyeTech-managed environment.
- Client Communication: Every managed client was notified of the threat and the protective action taken. Clients received a clear explanation of the attack, why MFA does not prevent it, and confirmation that their environment was already protected.
Result: All AyeTech-managed Microsoft 365 tenants had device code flow blocked before any client was impacted by this campaign.
Why This Matters for Self-Managed Environments
If you are managing your own Microsoft 365 environment:
- You may not monitor threat intelligence feeds that would alert you to this campaign
- You may not know that device code flow exists, let alone that it needs to be blocked
- You may not have the Entra ID licensing or expertise to configure Conditional Access policies
- You may not know how to audit sign-in logs for compromise indicators
- You may already be compromised and not know it — because the attacker is using legitimate tokens that look like normal activity
This is why managed IT exists. The difference between a managed and self-managed environment in this scenario is the difference between being protected before the attack arrives and discovering the breach weeks later when a BEC payment goes to the wrong bank account.
What Needs to Happen to Protect Your Business
Blocking this attack requires multiple coordinated actions across your Microsoft 365 environment. This is not a single setting you can toggle — it requires Entra ID expertise, the right licensing, and the tools to verify it was done correctly.
- Block Device Code Flow in Conditional Access: A specific Conditional Access policy must be configured in Entra ID to block the device code authentication flow for all users. This is the kill switch that prevents the attack entirely. It requires Entra ID P1 licensing and knowledge of how authentication flows, exclusion groups, and break-glass accounts interact. Get it wrong and you lock out legitimate users. Miss an exclusion and you leave a gap.
- Audit 30 Days of Sign-In Logs for Compromise: Even after deploying the block, you need to check whether device code authentication has already been used in your environment. This means querying Entra sign-in logs with specific filters for the deviceCode authentication protocol, cross-referencing against known attacker IP ranges, and interpreting the results. Most businesses do not have Microsoft Sentinel or Log Analytics configured to run these queries.
- Revoke Tokens for Any Compromised Accounts: If compromise is detected, resetting the password is not enough — OAuth refresh tokens must be explicitly revoked. Then you need to audit mail forwarding rules, check for malicious OAuth app consents, review newly registered devices, and inspect inbox rules the attacker may have created to hide their activity. Missing any of these steps means the attacker retains access or leaves behind a backdoor.
- Harden Email Filtering Against Redirect Abuse: The phishing emails in this campaign bypass email security by wrapping malicious URLs inside legitimate redirect services from well-known vendors. Your email gateway configuration needs to be reviewed to ensure these redirect chains are detected and blocked, not trusted.
- Verify Microsoft-Managed Policies: Microsoft may have auto-deployed a managed Conditional Access policy under the Secure Future Initiative — but it may be set to "Report-only" mode, which logs events without actually blocking them. This needs to be checked and enforced.
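The first and last steps above (block the flow, and confirm a managed policy is enforced rather than report-only) as a verification script over Conditional Access policies. This is an added example, not AyeTech's or Microsoft's code; the policies are constructed samples in the shape Microsoft Graph returns for conditionalAccessPolicy objects (state, conditions.authenticationFlows.transferMethods, grantControls.builtInControls), and the break-glass group id is a placeholder.

```python
from __future__ import annotations

# Constructed sample of Conditional Access policies (not real tenant data), in the
# Microsoft Graph conditionalAccessPolicy shape. The first one is the trap the page
# warns about: it targets device code flow but only reports, it does not block.
SAMPLE_POLICIES = [
    {"displayName": "Block device code flow (managed)",
     "state": "enabledForReportingButNotEnforced",      # report-only: logs, never blocks
     "conditions": {"users": {"includeUsers": ["All"], "excludeGroups": ["<break-glass-group-id>"]},
                    "applications": {"includeApplications": ["All"]},
                    "authenticationFlows": {"transferMethods": "deviceCodeFlow"}},
     "grantControls": {"operator": "OR", "builtInControls": ["block"]}},
    {"displayName": "Require MFA for all users",
     "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"]},
                    "applications": {"includeApplications": ["All"]},
                    "authenticationFlows": None},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
]

def blocks_device_code(policy: dict) -> bool:
    """True if the policy targets device code flow for all users and apps with a block grant."""
    conds = policy.get("conditions") or {}
    flows = conds.get("authenticationFlows") or {}
    # transferMethods is a comma-separated flags string, e.g. "deviceCodeFlow,authenticationTransfer"
    methods = {m.strip() for m in (flows.get("transferMethods") or "").split(",")}
    controls = (policy.get("grantControls") or {}).get("builtInControls") or []
    users = conds.get("users") or {}
    apps = conds.get("applications") or {}
    return ("deviceCodeFlow" in methods and "block" in controls
            and users.get("includeUsers") == ["All"]
            and apps.get("includeApplications") == ["All"])

def assess(policies: list[dict]) -> dict:
    """Is device code flow actually enforced, or only reported on? Names both kinds."""
    enforced = [p["displayName"] for p in policies
                if blocks_device_code(p) and p.get("state") == "enabled"]
    report_only = [p["displayName"] for p in policies
                   if blocks_device_code(p) and p.get("state") == "enabledForReportingButNotEnforced"]
    return {"protected": bool(enforced), "enforced": enforced, "report_only": report_only}

def enforced_policy_body() -> dict:
    """Body to POST to /identity/conditionalAccess/policies when no enforced block exists.
    Exclude the break-glass group so an emergency account is never locked out."""
    return {"displayName": "Block device code flow",
            "state": "enabled",
            "conditions": {"users": {"includeUsers": ["All"],
                                     "excludeGroups": ["<break-glass-group-id>"]},  # placeholder
                           "applications": {"includeApplications": ["All"]},
                           "authenticationFlows": {"transferMethods": "deviceCodeFlow"}},
            "grantControls": {"operator": "OR", "builtInControls": ["block"]}}
```

Run assess() over the list returned by GET /identity/conditionalAccess/policies; a result with report_only entries but an empty enforced list means the tenant is logging the attack, not stopping it.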
This Is Not a DIY Task
Each of these steps requires specific Microsoft 365 security expertise, the right admin access, and the right licensing tier. A misconfigured Conditional Access policy can lock users out of their accounts. A missed compromise indicator means the attacker is still in your environment reading your email.
AyeTech has already completed all of these steps across every managed tenant. If you are not sure whether your environment is protected, contact us today and we will check for you.
Why You Cannot Do This Alone
Device code phishing is a perfect example of why self-managing Microsoft 365 is a risk most businesses cannot afford. Consider what happened in this scenario:
| AyeTech-Managed Business | Self-Managed Business |
|---|---|
| Threat detected within hours of publication | May never hear about the campaign |
| Device code flow blocked across all tenants same day | Does not know device code flow exists |
| 30-day sign-in log audit completed proactively | Does not have the tools or expertise to query logs |
| Client notified with clear explanation | Discovers breach weeks later when a BEC payment goes to the wrong bank account |
| Zero impact from this campaign | Average BEC loss: $64,000 (ACSC) |
This campaign hit 340+ organisations. The ones that were protected had IT providers watching the threat landscape and deploying countermeasures before the phishing emails arrived. The ones that were compromised were managing their own environments and had no idea this attack vector existed.
What AyeTech Does for Every Managed M365 Tenant
- 24/7 threat intelligence monitoring: We track new attack techniques as they emerge and deploy countermeasures proactively — not after the first compromise
- Conditional Access management: We configure and maintain security policies across all managed tenants, ensuring legacy authentication flows, risky sign-in behaviours, and known attack vectors are blocked
- Sign-in log monitoring: We continuously audit authentication logs for suspicious activity, including device code flow abuse, impossible travel, and token replay from cloud infrastructure IPs
- Incident response: If a compromise is detected, we execute token revocation, mail rule audits, OAuth consent reviews, and full account remediation immediately
- Email security hardening: We configure and maintain email filtering policies to detect and block phishing campaigns, including the redirect chain techniques used in this attack
The cost of managed IT is a fraction of a single successful BEC incident. The cost of not having it is discovering that an attacker has been reading your email for three weeks and has already redirected a $64,000 payment.
Is Your Microsoft 365 Tenant Protected?
If you are not certain that device code flow is blocked in your environment, contact AyeTech today. We can audit your Conditional Access policies, check your sign-in logs for compromise indicators, and deploy the block across all your tenants.
Book a Security Assessment Call Now: 02 9188 8000, or email us at [email protected] and we will check your M365 security posture.
Frequently Asked Questions
The definitive fix is blocking device code flow via a Conditional Access policy in Microsoft Entra ID. This requires Entra ID P1 licensing, knowledge of authentication flows, and correct configuration of exclusion groups. AyeTech deploys and manages this policy across all managed Microsoft 365 tenants as part of our cyber security services. Contact us to have your tenant checked and protected today.
Because the victim authenticates on the genuine Microsoft login page and completes their real MFA challenge themselves. There is no fake login page for security keys or authenticator apps to detect. The attacker never touches the authentication — they just receive the resulting OAuth tokens afterward. This is why blocking the device code flow at the Conditional Access level is the only effective defence, and why businesses need a managed IT provider monitoring for new attack techniques that bypass existing controls.
If your business uses Microsoft 365, yes. The EvilTokens campaign has targeted construction, healthcare, legal, government, financial services, real estate, manufacturing, and non-profit organisations across Australia, New Zealand, the US, Canada, and Germany. It is an opportunistic, volume-based campaign — not targeted at specific companies. Any M365 tenant without device code flow blocked is exposed. AyeTech can check your exposure in minutes.
Detecting compromise requires querying your Entra ID sign-in logs for device code authentication events, cross-referencing against known attacker IP ranges (such as Railway.com infrastructure), and checking for suspicious user-agent strings. Most small businesses do not have the tools or expertise to run these queries. AyeTech performs this audit across all managed tenants proactively. If you are concerned your environment may be compromised, call us on 02 9188 8000 for an immediate assessment.
The attacker receives OAuth refresh tokens that give them full access to the victim's Microsoft 365 account — email, OneDrive, SharePoint, Teams. These tokens persist even after a password reset. The most common follow-up is Business Email Compromise (BEC), where attackers monitor email and redirect invoice payments. The average BEC loss for Australian businesses is $64,000 (ACSC). Recovery requires immediate token revocation, mail rule audits, OAuth consent reviews, and device checks — all of which AyeTech handles as part of our managed IT incident response.
Yes. AyeTech has already blocked device code flow across all managed Microsoft 365 tenants and audited sign-in logs for compromise indicators. We monitor emerging threats continuously and deploy countermeasures proactively — our managed clients were protected before the first phishing email from this campaign reached any inbox. Book a free M365 security check to find out if your business is exposed, or call 02 9188 8000.
About AyeTech
AyeTech is a Sydney-based managed IT services provider specialising in Microsoft 365 security, network infrastructure, and cybersecurity for Australian small and medium businesses. We proactively monitor emerging threats like the EvilTokens device code phishing campaign and deploy countermeasures across all managed tenants before our clients are impacted.
Contact Information:
- Phone: 02 9188 8000
- Email: [email protected]
- Address: Suite 203, Level 8, 99 Walker St, North Sydney, NSW 2060
- Service Areas: Sydney, Melbourne, Brisbane, Perth, Adelaide
Sources:
- Huntress — Railway PaaS M365 Token Replay Campaign
- Microsoft — Block Authentication Flows with Conditional Access
- Microsoft — Authentication Flows Condition in Conditional Access
- Cloud Security Alliance — OAuth Device Code Phishing Research Note