Code Vulnerability (severity: high)
AI-Enabled Device Code Phishing (EvilToken PhaaS) — 10-15 Campaigns Daily

| Field | Value |
|---|---|
| Severity | high |
| Status | open |
| Date | April 7, 2026 |
| Affects | Microsoft 365 organizations — US, Canada, Australia, NZ, Germany |
| Source | www.microsoft.com |
Details

10-15 distinct campaigns launch every 24 hours, each targeting hundreds of organizations. The operators use the EvilToken Phishing-as-a-Service toolkit to abuse the Microsoft 365 device code OAuth flow: the victim is lured into entering an attacker-supplied device code on Microsoft's legitimate sign-in page, which issues tokens to the attacker's client. Generative AI produces role-targeted lures (RFPs, invoices, manufacturing workflows). Post-compromise activity focuses on finance-related accounts, with automated email exfiltration.
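A detection-side illustration of the pattern described above, added here as an example and not taken from the Microsoft advisory. It assumes sign-in records shaped like Microsoft Graph `signIns` objects (`userPrincipalName`, `createdDateTime`, `ipAddress`, `authenticationProtocol`, `appDisplayName`, `status.errorCode`); the `SAMPLE_SIGNINS` list is constructed test data, not real telemetry. The first function pulls out every successful sign-in completed through the device code grant; the second flags the tell-tale follow-on, where the victim completes the grant from their own browser and the issued tokens are then used from an address that user has never signed in from.

```python
"""Triage Entra ID sign-in records for device code flow abuse (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records, not real telemetry. Shape follows Graph `signIns`.
SAMPLE_SIGNINS = [
    # ap.clerk: ordinary mailbox use from the office address the day before
    {"userPrincipalName": "ap.clerk@example.com", "createdDateTime": "2026-04-06T13:02:11Z",
     "ipAddress": "203.0.113.10", "authenticationProtocol": "none",
     "appDisplayName": "Office 365 Exchange Online", "status": {"errorCode": 0}},
    # ap.clerk: device code entered in the victim's own browser (office IP)
    {"userPrincipalName": "ap.clerk@example.com", "createdDateTime": "2026-04-07T09:41:05Z",
     "ipAddress": "203.0.113.10", "authenticationProtocol": "deviceCode",
     "appDisplayName": "Microsoft Office", "status": {"errorCode": 0}},
    # ap.clerk: minutes later, the tokens are used from an address never seen before
    {"userPrincipalName": "ap.clerk@example.com", "createdDateTime": "2026-04-07T09:44:30Z",
     "ipAddress": "198.51.100.77", "authenticationProtocol": "none",
     "appDisplayName": "Microsoft Graph", "status": {"errorCode": 0}},
    # eng.lead: failed device code attempt (non-zero errorCode), so no grant was issued
    {"userPrincipalName": "eng.lead@example.com", "createdDateTime": "2026-04-07T10:00:00Z",
     "ipAddress": "203.0.113.22", "authenticationProtocol": "deviceCode",
     "appDisplayName": "Azure CLI", "status": {"errorCode": 50126}},
    # cfo: legitimate device code sign-in, later use from the same address
    {"userPrincipalName": "cfo@example.com", "createdDateTime": "2026-04-07T11:15:00Z",
     "ipAddress": "203.0.113.30", "authenticationProtocol": "deviceCode",
     "appDisplayName": "Microsoft Azure CLI", "status": {"errorCode": 0}},
    {"userPrincipalName": "cfo@example.com", "createdDateTime": "2026-04-07T11:20:00Z",
     "ipAddress": "203.0.113.30", "authenticationProtocol": "none",
     "appDisplayName": "Microsoft Graph", "status": {"errorCode": 0}},
]


def _ts(s):
    """Parse the UTC ISO-8601 timestamp format Graph returns."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def _ok(r):
    """True for a successful sign-in (errorCode 0 or absent)."""
    return r.get("status", {}).get("errorCode", 0) == 0


def device_code_signins(records, successful_only=True):
    """Return sign-ins completed through the OAuth device authorization grant."""
    hits = []
    for r in records:
        if r.get("authenticationProtocol") != "deviceCode":
            continue
        if successful_only and not _ok(r):
            continue
        hits.append(r)
    return hits


def follow_on_from_new_ip(records, window_hours=24):
    """For each successful device code grant, return later successful sign-ins by
    the same user, inside the window, from an IP that user had not used in any
    successful sign-in up to and including the grant. The grant itself carries the
    victim's IP (they typed the code in their own browser); token use by another
    party shows up afterwards from an address the user has never used."""
    by_user = defaultdict(list)
    for r in sorted(records, key=lambda r: r["createdDateTime"]):
        by_user[r["userPrincipalName"]].append(r)
    flagged = []
    for user, evts in by_user.items():
        for i, grant in enumerate(evts):
            if grant.get("authenticationProtocol") != "deviceCode" or not _ok(grant):
                continue
            t0 = _ts(grant["createdDateTime"])
            known_ips = {e["ipAddress"] for e in evts[: i + 1] if _ok(e)}
            for later in evts[i + 1:]:
                if not _ok(later):
                    continue
                if _ts(later["createdDateTime"]) - t0 > timedelta(hours=window_hours):
                    break  # events are time-sorted, nothing later is in the window
                if later["ipAddress"] not in known_ips:
                    flagged.append((user, grant["createdDateTime"],
                                    later["createdDateTime"], later["ipAddress"],
                                    later["appDisplayName"]))
    return flagged


if __name__ == "__main__":
    for r in device_code_signins(SAMPLE_SIGNINS):
        print("device code grant:", r["userPrincipalName"], r["createdDateTime"], r["ipAddress"])
    for hit in follow_on_from_new_ip(SAMPLE_SIGNINS):
        print("follow-on from new IP:", hit)
```

Run against a real export, `device_code_signins` is the broad net (every grant, so that an organisation that never uses device code flow can review the full list), and `follow_on_from_new_ip` is the narrower alert; the 24-hour window and the "never seen before" IP rule are assumptions chosen for the sample and should be tuned to the tenant's baseline. On the preventive side, Microsoft's Conditional Access "authentication flows" condition can block the device code flow outright for users and apps that have no business need for it, which removes the technique this advisory describes rather than only detecting it.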