In a rapidly escalating cybersecurity threat, hundreds of organizations are being compromised daily through a large-scale phishing campaign targeting Microsoft accounts. The attack uses artificial intelligence and automation across multiple stages to gain access to corporate emails and extract financial data.
According to Microsoft’s Vice President of security research, Tanmay Ganacharya, the campaign has been active since March 15, 2026. It involves 10 to 15 separate campaigns every 24 hours, each targeting hundreds of organizations with unique payloads, making detection more challenging. The attacks have impacted organizations worldwide across sectors, with no confirmed attribution, though similarities have been noted with tools linked to EvilTokens.
The campaign relies on an AI-driven phishing kit called EvilTokens, available as a service since mid-February. This tool allows attackers to bypass multi-factor authentication and silently access Microsoft 365 accounts. Its developers are also planning to extend support to Gmail and Okta environments.
Post-compromise activity shows a strong focus on finance-related roles. Attackers use automation to extract emails, while AI is used to create highly personalized phishing messages based on the target’s role. These messages often include themes such as invoices, proposals, and operational workflows.
A key weakness exploited in this campaign is device code authentication. This feature, designed for devices that cannot support standard login methods, requires the user to enter a short code on another device to complete authentication. Attackers misuse the process by sending phishing messages that contain such codes; when a victim enters one, they unknowingly authorize the attacker's session, allowing the attacker to bypass the usual sign-in protections.
The attack chain begins with reconnaissance, where attackers verify active email accounts using a Microsoft API. This step usually takes place 10 to 15 days before the phishing attempt. The campaign then progresses through phishing emails, automated redirects via compromised domains on platforms like Railway, Cloudflare Workers, DigitalOcean, and AWS Lambda, and finally leads victims to a fake interface resembling a legitimate Microsoft login page.
Once access is gained, attackers may create long-term access tokens, register new devices, extract sensitive data, or set up inbox rules to monitor and forward financial communications.
Microsoft has advised organizations to restrict device code authentication and train employees to identify suspicious login prompts and phishing messages.
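The two behaviours described above, device code sign-ins and newly created inbox rules that forward finance mail, are both visible in tenant telemetry. The following is an added detection example, not code from the article or from Microsoft; it runs over constructed sample records whose field names follow the Microsoft Entra sign-in log schema (`authenticationProtocol`) and the Exchange Online audit log for `New-InboxRule`, and then correlates the two signals per user.

```python
"""Flag device code sign-ins and forwarding inbox rules, then correlate them per user.
The log lines below are constructed sample data, not real telemetry."""
import json

# Constructed sign-in records (Entra sign-in log shape, assumed; JSON lines).
SIGNIN_LINES = """
{"userPrincipalName": "cfo@example.com", "authenticationProtocol": "deviceCode", "ipAddress": "203.0.113.10", "appDisplayName": "Microsoft Office"}
{"userPrincipalName": "dev@example.com", "authenticationProtocol": "oAuth2", "ipAddress": "198.51.100.5", "appDisplayName": "Visual Studio Code"}
""".strip().splitlines()

# Constructed Exchange Online audit records (assumed shape; JSON lines).
AUDIT_LINES = """
{"Operation": "New-InboxRule", "UserId": "cfo@example.com", "Parameters": [{"Name": "Name", "Value": "Invoices"}, {"Name": "ForwardTo", "Value": "mail@attacker.example"}, {"Name": "SubjectContainsWords", "Value": "invoice;payment"}]}
{"Operation": "New-InboxRule", "UserId": "dev@example.com", "Parameters": [{"Name": "Name", "Value": "Tidy"}, {"Name": "MoveToFolder", "Value": "Archive"}]}
""".strip().splitlines()

# Inbox rule parameters that send a copy of mail outside the mailbox.
FORWARDING_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"}


def device_code_signins(lines):
    """Return the users whose sign-in used the device code flow."""
    users = []
    for line in lines:
        rec = json.loads(line)
        if rec.get("authenticationProtocol") == "deviceCode":
            users.append(rec["userPrincipalName"])
    return users


def forwarding_rules(lines):
    """Return (user, destination) pairs for newly created rules that forward or redirect mail."""
    hits = []
    for line in lines:
        rec = json.loads(line)
        if rec.get("Operation") != "New-InboxRule":
            continue
        params = {p["Name"]: p["Value"] for p in rec.get("Parameters", [])}
        for name in sorted(FORWARDING_PARAMS & set(params)):
            hits.append((rec["UserId"], params[name]))
    return hits


def correlate(signin_lines, audit_lines):
    """Users who signed in via device code and also created a forwarding rule: escalate first."""
    dc_users = set(device_code_signins(signin_lines))
    return sorted({u for u, _ in forwarding_rules(audit_lines) if u in dc_users})


if __name__ == "__main__":
    print("device code sign-ins:", device_code_signins(SIGNIN_LINES))
    print("forwarding rules:", forwarding_rules(AUDIT_LINES))
    print("correlated users:", correlate(SIGNIN_LINES, AUDIT_LINES))
```

In a real tenant the same logic maps to a query over the sign-in and audit tables; a device code sign-in alone is often legitimate (CLI tools, smart displays), so the correlation with a new forwarding rule is what makes the alert worth paging on.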