Updated · Australia Cyber Security Magazine · May 20
ASD Warns Microsoft 365 Users of Device Code Phishing as 7 Variants Emerge in 10 Days
Australian users are being actively targeted in device code phishing attacks, prompting the ASD to warn Microsoft 365 customers that attackers can steal authentication tokens through Microsoft’s legitimate device login flow.
Proofpoint linked the rise to criminal toolkits released in late 2025 and newer phishing-as-a-service offerings that now generate device codes on demand when a victim clicks, avoiding the expiry problem of older campaigns.
Around seven near-identical variants were observed in a 10-day window in April, and Proofpoint said actor TA4903 shifted to the technique in March before using HR-themed QR-code lures to mimic DocuSign and Microsoft pages.
EvilTokens—advertised on Telegram in February 2026—and Tycoon were cited as key services helping affiliates scale compromised Microsoft 365 accounts for business email compromise, while some AiTM operators also pivoted to device code phishing.
Proofpoint urged defenders to block device code flow where possible with Conditional Access, restrict approved users or IP ranges where blocking is impractical, and update training because victims are sent to a trusted Microsoft portal.
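Where device code flow is restricted to approved users or IP ranges rather than blocked, sign-in logs can be reviewed for device code authentications that fall outside those limits. The following is an added example, not code from the article or from Proofpoint; the log records, allowlists and function name are constructed for illustration, and it assumes the log export carries the `authenticationProtocol` field.

```python
import ipaddress
import json

# Constructed sample records (not real telemetry), one JSON object per line.
# Field names follow the Entra ID sign-in log schema; that the export carries
# authenticationProtocol is an assumption of this example.
SAMPLE_LOG = """\
{"userPrincipalName":"kiosk-svc@example.com","ipAddress":"203.0.113.10","authenticationProtocol":"deviceCode"}
{"userPrincipalName":"alice@example.com","ipAddress":"198.51.100.7","authenticationProtocol":"deviceCode"}
{"userPrincipalName":"kiosk-svc@example.com","ipAddress":"198.51.100.99","authenticationProtocol":"deviceCode"}
{"userPrincipalName":"bob@example.com","ipAddress":"198.51.100.7","authenticationProtocol":"oAuth2"}
{"userPrincipalName":"carol@example.com","ipAddress":"203.0.113.44","authenticationProtocol":"deviceCode"}
"""

# Hypothetical allowlists: accounts and networks approved for device code flow.
APPROVED_USERS = {"kiosk-svc@example.com"}
APPROVED_NETS = [ipaddress.ip_network("203.0.113.0/24")]


def review_device_code_signins(log_text, approved_users, approved_nets):
    """Return (line_no, user, reasons) for device code sign-ins outside policy."""
    findings = []
    for line_no, line in enumerate(log_text.splitlines(), 1):
        if not line.strip():
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            findings.append((line_no, None, ["unparseable record"]))
            continue
        if str(rec.get("authenticationProtocol") or "").lower() != "devicecode":
            continue  # only the device code grant is in scope
        user = str(rec.get("userPrincipalName") or "").lower()
        reasons = []
        if user not in approved_users:
            reasons.append("user not approved for device code flow")
        try:
            ip = ipaddress.ip_address(str(rec.get("ipAddress") or ""))
            if not any(ip in net for net in approved_nets):
                reasons.append("source IP outside approved ranges")
        except ValueError:
            reasons.append("missing or invalid source IP")
        if reasons:
            findings.append((line_no, user, reasons))
    return findings


if __name__ == "__main__":
    for finding in review_device_code_signins(SAMPLE_LOG, APPROVED_USERS, APPROVED_NETS):
        print(finding)
```

A finding for an approved account from an unapproved network is worth the same attention as one for an unapproved account, since the sign-in itself completes on the legitimate Microsoft portal.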
The Rise of Device Code Phishing: How AI and Phishing-as-a-Service Are Fueling a 74% Cloud Account Compromise Rate
Overview
Device code phishing is a fast-growing cybersecurity threat that uses social engineering to trick users into entering attacker-provided codes on Microsoft’s legitimate device login page. This allows attackers to obtain valid authentication tokens and gain unauthorized access to Microsoft 365 accounts. The method, used by threat actors since at least 2020, has surged in recent years, posing an immediate danger to organizations and individuals. Its effectiveness comes from exploiting trusted authentication processes, making it hard for users to detect. As these attacks escalate, heightened vigilance and robust security practices are essential for defense.