Inside an AI‑enabled device code phishing campaign
ID: 6fd15219-63c2-5f59-9aed-40e2143d470f
STIX ID: report--6fd15219-63c2-5f59-9aed-40e2143d470f
Feed Name: Microsoft Security
Date Published: 2026-04-06
Date Updated: 2026-04-28
Author: Microsoft Defender Security Research Team
Microsoft Defender observed a large-scale, automated device-code phishing campaign (EvilToken Phishing-as-a-Service). The campaign uses cloud PaaS, dynamic device-code generation at click time, clipboard manipulation, and backend polling to bypass the 15-minute device-code window and MFA, resulting in access-token theft, targeted reconnaissance via Microsoft Graph, device registration for persistence, and email exfiltration. The report provides IOCs, advanced hunting queries, and mitigation recommendations.
