Hundreds of orgs compromised daily in Microsoft device code phishing attacks

Hundreds of organizations have been compromised daily by a Microsoft device-code phishing campaign that uses AI and automation at nearly every stage of the attack chain to ultimately snoop through corporate email inboxes and steal financial data.

"Since March 15, 2026, we have observed 10 to 15 distinct campaigns launching every 24 hours," Microsoft VP of security research Tanmay Ganacharya told The Register. 

"Each campaign is distributed at scale, targeting hundreds of organizations with highly varied and unique payloads, making pattern-based detection more challenging," Ganacharya said. "We continue to observe high-volume activity, with hundreds of compromises occurring daily across affected environments."

The attackers have targeted organizations across all sectors and globally, he told us. And while the phishing expedition hasn't been attributed to a particular crew, its tooling and infrastructure share similarities with EvilTokens. 

EvilTokens is a new Microsoft device-code phishing kit that has been sold as a service ...