Microsoft Users Face Rising Security Threats from Phishing and Hacking

Microsoft users are at risk from device code phishing attacks and a major Windows 0-day exploit. Additionally, authorities have disrupted DNS hijacks used to steal Microsoft 365 logins. Microsoft's handling of the Windows exploit has drawn criticism of its vulnerability response process.

Microsoft users are facing a surge of AI-enabled device code phishing attacks, with hundreds of organizations compromised daily across five countries via OAuth abuse. Threat actors are leveraging generative AI to craft highly targeted phishing emails aligned to the victim's role, including themes such as invoices, RFPs, and manufacturing workflows, while automated redirect chains through platforms like Cloudflare Workers and AWS Lambda help bypass security filters.

The EvilTokens phishing-as-a-service platform, active since February 2026, is fueling the campaign's scale by providing a turnkey device code phishing kit sold under a subscription model. Post-compromise activity shows a consistent focus on finance-related accounts, with automated email exfiltration and inbox forwarding rules established within minutes of a successful token hijack. In some cases, attackers registered new devices within 10 minutes to generate persistent refresh tokens for long-term account access.
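The post-compromise pattern described above lends itself to a simple correlation rule: a device code sign-in followed shortly by an external forwarding rule or a new device registration for the same account. The sketch below is an added example, not code from the article or from Microsoft; the event types and field names are constructed for illustration and do not match a real Entra ID or Microsoft 365 log schema, and the 10-minute window is the figure the article gives.

```python
from datetime import datetime, timedelta

# Constructed, simplified events. Field names and event types are assumptions
# for illustration, not a real Entra ID or Microsoft 365 audit log schema.
EVENTS = [
    {"time": "2026-03-02T09:00:05", "user": "ap.clerk@example.com", "type": "signin", "flow": "device_code"},
    {"time": "2026-03-02T09:03:40", "user": "ap.clerk@example.com", "type": "inbox_rule_created", "forwards_external": True},
    {"time": "2026-03-02T09:08:12", "user": "ap.clerk@example.com", "type": "device_registered"},
    {"time": "2026-03-02T10:15:00", "user": "dev@example.com", "type": "signin", "flow": "device_code"},
    {"time": "2026-03-02T11:30:00", "user": "dev@example.com", "type": "device_registered"},
    {"time": "2026-03-02T12:00:00", "user": "hr@example.com", "type": "signin", "flow": "browser"},
    {"time": "2026-03-02T12:01:00", "user": "hr@example.com", "type": "inbox_rule_created", "forwards_external": True},
]

WINDOW = timedelta(minutes=10)  # follow-up window taken from the article


def is_followup(event):
    """Post-sign-in actions the article describes: forwarding rule or new device."""
    if event["type"] == "inbox_rule_created":
        return event.get("forwards_external", False)
    return event["type"] == "device_registered"


def correlate(events, window=WINDOW):
    """Return alerts for device code sign-ins followed by a follow-up action in the window."""
    # Sorting by (user, ISO timestamp) keeps each user's events contiguous and in time order.
    ordered = sorted(events, key=lambda e: (e["user"], e["time"]))
    parsed = [dict(e, ts=datetime.fromisoformat(e["time"])) for e in ordered]
    alerts = []
    for i, ev in enumerate(parsed):
        if ev["type"] != "signin" or ev.get("flow") != "device_code":
            continue
        hits = []
        for later in parsed[i + 1:]:
            if later["user"] != ev["user"] or later["ts"] - ev["ts"] > window:
                break  # next user reached, or outside the correlation window
            if is_followup(later):
                hits.append(later["type"])
        if hits:
            alerts.append({"user": ev["user"], "signin": ev["time"], "followups": hits})
    return alerts


if __name__ == "__main__":
    for alert in correlate(EVENTS):
        print(alert)
```

Only the first account alerts: the second registers a device well outside the window, and the third creates a forwarding rule after an ordinary browser sign-in rather than a device code flow.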

In a parallel development, cybersecurity authorities disrupted a series of DNS hijacking operations specifically targeting Microsoft 365 login credentials. The multi-vector threat landscape is compounding pressure on enterprise IT teams already managing phishing defenses.

A security researcher published an exploit for a Windows 0-day affecting an estimated 1 billion users after Microsoft delayed issuing a patch. The public disclosure has drawn criticism of Microsoft's vulnerability response process and sparked debate about responsible disclosure timelines. Microsoft has since issued guidance and strengthened its Entra ID device code authentication controls in response to the broader campaign.
