    CyberNexora News

    Microsoft Warns of Daily Breaches in AI-Driven Device Code Phishing Campaign

    By Zeel_Cyberexpert | April 9, 2026 | Updated: April 9, 2026 | 4 Mins Read

    Microsoft has issued a warning about an ongoing large-scale phishing campaign that is compromising hundreds of organizations every day. The campaign uses advanced automation and artificial intelligence to target corporate email accounts, particularly those running on Microsoft 365.

    According to Microsoft’s security research team, the activity has been active since mid-March 2026 and continues to evolve, with attackers launching multiple campaigns daily. The scale and sophistication of the operation have raised concerns across the cybersecurity community.

    Daily Campaigns Targeting Organizations Globally

    Security researchers report that between 10 and 15 phishing campaigns are being launched every 24 hours, each targeting hundreds of organizations worldwide. These attacks are not limited to a single industry, affecting a wide range of sectors including finance, corporate enterprises, and service-based organizations.

    What makes this campaign particularly challenging to detect is the use of varied payloads and constantly changing attack patterns. Each campaign appears slightly different, reducing the effectiveness of traditional detection systems.

    Use of AI in Phishing Attacks

    A key feature of this campaign is the integration of artificial intelligence in multiple stages of the attack chain. Attackers are using AI to generate highly personalized phishing messages that align with the target’s role within an organization.

    These messages often include themes related to invoices, proposals, and business operations, making them appear legitimate. The use of AI significantly increases the success rate of phishing attempts by making them more convincing and harder to identify.

    Exploitation of Device Code Authentication

    The attackers are exploiting a lesser-known authentication mechanism called device code authentication. It is typically used by devices that cannot support a standard login interface.

    In a legitimate scenario, a user is shown a short code on one device and asked to enter it on another device to complete the login process. However, attackers are manipulating this workflow by sending phishing messages that trick users into entering these codes on official login pages.

    Once the code is entered, the attacker gains access to the account without needing the user’s password or traditional multi-factor authentication.

    Bypassing Multi-Factor Authentication

    The campaign leverages tools such as phishing kits that are capable of bypassing multi-factor authentication (MFA). This represents a significant escalation in threat capability, as MFA has long been considered a critical layer of defense against unauthorized access.

    By exploiting the device code authentication process, attackers are able to obtain valid access tokens, effectively bypassing security controls and gaining full access to user accounts.

    Structured Attack Chain

    The campaign follows a structured and multi-stage attack process. It begins with reconnaissance, where attackers verify whether targeted email accounts are active. This phase can occur days or even weeks before the actual phishing attempt.

    Following reconnaissance, phishing emails are sent containing links or attachments. Victims are then redirected through multiple stages, often involving compromised domains hosted on cloud platforms.

    The final stage presents a legitimate-looking login interface, prompting the user to enter a device code. Once completed, authentication tokens are transmitted to attacker-controlled systems.

    Post-Compromise Activities

    After gaining access, attackers focus on extracting valuable information, particularly from accounts associated with finance-related roles. This includes accessing emails, monitoring transactions, and identifying opportunities for financial fraud.

    In some cases, attackers establish persistence by registering new devices or generating long-term access tokens. They may also create inbox rules to automatically forward sensitive communications, allowing them to maintain ongoing surveillance without detection.
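A defender can hunt for the sequence described above by correlating device code sign-ins with the persistence actions that follow them. The sketch below is an added example, not Microsoft's detection logic or code from the original article; the event schema, field names, sample records and the four-hour window are constructed assumptions to be mapped onto your own sign-in and audit log exports.

```python
from datetime import datetime, timedelta

# Constructed sample events in a simplified, hypothetical schema.
SIGNINS = [
    {"user": "ap.clerk@example.com", "time": "2026-04-02T09:14:00",
     "protocol": "deviceCode", "ip": "203.0.113.50"},
    {"user": "dev.kiosk@example.com", "time": "2026-04-02T10:00:00",
     "protocol": "deviceCode", "ip": "198.51.100.7"},
    {"user": "hr.lead@example.com", "time": "2026-04-02T11:30:00",
     "protocol": "none", "ip": "198.51.100.9"},
]
AUDIT = [
    {"user": "ap.clerk@example.com", "time": "2026-04-02T09:31:00",
     "action": "New-InboxRule", "detail": {"ForwardTo": "collector@external.example"}},
    {"user": "ap.clerk@example.com", "time": "2026-04-02T09:40:00",
     "action": "Register device", "detail": {}},
    {"user": "hr.lead@example.com", "time": "2026-04-02T11:45:00",
     "action": "New-InboxRule", "detail": {"MoveToFolder": "Archive"}},
    {"user": "dev.kiosk@example.com", "time": "2026-04-03T10:00:00",
     "action": "Register device", "detail": {}},
]

FORWARD_KEYS = {"ForwardTo", "RedirectTo", "ForwardAsAttachmentTo"}
WINDOW = timedelta(hours=4)  # assumed correlation window; tune per environment

def is_persistence(event):
    """True for a device registration or an inbox rule that forwards mail."""
    if event["action"] == "Register device":
        return True
    if event["action"] in ("New-InboxRule", "Set-InboxRule"):
        return bool(FORWARD_KEYS & event["detail"].keys())
    return False

def correlate(signins, audit, window=WINDOW):
    """Flag every device code sign-in; raise severity if persistence follows."""
    findings = []
    for s in signins:
        if s["protocol"] != "deviceCode":
            continue
        start = datetime.fromisoformat(s["time"])
        hits = [a["action"] for a in audit
                if a["user"] == s["user"] and is_persistence(a)
                and start <= datetime.fromisoformat(a["time"]) <= start + window]
        findings.append({"user": s["user"], "ip": s["ip"], "followed_by": hits,
                         "severity": "high" if hits else "review"})
    return findings

if __name__ == "__main__":
    for finding in correlate(SIGNINS, AUDIT):
        print(finding)
```

Device code sign-ins with no follow-on activity are still returned at "review" severity, since in most tenants only a small set of accounts should ever use this flow.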

    Global Impact and Risk Assessment

    The scale of the campaign is significant, with hundreds of organizations reportedly being compromised each day. The global reach and automated nature of the attacks indicate a high level of coordination and resource investment.

    The use of AI and automation has lowered the barrier for executing complex attacks, enabling threat actors to operate at scale while maintaining effectiveness. This trend is expected to continue as attackers adopt more advanced technologies.

    Microsoft’s Response and Recommendations

    Microsoft has advised organizations to take immediate steps to mitigate the risk associated with this campaign. Recommendations include limiting the use of device code authentication where possible and enhancing user awareness around phishing threats.

    Organizations are also encouraged to monitor login activity, implement conditional access policies, and train employees to recognize suspicious login prompts and external messages.
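To check whether a tenant actually restricts device code authentication through conditional access, exported policies can be audited for an enforced block on that flow. This is an added example, not part of the original article or Microsoft's guidance; it assumes policies exported in the Microsoft Graph `conditionalAccessPolicy` JSON shape, and the policy names and group identifier are constructed.

```python
# Constructed export; key names follow the Microsoft Graph conditionalAccessPolicy shape.
POLICIES = [
    {"displayName": "Block device code flow", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"],
                              "excludeGroups": ["grp-meeting-room-devices"]},
                    "authenticationFlows": {"transferMethods": "deviceCodeFlow"}},
     "grantControls": {"builtInControls": ["block"]}},
    {"displayName": "Block device code flow (pilot)",
     "state": "enabledForReportingButNotEnforced",
     "conditions": {"users": {"includeUsers": ["All"]},
                    "authenticationFlows": {
                        "transferMethods": "deviceCodeFlow,authenticationTransfer"}},
     "grantControls": {"builtInControls": ["block"]}},
    {"displayName": "Require MFA for all users", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"]}},
     "grantControls": {"builtInControls": ["mfa"]}},
]

def blocks_device_code(policy):
    """True if the policy targets the device code flow and its grant is 'block'."""
    flows = policy.get("conditions", {}).get("authenticationFlows") or {}
    methods = flows.get("transferMethods") or ""
    if isinstance(methods, str):  # flags may arrive as one comma-separated string
        methods = [m.strip() for m in methods.split(",")]
    controls = (policy.get("grantControls") or {}).get("builtInControls") or []
    return "deviceCodeFlow" in methods and "block" in controls

def audit_policies(policies):
    """Separate enforced blocks from report-only ones and list exclusion gaps."""
    report = {"enforced": [], "not_enforced": [], "exclusions": [], "tenant_wide": False}
    for p in policies:
        if not blocks_device_code(p):
            continue
        if p.get("state") != "enabled":  # disabled or report-only: no protection
            report["not_enforced"].append(p["displayName"])
            continue
        users = p["conditions"].get("users", {})
        report["enforced"].append(p["displayName"])
        report["tenant_wide"] |= "All" in users.get("includeUsers", [])
        for key in ("excludeUsers", "excludeGroups"):
            report["exclusions"].extend(users.get(key, []))
    return report

if __name__ == "__main__":
    print(audit_policies(POLICIES))
```

Every entry under `exclusions` is an account population that can still complete a device code sign-in, so those are the identities to prioritize in sign-in monitoring.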

    The ongoing device code phishing campaign represents a significant evolution in cyber threats, combining AI-driven techniques with advanced authentication bypass methods. The ability to compromise accounts at scale while evading traditional defenses highlights the growing complexity of modern cyberattacks.

    As organizations continue to rely on cloud-based platforms, strengthening authentication mechanisms and improving user awareness will be essential in defending against such threats. The campaign serves as a clear reminder that even trusted authentication processes can be exploited if not properly secured.
