Key Points
- Over 50,000 device code phishing campaigns observed since March 2026, representing rapid large-scale adoption of OAuth abuse technique
- EvilTokens Phishing-as-a-Service (PhaaS) toolkit enables low-skill threat actors to automate Microsoft 365 account compromise via legitimate OAuth device authorization flow
- Lures impersonate DocuSign, Microsoft, and Mimecast device enrolment workflows, all of them trusted business processes that users expect to complete
- The attack sidesteps multi-factor authentication (MFA) rather than breaking it: the victim signs in and completes MFA on Microsoft's genuine login page, and the resulting OAuth tokens are issued to the attacker's client, so no password or MFA prompt ever has to be intercepted
Campaign Overview
The Mimecast Threat Research team has identified a significant surge in OAuth device code phishing campaigns targeting Microsoft 365 users across all regions and industries. Since March 2026, over 50,000 malicious email campaigns have exploited Microsoft's legitimate OAuth 2.0 device authorization flow (RFC 8628), a mechanism designed for input-constrained devices such as smart TVs and IoT equipment that cannot show a browser login, to obtain authentication tokens and compromise cloud-based accounts. In this flow the attacker starts the authorization, sends the victim the short user code, and polls the token endpoint; once the victim enters the code and signs in on Microsoft's own page, Microsoft hands the attacker's client genuine tokens for the victim's account.
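The exchange above, walked through end to end as an added example (this is not Mimecast's or Microsoft's code). An in-memory AuthorizationServer stands in for the identity provider's /devicecode and /token endpoints, following RFC 8628 semantics; the hostname, client_id, scopes and the "subject" field in the token response are placeholders, and nothing touches the network. The point it shows is that the party who started the flow, not the person who typed the code, is the one the tokens come back to.

```python
"""Simulated OAuth 2.0 device authorization grant (RFC 8628).

Added example, not code from Mimecast or Microsoft. AuthorizationServer is an
in-memory stand-in for the identity provider's /devicecode and /token
endpoints; hostname, client_id and scopes are placeholders and nothing here
talks to the network.
"""
import secrets
import string
from dataclasses import dataclass
from typing import Dict, Optional

DEVICE_CODE_GRANT = "urn:ietf:params:oauth:grant-type:device_code"  # RFC 8628 grant type


@dataclass
class PendingAuthorization:
    device_code: str        # held only by the party that started the flow
    user_code: str          # the short code the victim is lured into entering
    client_id: str
    scope: str
    expires_at: float
    interval: int = 5       # minimum seconds between token polls
    last_poll: float = 0.0
    approved_by: Optional[str] = None   # set once a user signs in (MFA included) with user_code


class AuthorizationServer:
    def __init__(self, lifetime: int = 900):
        self.lifetime = lifetime
        self.pending: Dict[str, PendingAuthorization] = {}       # device_code -> record
        self.by_user_code: Dict[str, PendingAuthorization] = {}  # user_code -> record

    def device_authorization(self, client_id: str, scope: str, now: float) -> dict:
        """POST /devicecode. No client secret is needed: a public client_id and a scope suffice."""
        alphabet = string.ascii_uppercase + string.digits
        rec = PendingAuthorization(
            device_code=secrets.token_urlsafe(32),
            user_code="".join(secrets.choice(alphabet) for _ in range(8)),
            client_id=client_id,
            scope=scope,
            expires_at=now + self.lifetime,
        )
        self.pending[rec.device_code] = rec
        self.by_user_code[rec.user_code] = rec
        return {
            "device_code": rec.device_code,
            "user_code": rec.user_code,
            "verification_uri": "https://idp.example/device",  # placeholder host
            "expires_in": self.lifetime,
            "interval": rec.interval,
        }

    def user_approves(self, user_code: str, username: str, mfa_passed: bool, now: float) -> bool:
        """The genuine sign-in page: the user types user_code, authenticates and passes MFA.
        Nothing on that page tells the user who will receive the resulting token."""
        rec = self.by_user_code.get(user_code)
        if rec is None or now >= rec.expires_at or not mfa_passed:
            return False
        rec.approved_by = username
        return True

    def token(self, client_id: str, device_code: str, grant_type: str, now: float) -> dict:
        """POST /token, polled by whoever holds device_code (in a phish, the attacker)."""
        rec = self.pending.get(device_code)
        if grant_type != DEVICE_CODE_GRANT or rec is None or rec.client_id != client_id:
            return {"error": "invalid_grant"}
        if now >= rec.expires_at:
            self._forget(rec)
            return {"error": "expired_token"}
        if now - rec.last_poll < rec.interval:
            return {"error": "slow_down"}
        rec.last_poll = now
        if rec.approved_by is None:
            return {"error": "authorization_pending"}
        self._forget(rec)
        return {
            "token_type": "Bearer",
            "access_token": secrets.token_urlsafe(32),
            "refresh_token": secrets.token_urlsafe(32),  # long-lived; outlives the victim's visit
            "scope": rec.scope,
            "subject": rec.approved_by,  # illustrative only; real responses carry this inside the tokens
        }

    def _forget(self, rec: PendingAuthorization) -> None:
        self.pending.pop(rec.device_code, None)
        self.by_user_code.pop(rec.user_code, None)


def run_phish(idp: AuthorizationServer, victim: str, victim_completes_signin: bool) -> dict:
    """Walk one campaign end to end and return what the attacker ends up holding."""
    t0 = 1_000_000.0
    start = idp.device_authorization("public-client-id", "openid offline_access Mail.Read", now=t0)
    # The lure goes out here: "enter code {user_code} at {verification_uri} to enrol your device".
    first_poll = idp.token("public-client-id", start["device_code"], DEVICE_CODE_GRANT, now=t0 + 5)
    approved = False
    if victim_completes_signin:
        approved = idp.user_approves(start["user_code"], victim, mfa_passed=True, now=t0 + 60)
    final = idp.token("public-client-id", start["device_code"], DEVICE_CODE_GRANT, now=t0 + 65)
    return {"user_code": start["user_code"], "first_poll": first_poll, "approved": approved, "final": final}


if __name__ == "__main__":
    result = run_phish(AuthorizationServer(), "victim@contoso.example", victim_completes_signin=True)
    print(result["first_poll"], "->", result["final"].get("subject"))
```

Note what the victim never sees: the attacker's poll gets `authorization_pending` until the victim finishes signing in, then the very next poll returns an access token and a refresh token for the victim's account. The victim's own browser session ends with a "you're signed in on your device" style message and no token at all. The server-side rate limiting (`slow_down`) and the code lifetime are the only friction the flow itself provides, which is why the lure has to get the victim to act within the window.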
The accessibility of the attack has been amplified by the emergence of EvilTokens, a Phishing-as-a-Service (PhaaS) toolkit sold on Telegram that automates the entire attack chain. EvilTokens incorporates AI-generated social engineering content, enabling even low-skill attackers to conduct convincing brand impersonation campaigns at scale.
Mimecast Device Enrolment Impersonation
The latest campaigns using this technique have begun impersonating Mimecast's own device enrolment process, exploiting the legitimate security workflow customers use to access protected content.
Recipients receive emails claiming to contain protected documents or links requiring Mimecast device enrolment. When victims click the link, they encounter a page visually identical to Mimecast's device enrolment interface.
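Whatever brand the lure borrows, the sign-in it produces lands in the tenant's logs as a device-code authentication, which is the durable signal to hunt on. The triage below is an added example, not Mimecast's or Microsoft's code. Field names follow the shape of Microsoft Entra sign-in log exports as I understand them (userPrincipalName, ipAddress, authenticationProtocol with the value "deviceCode", location.countryOrRegion, createdDateTime); treat that schema as an assumption and map your own export onto it. Every log line in SAMPLE_LOG is constructed for the example.

```python
"""Triage device-code sign-ins against each user's recent interactive baseline.

Added example, not Mimecast or Microsoft code. Field names follow the shape of
Microsoft Entra sign-in log exports as understood by the author of this
example; treat that schema as an assumption. All log lines are constructed.
"""
import json
from datetime import datetime, timedelta

# Constructed sample, one JSON record per line (the export shape is an assumption).
SAMPLE_LOG = """\
{"createdDateTime":"2026-03-02T08:01:00Z","userPrincipalName":"alice@contoso.example","ipAddress":"203.0.113.10","authenticationProtocol":"oAuth2","appDisplayName":"Mail client","location":{"countryOrRegion":"GB"}}
{"createdDateTime":"2026-03-03T09:15:00Z","userPrincipalName":"alice@contoso.example","ipAddress":"203.0.113.10","authenticationProtocol":"oAuth2","appDisplayName":"Chat client","location":{"countryOrRegion":"GB"}}
{"createdDateTime":"2026-03-04T10:30:00Z","userPrincipalName":"alice@contoso.example","ipAddress":"198.51.100.77","authenticationProtocol":"deviceCode","appDisplayName":"Mail client","location":{"countryOrRegion":"NL"}}
{"createdDateTime":"2026-03-04T09:00:00Z","userPrincipalName":"bob@contoso.example","ipAddress":"192.0.2.5","authenticationProtocol":"oAuth2","appDisplayName":"Mail client","location":{"countryOrRegion":"GB"}}
{"createdDateTime":"2026-03-04T11:00:00Z","userPrincipalName":"bob@contoso.example","ipAddress":"192.0.2.5","authenticationProtocol":"deviceCode","appDisplayName":"Cloud CLI","location":{"countryOrRegion":"GB"}}
{"createdDateTime":"2026-03-04T12:00:00Z","userPrincipalName":"carol@contoso.example","ipAddress":"198.51.100.9","authenticationProtocol":"deviceCode","appDisplayName":"Mail client","location":{"countryOrRegion":"GB"}}
{"createdDateTime":"2026-03-05T08:00:00Z","userPrincipalName":"carol@contoso.example","ipAddress":"198.51.100.9","authenticationProtocol":"oAuth2","appDisplayName":"Mail client","location":{"countryOrRegion":"GB"}}
"""

DEVICE_CODE = "deviceCode"


def parse_signins(text: str) -> list:
    """One dict per non-empty JSON line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def _ts(rec: dict) -> datetime:
    # fromisoformat() only accepts a trailing 'Z' on Python 3.11+, so normalise it.
    return datetime.fromisoformat(rec["createdDateTime"].replace("Z", "+00:00"))


def triage_device_code(records: list, baseline_days: int = 30) -> list:
    """One finding per device-code sign-in. Severity rises as the event departs from the
    same user's non-device-code sign-ins in the preceding baseline window; later sign-ins
    are deliberately not part of the baseline (an attacker can create those too)."""
    findings = []
    for rec in records:
        if rec.get("authenticationProtocol") != DEVICE_CODE:
            continue
        t = _ts(rec)
        window_start = t - timedelta(days=baseline_days)
        baseline = [
            r for r in records
            if r["userPrincipalName"] == rec["userPrincipalName"]
            and r.get("authenticationProtocol") != DEVICE_CODE
            and window_start <= _ts(r) <= t
        ]
        known_ips = {r["ipAddress"] for r in baseline}
        known_countries = {r["location"]["countryOrRegion"] for r in baseline}
        country = rec["location"]["countryOrRegion"]
        reasons = ["device code flow used"]  # rare enough in most tenants to review on its own
        if not baseline:
            severity = "medium"
            reasons.append("no recent non-device-code baseline for user")
        elif country not in known_countries:
            severity = "high"
            reasons.append(f"country {country} not in baseline {sorted(known_countries)}")
        elif rec["ipAddress"] not in known_ips:
            severity = "medium"
            reasons.append(f"ip {rec['ipAddress']} not in baseline")
        else:
            severity = "low"
        findings.append({
            "user": rec["userPrincipalName"],
            "time": rec["createdDateTime"],
            "app": rec.get("appDisplayName"),
            "ip": rec["ipAddress"],
            "severity": severity,
            "reasons": reasons,
        })
    return findings


if __name__ == "__main__":
    for f in triage_device_code(parse_signins(SAMPLE_LOG)):
        print(f["severity"].upper(), f["user"], f["app"], "; ".join(f["reasons"]))
```

On the constructed sample this rates alice's device-code sign-in from a new country as high, bob's from his usual IP as low (still listed, because the flow itself is unusual for most users), and carol's as medium because her only interactive sign-in comes after the event and so does not count as baseline. Beyond detection, Microsoft Entra Conditional Access has an "Authentication flows" condition that can block the device code flow outright or for everyone except the accounts that genuinely need it; tenants that use it remove the technique rather than just spotting it.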
Thank you for reading,
Hiwot