AI‑Enabled Device Code Phishing Campaign Scales Credential Compromise Across Enterprise SaaS Users
What Happened — Microsoft’s security research team uncovered a phishing operation that leverages generative AI to produce valid device‑code authentication tokens on demand. By automating the OAuth 2.0 device‑code flow, attackers can bypass multi‑factor authentication (MFA) and maintain long‑term access to compromised accounts. The campaign is being run at scale, targeting users of Microsoft Azure AD and other SaaS platforms that support the device‑code grant.
Why It Matters for TPRM —
- AI‑driven token generation dramatically raises the success rate of credential‑theft attacks, expanding the attack surface of any third party that relies on Azure AD for identity.
- Persistent, MFA‑bypassed access enables data exfiltration, ransomware staging, or supply‑chain abuse without immediate detection.
- The automated nature of the campaign means a single compromised vendor can expose dozens of downstream customers.
Who Is Affected — Cloud‑based SaaS providers, enterprises using Azure AD or Microsoft 365, managed service providers (MSPs) that federate identities, and any organization that integrates third‑party applications via the device‑code flow.
Recommended Actions —
- Review all integrations that use the OAuth 2.0 device‑code grant; consider disabling it where not required.
- Enforce conditional access policies that block sign‑ins from unknown devices or locations, even when MFA is satisfied.
- Deploy phishing‑awareness training that covers AI‑generated lures, and run simulated device‑code phishing exercises.
- Verify that identity‑provider logs capture device‑code requests and monitor for anomalous token issuance patterns.
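The last recommendation above, monitoring identity‑provider logs for anomalous device‑code token issuance, can be turned into a concrete check. The following Python script is an added example written for this briefing; it is not code from Microsoft or from the original page. It runs over a handful of constructed sign‑in records whose field names mirror the Microsoft Graph signIn resource (authenticationProtocol, ipAddress, location, status), but the records, the application allowlist and the per‑user country baseline are all made‑up inputs for illustration. It flags successful device‑code sign‑ins that (a) come from an application not on the organisation's allowlist, (b) are issued from a country outside the user's baseline, or (c) share a source IP with device‑code sign‑ins for several other accounts inside a short window, the pattern that distinguishes a scaled campaign from one‑off use of a CLI tool.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical allowlist of applications for which the device-code grant is expected;
# an organisation fills this from its integration review (recommended action 1 above).
EXPECTED_DEVICE_CODE_APPS = {"Azure CLI"}

# Hypothetical per-user baseline of countries seen in prior interactive sign-ins.
KNOWN_COUNTRIES = {
    "alice@example.com": {"US"},
    "bob@example.com": {"US"},
    "carol@example.com": {"NL"},
    "dave@example.com": {"US"},
}


def _rec(ts, upn, app, proto, ip, country, error=0):
    """Build one constructed sign-in record shaped like the Graph signIn resource."""
    return {"createdDateTime": ts, "userPrincipalName": upn, "appDisplayName": app,
            "authenticationProtocol": proto, "ipAddress": ip,
            "location": {"countryOrRegion": country}, "status": {"errorCode": error}}


# Constructed sample data: three accounts granted device-code tokens from one IP within
# minutes, one legitimate Azure CLI sign-in, one browser sign-in, and one failed attempt.
SAMPLE_SIGNINS = [
    _rec("2024-05-01T09:00:10Z", "alice@example.com", "Microsoft Office", "deviceCode", "203.0.113.7", "NL"),
    _rec("2024-05-01T09:04:22Z", "bob@example.com",   "Microsoft Office", "deviceCode", "203.0.113.7", "NL"),
    _rec("2024-05-01T09:11:05Z", "carol@example.com", "Microsoft Office", "deviceCode", "203.0.113.7", "NL"),
    _rec("2024-05-01T10:30:00Z", "dave@example.com",  "Azure CLI",        "deviceCode", "198.51.100.24", "US"),
    _rec("2024-05-01T10:45:00Z", "erin@example.com",  "Microsoft Office", "oAuth2",     "198.51.100.30", "US"),
    _rec("2024-05-01T11:00:00Z", "frank@example.com", "Microsoft Office", "deviceCode", "192.0.2.9", "US", error=50126),
]


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def device_code_signins(records):
    """Successful sign-ins that obtained tokens through the device-code grant."""
    return [r for r in records
            if r["authenticationProtocol"] == "deviceCode" and r["status"]["errorCode"] == 0]


def shared_source_ips(records, min_users=3, window=timedelta(minutes=30)):
    """IPs from which at least `min_users` distinct accounts completed device-code
    sign-ins inside any interval of length `window`."""
    by_ip = defaultdict(list)
    for r in records:
        by_ip[r["ipAddress"]].append((parse_ts(r["createdDateTime"]), r["userPrincipalName"]))
    flagged = set()
    for ip, events in by_ip.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            users = {upn for ts, upn in events[i:] if ts - start <= window}
            if len(users) >= min_users:
                flagged.add(ip)
                break
    return flagged


def find_suspicious(records, known_countries=KNOWN_COUNTRIES,
                    expected_apps=EXPECTED_DEVICE_CODE_APPS):
    """Return one finding per suspicious device-code sign-in, with the reasons it tripped."""
    successes = device_code_signins(records)
    bulk_ips = shared_source_ips(successes)
    findings = []
    for r in successes:
        upn, ip = r["userPrincipalName"], r["ipAddress"]
        reasons = []
        if r["appDisplayName"] not in expected_apps:
            reasons.append("device-code grant used by an application not on the allowlist")
        if r["location"]["countryOrRegion"] not in known_countries.get(upn, set()):
            reasons.append("token issued from a country outside the user's baseline")
        if ip in bulk_ips:
            reasons.append("source IP completed device-code sign-ins for multiple accounts")
        if reasons:
            findings.append({"user": upn, "ip": ip, "time": r["createdDateTime"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_suspicious(SAMPLE_SIGNINS):
        print(f"{f['time']} {f['user']} from {f['ip']}: " + "; ".join(f["reasons"]))
```

On the sample data the script reports alice, bob and carol (the first two on all three criteria, carol on the allowlist and shared‑IP criteria only) and stays silent on dave's Azure CLI sign‑in, the browser sign‑in and the failed attempt. The thresholds (three accounts in thirty minutes) are deliberately conservative; in a real tenant they should be tuned against the volume of legitimate device‑code use, and the allowlist should be the output of the integration review rather than a guess.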
Technical Notes — The attack vector is phishing combined with AI‑generated device‑code tokens. No specific CVE is involved; the abuse targets the legitimate OAuth 2.0 device‑code flow. Data types at risk include authentication credentials, email content, and any downstream data accessed after login. Source: Microsoft Security Blog