
MFA is Working. That's Why Attackers Changed Their Approach.

Marshall Bennett

Multi-factor authentication is one of the most successful security investments organizations have made in the last decade. Microsoft reports that MFA blocks more than 99% of automated account compromise attacks. Adoption has climbed steadily across enterprises of every size. For security teams that have rolled it out, that is a meaningful win, and it is worth recognizing.

Attackers took note. In February 2026, a phishing-as-a-service platform called EvilTokens went live. According to threat intelligence reporting by The Hacker News, within five weeks it had compromised more than 340 Microsoft 365 organizations across five countries. The platform requires no technical expertise to operate. For a subscription fee, anyone can run it. And its core design feature is that it works specifically on organizations that already have MFA turned on. Understanding what is behind that capability, and how security teams can respond, starts with a feature built into Microsoft's authentication stack called device-code flow.

How the Attack Works

Device-code flow was designed for logging into Microsoft services on devices that cannot easily open a browser, such as smart TVs, shared conference room displays, and printers. The device shows a short code and prompts the user to visit microsoft.com/devicelogin on a separate device, enter the code, and complete their standard MFA prompt. The device gets authorized, and the user moves on.

From the employee's side, nothing looks wrong. A message arrives with a familiar Microsoft URL and a short code. They visit the page, enter it, complete their MFA prompt, and go back to their day.

EvilTokens exploits that sequence precisely. An attacker generates a valid device code using Microsoft's own authentication infrastructure, sends it to a target employee, and waits. When the employee completes their MFA prompt, the attacker captures the resulting tokens. No stolen password required. No spoofed login page. The MFA challenge was genuine. The URL was legitimate.

The type of token captured is what gives this attack its staying power. Device-code phishing yields both an access token and a refresh token. Access tokens expire in hours. Refresh tokens in Microsoft 365 can remain valid for days or months depending on tenant configuration. An attacker holding a refresh token can silently re-authenticate and maintain persistent access to email, SharePoint, Teams, and files well beyond the initial compromise. This staying power is built into the protocol itself. Dr. Daniel Fett's formal security analysis of OAuth 2.0, presented at the Conference on Computer and Communications Security, found that OAuth grant flows carry structural properties that, when abused, give attackers access that outlasts what most users would ever expect from a single sign-in.

It is worth distinguishing this from a separate campaign called Tycoon2FA, also in active circulation. Tycoon2FA uses an adversary-in-the-middle proxy to intercept authentication cookies during a legitimate login session, a different mechanism from the device authorization grant EvilTokens abuses. Both campaigns target the authenticated session layer rather than credentials, and both succeed in environments where MFA is enabled.

Why Perimeter Detection Misses It

Standard phishing filters look for fake domains and suspicious links. EvilTokens does not use either. The URL the employee clicks is a real Microsoft address. The authentication request goes through Microsoft's own infrastructure. Nothing in that sequence looks wrong to a security tool, because technically, nothing is.

Cloud access security brokers and UEBA platforms can flag this type of attack. The key is having them configured correctly before the campaign arrives. This is where the human layer becomes a meaningful detection layer. The Cybersecurity and Infrastructure Security Agency has found that more than 90% of successful cyberattacks begin with phishing or social engineering, a figure that has held steady through years of growing technical investment. Attackers follow the path of least resistance, and that path increasingly runs through people. Device-code phishing is the most recent example.

What Employees Can Spot

Device-code phishing has one consistent characteristic that employees can learn to recognize in a short briefing. Legitimate device-code prompts are always self-initiated. A user in front of a printer or a shared display triggers the process by attempting to sign in from that device. The device shows them the code. They complete the verification.

What EvilTokens changes is that direction. The request arrives inbound to the employee. Someone sends them a code through a message and asks them to verify it. That inbound structure is the signal.

Training employees to ask one question before completing any unsolicited verification request, "Did I start this?", gives them a practical, low-friction filter. If the answer is no, the right move is to flag it to IT before completing the challenge. Organizations that have made that path fast and easy, with a one-click alert button or a dedicated security channel, see better catch rates.

Phishing simulations that include device-code scenarios give employees hands-on experience with this attack pattern in a training environment. Research by Dr. Lorrie Faith Cranor at Carnegie Mellon University, published in ACM Transactions on Internet Technology, found that employees trained through simulated phishing attacks showed a measurable reduction in click behavior and carried that recognition forward when exposed to real attacks.

Training is one layer in a layered defense. Even well-prepared employees will occasionally miss a well-timed message, which is exactly why technical controls matter alongside it.

Technical Controls That Complement Awareness

Microsoft has published guidance on locking down device-code flow inside Entra ID, and it is a good place to start. The first move is an audit: figure out which employees and applications actually need device-code flow to do their jobs, then turn it off for everyone else. Most knowledge workers will never notice the difference.

For the employees who still need it, Conditional Access policies can raise a flag any time an authentication request comes from an unfamiliar location, device, or network. Shortening how long tokens stay valid after they are issued cuts the window an attacker has to use one if they do capture it.

IT and identity teams should also know what to look for after an attack. Device-code compromise leaves tracks: an unfamiliar device name appearing on an account, access grants for apps the employee does not normally use, sign-in activity from locations outside their normal pattern. Teams that know these markers can move faster when something looks off.
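The audit, the location check, and the post-compromise markers above can be turned into a single review pass over sign-in records. The following is an added example written for this article, not Adaptive's or Microsoft's code: it walks constructed sign-in records in time order, treats each user's earlier sign-ins as their baseline, and flags device-code sign-ins from accounts that were not approved in the audit, from a country the user has not signed in from before, or with an unfamiliar or missing device name. The record field names are an assumption loosely modelled on the Entra sign-in log (where the protocol value "deviceCode" marks device-code flow) and should be mapped to your own log source.

```python
from collections import defaultdict

# Constructed sample sign-in records in time order (not real logs). Field
# names are an assumption modelled on the Entra sign-in log, where
# authenticationProtocol == "deviceCode" marks device-code flow.
SAMPLE_SIGNINS = [
    {"user": "alice@example.com", "authenticationProtocol": "oAuth2",
     "country": "US", "device": "ALICE-LAPTOP", "app": "Microsoft Teams"},
    {"user": "lobby@example.com", "authenticationProtocol": "oAuth2",
     "country": "US", "device": "LOBBY-DISPLAY", "app": "Teams Rooms"},
    {"user": "lobby@example.com", "authenticationProtocol": "deviceCode",
     "country": "US", "device": "LOBBY-DISPLAY", "app": "Teams Rooms"},
    {"user": "alice@example.com", "authenticationProtocol": "deviceCode",
     "country": "NL", "device": "", "app": "Microsoft Office"},
]

# Accounts the audit found genuinely need device-code flow (shared displays,
# printers, kiosks). Everyone else should have it turned off.
DEVICE_CODE_ALLOWLIST = {"lobby@example.com"}


def find_suspicious_device_code(signins, allowlist=DEVICE_CODE_ALLOWLIST):
    """Flag device-code sign-ins that break the user's own baseline.

    The baseline is built from the sign-ins that came before each record,
    so the first sign-in from a new country or device is what gets flagged.
    Returns a list of findings, each with the reasons it was raised.
    """
    seen_countries = defaultdict(set)   # countries each user has used so far
    seen_devices = defaultdict(set)     # device names each user has used so far
    findings = []
    for s in signins:
        user = s["user"]
        if s["authenticationProtocol"] == "deviceCode":
            reasons = []
            if user not in allowlist:
                reasons.append("account not approved for device-code flow")
            if s["country"] not in seen_countries[user]:
                reasons.append("country outside the user's prior sign-ins")
            if not s["device"] or s["device"] not in seen_devices[user]:
                reasons.append("unfamiliar or missing device name")
            if reasons:
                findings.append({"user": user, "app": s["app"], "reasons": reasons})
                continue  # a flagged sign-in must not extend the baseline
        seen_countries[user].add(s["country"])
        if s["device"]:
            seen_devices[user].add(s["device"])
    return findings
```

On the sample data the approved lobby display passes, while the device-code sign-in for alice from the Netherlands with no device name is raised on all three counts.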

For organizations thinking about their next step in authentication, FIDO2 security keys and passkeys close the door on this attack entirely. Dr. Nitesh Saxena's lab at Texas A&M University studied two-factor authentication tools in depth, publishing their findings in ACM Computing Surveys in 2025. Their research points to a consistent pattern: most MFA methods leave the post-login session exposed, and that is where attackers focus their effort. FIDO2 eliminates that exposure. Because these methods are locked to a specific device and website, there is no session for a social engineering attempt to hijack.

The Bigger Picture on MFA

Device-code phishing does not diminish the value of MFA. Turning it off would immediately re-expose every account to the automated credential attacks that MFA is built to prevent. The right response is to build on the foundation MFA provides.

When layered technical controls and prepared people are both in place, attackers face compounding friction at every step. A well-briefed employee who recognizes an unsolicited verification request and flags it gives the security team an early warning that perimeter tools would have missed.

EvilTokens reached 340 organizations in five weeks. The platform requires no technical skill to operate and is built to scale. The teams most prepared for it have already made their people part of the defense.

Adaptive Security helps organizations protect their people from AI-powered social engineering attacks through phishing simulations, personalized training, and continuous risk monitoring. To learn how Adaptive can strengthen your human layer, request a demo.
