Four days ago, Black Arrow Cyber — a firm that watches this stuff for a living — issued an emergency advisory to its clients. The subject: an active phishing campaign that bypasses Microsoft 365 MFA completely, is running 10 to 15 distinct waves per day, and has already hit hundreds of organizations globally including NGOs, government offices, schools, and law firms.
The tool behind it is called EvilTokens. It's been sold as a service on Telegram since mid-February. As of this week, it's the most active phishing kit in the Microsoft 365 ecosystem.
Here's what makes it different from every other phishing campaign you've heard about: it doesn't steal your password. It doesn't intercept your authentication code. It uses Microsoft's own login infrastructure to hand the attacker a valid session — with your blessing, more or less — and you never see a fake website.
How device code phishing actually works
Microsoft's OAuth device code flow (the OAuth 2.0 device authorization grant, RFC 8628) was designed for a legitimate use case: TVs, kiosks, printers, devices without keyboards where you can't easily type a password. The flow works like this. The device asks Microsoft for a code pair, shows you the short user code, and polls Microsoft in the background. You go to a real Microsoft URL on another device, type the code, log in, and Microsoft hands the polling device its token. Simple.
EvilTokens weaponizes this completely. Here's the real flow when an attack is underway:
A phishing email arrives — more on those in a moment. It says something like "Please verify your identity to access this shared document" or "Your invoice approval is pending." There's a link or a QR code. You click. You see what looks like an authentication prompt, with a Microsoft-branded code displayed. Instructions tell you to go to microsoft.com/devicelogin, enter the code, and complete sign-in.
You do it. You MFA. Everything looks normal.
What actually happened: the attacker's kit requested that device code from Microsoft, and it has been polling Microsoft's token endpoint ever since. When you entered the code on Microsoft's real sign-in page and completed authentication, you approved their pending request, and Microsoft issued the token to the client that asked for it: theirs. They now have your access token. Because the kit asks for offline access, they also have a refresh token, which is long-lived (weeks to months by default) and can be traded for fresh access tokens for as long as it stays valid. Do not count on a password change alone to end that: the user's sign-in sessions have to be revoked explicitly.
Within minutes: your inbox, your OneDrive, your SharePoint, your Teams conversations, your calendar. If your account has access to sensitive files or financial systems, so do they. Because single sign-on propagates across Microsoft services, they can also impersonate you to services connected through Entra ID — including any third-party apps your organization uses.
Standard MFA doesn't stop this. There's nothing to intercept. The attacker never touches the authentication challenge. You completed it yourself, on Microsoft's actual servers, because the prompt looked routine.
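The exchange described above, as an added example that is not part of the original advisory and not EvilTokens code: an in-memory model of the device authorization grant with the attacker's client, the victim and the identity provider as separate roles. The IdentityProvider class stands in for login.microsoftonline.com, the client id is a placeholder, and the user, token formats and code alphabet are constructed for the example. It also models the fix: with device code flow blocked by policy, the victim's approval is refused and the attacker's poll never completes.

```python
"""In-memory model of the OAuth 2.0 device authorization grant (RFC 8628)
with the roles in a device code phishing attack spelled out. The
IdentityProvider class stands in for login.microsoftonline.com; nothing
here talks to the network, and the client id, user and token formats are
constructed for this example."""

import secrets
import string
import time

USER_CODE_ALPHABET = string.ascii_uppercase + string.digits  # illustrative charset


class IdentityProvider:
    """Authorization server stand-in. device_code_flow_allowed models a
    Conditional Access policy that blocks the grant for the signing-in user."""

    def __init__(self, device_code_flow_allowed=True, expires_in=900):
        self.allowed = device_code_flow_allowed
        self.expires_in = expires_in
        self._pending = {}        # device_code -> request record
        self._by_user_code = {}   # user_code -> device_code

    def device_authorization(self, client_id, scope):
        """Step 1: any client, here the attacker's kit, asks for a code pair."""
        device_code = secrets.token_urlsafe(32)
        user_code = "".join(secrets.choice(USER_CODE_ALPHABET) for _ in range(9))
        self._pending[device_code] = {"client_id": client_id, "scope": scope,
                                      "user_code": user_code, "approved_by": None,
                                      "issued": time.time()}
        self._by_user_code[user_code] = device_code
        return {"device_code": device_code, "user_code": user_code,
                "verification_uri": "https://microsoft.com/devicelogin",
                "expires_in": self.expires_in, "interval": 5}

    def approve(self, user_code, username, mfa_passed):
        """Step 2: a person types user_code at the real verification URI and
        signs in. mfa_passed is the outcome of a genuine challenge; in the
        attack it is True because the victim really did authenticate."""
        if not mfa_passed:
            return {"error": "interaction_required"}
        device_code = self._by_user_code.get(user_code)
        if device_code is None:
            return {"error": "invalid_user_code"}
        if not self.allowed:
            return {"error": "access_denied",
                    "error_description": "device code flow blocked by Conditional Access"}
        self._pending[device_code]["approved_by"] = username
        return {"status": "approved"}

    def token(self, device_code):
        """Step 3: the client that holds device_code polls for tokens. The server
        only knows that someone approved the matching user_code; it cannot
        tell that the poller is not the person who typed it."""
        rec = self._pending.get(device_code)
        if rec is None:
            return {"error": "invalid_grant"}
        if time.time() - rec["issued"] > self.expires_in:
            return {"error": "expired_token"}
        if rec["approved_by"] is None:
            return {"error": "authorization_pending"}
        sub = rec["approved_by"]
        resp = {"token_type": "Bearer", "scope": rec["scope"], "expires_in": 3600,
                "access_token": f"at.{sub}.{secrets.token_hex(8)}"}
        if "offline_access" in rec["scope"].split():
            # offline_access is what buys the attacker the long-lived refresh token
            resp["refresh_token"] = f"rt.{sub}.{secrets.token_hex(8)}"
        return resp


def run_attack(idp, victim="alice@contoso.example", mfa_passed=True):
    """Drive one attack from both sides; returns what the attacker observes."""
    # Attacker side: obtain a code pair, put user_code and the real URL in the lure.
    start = idp.device_authorization(
        client_id="00000000-0000-0000-0000-000000000000",  # placeholder public client id
        scope="openid offline_access https://graph.microsoft.com/.default")
    before = idp.token(start["device_code"])
    # Victim side: follows the lure, lands on the genuine page, enters the code,
    # completes MFA. Nothing in this step is fake, which is why MFA does not help.
    approval = idp.approve(start["user_code"], victim, mfa_passed=mfa_passed)
    after = idp.token(start["device_code"])
    return {"before_approval": before, "approval": approval, "after_approval": after}


if __name__ == "__main__":
    print(run_attack(IdentityProvider()))
    print(run_attack(IdentityProvider(device_code_flow_allowed=False)))
```

The thing to notice is in token(): the server binds the approved session to the device_code it issued, not to whoever typed the user_code, so a genuine MFA success at the genuine page is exactly what the attacker needs. The only check that helps is the policy check in approve(), which is what the Conditional Access block provides.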
The AI piece, and why your team is a specific target
The emails that start these attacks aren't generic. Generative AI is being used to craft messages tailored to the recipient's role — RFPs for procurement staff, invoice approvals for finance contacts, policy documents for program managers. Microsoft's threat researchers specifically called out that attack payloads were matched to professional context. The email you'd expect based on your job is the one arriving.
That matters because the usual red flags — awkward phrasing, generic subjects, "Dear valued customer" — aren't there. The message feels like something you'd actually receive.
The sectors explicitly documented in active EvilTokens campaigns: government, NGOs, academia, healthcare, law firms, transportation, energy, and IT. If you're reading this at a 10- to 50-person organization that uses Microsoft 365 — which describes most of our clients — you are in the target cohort.
The scale: since mid-March, researchers have tracked over 340 organizations compromised globally. Hundreds more per week based on current campaign cadence. Canada is listed among the most-targeted countries. This is not a distant threat.
Why small orgs get hit harder
Large enterprises often have Conditional Access policies already configured that block or restrict device code flow. They have security operations teams watching sign-in logs. They have identity governance tooling that flags unusual authentication patterns.
Most small organizations don't have any of that. The M365 defaults allow device code flow; it's enabled out of the box. Your team's accounts can be targeted immediately. And when a staff member authenticates via a device code prompt, there's nothing in their experience that signals anything wrong. No password was stolen. No fake website was visited. The sign-in completed successfully. The Entra sign-in log does record it (the Authentication Protocol column reads Device Code, alongside the attacker's client IP), but it is logged as a successful sign-in, so nobody notices unless someone filters for that protocol specifically.
The attacker's session can run for weeks before anyone notices anything unusual in email traffic, file access, or external sharing.
What to do. Right now.
The primary fix: block device code flow for your users.
In Microsoft Entra ID (formerly Azure AD), go to Conditional Access and create a policy that blocks the device code grant. The specific condition: Authentication flows → Device code flow. The grant control: Block access. The scope: all users, or at minimum any user who is not explicitly operating a legacy device that requires it. Almost certainly, that means all of your staff. Two practical notes: exclude your emergency-access (break-glass) accounts, as you should from every Conditional Access policy, and start the policy in report-only mode for a day or two so the sign-in log tells you which accounts, if any, actually use the flow before you switch it to On.
Microsoft's own current guidance is to "get as close as possible to a unilateral block on device code flow" and only allow it in documented cases where a specific legacy device has no alternative.
If your organization uses shared devices, printers with scan-to-email, or conference room systems that authenticate to Microsoft, you may need to exclude those specific device accounts (put them in a dedicated group and exclude the group) while blocking everyone else. That's a 30-minute scoping exercise. It is worth doing.
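The policy above, as an added example rather than Microsoft's code or anything from the original advisory: the body you would POST to the Microsoft Graph conditionalAccess/policies endpoint, plus a check that reads a tenant's existing policies and reports whether device code flow is actually blocked for a given user, which answers the "is it even enabled for my users?" question. The field names (conditions.authenticationFlows.transferMethods, grantControls.builtInControls, the state values) are the Graph conditionalAccessPolicy resource's; the user and group IDs, the break-glass account and the printer group are constructed for the example.

```python
"""Build a Conditional Access policy that blocks device code flow, and check
whether the policies already in a tenant actually block it for a given user.
Policy shape follows the Microsoft Graph conditionalAccessPolicy resource;
the user, group and policy values below are constructed for this example."""

GRAPH_CA_POLICIES = "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies"

# Constructed identifiers for the example tenant.
BREAK_GLASS = "11111111-1111-1111-1111-111111111111"     # emergency-access account
PRINTERS_GROUP = "22222222-2222-2222-2222-222222222222"  # scan-to-email device accounts
STAFF_USER = "33333333-3333-3333-3333-333333333333"
MFP_ACCOUNT = "44444444-4444-4444-4444-444444444444"     # member of PRINTERS_GROUP


def block_device_code_policy(exclude_users=(), exclude_groups=(), report_only=True):
    """Policy body to POST to GRAPH_CA_POLICIES (needs Policy.ReadWrite.ConditionalAccess).

    Start in report-only mode, read the sign-in log for a day or two, then
    flip state to "enabled". Always exclude break-glass accounts."""
    return {
        "displayName": "Block device code flow",
        "state": "enabledForReportingButNotEnforced" if report_only else "enabled",
        "conditions": {
            "users": {
                "includeUsers": ["All"],
                "excludeUsers": list(exclude_users),
                "excludeGroups": list(exclude_groups),
            },
            "applications": {"includeApplications": ["All"]},
            "clientAppTypes": ["all"],
            "authenticationFlows": {"transferMethods": "deviceCodeFlow"},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }


def _covers_user(users, user_id, group_ids):
    group_ids = set(group_ids)
    included = ("All" in users.get("includeUsers", [])
                or user_id in users.get("includeUsers", [])
                or bool(group_ids & set(users.get("includeGroups", []))))
    excluded = (user_id in users.get("excludeUsers", [])
                or bool(group_ids & set(users.get("excludeGroups", []))))
    return included and not excluded


_RANK = {"none": 0, "report-only": 1, "partial": 2, "enforced": 3}


def device_code_block_status(policies, user_id, group_ids=()):
    """Best protection any policy gives this user: 'none', 'report-only',
    'partial' (enforced, but only for some applications) or 'enforced'.

    A policy counts only if it names deviceCodeFlow in its authenticationFlows
    condition, grants "block", and includes the user without excluding them.
    Graph returns authenticationFlows as null on policies without the condition."""
    status = "none"
    for p in policies:
        cond = p.get("conditions") or {}
        flows = cond.get("authenticationFlows") or {}
        methods = {m.strip() for m in (flows.get("transferMethods") or "").split(",")}
        grant = p.get("grantControls") or {}
        if "deviceCodeFlow" not in methods or "block" not in grant.get("builtInControls", []):
            continue
        if not _covers_user(cond.get("users") or {}, user_id, group_ids):
            continue
        apps = (cond.get("applications") or {}).get("includeApplications", [])
        if p.get("state") == "enabled":
            candidate = "enforced" if "All" in apps else "partial"
        elif p.get("state") == "enabledForReportingButNotEnforced":
            candidate = "report-only"
        else:
            continue  # disabled
        if _RANK[candidate] > _RANK[status]:
            status = candidate
    return status


def example_tenant(report_only=True):
    """Constructed tenant: one unrelated MFA policy plus the device code block."""
    require_mfa = {"displayName": "Require MFA for all users", "state": "enabled",
                   "conditions": {"users": {"includeUsers": ["All"]},
                                  "applications": {"includeApplications": ["All"]},
                                  "authenticationFlows": None},
                   "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}}
    return [require_mfa, block_device_code_policy(exclude_users=[BREAK_GLASS],
                                                   exclude_groups=[PRINTERS_GROUP],
                                                   report_only=report_only)]


if __name__ == "__main__":
    for who, groups in ((STAFF_USER, ()), (BREAK_GLASS, ()), (MFP_ACCOUNT, (PRINTERS_GROUP,))):
        print(who, device_code_block_status(example_tenant(report_only=False), who, groups))
```

Run device_code_block_status over the list returned by a GET on GRAPH_CA_POLICIES for a handful of representative users; "report-only" means the policy exists but nobody is protected yet, and "none" for an ordinary staff account is the finding this advisory is about.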
Secondary measures:
Review your Entra ID sign-in logs for device code authentications from the past 30 days. In the portal, filter the Authentication Protocol column to Device Code; in Microsoft Graph that is the authenticationProtocol field with the value deviceCode. Any result should be investigated, specifically: what application and client IP, what time, what country, and did the user expect to be doing this? Successful entries are the ones that matter; entries that failed with AADSTS53003 were blocked by Conditional Access, which tells you the policy works and that someone is trying.
If you find sessions you can't account for, revoke the user's sign-in sessions immediately (Revoke sessions on the user in the Entra admin center, or the revokeSignInSessions action in Microsoft Graph), which invalidates the refresh token; reset the password; and rotate any API keys, shared credentials, or integrations that account had access to. Access tokens already issued keep working until they expire, typically within the hour, so assume a short tail.
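The review-and-revoke steps above, as an added example in Python rather than the portal (my code, not Microsoft's and not part of the original advisory). It takes sign-in records in the shape Microsoft Graph's auditLogs/signIns resource returns, keeps the device code ones inside the window, ranks them by what they tell you, and produces the revokeSignInSessions calls for the ones you cannot explain. The four sign-in records, the accounts and the IP addresses are constructed; that authenticationProtocol is accepted inside a $filter is an assumption noted in the code, and the client-side check works whether or not the server honours it.

```python
"""Triage Entra ID sign-in log records for device code authentications and
plan session revocation for the ones you cannot explain. Record shape follows
Microsoft Graph auditLogs/signIns (the data behind the portal's sign-in log);
the records, accounts and IPs below are constructed for this example."""

from datetime import datetime, timedelta, timezone

GRAPH_SIGNINS = "https://graph.microsoft.com/beta/auditLogs/signIns"
CA_BLOCKED = 53003  # AADSTS53003: access blocked by Conditional Access


def graph_filter(since):
    """$filter for the review window. authenticationProtocol is the field behind
    the portal's Authentication Protocol column; that it is accepted in $filter
    is an assumption. If your tenant rejects it, drop that clause and rely on
    the client-side check in triage_device_code_signins()."""
    return (f"createdDateTime ge {since:%Y-%m-%dT%H:%M:%SZ} "
            "and authenticationProtocol eq 'deviceCode'")


def _parse(ts):
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def triage_device_code_signins(signins, since, expected_countries, known_device_accounts=()):
    """One finding per device code sign-in in the window, most urgent first.

    high:   token issued, from a country you do not operate in
    medium: token issued, plausible location, but nobody expected this flow
    info:   token issued to an account you deliberately left on device code
    low:    attempt failed or was blocked by Conditional Access (you are being tried)"""
    findings = []
    for s in signins:
        if s.get("authenticationProtocol") != "deviceCode":
            continue
        when = _parse(s["createdDateTime"])
        if when < since:
            continue
        upn = s.get("userPrincipalName", "")
        error = (s.get("status") or {}).get("errorCode", 0)
        country = (s.get("location") or {}).get("countryOrRegion")
        if error:                      # includes CA_BLOCKED
            severity = "low"
        elif upn in known_device_accounts:
            severity = "info"
        elif country not in expected_countries:
            severity = "high"
        else:
            severity = "medium"
        findings.append({
            "severity": severity, "user": upn, "userId": s.get("userId"),
            "when": when.isoformat(), "ip": s.get("ipAddress"), "country": country,
            "app": s.get("appDisplayName"), "errorCode": error,
            "question": "Did this person expect to enter a code at microsoft.com/devicelogin?",
        })
    order = {"high": 0, "medium": 1, "info": 2, "low": 3}
    findings.sort(key=lambda f: (order[f["severity"]], f["when"]))
    return findings


def revocation_plan(findings, severities=("high",)):
    """Graph calls to run for findings you cannot account for. revokeSignInSessions
    invalidates refresh tokens; access tokens already issued keep working until
    they expire (up to about an hour), so also rotate anything the account could reach."""
    seen, plan = set(), []
    for f in findings:
        if f["severity"] in severities and f["userId"] not in seen:
            seen.add(f["userId"])
            plan.append(("POST", f"https://graph.microsoft.com/v1.0/users/{f['userId']}/revokeSignInSessions"))
    return plan


# Constructed sample: what 30 days of sign-ins might contain for a small Canadian org.
SAMPLE_SIGNINS = [
    {"createdDateTime": "2025-04-09T08:12:31Z", "userPrincipalName": "alice@contoso.example",
     "userId": "aaaa-1", "ipAddress": "203.0.113.7", "appDisplayName": "Microsoft Office",
     "authenticationProtocol": "deviceCode", "status": {"errorCode": 0},
     "location": {"countryOrRegion": "NL"}, "conditionalAccessStatus": "notApplied"},
    {"createdDateTime": "2025-04-11T14:03:55Z", "userPrincipalName": "bob@contoso.example",
     "userId": "aaaa-2", "ipAddress": "198.51.100.23", "appDisplayName": "Microsoft Office",
     "authenticationProtocol": "deviceCode", "status": {"errorCode": CA_BLOCKED},
     "location": {"countryOrRegion": "CA"}, "conditionalAccessStatus": "failure"},
    {"createdDateTime": "2025-04-12T06:00:02Z", "userPrincipalName": "mfp-lobby@contoso.example",
     "userId": "aaaa-3", "ipAddress": "192.0.2.40", "appDisplayName": "Scan to email",
     "authenticationProtocol": "deviceCode", "status": {"errorCode": 0},
     "location": {"countryOrRegion": "CA"}, "conditionalAccessStatus": "notApplied"},
    {"createdDateTime": "2025-04-13T09:30:00Z", "userPrincipalName": "carol@contoso.example",
     "userId": "aaaa-4", "ipAddress": "192.0.2.41", "appDisplayName": "OfficeHome",
     "authenticationProtocol": "oAuth2", "status": {"errorCode": 0},
     "location": {"countryOrRegion": "CA"}, "conditionalAccessStatus": "success"},
]


def review(now_iso=None):
    """30-day review over SAMPLE_SIGNINS; returns the filter, findings and revocation plan."""
    now = _parse(now_iso) if now_iso else datetime.now(timezone.utc)
    since = now - timedelta(days=30)
    findings = triage_device_code_signins(SAMPLE_SIGNINS, since, {"CA"},
                                          known_device_accounts={"mfp-lobby@contoso.example"})
    return {"filter": graph_filter(since), "findings": findings, "plan": revocation_plan(findings)}


if __name__ == "__main__":
    for finding in review()["findings"]:
        print(finding["severity"], finding["user"], finding["ip"], finding["country"], finding["app"])
```

Feed it the real records from a GET on GRAPH_SIGNINS with the filter string and an honest list of countries your staff sign in from; the "medium" bucket is where the expected-looking compromises hide, so each one still needs the question in the finding answered by the user.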
Consider moving your admin accounts to phishing-resistant MFA, FIDO2 security keys or certificate-based authentication, rather than TOTP codes or SMS. Be precise about what that buys you. It defeats credential-proxying (adversary-in-the-middle) kits, because the key will only sign for the genuine origin. It does not by itself stop device code phishing: in this attack the user really is signing in to the genuine Microsoft page, the key will happily do so, and the token still goes to the attacker's pending request. Blocking the flow is the control for this campaign; phishing-resistant MFA for anyone with elevated privileges closes the other common bypass and is worth prioritizing. For non-admin staff it is harder to roll out.
The cheapest thing you can do today: send your staff a one-paragraph heads-up. "If you ever see a prompt asking you to go to microsoft.com/devicelogin and enter a code, stop and contact IT before doing it." Most of your people have never seen this flow and don't know it exists. Awareness takes five minutes and immediately raises the bar.
This campaign is running right now
The Black Arrow advisory from April 10 was a signal: this is not a future threat or a proof-of-concept. It is an active, automated, AI-assisted campaign running continuously. The attackers are spinning up new infrastructure faster than detection signatures can keep up. The orgs getting hit this week are ones where device code flow was never turned off, because it never needed to be turned off before.
Blocking it is a one-time configuration change with a negligible operational impact for almost every team. Not blocking it leaves a persistent, hard-to-detect attack surface open against one of the most valuable assets your organization has: your Microsoft 365 environment.
We help small orgs lock down their Microsoft 365 environments and identity configurations — before an incident, not after. If you're not sure whether device code flow is enabled for your users, or what your Conditional Access policies actually cover, that's a short conversation.