What happened

A criminal group tracked by Microsoft as Storm-2372 ran a large-scale campaign targeting organisations across multiple countries. Their method, abusing the OAuth Device Code authentication flow, was novel, and standard MFA protections offered no defence against it.

What is the OAuth Device Code flow?

It is a legitimate login mechanism designed for devices that cannot support an interactive browser login — smart TVs, printers, IoT devices. The flow works like this: the device shows you a code, you go to a URL on another device, enter the code, and press Approve. It is completely normal and legitimate when you initiate it yourself.

Storm-2372 abused this by sending convincing, role-specific phishing emails to employees, tailored to their job function using AI-generated content. The emails directed victims to a real Microsoft URL. Victims entered the real code and pressed Approve, not realising that the code belonged to a session the attacker had started: their approval authorised the attacker's session, not a device of their own.

Key point: No password was ever stolen. No malware was involved. The victim authenticated themselves on a legitimate Microsoft page. The entire attack ran through legitimate infrastructure.
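To make the mechanism concrete, here is a toy model of the standard device authorization grant (RFC 8628). It is an added example, not code from this article or from Microsoft; the class name, the verification URI and the code lifetime are assumptions. It shows why the approving user never receives the token: the token is bound to the device_code held by whoever started the flow, which is exactly what makes approving an unrequested code dangerous.

```python
"""Simplified model of the OAuth device authorization grant (RFC 8628).
Added example; hypothetical server, not a real identity provider."""
import secrets
import time


class AuthorizationServer:
    def __init__(self, code_lifetime=900):
        self.code_lifetime = code_lifetime   # assumed 15-minute code validity
        self._pending = {}                   # device_code -> pending request

    def device_authorization(self, client_id, now=None):
        """Step 1: the party starting the flow asks for a code pair.
        The long device_code stays with that party; only the short
        user_code is meant to be typed by a human."""
        now = time.time() if now is None else now
        device_code = secrets.token_urlsafe(32)
        user_code = "".join(secrets.choice("BCDFGHJKLMNPQRSTVWXZ") for _ in range(8))
        self._pending[device_code] = {
            "client_id": client_id, "user_code": user_code,
            "expires_at": now + self.code_lifetime, "approved_by": None,
        }
        return {"device_code": device_code, "user_code": user_code,
                "verification_uri": "https://login.example.test/device"}

    def approve(self, user_code, user, now=None):
        """Step 2: a user who has signed in (MFA included) types the short
        code at the verification URI. Note that nothing here checks that
        this user is the one who started the flow."""
        now = time.time() if now is None else now
        for rec in self._pending.values():
            if rec["user_code"] == user_code and rec["expires_at"] > now:
                rec["approved_by"] = user
                return True
        return False

    def token(self, device_code, now=None):
        """Step 3: the holder of device_code polls; once approved, the
        token is issued to that holder, in the approving user's name."""
        now = time.time() if now is None else now
        rec = self._pending.get(device_code)
        if rec is None or rec["expires_at"] <= now:
            return {"error": "expired_token"}
        if rec["approved_by"] is None:
            return {"error": "authorization_pending"}
        del self._pending[device_code]       # one-time use
        return {"access_token": f"tok-for-{rec['approved_by']}",
                "subject": rec["approved_by"]}
```

The party that called device_authorization is the only one that can redeem the device_code, so the approval step is the sole control, which is why the advice below centres on never approving a code you did not request.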

The toolkit: EvilTokens

The operation used an automated toolkit called EvilTokens that managed the entire flow end-to-end — generating lures, sending emails, capturing authorised tokens, and immediately using them before they expired. The FBI dismantled this infrastructure in April 2026.

What you should do

  • Never approve a device code authorisation you did not initiate yourself
  • If an email asks you to visit a URL and enter a code — verify with IT before proceeding
  • Unexpected approval requests of any kind should be denied and reported