Barracuda Detects 7 Million Device Code Phishing Attacks Exploiting Microsoft 365 Logins in 2026
Active threat. The incident should still be treated as active until confirmed mitigation or patch adoption is verified.
In 2026, Barracuda Networks uncovered a staggering surge of over 7 million device code phishing attacks leveraging the EvilTokens toolkit to compromise Microsoft 365 accounts by bypassing multifactor authentication. This article consolidates multiple reports to provide a comprehensive analysis of the attack methods, affected users, and actionable steps to mitigate risks in this evolving threat landscape.
What happened
In early 2026, cybersecurity firm Barracuda Networks identified a massive wave of phishing attacks targeting Microsoft 365 users, with over 7 million device code phishing attempts recorded. These attacks utilize the EvilTokens phishing kit, a sophisticated toolkit that enables threat actors to bypass multifactor authentication (MFA) protections by exploiting device code authorization flows. This surge marks a significant escalation in phishing sophistication, as attackers increasingly target enterprise cloud accounts with advanced social engineering and technical evasion techniques.
Confirmed facts
- Barracuda detected more than 7 million device code phishing attacks within a short span in 2026.
- The attacks primarily targeted Microsoft 365 logins, exploiting the device code authorization flow.
- The EvilTokens phishing kit is the primary tool linked to these attacks, enabling bypass of MFA by tricking users into authorizing malicious device codes.
- Attackers send phishing emails that mimic legitimate Microsoft login prompts, prompting users to enter device codes.
- Once the device code is entered, attackers gain access to the victim's Microsoft 365 account without triggering MFA alerts.
- This attack vector allows access to email, files, and other sensitive corporate data stored in Microsoft 365.
Who is affected
- Organizations and individuals using Microsoft 365 services, especially those relying on device code authorization for authentication.
- Enterprises with remote or hybrid workforces, where device code flows are commonly used for authentication on non-traditional devices.
- Users who may not be fully aware of the risks associated with device code authorization phishing.
- Sectors with heavy reliance on Microsoft 365, including finance, healthcare, education, and government agencies.
What to do now
- Immediately review recent login activity in Microsoft 365 admin portals for suspicious device code authorizations.
- Educate users about the risks of device code phishing and train them to recognize phishing emails that request device codes.
- Implement conditional access policies to restrict device code flow usage where possible.
- Enforce stricter MFA methods that are less susceptible to phishing, such as hardware security keys (FIDO2).
- Deploy advanced email filtering and anti-phishing solutions to detect and quarantine phishing attempts.
- Conduct organization-wide security awareness campaigns focusing on device code phishing.
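One way to script the sign-in review from the first step, as an added example that is not code from Barracuda, Microsoft or the original article. It assumes sign-in records exported with Microsoft Graph signIn field names and that the export includes `authenticationProtocol`; the sample records, the `EXPECTED_USERS` allowlist and all addresses are constructed.

```python
from collections import defaultdict

# Constructed sample records, shaped like a Microsoft Entra sign-in log export.
# Field names follow the Microsoft Graph signIn resource; the presence of
# authenticationProtocol in your export is an assumption (check your schema).
SAMPLE_SIGNINS = [
    {"userPrincipalName": "alice@contoso.example", "ipAddress": "192.0.2.10",
     "appDisplayName": "Office 365 Exchange Online",
     "authenticationProtocol": "none", "status": {"errorCode": 0}},
    {"userPrincipalName": "alice@contoso.example", "ipAddress": "203.0.113.77",
     "appDisplayName": "Microsoft Office",
     "authenticationProtocol": "deviceCode", "status": {"errorCode": 0}},
    # Nonzero errorCode: this device code sign-in did not succeed.
    {"userPrincipalName": "bob@contoso.example", "ipAddress": "198.51.100.5",
     "appDisplayName": "Microsoft Azure CLI",
     "authenticationProtocol": "deviceCode", "status": {"errorCode": 50199}},
    {"userPrincipalName": "room-display@contoso.example", "ipAddress": "192.0.2.40",
     "appDisplayName": "Microsoft Teams Rooms",
     "authenticationProtocol": "deviceCode", "status": {"errorCode": 0}},
]

# Hypothetical allowlist: accounts that legitimately use device code flow.
EXPECTED_USERS = {"room-display@contoso.example"}

def is_device_code(rec):
    return str(rec.get("authenticationProtocol", "")).lower() == "devicecode"

def succeeded(rec):
    return rec.get("status", {}).get("errorCode") == 0

def triage(records, expected_users=EXPECTED_USERS):
    """Return successful device code sign-ins by users not on the allowlist."""
    baseline = defaultdict(set)  # IPs from each user's other successful sign-ins
    for rec in records:
        if succeeded(rec) and not is_device_code(rec):
            baseline[rec["userPrincipalName"].lower()].add(rec["ipAddress"])
    findings = []
    for rec in records:
        upn = rec["userPrincipalName"].lower()
        if is_device_code(rec) and succeeded(rec) and upn not in expected_users:
            findings.append({"user": upn, "app": rec.get("appDisplayName"),
                             "ip": rec["ipAddress"],
                             "ip_seen_before": rec["ipAddress"] in baseline[upn]})
    # Sign-ins from addresses absent from the user's baseline sort first.
    return sorted(findings, key=lambda f: f["ip_seen_before"])

if __name__ == "__main__":
    for finding in triage(SAMPLE_SIGNINS):
        print(finding)
```

Each finding is a lead for manual review, not a verdict; the allowlist keeps expected device code users, such as shared displays, out of the queue.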
How to secure yourself
- Never enter device codes or authentication credentials in response to unsolicited emails or prompts.
- Verify the legitimacy of any device code request by contacting your IT department or using official Microsoft portals.
- Use hardware-based MFA tokens instead of SMS or app-based codes when possible.
- Regularly update and patch all software to minimize vulnerabilities.
- Enable Microsoft Defender for Office 365 or equivalent advanced threat protection tools.
- Monitor your account activity frequently and report any unauthorized access immediately.
2026 update
The 2026 surge in device code phishing attacks underscores a shift in attacker tactics, focusing on bypassing traditional MFA protections through social engineering and exploiting OAuth device code flows. Microsoft and cybersecurity vendors have responded by enhancing detection capabilities and promoting more phishing-resistant MFA methods. Organizations are increasingly adopting zero-trust architectures and conditional access policies to mitigate these risks. Despite improvements, the volume and sophistication of these attacks continue to rise, making vigilance and user education critical in 2026 and beyond.
FAQ
What is device code phishing?
Device code phishing is a technique where attackers trick users into providing a device code—a temporary authorization code used in OAuth flows—to gain access to their accounts, bypassing multifactor authentication.
How does the EvilTokens kit work?
EvilTokens is a phishing toolkit that creates realistic fake login prompts requesting device codes. When users enter these codes, attackers use them to authenticate and access the victim's accounts without triggering MFA alerts.
Am I affected if I use Microsoft 365?
If you use Microsoft 365 and authenticate via device code flows, especially in environments with remote or hybrid access, you could be at risk. It's essential to review your account activity and follow security best practices.
Can multifactor authentication stop these attacks?
Traditional MFA methods like SMS or app-based codes can be bypassed by device code phishing. Hardware security keys and conditional access policies offer stronger protection against these attacks.
What should I do if I suspect my account was compromised?
Immediately change your password, review recent login activity, notify your IT or security team, and check for unauthorized device code authorizations.
How can organizations prevent device code phishing?
Organizations should implement strict conditional access policies, deploy advanced email security solutions, enforce hardware MFA, and conduct regular user training on phishing risks.
Has Microsoft addressed this vulnerability?
Microsoft has improved detection and response capabilities for device code phishing and recommends using phishing-resistant MFA methods and conditional access to mitigate these attacks.
Is this attack limited to Microsoft 365?
While the current surge targets Microsoft 365, device code phishing techniques can potentially be adapted to other OAuth-based services.
Why this matters
The rise of device code phishing attacks exploiting Microsoft 365 logins represents a critical evolution in cyber threats, targeting one of the most widely used cloud productivity platforms globally. By bypassing multifactor authentication, attackers gain unfettered access to sensitive corporate data, increasing risks of data breaches, intellectual property theft, and business disruption. Understanding this threat and implementing robust defenses is essential for organizations to maintain security in an increasingly cloud-dependent world.
Sources and corroboration
This article consolidates information primarily from Barracuda Networks' threat intelligence reports and corroborates findings with securitybrief.in's detailed coverage published on April 24, 2026. Additional insights derive from Microsoft's security advisories and industry-wide observations on phishing trends in 2026.
- https://securitybrief.in/story/barracuda-spots-7-million-device-code-phishing-attacks
- Barracuda Networks Threat Intelligence Reports (2026)
- Microsoft Security Updates and Advisories (2026)