Researchers: AI-Driven Campaign Compromises Accounts More Effectively than Traditional Phishing Attacks
Microsoft researchers recently uncovered a large-scale, sophisticated AI-driven phishing campaign that uses automation and legitimate authentication processes to compromise accounts more effectively than traditional phishing attacks.
"This activity aligns with the emergence of EvilToken, a Phishing-as-a-Service (PhaaS) toolkit identified as a key driver of large-scale device code abuse," the company said.
This attack marks a shift from stealing passwords to abusing trusted authentication systems and tokens.
The Microsoft Defender Security Research Team's research report illustrates that AI is making phishing more sophisticated and scalable.
In summary, the report describes attackers first validating which e-mail accounts exist and are still active. This reconnaissance is carried out days or weeks before the phishing e-mails are sent.
Once targets have been identified, they receive highly personalized e-mails whose wording is crafted to build trust and prompt engagement, with lures such as invoices, shared documents and PDFs.
The links are routed through legitimate platforms, such as cloud services and redirect services, which helps the attackers evade URL filters and detection systems.
Clicking the link triggers a device code authentication flow: the victim is shown a device code and directed to the genuine Microsoft login page. Once the victim enters the code there, they unknowingly authorize the attacker's session. The key point is that no password is stolen; the attacker is issued valid authentication tokens by the identity provider itself.
The attackers then use these tokens to read e-mail, map the organization and target executives or finance teams.
What Security Researchers Uncovered
Attackers have become more sophisticated by using generative AI to create highly personalized e-mails tailored to victims' roles. The result is that a full attack chain is automated end-to-end, which increases success rates.
The most concerning aspect of this campaign is that it exploits a legitimate login method: the device code flow, the OAuth 2.0 grant designed for input-constrained devices such as printers and smart TVs, which sign in by displaying a short code for the user to enter on another device.
The attackers abused Microsoft's implementation of this flow: victims unknowingly entered a code that authorized the attackers' session, granting access without any password being stolen.
Microsoft says the attackers start with reconnaissance, a critical precursor that typically takes place 10 to 15 days before the phishing attempt itself is launched.
The next step is to get around the lifetime limit on device codes, which the attackers achieve with real-time code generation: a code is generated on demand at the moment the user clicks the link, so it has not expired by the time the user enters it, which improves the attack's reliability.
"To bypass the 15-minute expiration window for device codes, threat actors triggered code generation at the moment the user interacted with the phishing link, ensuring the authentication flow remained valid," the report stated.
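To make the mechanics concrete, here is a self-contained simulation of the OAuth 2.0 device authorization grant (RFC 8628) and of the just-in-time code generation described above. This is an added example written for this article, not code from Microsoft's report or from the EvilToken toolkit; the in-process authorization server, the client ID, the victim's address, the verification URL and the fake clock are all stand-ins, and the 900-second lifetime mirrors the 15-minute window quoted above.

```python
"""Simulation of the device code flow and the just-in-time code generation trick.

Added example for this article; not code from the Microsoft report or EvilToken.
Everything here is a stand-in: the identity provider, client ID, victim and clock.
"""
import secrets
import string
import time

DEVICE_CODE_LIFETIME = 900  # seconds: the 15-minute window quoted in the report


class FakeClock:
    """Controllable clock so the scenario runs instantly and deterministically."""

    def __init__(self, start=1_700_000_000.0):
        self.now = start

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


class AuthorizationServer:
    """Stand-in for the identity provider's device authorization and token endpoints."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self._pending = {}        # device_code -> grant record
        self._by_user_code = {}   # user_code -> device_code

    def device_authorization(self, client_id, scope):
        """Step 1, called by the attacker's client: mint a device_code/user_code pair."""
        device_code = secrets.token_urlsafe(32)
        alphabet = string.ascii_uppercase + string.digits
        user_code = "".join(secrets.choice(alphabet) for _ in range(8))
        self._pending[device_code] = {
            "client_id": client_id,
            "scope": scope,
            "expires_at": self.clock() + DEVICE_CODE_LIFETIME,
            "approved_by": None,
        }
        self._by_user_code[user_code] = device_code
        return {
            "device_code": device_code,
            "user_code": user_code,
            "verification_uri": "https://login.example/device",  # stand-in URL
            "expires_in": DEVICE_CODE_LIFETIME,
            "interval": 5,
        }

    def approve(self, user_code, username):
        """Step 2, performed by the victim on the genuine login page: enter the user code."""
        device_code = self._by_user_code.get(user_code)
        if device_code is None:
            return "invalid_user_code"
        record = self._pending[device_code]
        if self.clock() > record["expires_at"]:
            return "expired_token"
        record["approved_by"] = username
        return "approved"

    def token(self, device_code):
        """Step 3, polled by the attacker's client: exchange the device_code for tokens."""
        record = self._pending.get(device_code)
        if record is None:
            return {"error": "invalid_grant"}
        if self.clock() > record["expires_at"]:
            return {"error": "expired_token"}
        if record["approved_by"] is None:
            return {"error": "authorization_pending"}
        return {
            "access_token": "eyJ." + secrets.token_hex(16),  # opaque stand-in for a JWT
            "token_type": "Bearer",
            "scope": record["scope"],
            "sub": record["approved_by"],
        }


def run_scenario(minutes_before_click, victim="alice@victim.example"):
    """Mint the device code `minutes_before_click` minutes before the victim clicks the
    lure, then replay the victim's approval and the attacker's token poll."""
    clock = FakeClock()
    idp = AuthorizationServer(clock)
    # The attacker's client (a hypothetical app registration) requests a code.
    grant = idp.device_authorization(client_id="hypothetical-attacker-app", scope="Mail.Read")
    # Time passes until the victim opens the lure and clicks the link.
    clock.advance(minutes_before_click * 60)
    # The lure displays verification_uri and user_code; the victim types the code
    # into the genuine login page. No password ever reaches the attacker.
    approval = idp.approve(grant["user_code"], victim)
    # The attacker's client polls the token endpoint (polling interval skipped here).
    return {"approval": approval, "token_response": idp.token(grant["device_code"])}


if __name__ == "__main__":
    print("pre-generated 30 min early:", run_scenario(30))
    print("generated at click time:  ", run_scenario(0))
```

Running run_scenario(30) shows why pre-generated codes fail: by the time the victim clicks, the code has expired and the identity provider refuses both the approval and the token poll. With run_scenario(0) the code is minted at click time, the victim's entry on the genuine login page approves it, and the attacker's polling client receives a bearer token for the requested scope without ever seeing a password.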
After the initial compromise, the attackers home in on high-value targets: with access in hand they map the organization, identify executives or finance staff, establish persistent access and exfiltrate data.
The report also notes that cloud infrastructure enables attacks at scale: attackers can spin up thousands of short-lived systems to run campaigns and use platforms such as serverless hosting to evade detection, which puts large organizations at particular risk.
What is clear from these findings is that security models built around passwords and basic detection are no longer enough.
Organizations need guardrails such as continuous monitoring, stricter identity controls (for example, restricting which users and applications are permitted to use the device code flow at all) and greater awareness of how legitimate tools can be abused.
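As an added detection example, not the report's own hunting guidance, the following Python runs two heuristics over constructed sign-in events whose field names are modelled on the shape of Microsoft Entra ID sign-in logs; the schema, the allowlist of applications expected to use the device code flow and the sample events are all assumptions for this example and should be adapted to your own SIEM. It flags successful device-code sign-ins from applications not on the allowlist, and device-code sign-ins followed within a short window by a successful sign-in for the same user from a different IP address or country, which can indicate a victim entering a code in one place while the attacker's client uses the resulting tokens from another.

```python
"""Device-code abuse detection over constructed sign-in events.

Added example for this article; not a query from the Microsoft report.
Field names are an assumption modelled on Entra ID sign-in logs.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events, not real telemetry.
SAMPLE_SIGNINS = [
    {"createdDateTime": "2025-01-10T09:00:00Z", "userPrincipalName": "bob@corp.example",
     "ipAddress": "203.0.113.10", "country": "US", "authenticationProtocol": "none",
     "appDisplayName": "Outlook", "errorCode": 0},
    # Sanctioned use: an admin signing in to a CLI tool via the device code flow.
    {"createdDateTime": "2025-01-10T09:05:00Z", "userPrincipalName": "admin@corp.example",
     "ipAddress": "203.0.113.20", "country": "US", "authenticationProtocol": "deviceCode",
     "appDisplayName": "Microsoft Azure CLI", "errorCode": 0},
    # A victim enters the phished code on the genuine login page...
    {"createdDateTime": "2025-01-10T10:00:00Z", "userPrincipalName": "alice@corp.example",
     "ipAddress": "203.0.113.30", "country": "US", "authenticationProtocol": "deviceCode",
     "appDisplayName": "Microsoft Office", "errorCode": 0},
    # ...and minutes later the issued tokens are used from a different network.
    {"createdDateTime": "2025-01-10T10:04:00Z", "userPrincipalName": "alice@corp.example",
     "ipAddress": "198.51.100.7", "country": "NL", "authenticationProtocol": "none",
     "appDisplayName": "Microsoft Office", "errorCode": 0},
]

# Assumed allowlist: applications for which device-code sign-ins are expected. Tune per tenant.
EXPECTED_DEVICE_CODE_APPS = {"Microsoft Azure CLI"}


def _ts(event):
    return datetime.strptime(event["createdDateTime"], "%Y-%m-%dT%H:%M:%SZ")


def detect_device_code_abuse(events, window=timedelta(minutes=30)):
    """Return alerts for (1) successful device-code sign-ins from unexpected apps and
    (2) device-code sign-ins followed within `window` by a successful sign-in for the
    same user from a different IP address or country."""
    alerts = []
    by_user = defaultdict(list)
    for event in sorted(events, key=_ts):
        by_user[event["userPrincipalName"]].append(event)

    for user, user_events in by_user.items():
        for i, event in enumerate(user_events):
            if event["authenticationProtocol"] != "deviceCode" or event["errorCode"] != 0:
                continue
            if event["appDisplayName"] not in EXPECTED_DEVICE_CODE_APPS:
                alerts.append({"rule": "unexpected_device_code_signin", "user": user,
                               "time": event["createdDateTime"],
                               "app": event["appDisplayName"], "ip": event["ipAddress"]})
            # Look ahead within the window for a successful sign-in from somewhere else.
            for later in user_events[i + 1:]:
                if _ts(later) - _ts(event) > window:
                    break
                moved = (later["ipAddress"] != event["ipAddress"]
                         or later["country"] != event["country"])
                if later["errorCode"] == 0 and moved:
                    alerts.append({"rule": "device_code_then_new_location", "user": user,
                                   "time": later["createdDateTime"],
                                   "from_ip": event["ipAddress"],
                                   "to_ip": later["ipAddress"]})
                    break
    return alerts


if __name__ == "__main__":
    for alert in detect_device_code_abuse(SAMPLE_SIGNINS):
        print(alert)
```

On the sample data the admin's CLI sign-in is silent because its application is allowlisted, while alice's sign-in raises both alerts: the device-code sign-in came from an application that should not be using that flow, and four minutes later her account was active from a different country. In production the allowlist and the window are the knobs to tune, and the second rule is a heuristic that benefits from correlating with mailbox access and token-refresh events rather than sign-ins alone.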
For the full report, visit the Microsoft site.