AI-powered phishing hits M365 — hundreds of orgs compromised daily
Storm-2755 uses AI to craft phishing emails that trick M365 users into giving up their tokens. Here is how to protect yourself.
Microsoft published an analysis on April 6 of an ongoing AI-powered phishing campaign targeting Microsoft 365 organizations. The threat actor behind the attack, Storm-2755, has compromised over 340 organizations across five countries since mid-March.
What makes this campaign different is that attackers use generative AI to create role-specific phishing emails — tailored to the recipient's job title and industry. The emails reference things like RFP requests, invoices, and manufacturing workflows. They also use Railway.com to rapidly spin up thousands of short-lived servers that handle the authentication flow.
Device code phishing — how it works
Instead of sending victims to a fake login page, attackers abuse Microsoft's legitimate device code flow. The attacker starts the flow and obtains the short code; the victim is shown the genuine Microsoft device-login page and asked to enter it. When the victim submits the code and signs in, Microsoft issues the OAuth token to the client that started the flow, so the attacker receives a token with full access to the victim's account.
This bypasses traditional email security because the link points to a real Microsoft page and the sign-in happens on Microsoft's own servers; there is no fake login page for a filter to flag.
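To make the point about who ends up holding the token concrete, here is an added, constructed model of the OAuth 2.0 device authorization grant (RFC 8628). It is not Microsoft's code and not part of the original article; the verification URI, client id, scopes and token strings are stand-ins. It shows that the user who types the code into the genuine page never receives a token; the client that requested the code and is polling for it does.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional

# Added illustration: a constructed, in-memory model of the OAuth 2.0 device
# authorization grant (RFC 8628). It is not Microsoft's implementation and the
# URI, client id and token strings are stand-ins. Its only purpose is to show
# which party ends up holding the token after the user approves a code.


@dataclass
class DeviceAuth:
    device_code: str      # secret, held only by the client that started the flow
    user_code: str        # short code the user types into the verification page
    client_id: str
    scope: str
    expires_at: float
    approved_by: Optional[str] = None


class MockAuthServer:
    VERIFICATION_URI = "https://login.example.test/devicelogin"  # placeholder URI

    def __init__(self) -> None:
        self._by_device_code: Dict[str, DeviceAuth] = {}
        self._by_user_code: Dict[str, DeviceAuth] = {}

    def device_authorization(self, client_id: str, scope: str) -> dict:
        """Step 1: the client asks for a code pair. No user is involved yet."""
        auth = DeviceAuth(
            device_code=secrets.token_urlsafe(32),
            user_code="%04d-%04d" % (secrets.randbelow(10_000), secrets.randbelow(10_000)),
            client_id=client_id,
            scope=scope,
            expires_at=time.time() + 900,  # 15-minute lifetime, as is typical
        )
        self._by_device_code[auth.device_code] = auth
        self._by_user_code[auth.user_code] = auth
        # Only user_code and verification_uri are ever shown to a human.
        return {"device_code": auth.device_code, "user_code": auth.user_code,
                "verification_uri": self.VERIFICATION_URI, "expires_in": 900, "interval": 5}

    def user_approves(self, user_code: str, signed_in_user: str) -> bool:
        """Step 2: a user opens the genuine verification page, types the code and signs in.
        The page cannot show the user who requested the code or where that client runs."""
        auth = self._by_user_code.get(user_code)
        if auth is None or time.time() > auth.expires_at:
            return False
        auth.approved_by = signed_in_user
        return True

    def token(self, client_id: str, device_code: str) -> dict:
        """Step 3: the client polls the token endpoint. Once someone has approved the
        code, tokens for that account are returned to the polling client."""
        auth = self._by_device_code.get(device_code)
        if auth is None or auth.client_id != client_id:
            return {"error": "invalid_grant"}
        if time.time() > auth.expires_at:
            return {"error": "expired_token"}
        if auth.approved_by is None:
            return {"error": "authorization_pending"}
        return {"token_type": "Bearer", "scope": auth.scope,
                "access_token": "at-for-" + auth.approved_by,    # stand-in token
                "refresh_token": "rt-for-" + auth.approved_by}  # stand-in token


def run_flow(server: MockAuthServer, client_id: str, approving_user: str) -> dict:
    """Drive all three steps; return what the client that started the flow receives."""
    start = server.device_authorization(client_id, "Mail.Read offline_access")
    before = server.token(client_id, start["device_code"])  # nothing yet
    assert before == {"error": "authorization_pending"}
    server.user_approves(start["user_code"], approving_user)
    return server.token(client_id, start["device_code"])


if __name__ == "__main__":
    srv = MockAuthServer()
    result = run_flow(srv, "client-running-elsewhere", "alice@contoso.example")
    # The tokens are for alice, but they were delivered to the client, not to her browser.
    print(result)
```

The defensive takeaway is in step 2: the genuine verification page has no way to tell the user which client requested the code or where it is running, so the only place to stop an unwanted flow is policy (block the flow) or the user's own suspicion of an unexpected code.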
What you should do
- Block device code flow in Conditional Access for all users who do not need it. Most regular users never need it.
- Review MFA methods. Customers still using SMS or TOTP are most exposed. Accelerate the transition to FIDO2 keys or Passkeys.
- Monitor OAuth consent in Entra ID. Unusual app permissions may indicate compromised accounts.
- Run awareness training specifically about device code attacks. Most users have never seen this flow and do not know it can be abused.
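As an added example covering the first and third recommendations above (not HaggeBurger's code and not from Microsoft's post), the block below builds the request body for a Conditional Access policy that blocks the device code flow for everyone except an exclusion group, and runs a simple detection over constructed Entra sign-in records to surface successful device-code sign-ins by users who are not expected to use that flow. The policy shape follows the Microsoft Graph conditionalAccessPolicy resource and the sign-in fields follow the Graph signIn resource; the group id, users, IPs and error code are constructed placeholders.

```python
from typing import Iterable, List, FrozenSet

# Added example. The policy dict mirrors the Microsoft Graph conditionalAccessPolicy
# shape (conditions.authenticationFlows.transferMethods); the exclusion group id is a
# placeholder. The sign-in records are constructed to resemble Graph signIn objects.

BREAK_GLASS_GROUP_ID = "00000000-0000-0000-0000-000000000000"  # placeholder, replace


def device_code_block_policy(exclude_group_ids: Iterable[str] = (BREAK_GLASS_GROUP_ID,)) -> dict:
    """Request body for a Conditional Access policy that blocks the device code flow
    for all users and all apps, minus the listed exclusion groups (admins who really need it).
    Created in report-only mode so sign-in logs show what would be blocked before enforcing."""
    return {
        "displayName": "Block device code flow",
        "state": "enabledForReportingButNotEnforced",  # switch to "enabled" after review
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeGroups": list(exclude_group_ids)},
            "applications": {"includeApplications": ["All"]},
            "authenticationFlows": {"transferMethods": "deviceCodeFlow"},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }


# Constructed sign-in records (subset of Graph signIn fields), not real log data.
SAMPLE_SIGNINS: List[dict] = [
    {"id": "1", "userPrincipalName": "alice@contoso.example",
     "appDisplayName": "Microsoft Office", "authenticationProtocol": "deviceCode",
     "ipAddress": "203.0.113.10", "status": {"errorCode": 0}},
    {"id": "2", "userPrincipalName": "bob@contoso.example",
     "appDisplayName": "Outlook", "authenticationProtocol": "oAuth2",
     "ipAddress": "198.51.100.7", "status": {"errorCode": 0}},
    {"id": "3", "userPrincipalName": "carol@contoso.example",
     "appDisplayName": "Microsoft Azure CLI", "authenticationProtocol": "deviceCode",
     "ipAddress": "203.0.113.10", "status": {"errorCode": 50076}},  # constructed failed sign-in
]


def find_device_code_signins(signins: Iterable[dict],
                             allowed_upns: FrozenSet[str] = frozenset()) -> List[dict]:
    """Return successful device-code sign-ins by users not on the allow-list.
    Failed attempts (non-zero errorCode) are skipped; they are blocked or interrupted already."""
    hits = []
    for s in signins:
        if s.get("authenticationProtocol") != "deviceCode":
            continue
        if s.get("status", {}).get("errorCode", 0) != 0:
            continue
        if s.get("userPrincipalName") in allowed_upns:
            continue
        hits.append(s)
    return hits


if __name__ == "__main__":
    import json
    print(json.dumps(device_code_block_policy(), indent=2))
    for hit in find_device_code_signins(SAMPLE_SIGNINS):
        print("device-code sign-in to review:", hit["userPrincipalName"], hit["appDisplayName"], hit["ipAddress"])
```

Posting the policy body to the Graph conditional access policies endpoint with an account that has Policy.ReadWrite.ConditionalAccess is the step the recommendation describes; the detection function is a starting shape for a scheduled query over exported sign-in logs, where the allow-list holds the few admin accounts the exclusion group covers.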
How HaggeBurger can help
We can block device code flow as a quick fix (1-2 hours) and then plan a broader MFA upgrade to FIDO2/Passkeys. Need help? Contact us.
Source: Microsoft Security Blog — AI-enabled device code phishing campaign