AI Fuels Sophisticated Device Code Phishing Attacks

Pentesting News is flagging a concerning trend: threat actors are leveraging AI to pull off highly convincing device code phishing campaigns. These attacks exploit the legitimate device authorization mechanism used by services like Microsoft 365, Google, and others. The core of the scam involves tricking users into visiting a fake Microsoft login page, where they’re prompted to enter a code displayed on their own device. This code, typically a multi-digit string, is meant to confirm that the user is physically present and authorizing a new device login. However, in this phishing scenario, the code is actually a one-time password (OTP) used to complete the attacker’s fraudulent sign-in process.

What makes this particularly nasty is AI’s role in generating legitimate-looking phishing pages and potentially even crafting more convincing lures. Pentesting News points out that by automating parts of the attack chain, adversaries can scale these operations and increase their success rate. The attackers are essentially hijacking the trust users place in familiar authorization flows, making it harder to spot the deception. This isn’t just about fake login pages anymore; it’s about subverting trusted, multi-factor authentication steps.

What This Means For You

  • Security teams should educate users specifically on the device code authorization process, emphasizing that legitimate prompts for these codes should *only* appear when a user is actively initiating a new device login, and that the codes should *never* be shared proactively or entered on a page reached via a suspicious link.
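
Because a device code prompt is legitimate only when the user started a device login, most accounts should never complete a device-code sign-in, and that can be checked in sign-in logs. The sketch below is an added example, not code from the original article or from Pentesting News. The field names, the flattened `status` value and the allowlist are assumptions modelled on a Microsoft Entra sign-in log export.

```python
import json

# Constructed sample records, not real logs. Field names are an assumption
# modelled on a Microsoft Entra sign-in log export; map them to your schema.
SAMPLE_LOG = """
{"createdDateTime":"2025-01-10T08:01:00Z","userPrincipalName":"kiosk@example.com","authenticationProtocol":"deviceCode","status":"success"}
{"createdDateTime":"2025-01-10T09:15:00Z","userPrincipalName":"alice@example.com","authenticationProtocol":"oAuth2","status":"success"}
{"createdDateTime":"2025-01-10T09:42:00Z","userPrincipalName":"alice@example.com","authenticationProtocol":"deviceCode","status":"success"}
this line is truncated {"createdDateTime":
{"createdDateTime":"2025-01-10T10:05:00Z","userPrincipalName":"bob@example.com","authenticationProtocol":"deviceCode","status":"failure"}
{"createdDateTime":"2025-01-10T11:30:00Z","userPrincipalName":"Alice@example.com","authenticationProtocol":"deviceCode","status":"success"}
"""

# Hypothetical allowlist: accounts expected to use the device code flow
# (shared displays, headless hosts, CLI administrators).
EXPECTED_DEVICE_CODE_USERS = {"kiosk@example.com"}


def parse(log_text):
    """Yield one dict per JSON line, skipping blank and malformed lines."""
    for line in log_text.splitlines():
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(rec, dict):
            yield rec


def flag_device_code_signins(log_text, expected=EXPECTED_DEVICE_CODE_USERS):
    """Return (time, user, severity, reason) for unexpected device-code sign-ins."""
    seen, alerts = set(), []
    records = sorted(parse(log_text), key=lambda r: str(r.get("createdDateTime")))
    for rec in records:
        if str(rec.get("authenticationProtocol")).lower() != "devicecode":
            continue
        user = str(rec.get("userPrincipalName")).lower()
        if user in expected:
            continue
        # A completed sign-in means a token was issued; a failure is still a lead.
        severity = "high" if rec.get("status") == "success" else "medium"
        reason = "repeat use" if user in seen else "first device-code sign-in"
        seen.add(user)
        alerts.append((rec.get("createdDateTime"), user, severity, reason))
    return alerts


if __name__ == "__main__":
    for alert in flag_device_code_signins(SAMPLE_LOG):
        print(*alert, sep="  ")
```

Keep the allowlist short and review it regularly, since every entry is an account the check will never alert on.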
