What's happening in email security: April 6–13, 2026
Three separate threat actors ran adversary-in-the-middle campaigns in seven days. State actors, commercial PhaaS operators, and financially motivated criminals. AitM has graduated from sophisticated technique to standard issue. And this week, Microsoft documented what happens when AI-generated lures at scale are paired with a phishing flow that needs no credential capture at all: device code phishing.
Inside an AI-Enabled Device Code Phishing Campaign
Device code phishing abuses the OAuth 2.0 device authorization grant, a flow built for input-constrained devices that can't show a browser (smart TVs, printers). The device asks the identity provider for a short user code, the user visits a verification URL on another device, enters the code, signs in, and the pending device is handed a token. Attackers copied the mechanic into phishing emails: the attacker starts the flow, the target receives an email asking them to complete authentication with the supplied code, and they do. The attacker's client then receives a valid access token (and, in Microsoft's implementation, a refresh token) for the victim's account. No credentials are stolen and no MFA has to be intercepted; the user satisfies MFA themselves on Microsoft's genuine login page and authorizes the attacker's session directly. The one constraint on the attacker is timing, since a Microsoft device code expires after about 15 minutes.
Microsoft's Defender Security Research Team documented a campaign that layered two new capabilities on top of this known technique.
The infrastructure is where scale comes in. The threat actors used Railway.com, a cloud application-hosting platform, to spin up thousands of unique, short-lived polling nodes: the clients that request a device code and then poll Microsoft's token endpoint until the victim enters it. Each node is distinct enough to evade signature-based detection, and by the time one is fingerprinted, it is already gone.
The lure quality is the other half. Generative AI produced role-specific phishing emails based on each target's function. Finance targets got invoice lures. Procurement targets got RFP content. Manufacturing targets got workflow-themed emails. The AI isn't polishing grammar. It's generating contextually accurate content that reads like internal communications.
The combination changes the risk profile considerably. Commodity AI lures were already making content-based filtering harder. But previous campaigns still required users to enter credentials on a page that might trigger warnings or look suspicious. Device code phishing removes that friction. Users complete what looks like a routine authentication step. The OAuth flow handles the rest.
The lure themes (RFPs, invoices, vendor workflows) also pattern-match to how legitimate vendor emails arrive in inboxes. That's deliberate. This campaign targeted M365 environments across multiple industries, and it worked precisely because the lures fit naturally into normal business email contexts.
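Because the victim completes a genuine Microsoft sign-in, the email side leaves little to detect once the lure lands; the durable artifact is the sign-in itself. The script below is an added example (not code from the original post or from Microsoft) that triages an Entra ID sign-in export for successful device code flow sign-ins. Field names follow the Entra sign-in log schema, including `authenticationProtocol`, which Entra sets to `deviceCode` for this grant. The sample records, the expected-country set and the allowlisted-app set are constructed assumptions a real deployment would replace with its own.

```python
"""Triage Entra ID sign-in records for device code flow sign-ins.

Added example, not code from the original post or from Microsoft. Field names
follow the Entra sign-in log schema (createdDateTime, userPrincipalName,
appDisplayName, authenticationProtocol, ipAddress, location, status); the
records, expected countries and allowlisted apps below are constructed
assumptions for the demo.
"""
import json
from collections import defaultdict
from datetime import datetime

# Constructed sample export (JSON lines). Two users completed a device code
# sign-in from abroad while one of them was also signed in normally from GB;
# an admin used the device code flow from the Azure CLI, which is routine.
# Attackers usually start the flow under a Microsoft first-party client_id,
# so a familiar appDisplayName on its own is not a reassurance.
SAMPLE_SIGNINS = """\
{"createdDateTime":"2026-04-08T09:12:03Z","userPrincipalName":"ap@contoso.example","appDisplayName":"Microsoft Office","authenticationProtocol":"deviceCode","ipAddress":"198.51.100.23","location":{"countryOrRegion":"NL"},"status":{"errorCode":0}}
{"createdDateTime":"2026-04-08T09:14:40Z","userPrincipalName":"procurement@contoso.example","appDisplayName":"Microsoft Office","authenticationProtocol":"deviceCode","ipAddress":"203.0.113.7","location":{"countryOrRegion":"US"},"status":{"errorCode":0}}
{"createdDateTime":"2026-04-08T09:15:10Z","userPrincipalName":"ap@contoso.example","appDisplayName":"Outlook","authenticationProtocol":"authorizationCode","ipAddress":"192.0.2.44","location":{"countryOrRegion":"GB"},"status":{"errorCode":0}}
{"createdDateTime":"2026-04-08T09:20:00Z","userPrincipalName":"it-admin@contoso.example","appDisplayName":"Azure CLI","authenticationProtocol":"deviceCode","ipAddress":"192.0.2.10","location":{"countryOrRegion":"GB"},"status":{"errorCode":0}}
"""

EXPECTED_COUNTRIES = {"GB"}                                       # assumption
ALLOWLISTED_DEVICE_CODE_APPS = {"Azure CLI", "Azure PowerShell"}  # assumption
CORRELATION_WINDOW_SECONDS = 3600


def parse_signins(text):
    """Parse a JSON-lines sign-in export into dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def _ts(rec):
    return datetime.fromisoformat(rec["createdDateTime"].replace("Z", "+00:00"))


def is_successful_device_code(rec):
    return (rec.get("authenticationProtocol") == "deviceCode"
            and rec.get("status", {}).get("errorCode") == 0)


def suspicious_device_code_signins(records, expected_countries=EXPECTED_COUNTRIES,
                                   allowlisted_apps=ALLOWLISTED_DEVICE_CODE_APPS):
    """Return [(upn, [reasons])] for device code sign-ins worth an analyst's look.

    A successful device code sign-in is flagged when the client app is not one
    the org uses that way, the country is unexpected, or the same user also
    signed in through another protocol from a different IP inside the
    correlation window. That last pattern (user at their desk, "device"
    somewhere else) is exactly what the phishing flow produces.
    """
    by_user = defaultdict(list)
    for rec in records:
        by_user[rec["userPrincipalName"]].append(rec)

    findings = []
    for rec in records:
        if not is_successful_device_code(rec):
            continue
        reasons = []
        app = rec.get("appDisplayName")
        if app not in allowlisted_apps:
            reasons.append(f"device code flow via non-allowlisted app {app!r}")
        country = rec.get("location", {}).get("countryOrRegion")
        if country not in expected_countries:
            reasons.append(f"sign-in from unexpected country {country}")
        t = _ts(rec)
        for other in by_user[rec["userPrincipalName"]]:
            if other is rec or other.get("authenticationProtocol") == "deviceCode":
                continue
            close_in_time = abs((t - _ts(other)).total_seconds()) <= CORRELATION_WINDOW_SECONDS
            if close_in_time and other.get("ipAddress") != rec.get("ipAddress"):
                reasons.append(f"concurrent non-device-code sign-in from {other.get('ipAddress')}")
                break
        if reasons:
            findings.append((rec["userPrincipalName"], reasons))
    return findings


if __name__ == "__main__":
    for upn, reasons in suspicious_device_code_signins(parse_signins(SAMPLE_SIGNINS)):
        print(upn)
        for r in reasons:
            print("  -", r)
```

On the constructed sample this flags the AP and procurement users and leaves the admin's Azure CLI sign-in alone. Detection like this is for accounts that genuinely need the flow; for everyone else the durable control is to block the device code flow outright with the Conditional Access authentication flows condition, so the phish has nothing to complete.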
Iran-Linked Password-Spraying Campaign Targets 300+ Israeli Microsoft 365 Organizations
Gray Sandstorm, an Iran-nexus threat actor, ran three waves of password spraying against Microsoft 365 in March 2026, on the 3rd, 13th, and 23rd. The cadence is deliberate. Trying a few common passwords across many accounts at low frequency stays under the per-account lockout and rate-limit thresholds that a targeted brute force would trip.
300+ Israeli organizations were targeted, plus 25 in the UAE. Sectors include government, municipalities, technology, transportation, and energy. Traffic ran through Tor exit nodes and VPN endpoints in AS35758.
Once in, the actor exfiltrated mailbox content. This is intelligence collection. The inbox was the objective, not a stepping stone.
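The spray pattern described above is visible in sign-in failures if you aggregate by source rather than by account: many distinct users, very few attempts each, often rotated across several IPs in the same network. The script below is an added example (not from the original post or from Microsoft) that implements that aggregation over an Entra ID sign-in export. It uses the schema's `autonomousSystemNumber` field and the result codes 50126 (invalid username or password) and 50074/50076 (password accepted, sign-in stopped at the MFA challenge). The sample records are constructed; the ASN is the one the post cites, the IPs are documentation ranges, and the thresholds are starting points rather than tuned values.

```python
"""Low-and-slow password spray detection over Entra ID sign-in failures.

Added example, not from the original post or from Microsoft. Field names follow
the Entra sign-in log schema. Sample records are constructed; thresholds are
assumptions to tune against real volume.
"""
import json
from collections import defaultdict
from datetime import datetime

WRONG_PASSWORD_CODES = {50126}        # invalid username or password
MFA_STOPPED_CODES = {50074, 50076}    # password was right; stopped at MFA

# Constructed sample: six accounts, one attempt each, rotated across three IPs
# in AS35758 over four hours (the last one got the password right); a noisy
# brute force against one account from another network; one ordinary typo.
SAMPLE_FAILURES = """\
{"createdDateTime":"2026-03-03T02:00:00Z","userPrincipalName":"alice@gov.example","ipAddress":"203.0.113.5","autonomousSystemNumber":35758,"status":{"errorCode":50126}}
{"createdDateTime":"2026-03-03T02:48:00Z","userPrincipalName":"bob@gov.example","ipAddress":"203.0.113.5","autonomousSystemNumber":35758,"status":{"errorCode":50126}}
{"createdDateTime":"2026-03-03T03:30:00Z","userPrincipalName":"carol@gov.example","ipAddress":"203.0.113.6","autonomousSystemNumber":35758,"status":{"errorCode":50126}}
{"createdDateTime":"2026-03-03T04:15:00Z","userPrincipalName":"dave@gov.example","ipAddress":"203.0.113.6","autonomousSystemNumber":35758,"status":{"errorCode":50126}}
{"createdDateTime":"2026-03-03T05:02:00Z","userPrincipalName":"erin@gov.example","ipAddress":"203.0.113.7","autonomousSystemNumber":35758,"status":{"errorCode":50126}}
{"createdDateTime":"2026-03-03T06:00:00Z","userPrincipalName":"frank@gov.example","ipAddress":"203.0.113.7","autonomousSystemNumber":35758,"status":{"errorCode":50076}}
{"createdDateTime":"2026-03-03T02:10:00Z","userPrincipalName":"ceo@gov.example","ipAddress":"198.51.100.9","autonomousSystemNumber":64500,"status":{"errorCode":50126}}
{"createdDateTime":"2026-03-03T02:10:05Z","userPrincipalName":"ceo@gov.example","ipAddress":"198.51.100.9","autonomousSystemNumber":64500,"status":{"errorCode":50126}}
{"createdDateTime":"2026-03-03T02:10:09Z","userPrincipalName":"ceo@gov.example","ipAddress":"198.51.100.9","autonomousSystemNumber":64500,"status":{"errorCode":50126}}
{"createdDateTime":"2026-03-03T08:30:00Z","userPrincipalName":"alice@gov.example","ipAddress":"192.0.2.20","autonomousSystemNumber":64501,"status":{"errorCode":50126}}
"""


def parse_signins(text):
    """Parse a JSON-lines sign-in export into dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def _ts(rec):
    return datetime.fromisoformat(rec["createdDateTime"].replace("Z", "+00:00"))


def detect_password_spray(records, group_by="autonomousSystemNumber",
                          min_users=5, max_per_user=2):
    """Return {source: summary} for sources whose failures look like a spray.

    Spray signature: one source touches many distinct accounts with very few
    attempts each. Grouping by ASN rather than IP catches sprays rotated across
    Tor exits or VPN endpoints inside one network. A single account hit many
    times from one source is brute force, a different rule, and is not returned.
    """
    groups = defaultdict(list)
    for rec in records:
        code = rec.get("status", {}).get("errorCode")
        if code in WRONG_PASSWORD_CODES or code in MFA_STOPPED_CODES:
            groups[rec.get(group_by)].append(rec)

    findings = {}
    for source, recs in groups.items():
        per_user = defaultdict(int)
        hits = set()
        for rec in recs:
            upn = rec["userPrincipalName"]
            per_user[upn] += 1
            if rec["status"]["errorCode"] in MFA_STOPPED_CODES:
                hits.add(upn)
        if len(per_user) < min_users or max(per_user.values()) > max_per_user:
            continue
        times = sorted(_ts(r) for r in recs)
        findings[source] = {
            "distinct_users": len(per_user),
            "attempts": len(recs),
            "span_hours": round((times[-1] - times[0]).total_seconds() / 3600, 1),
            "source_ips": sorted({r["ipAddress"] for r in recs}),
            "valid_password_users": sorted(hits),   # reset these first
        }
    return findings


if __name__ == "__main__":
    for source, summary in detect_password_spray(parse_signins(SAMPLE_FAILURES)).items():
        print(f"AS{source}: {summary}")
```

Two practitioner notes. First, a 50074/50076 result is not a failure from the attacker's point of view: the password was accepted and only MFA stood in the way, so those accounts need a reset before the next wave. Second, with waves ten days apart, a query window of an hour or a day sees nothing; run the aggregation over weeks and key it on ASN or a Tor exit list, not on individual IPs.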
APT28 Deploys PRISMEX Malware in Spear-Phishing Campaign Targeting Ukraine and NATO Allies
This isn't APT28's first appearance in this roundup. [Six weeks ago we covered Operation MacroMaze](https://redsift.com/email-security-weekly/002), which used webhook.site as C2 via INCLUDEPICTURE fields in Office documents. PRISMEX is different tooling, same playbook.
APT28 has been running this particular campaign since September 2025 using a previously undocumented malware suite. Initial access comes via macro-enabled Microsoft Office documents, targeting Ukraine's government, defense, and emergency services, as well as organizations in Poland, Romania, Slovakia, and the Czech Republic.
PRISMEX has multiple components for staging, dropping, and persistence. The component most directly relevant to email security teams is MiniDoor, an Outlook-specific credential and data stealer. The campaign also weaponized CVE-2026-21509 and CVE-2026-21513 rapidly after their disclosure. C2 runs through Filen.io, a legitimate cloud storage service being abused to blend into normal traffic.
A destructive wiper payload is also present, which separates this from pure intelligence collection.
SOHO Router Compromise Enables DNS Hijacking and Adversary-in-the-Middle Attacks Against Microsoft 365
Forest Blizzard (Microsoft's name for APT28) exploited known vulnerabilities in end-of-life MikroTik and TP-Link routers to rewrite their DNS settings to point at attacker-controlled servers. Those servers then intercepted Microsoft OAuth token flows across 18,000+ networks, capturing valid session tokens after MFA had been satisfied, without deploying any malware. 200+ organizations and 5,000+ consumer devices were affected.
The detail worth noting: after the UK's NCSC published an advisory in August 2025 about Forest Blizzard's earlier malware-based router compromise, the group pivoted the very next day. They dropped the malware approach and switched to mass DNS modification at scale. The NCSC report didn't stop the campaign. It expanded it.
- FBI and Indonesian Police Dismantle W3LL Phishing Network Behind $20M Fraud Attempts
The developer of the W3LL AitM phishing kit was detained in Indonesia; the $500 platform harvested MFA-bypassing session cookies from 17,000+ Microsoft 365 victims between 2019 and 2023.
- Storm-2755: "Payroll Pirate" AitM Attacks Targeting Canadian Employees
A financially motivated threat actor combined payroll-themed phishing with AitM techniques to compromise Canadian employee accounts and bypass MFA, with suspected payroll diversion as the objective.
- UAT-10362 Targets Taiwanese NGOs with LucidRook Malware in Spear-Phishing Campaigns
A previously undocumented threat cluster used archive-based spear-phishing lures to deploy LucidRook malware against Taiwanese NGOs, including a dedicated Gmail exfiltration component called LucidKnight.
- Booking.com Confirms Hackers Accessed Customers' Data
The travel platform disclosed unauthorized access to customer names, email addresses, and phone numbers, creating a ready-made targeting list for follow-on spoofed Booking.com phishing campaigns.