---
title: "Device Code Phishing, iOS 18 Relief, Global Fraud Disrupted | DMARC Report"
description: "Microsoft device code phishing hits 15+ campaigns daily targeting hundreds of orgs, Apple patches iOS 18 DarkSword flaw, and Delhi police bust $36M fraud ring."
image: "https://dmarcreport.com/og/blog/device-code-phishing-ios-18-relief-global-fraud-disrupted.png"
canonical: "https://dmarcreport.com/blog/device-code-phishing-ios-18-relief-global-fraud-disrupted/"
---

Quick Answer

Microsoft device code phishing campaigns are launching 10 to 15 unique attacks daily, targeting hundreds of organizations across global sectors since March 2026\. Simultaneously, Apple patched the DarkSword vulnerability for iOS 18 users, and Indian authorities disrupted a $36 million global cyber fraud syndicate operating through fake investment platforms.

Related: [Free DMARC Checker](/tools/dmarc-checker/) 

Share 

[ ](https://www.linkedin.com/sharing/share-offsite/?url=undefined%2Fblog%2Fdevice-code-phishing-ios-18-relief-global-fraud-disrupted%2F "Share on LinkedIn") [ ](https://twitter.com/intent/tweet?text=Device%20Code%20Phishing%2C%20iOS%2018%20Relief%2C%20Global%20Fraud%20Disrupted&url=undefined%2Fblog%2Fdevice-code-phishing-ios-18-relief-global-fraud-disrupted%2F "Share on X/Twitter") [ ](https://www.facebook.com/sharer/sharer.php?u=undefined%2Fblog%2Fdevice-code-phishing-ios-18-relief-global-fraud-disrupted%2F "Share on Facebook") [ ](https://reddit.com/submit?url=undefined%2Fblog%2Fdevice-code-phishing-ios-18-relief-global-fraud-disrupted%2F&title=Device%20Code%20Phishing%2C%20iOS%2018%20Relief%2C%20Global%20Fraud%20Disrupted "Share on Reddit") [ ](mailto:?subject=Device%20Code%20Phishing%2C%20iOS%2018%20Relief%2C%20Global%20Fraud%20Disrupted&body=Check out this article: undefined%2Fblog%2Fdevice-code-phishing-ios-18-relief-global-fraud-disrupted%2F "Share via Email") 

![Device Code Phishing, iOS 18 Relief, Global Fraud Disrupted](https://media.mailhop.org/dmarcreport/images/2022/04/dmarc-report-4236.jpg) 

Recent cybersecurity incidents highlight escalating threats across multiple attack vectors. Microsoft device code phishing campaigns are targeting hundreds of organizations daily, Apple has extended critical DarkSword security patches to iOS 18 users, Indian authorities dismantled a $36 million global fraud ring, and a new LinkedIn phishing campaign is exploiting job seekers. According to Verizon’s 2024 DBIR, phishing remains involved in over 36% of confirmed data breaches, underscoring why email authentication protocols like [DMARC](/what-is-dmarc/) are essential for every organization.

## How Are Microsoft Device Code Phishing Attacks Exploiting Organizations?

A new phishing campaign involving Microsoft device codes and AI automation is successfully breaking into corporate email inboxes. Tanmay Ganacharya, VP of Security Research at Microsoft, confirmed that approximately 10 to 15 unique campaigns launch daily, a pattern sustained since March 15, 2026\. Threat actors are leveraging each campaign to target hundreds of organizations across different global sectors and niches.

![Financial Sector Phishing Impact](https://media.mailhop.org/dmarcreport/images/2026/04/gmail-dmarc-9620.jpg)

The finance sector is the hardest hit by these attacks. Because each campaign varies in its approach, pattern-based detection is proving inefficient at identifying and blocking the threats. While no specific threat group has been attributed, the tactics and patterns closely resemble [EvilTokens](https://www.mnemonic.io/resources/blog/eviltokens-from-device-codes-to-token-theft/), a high-efficiency Microsoft device code phishing kit that gained popularity in mid-February 2026\. EvilTokens is specifically designed to bypass Multi-Factor Authentication (MFA) systems, making it particularly dangerous.

Microsoft recommends blocking device code flow wherever possible. Organizations should also conduct regular employee training to help staff recognize phishing techniques. Protocols like [DMARC (Domain-based Message Authentication, Reporting, and Conformance)](/what-is-dmarc/) help authenticate emails and prevent spoofing, providing an additional layer of defense against phishing campaigns that impersonate trusted senders.

## Why Did Apple Patch iOS 18 for the DarkSword Vulnerability?

For users who are unable or unwilling to update their iPhones to iOS 26, Apple delivered significant relief by patching the DarkSword vulnerability for iOS 18 users. This marks an unusual move: previously, Apple did not offer security patches to users who had not upgraded to the latest iOS version. The decision reflects the severity of the DarkSword exploit.

![iOS Vulnerability Patch](https://media.mailhop.org/dmarcreport/images/2026/04/dmarc-record-1410.jpg)

A similar precedent occurred in 2025 when security researchers discovered Coruna, a government-grade exploit kit. Apple patched all 23 associated vulnerabilities for iOS versions 13 through 17.2.1\. This time, with DarkSword, Apple again extended the security fix to every iOS 18 user, signaling the threat’s gravity. Cybersecurity experts emphasize that if Apple is treating DarkSword with this level of urgency, users should understand the situation’s severity and remain vigilant about updating their devices promptly.

## How Was the $36 Million Global Cyber Fraud Syndicate Disrupted?

Delhi Police dismantled a major global cyber fraud ring responsible for scams worth $36 million, with over 2,000 complaints filed against the syndicate. Authorities arrested the mastermind, Karan Kajaria, along with 10 other members of the highly organized network that operated across multiple Indian states with direct connections to international cyber fraud operations.

![Cyber Fraud Network Disrupted](https://media.mailhop.org/dmarcreport/images/2026/04/cyber-fraud-syndicate-dismantled.png)

The syndicate created fake investment and messaging platforms to lure victims. They deployed malicious applications to capture one-time passwords (OTPs) and sensitive banking data from targets. To conceal money trails, the group routed stolen funds through an intricate web of mule bank accounts and shell companies. This case illustrates how sophisticated cybercriminal networks have become, reinforcing the need for robust authentication protocols at every level.

## How Are Threat Actors Exploiting LinkedIn for Phishing Attacks?

LinkedIn is increasingly becoming a popular hunting ground for phishing attacks. A new campaign targets users through LinkedIn notification emails, often disguised as job opportunities. Threat actors exploit the desperation and curiosity of job seekers, using emotional triggers to bypass caution and drive clicks on malicious links. According to Google’s 2024 bulk sender requirements, domains sending over 5,000 messages per day must implement [DMARC](/what-is-dmarc/), [SPF (Sender Policy Framework)](/what-is-spf/), and [DKIM (DomainKeys Identified Mail)](/what-is-dkim/) to prevent exactly this type of impersonation.

![2026 Global Cyber Security Trends](https://media.mailhop.org/dmarcreport/images/2026/04/dmarc-record-generator-2640.jpg)

These phishing messages impersonate reputable companies and influential decision-makers, carrying the correct logos, branding assets, and formatting to appear credible. Cybersecurity experts advise LinkedIn users to verify sender authenticity before clicking any link and to be wary of unexpected notifications. Automated threat detection and human intelligence must work together to identify and neutralize these threats in real time.

Organizations should deploy email authentication protocols --- DMARC, [DKIM](/what-is-dkim/), and [SPF](/what-is-spf/) \--- to authenticate outbound emails, prevent domain spoofing, and protect their brand from phishing attacks. An upgraded antivirus solution and a strong firewall provide additional defense against social media-based phishing. Regularly [checking your DMARC configuration](/tools/dmarc-checker/) ensures your domain stays protected as threats evolve.

## Topics

[ DMARC ](/tags/dmarc/)[ phishing ](/tags/phishing/)[ cybersecurity ](/tags/cybersecurity/)[ email security ](/tags/email-security/)[ device code phishing ](/tags/device-code-phishing/) 

![Brad Slavin](https://media.mailhop.org/dmarcreport/images/team/brad-slavin.jpg) 

[ Brad Slavin ](/authors/brad-slavin/) 

General Manager

Founder and General Manager of DuoCircle. Product strategy and commercial lead for DMARC Report's 2,000+ customer base.

[LinkedIn Profile →](https://www.linkedin.com/in/bradslavin) 

## Take control of your DMARC reports

Turn raw XML into actionable dashboards. Start free - no credit card required.

[Start Free Trial](https://app.dmarcreport.com/) [Check Your DMARC Record](/tools/dmarc-checker/) 

## Related Articles

[  Intermediate 8m  Best DMARC Reporting Tools in 2026: Honest Comparison  Mar 25, 2026 ](/blog/best-dmarc-reporting-tools-2026/)[  Intermediate 8m  Decoding I-Tag DKIM Vulnerability and Its Impact on Email Deliverability and Security  Jun 6, 2024 ](/blog/decoding-i-tag-dkim-vulnerability-and-its-impact-on-email-security/)[  Intermediate 4m  DKIM Key Rotation Best Practices: Here's What Large Organizations Should Know  Apr 8, 2026 ](/blog/dkim-key-rotation-best-practices-for-large-organizations-should-know/)[  Intermediate 8m  dmarcian Alternatives for DMARC Monitoring in 2026  Mar 31, 2026 ](/blog/dmarcian-alternatives-dmarc-monitoring-2026/)

```json
{"@context":"https://schema.org","@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138898167","name":"DMARC Report","url":"https://dmarcreport.com","logo":{"@type":"ImageObject","url":"https://dmarcreport.com/images/dmarcreport-logo.png"},"description":"DMARC reporting and email authentication management. Monitor aggregate and forensic DMARC reports, analyze authentication results, and enforce DMARC policies across all your domains.","parentOrganization":{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138883901","name":"DuoCircle LLC","url":"https://www.duocircle.com","sameAs":["https://www.wikidata.org/wiki/Q138883901","https://www.crunchbase.com/organization/duocircle-llc","https://www.linkedin.com/company/duocircle","https://github.com/duocircle"],"subOrganization":[{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138898167","name":"DMARC Report","url":"https://dmarcreport.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897474","name":"AutoSPF","url":"https://autospf.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897912","name":"Phish Protection","url":"https://www.phishprotection.com"}]},"sameAs":["https://www.wikidata.org/wiki/Q138898167","https://www.linkedin.com/company/duocircle","https://x.com/duocirclellc","https://www.g2.com/products/dmarc-report/reviews","https://github.com/duocircle","https://www.crunchbase.com/organization/duocircle-llc","https://www.trustradius.com/products/duocircle/reviews"],"aggregateRating":{"@type":"AggregateRating","ratingValue":"4.8","reviewCount":"470","bestRating":"5","worstRating":"1","url":"https://www.g2.com/products/dmarc-report/reviews"},"contactPoint":{"@type":"ContactPoint","contactType":"customer support","url":"https://dmarcreport.com/support/"},"knowsAbout":["DMARC","DMARC Reporting","DMARC Aggregate Reports","DMARC Forensic Reports","Sender Policy Framework","DKIM","Email Authentication","Email Security","DNS Management","Email Deliverability"]}
```

```json
{"@context":"https://schema.org","@type":"WebSite","name":"DMARC Report","url":"https://dmarcreport.com","description":"DMARC reporting and email authentication management. Monitor aggregate and forensic DMARC reports, analyze authentication results, and enforce DMARC policies across all your domains.","publisher":{"@type":"Organization","name":"DMARC Report","url":"https://dmarcreport.com","logo":{"@type":"ImageObject","url":"https://dmarcreport.com/images/dmarcreport-logo.png"},"description":"DMARC reporting and email authentication management. Monitor aggregate and forensic DMARC reports, analyze authentication results, and enforce DMARC policies across all your domains.","parentOrganization":{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138883901","name":"DuoCircle LLC","url":"https://www.duocircle.com","sameAs":["https://www.wikidata.org/wiki/Q138883901","https://www.crunchbase.com/organization/duocircle-llc","https://www.linkedin.com/company/duocircle","https://github.com/duocircle"],"subOrganization":[{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138898167","name":"DMARC Report","url":"https://dmarcreport.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897474","name":"AutoSPF","url":"https://autospf.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897912","name":"Phish Protection","url":"https://www.phishprotection.com"}]}}}
```

```json
[{"@context":"https://schema.org","@type":"BlogPosting","headline":"Device Code Phishing, iOS 18 Relief, Global Fraud Disrupted","description":"Microsoft device code phishing hits 15+ campaigns daily targeting hundreds of orgs, Apple patches iOS 18 DarkSword flaw, and Delhi police bust $36M fraud ring.","url":"https://dmarcreport.com/blog/device-code-phishing-ios-18-relief-global-fraud-disrupted/","datePublished":"2026-04-09T11:15:58.000Z","dateModified":"2026-04-16T15:53:43.000Z","dateCreated":"2026-04-09T11:15:58.000Z","author":{"@type":"Person","@id":"https://dmarcreport.com/authors/brad-slavin/#person","name":"Brad Slavin","url":"https://dmarcreport.com/authors/brad-slavin/","jobTitle":"General Manager","description":"Brad Slavin is the founder and General Manager of DuoCircle, the company behind DMARC Report, AutoSPF, Phish Protection, and Mailhop. He founded DuoCircle in 2014 and has led the company's growth to 2,000+ customers across its email security product family. Brad's focus is product strategy, customer relationships, and the commercial and compliance side of email authentication (DPAs, SLAs, enterprise procurement).","image":"https://media.mailhop.org/dmarcreport/images/team/brad-slavin.jpg","knowsAbout":["Email Security Strategy","SaaS Product Management","Enterprise Compliance","Customer Success","Email Deliverability Business"],"worksFor":{"@type":"Organization","name":"DMARC Report","url":"https://dmarcreport.com"},"sameAs":["https://www.linkedin.com/in/bradslavin"]},"publisher":{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138898167","name":"DMARC Report","url":"https://dmarcreport.com","logo":{"@type":"ImageObject","url":"https://dmarcreport.com/images/dmarcreport-logo.png"},"description":"DMARC reporting and email authentication management. Monitor aggregate and forensic DMARC reports, analyze authentication results, and enforce DMARC policies across all your domains.","parentOrganization":{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138883901","name":"DuoCircle LLC","url":"https://www.duocircle.com","sameAs":["https://www.wikidata.org/wiki/Q138883901","https://www.crunchbase.com/organization/duocircle-llc","https://www.linkedin.com/company/duocircle","https://github.com/duocircle"],"subOrganization":[{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138898167","name":"DMARC Report","url":"https://dmarcreport.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897474","name":"AutoSPF","url":"https://autospf.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897912","name":"Phish Protection","url":"https://www.phishprotection.com"}]},"sameAs":["https://www.wikidata.org/wiki/Q138898167","https://www.linkedin.com/company/duocircle","https://x.com/duocirclellc","https://www.g2.com/products/dmarc-report/reviews","https://github.com/duocircle","https://www.crunchbase.com/organization/duocircle-llc","https://www.trustradius.com/products/duocircle/reviews"],"aggregateRating":{"@type":"AggregateRating","ratingValue":"4.8","reviewCount":"470","bestRating":"5","worstRating":"1","url":"https://www.g2.com/products/dmarc-report/reviews"},"contactPoint":{"@type":"ContactPoint","contactType":"customer support","url":"https://dmarcreport.com/support/"},"knowsAbout":["DMARC","DMARC Reporting","DMARC Aggregate Reports","DMARC Forensic Reports","Sender Policy Framework","DKIM","Email Authentication","Email Security","DNS Management","Email Deliverability"]},"mainEntityOfPage":{"@type":"WebPage","@id":"https://dmarcreport.com/blog/device-code-phishing-ios-18-relief-global-fraud-disrupted/"},"articleSection":"intermediate","keywords":"DMARC, phishing, cybersecurity, email security, device code phishing","wordCount":758,"image":{"@type":"ImageObject","url":"https://media.mailhop.org/dmarcreport/images/2022/04/dmarc-report-4236.jpg","caption":"Device Code Phishing, iOS 18 Relief, Global Fraud Disrupted","width":900,"height":600},"speakable":{"@type":"SpeakableSpecification","cssSelector":[".answer-block","h1"]}}]
```

```json
{"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https://dmarcreport.com/"},{"@type":"ListItem","position":2,"name":"Blog","item":"https://dmarcreport.com/blog/"},{"@type":"ListItem","position":3,"name":"Intermediate","item":"https://dmarcreport.com/intermediate/"},{"@type":"ListItem","position":4,"name":"Device Code Phishing, iOS 18 Relief, Global Fraud Disrupted","item":"https://dmarcreport.com/blog/device-code-phishing-ios-18-relief-global-fraud-disrupted/"}]}
```