Phishing Alert: Rise of Device Code Phishing Attacks on Microsoft 365 Accounts

A new phishing attack is targeting Microsoft 365 accounts by tricking users into giving attackers access to their accounts. The attack, which is linked to Russian hackers, involves sending fake messages that ask users to enter a code on a legitimate Microsoft login page. Once a user enters the code, the attackers bypass security checks like Multi-Factor Authentication (MFA) and gain access to the user's Microsoft 365 account.

The incident

Cyber criminals are exploiting a legitimate Microsoft feature called device code authentication to bypass extra security checks like Multi-Factor Authentication (MFA). Normally, this feature is used on devices with limited input options (like smart TVs or game consoles), where users enter a code displayed on the device into a web page to authenticate. Since 2024, attackers have been making use of the device code feature to bypass security.

The attackers primarily use WhatsApp, Microsoft Teams, and email to send urgent messages, often disguised as meeting invitations or system updates. Victims are asked to enter a device code on a real Microsoft login page; the request seems legitimate, but the code is actually used to hijack their accounts. Once the victim enters the code, attackers bypass MFA security and gain unauthorized access to sensitive organizational data.

How to spot the phishing email?

[Infographic: Phish Alert 4, Device code phishing]

Impact of the incident

This campaign has been significantly active since January 2025, impacting organizations across various sectors, including government, healthcare, education, and technology. The attack is particularly concerning due to the legitimate nature of the login process, making it difficult for traditional security measures to detect and prevent. Victims of this attack face the risk of data breaches, identity theft, and unauthorized access to sensitive systems.

How to stay safe?

  • Monitor device code requests: Be cautious when asked to enter a device code on any login page. Confirm the source and legitimacy before proceeding.
  • Monitor unauthorized logins: Periodically monitor for any unauthorized access attempts and alert your IT team if anything unusual is detected.
  • Look out for urgency: If an email says something is urgent (like “expires in 15 minutes”), take a moment to verify before acting.
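
For the IT team that receives those reports, one way to carry out the "monitor unauthorized logins" step is to review successful sign-ins that used the device code flow. The sketch below is an added example, not code from the source article or from Microsoft; the JSON field names (`authenticationProtocol`, `status.errorCode`, and so on), the allowlist of expected accounts, and the sample records are assumptions constructed for illustration.

```python
import json

# Constructed sample sign-in records (JSON lines); not real log data.
# Field names are assumed; map them to your own sign-in log export.
SAMPLE_LOG = """\
{"createdDateTime": "2025-02-03T09:14:02Z", "userPrincipalName": "alice@example.com", "authenticationProtocol": "none", "ipAddress": "198.51.100.10", "status": {"errorCode": 0}}
{"createdDateTime": "2025-02-03T09:20:41Z", "userPrincipalName": "tv-lobby@example.com", "authenticationProtocol": "deviceCode", "ipAddress": "198.51.100.20", "status": {"errorCode": 0}}
{"createdDateTime": "2025-02-03T10:02:17Z", "userPrincipalName": "Bob@example.com", "authenticationProtocol": "deviceCode", "ipAddress": "203.0.113.77", "status": {"errorCode": 0}}
{"createdDateTime": "2025-02-03T10:05:55Z", "userPrincipalName": "carol@example.com", "authenticationProtocol": "deviceCode", "ipAddress": "203.0.113.77", "status": {"errorCode": 1}}
this line is truncated {"createdDateTime":
"""


def flag_device_code_signins(log_text, expected_users=()):
    """Return successful device-code sign-ins by accounts not expected to use that flow."""
    expected = {u.lower() for u in expected_users}
    flagged = []
    for line in log_text.splitlines():
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip blank or malformed lines instead of aborting the scan
        if not isinstance(rec, dict):
            continue
        if str(rec.get("authenticationProtocol", "")).lower() != "devicecode":
            continue  # some other sign-in method; out of scope for this check
        if (rec.get("status") or {}).get("errorCode") != 0:
            continue  # nonzero code: the sign-in did not succeed
        user = str(rec.get("userPrincipalName", "")).lower()
        if user in expected:
            continue  # e.g. a shared-screen account that legitimately uses device codes
        flagged.append({"time": rec.get("createdDateTime"), "user": user, "ip": rec.get("ipAddress")})
    return flagged


if __name__ == "__main__":
    for hit in flag_device_code_signins(SAMPLE_LOG, expected_users={"tv-lobby@example.com"}):
        print(f"REVIEW {hit['time']} {hit['user']} device-code sign-in from {hit['ip']}")
```

Each flagged entry is a prompt to ask the user whether they were recently asked to enter a code, not proof of compromise.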

Source

Multiple Russian Actors Attacking Orgs To Hack Microsoft 365 Accounts via Device Code Authentication
