February 26th, 2025
Contributor: Aleena Jibin
Cybercriminals are exploiting a legitimate Microsoft feature called device code authentication to bypass extra security checks like Multi-Factor Authentication (MFA). Normally, this feature is used on devices with limited input options (like smart TVs or game consoles), where users enter a code displayed on the device into a web page to authenticate. Since 2024, attackers have been abusing the device code feature to bypass security.
The attackers primarily use WhatsApp, Microsoft Teams, and email to send urgent messages, often disguised as meeting invitations or system updates. Victims are asked to enter a device code on a real Microsoft login page. The request seems legitimate, but the code is actually used to hijack their accounts. Once the victim enters the code, attackers bypass MFA security and gain unauthorized access to sensitive organizational data.
This campaign has been significantly active since January 2025, impacting organizations across various sectors, including government, healthcare, education, and technology. The attack is particularly concerning because the login process itself is legitimate, which makes it difficult for traditional security measures to detect and prevent. Victims of this attack face the risk of data breaches, identity theft, and unauthorized access to sensitive systems.
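Because the login itself is legitimate, one practical detection is to look at which accounts use the device code flow at all. The following is an added example, not part of the original article: it scans exported sign-in records and flags device code sign-ins by accounts that are not expected to use input-limited devices. The field names are modelled on Microsoft Entra ID sign-in log exports and are assumptions to adjust to your own schema; the allowlist and sample records are constructed.

```python
import json

# Hypothetical allowlist: accounts that legitimately sign in from input-limited devices.
EXPECTED_DEVICE_CODE_USERS = {"meetingroom-tv@example.org"}

# Constructed sample records, one JSON object per line (not real data).
# errorCode 0 means success; the nonzero value is a constructed placeholder for a failure.
SAMPLE_LOG = """\
{"createdDateTime": "2025-02-20T08:01:11Z", "userPrincipalName": "meetingroom-tv@example.org", "authenticationProtocol": "deviceCode", "ipAddress": "192.0.2.10", "status": {"errorCode": 0}}
{"createdDateTime": "2025-02-20T09:14:02Z", "userPrincipalName": "j.doe@example.org", "authenticationProtocol": "none", "ipAddress": "192.0.2.44", "status": {"errorCode": 0}}
{"createdDateTime": "2025-02-20T09:31:47Z", "userPrincipalName": "J.Doe@example.org", "authenticationProtocol": "deviceCode", "ipAddress": "203.0.113.77", "status": {"errorCode": 0}}
{"createdDateTime": "2025-02-20T10:02:30Z", "userPrincipalName": "a.khan@example.org", "authenticationProtocol": "deviceCode", "ipAddress": "203.0.113.77", "status": {"errorCode": 1}}
not-json
"""


def find_device_code_signins(log_text, expected_users=EXPECTED_DEVICE_CODE_USERS):
    """Return findings for device code sign-ins by accounts not expected to use the flow."""
    expected = {u.lower() for u in expected_users}
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed lines rather than abort the scan
        if not isinstance(rec, dict):
            continue
        if str(rec.get("authenticationProtocol", "")).lower() != "devicecode":
            continue
        user = str(rec.get("userPrincipalName", "")).lower()
        if user in expected:
            continue
        succeeded = (rec.get("status") or {}).get("errorCode") == 0
        findings.append({
            "time": rec.get("createdDateTime"),
            "user": user,
            "ip": rec.get("ipAddress"),
            # A completed flow means tokens were issued; a failed attempt still merits review.
            "severity": "high" if succeeded else "review",
        })
    return findings


if __name__ == "__main__":
    for finding in find_device_code_signins(SAMPLE_LOG):
        print(finding)
```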
Multiple Russian Actors Attacking Orgs To Hack Microsoft 365 Accounts via Device Code Authentication