Beware of the Fake “Microsoft” Verification Code Scam

Overview

A new wave of device code phishing attacks is targeting Microsoft 365 users across the US, Canada, and Europe, compromising over 340 organizations. These emails look legitimate — often referencing SharePoint files, meeting invites, or payroll PDFs — but they’re designed to trick users into authorizing an attacker’s device directly into their account.

How the Scam Works

  1. You receive an email that appears to come from Microsoft or a trusted partner.
  2. The link takes you to the real Microsoft login page — not a fake one.
  3. You’re asked to enter a short verification code from the email.
  4. Entering that code silently grants the attacker’s device access to your Microsoft 365 account.

Once inside, attackers can:

  • Read and forward your emails.
  • Download sensitive files from SharePoint or OneDrive.
  • Create email forwarding rules to monitor future messages — all without your password.

Protect Your Business

  • Block device code authentication in Microsoft Entra ID unless it’s absolutely required.
  • Train employees: Microsoft will never email you a code to enter on its login page.
  • Use phishing‑resistant MFA such as FIDO2 security keys or Windows Hello for Business.
  • Review sign‑in logs regularly for suspicious device authorizations.
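The last two points can be backed by a concrete check. The Python below is an added example, not code from the original post: it scans a few constructed Microsoft Entra sign-in records (newline-delimited JSON in the field layout of the Microsoft Graph `signIn` resource, where `authenticationProtocol` is `deviceCode` for the OAuth 2.0 device authorization grant) and reports successful device-code sign-ins, highlighting those redeemed from an address outside the organisation's known egress set. The sample records, the `KNOWN_EGRESS_IPS` set and the function names are assumptions made for this illustration.

```python
import json

# Constructed sample of Entra sign-in records (newline-delimited JSON), trimmed to the
# fields this check needs. Field names follow the Microsoft Graph signIn resource;
# every value below is made up for this example.
SAMPLE_SIGNIN_LOG = """
{"userPrincipalName": "alice@example.com", "authenticationProtocol": "oAuth2", "ipAddress": "203.0.113.10", "createdDateTime": "2025-05-01T08:02:11Z", "appDisplayName": "Microsoft Teams", "status": {"errorCode": 0}}
{"userPrincipalName": "alice@example.com", "authenticationProtocol": "deviceCode", "ipAddress": "198.51.100.77", "createdDateTime": "2025-05-01T09:14:05Z", "appDisplayName": "Microsoft Office", "status": {"errorCode": 0}}
{"userPrincipalName": "bob@example.com", "authenticationProtocol": "deviceCode", "ipAddress": "203.0.113.10", "createdDateTime": "2025-05-01T10:30:00Z", "appDisplayName": "Azure CLI", "status": {"errorCode": 50199}}
{"userPrincipalName": "carol@example.com", "authenticationProtocol": "oAuth2", "ipAddress": "203.0.113.11", "createdDateTime": "2025-05-01T11:00:00Z", "appDisplayName": "Outlook", "status": {"errorCode": 0}}
"""

# Constructed: the organisation's own egress addresses. A device-code sign-in from
# anywhere else means the code was redeemed on a device the organisation does not run.
KNOWN_EGRESS_IPS = {"203.0.113.10", "203.0.113.11"}


def parse_signin_log(text):
    """Parse newline-delimited JSON sign-in records, ignoring blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def flag_device_code_signins(records, known_ips):
    """Return successful device-code sign-ins, each tagged with whether the
    redeeming device sat outside the organisation's known egress addresses."""
    hits = []
    for rec in records:
        if rec.get("authenticationProtocol") != "deviceCode":
            continue
        # A non-zero errorCode is a failed sign-in: worth counting, but no token was issued.
        if rec.get("status", {}).get("errorCode", 0) != 0:
            continue
        hits.append({
            "user": rec["userPrincipalName"],
            "time": rec["createdDateTime"],
            "app": rec.get("appDisplayName", ""),
            "ip": rec["ipAddress"],
            "unknown_device_ip": rec["ipAddress"] not in known_ips,
        })
    return hits


def users_to_review(records, known_ips):
    """Users whose device-code sign-in came from an unknown address: candidates for
    token revocation and a check of their mailbox forwarding rules."""
    return sorted({h["user"] for h in flag_device_code_signins(records, known_ips)
                   if h["unknown_device_ip"]})
```

On the sample data only Alice's sign-in is reported: Bob's device-code attempt failed, so no token was issued, and the others used the ordinary OAuth flow.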

Final Thought

This scam is dangerous because it uses legitimate Microsoft infrastructure to bypass traditional MFA. The best defense is awareness and proactive configuration. If your organization relies on Microsoft 365, make sure your IT team has device code authentication locked down and your staff knows how to spot these deceptive emails.
