New Phishing Campaign Abuses Microsoft Device-Code Flow to Hijack M365 Accounts

ยท
Listen to this article~4 min
New Phishing Campaign Abuses Microsoft Device-Code Flow to Hijack M365 Accounts

A new phishing campaign abuses Microsoft's device-code flow to hijack M365 accounts without fake login pages. Learn how it works and how to protect yourself.

A fresh wave of phishing attacks is targeting Microsoft 365 users, and it's not your typical fake login page. Security researchers at ZeroBEC spotted this campaign running from late June through early July 2026. The attackers are using a clever trick: they abuse Microsoft's legitimate device-code authentication flow to steal account access. ### How the Attack Works Instead of sending victims to a fake password page, the attackers use collaboration-themed lures to trick people into visiting Microsoft's real device login page. Here's the gist: you get an email or message that looks like a shared document or project invite. When you click, you're prompted to enter a code on Microsoft's official site. That code is actually generated by the attacker, giving them access to your account once you authenticate. This approach is dangerous because it bypasses many traditional security filters. The login happens on a legitimate Microsoft domain, so it looks clean to security tools. And because the user is willingly entering a code, they don't suspect foul play. ### Why Device-Code Flow Is a Target Device-code flow is designed for devices that can't handle a full web browser, like smart TVs or printers. But attackers love it because it doesn't require a password. They just need the user to authenticate with a code. Once they have that, they can access your email, files, and more. - **No password needed** โ€“ The attacker never sees your password, but they still get in. - **Legitimate domain** โ€“ Microsoft's own site is used, so it's harder to block. - **Easy to automate** โ€“ Attackers can generate codes and send them out en masse. ### How to Protect Yourself This kind of attack relies on human error, so awareness is your best defense. Here are a few practical steps: - **Double-check the request** โ€“ If you get an unexpected invite to collaborate on a document, verify with the person who sent it. - **Never enter codes from emails** โ€“ Only use device codes when you're setting up a device yourself, not because someone sent you one. - **Enable multi-factor authentication** โ€“ Even if an attacker gets in, MFA can stop them from doing damage. - **Monitor account activity** โ€“ Keep an eye on sign-in logs for unfamiliar locations or devices. > "The campaign did not depend on a fake Microsoft password page. It used a malicious collaboration-style lure to push users into the legitimate Microsoft device login experience." โ€“ ZeroBEC researchers ### What Businesses Should Do For organizations, this attack highlights the need for user training and technical controls. Consider blocking device-code authentication for most users, or requiring approval for its use. Also, set up alerts for unusual authentication patterns, like multiple device-code requests in a short time. ### Final Thoughts Phishing is evolving, and attackers are getting smarter about using legitimate tools against us. The key is staying vigilant and questioning anything that feels off. If a collaboration invite seems out of the blue, take a moment to verify before you act. Your account is worth that extra second. Stay safe out there.