Hundreds of Organizations Breached Daily Through Microsoft 365 — Since March

A new phishing campaign is exploiting Microsoft device codes to hijack corporate email inboxes at scale. If your team uses Microsoft 365, this affects you right now.

NSI Tech

Since mid-March 2026, over 500 organizations per day have been hit by a phishing campaign targeting Microsoft 365. Not through a software flaw. Through the login flow itself.

Attackers are using device code authentication, a legitimate Microsoft feature that lets apps connect to your Microsoft account without you re-entering your password every time. The technique is simple: they trick a user into authorizing a malicious app via the device code flow, then steal the resulting token to access corporate email, Teams chats, and SharePoint files.

With that access, they steal financial data, impersonate employees, and move laterally — all while sitting inside your legitimate Microsoft environment.

This isn’t theoretical. It’s happening every day.

Why Most SMBs Don’t Know They’ve Been Hit

Microsoft’s security defaults for M365 aren’t enough anymore. Device code authentication is enabled by default. Phishing emails look like routine prompts. And by the time most businesses notice, the attackers have already exfiltrated data or set up backdoor accounts.

The attackers are also using AI to automate and scale the campaigns — personalized, convincing, and cheap to run.

What You Need to Do Now

  1. Disable device code flow for standard user accounts where it’s not needed
  2. Enable phishing-resistant MFA (FIDO2 hardware keys or certificate-based auth)
  3. Audit third-party app consent policies — limit what apps can connect to your M365 tenant
  4. Monitor sign-in logs for device code anomalies — spikes in app consent events are a red flag
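An added example for step 4 (not NSI Tech's code): a Python pass over exported sign-in records that lists successful device code sign-ins by accounts outside an expected baseline, plus the days where such sign-ins reach a threshold. The records are constructed, the field names (`authenticationProtocol`, `status.errorCode`) assume a Microsoft Graph `signIn` JSON export, and the baseline set and threshold are hypothetical values to tune per tenant.

```python
from collections import Counter


def rec(ts, upn, app, proto, err=0):
    # Constructed sample record. Keys mirror the Microsoft Graph signIn
    # export (an assumption: check them against your own export).
    return {"createdDateTime": ts, "userPrincipalName": upn,
            "appDisplayName": app, "authenticationProtocol": proto,
            "status": {"errorCode": err}}


SAMPLE = [
    rec("2026-03-16T08:02:11Z", "kiosk@example.com", "Room Display", "deviceCode"),
    rec("2026-03-16T09:15:40Z", "ana@example.com", "Outlook", "none"),
    rec("2026-03-17T10:01:05Z", "ana@example.com", "Mail Helper", "deviceCode"),
    rec("2026-03-17T10:03:52Z", "raj@example.com", "Mail Helper", "deviceCode"),
    # Nonzero errorCode = failed sign-in (constructed value), so no token issued.
    rec("2026-03-17T10:09:30Z", "li@example.com", "Mail Helper", "deviceCode", err=1),
]

# Hypothetical baseline: accounts that are expected to use device code flow,
# e.g. shared displays or CLI service accounts.
BASELINE = {"kiosk@example.com"}


def triage(records, baseline, daily_threshold=2):
    """Return (unexpected, spike_days) for successful device code sign-ins.

    unexpected: {user: [timestamps]} for users not in the baseline.
    spike_days: dates (YYYY-MM-DD) with >= daily_threshold such sign-ins.
    """
    ok = [r for r in records
          if r.get("authenticationProtocol") == "deviceCode"
          and r.get("status", {}).get("errorCode") == 0]
    unexpected = {}
    for r in ok:
        user = r["userPrincipalName"].lower()
        if user not in baseline:
            unexpected.setdefault(user, []).append(r["createdDateTime"])
    per_day = Counter(r["createdDateTime"][:10] for r in ok)
    spike_days = sorted(d for d, n in per_day.items() if n >= daily_threshold)
    return unexpected, spike_days


if __name__ == "__main__":
    unexpected, spike_days = triage(SAMPLE, BASELINE)
    for user, times in sorted(unexpected.items()):
        print(f"review: {user} used device code flow at {', '.join(times)}")
    print("spike days:", spike_days)
```

The same output helps with step 1: any account that never appears in the device code results is a candidate for having the flow disabled.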

Don’t Wait for a Breach to Find Out

Running Microsoft 365 without active monitoring is like leaving your office door unlocked and hoping no one notices. Reach out — we’ll run a quick security health check on your M365 environment and tell you exactly where you’re exposed.
