Cybersecurity Alert
Device code phishing is the attack method most businesses have never heard of, and it's hitting Microsoft 365 users right now. Here's exactly how it works, why MFA doesn't stop it, and what your business needs to do today.
You've told your team to watch out for phishing. They know not to click suspicious links. They know not to open unexpected attachments. You've got MFA enabled on your Microsoft 365 accounts. You've done the right things.
There's a new attack that defeats all of it. And Microsoft's own security team just published an urgent warning about it today.
It's called device code phishing. It has surged 37-fold in 2026. It bypasses MFA entirely. And it uses no fake links, no suspicious attachments, and no login pages that look "off." Instead, it uses real Microsoft pages and turns your team's trust against them.
What is device code phishing?
To understand this attack, you first need to know what a "device code" is. When you try to sign into Microsoft 365 on a device that doesn't have a proper keyboard or browser, like a smart TV, a printer, or a streaming device, Microsoft gives you a short code and asks you to type it into microsoft.com/devicelogin on another device. This is a legitimate, normal feature called the OAuth 2.0 Device Authorization Grant.
Attackers figured out how to abuse this process. Instead of a legitimate device requesting access, the attacker initiates the flow themselves, then tricks your employee into entering the code. Here's the critical part: because the code is entered on a real Microsoft page, everything looks completely legitimate. And once the code is entered, the attacker receives a valid access token for that employee's account, bypassing passwords, bypassing MFA, and bypassing every technical defence you've put in place.
"Multifactor authentication provides no protection against this attack class. The victim completes the MFA challenge themselves on behalf of the attacker." (Cloud Security Alliance, March 2026)
How the attack actually plays out
Here's a real-world example of how this attack arrives in a business inbox:
1. An email arrives with an urgent lure
Your employee receives an email, often about a shared document, a salary update, a security verification, or a Teams meeting recording. The email looks professionally written and urgent. Recent campaigns have used subject lines like "OCTOBER_SALARY_AMENDED" and "Security verification required."
2. A code is provided that looks like an MFA code
The email or landing page gives your employee a short alphanumeric code, something like "D4Q8X", and instructs them to enter it at microsoft.com/devicelogin to access the document or complete verification. The page they're sent to is real. It's genuinely Microsoft's website.
3. The employee enters the code and completes MFA
Because the Microsoft page is real, your employee completes their normal MFA challenge, approves the notification, enters their authenticator code, and thinks they've successfully logged in. Everything seemed legitimate. Nothing looked suspicious.
4. The attacker now owns the account
The attacker's system was polling Microsoft in the background. The moment your employee authenticated, the attacker received a valid access token and refresh token, giving them full, persistent access to the account. They can read emails, download files from OneDrive, access Teams, and move through your organisation. The token persists even after a password reset.
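The sign-in produced in step 4 is recorded in the tenant's Entra sign-in log with the device code protocol, which is what a defender can key on. The following is an added example, not code from the original post or from Microsoft: it runs a triage check over a constructed sample of sign-in records (field names follow the Microsoft Graph signIn resource, so confirm them against your own export) and flags successful device-code sign-ins, raising severity when the IP or country is outside the assumed corporate ranges.

```python
import ipaddress
import json

# Constructed sample of Entra sign-in log records (not real tenant data).
SAMPLE_SIGNIN_LOG = """
{"createdDateTime":"2026-04-06T08:02:11Z","userPrincipalName":"alice@example.com","ipAddress":"203.0.113.7","location":{"countryOrRegion":"CA"},"authenticationProtocol":"oAuth2","appDisplayName":"Microsoft Teams","status":{"errorCode":0}}
{"createdDateTime":"2026-04-06T08:15:42Z","userPrincipalName":"bob@example.com","ipAddress":"198.51.100.23","location":{"countryOrRegion":"NL"},"authenticationProtocol":"deviceCode","appDisplayName":"Microsoft Office","status":{"errorCode":0}}
{"createdDateTime":"2026-04-06T09:01:05Z","userPrincipalName":"carol@example.com","ipAddress":"203.0.113.40","location":{"countryOrRegion":"CA"},"authenticationProtocol":"deviceCode","appDisplayName":"Microsoft Office","status":{"errorCode":0}}
{"createdDateTime":"2026-04-06T09:30:00Z","userPrincipalName":"dave@example.com","ipAddress":"192.0.2.9","location":{"countryOrRegion":"US"},"authenticationProtocol":"deviceCode","appDisplayName":"Microsoft Office","status":{"errorCode":50126}}
"""

# Assumed corporate egress ranges and expected sign-in countries for this tenant.
KNOWN_OFFICE_RANGES = [ipaddress.ip_network("203.0.113.0/24")]
EXPECTED_COUNTRIES = {"CA"}


def is_known_ip(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in KNOWN_OFFICE_RANGES)


def find_device_code_signins(raw_log: str) -> list:
    """Return one finding per device-code sign-in, ordered as in the log.
    Successful sign-ins from unknown IPs or countries are 'high'; successful
    sign-ins from known locations are 'medium' (still worth a call to the user);
    failed attempts are 'low' but kept, since they show the lure is circulating."""
    findings = []
    for line in raw_log.strip().splitlines():
        rec = json.loads(line)
        if rec.get("authenticationProtocol") != "deviceCode":
            continue
        reasons = []
        succeeded = rec.get("status", {}).get("errorCode", 0) == 0
        if not succeeded:
            reasons.append("sign-in failed")
        if not is_known_ip(rec["ipAddress"]):
            reasons.append("ip outside known ranges")
        if rec.get("location", {}).get("countryOrRegion") not in EXPECTED_COUNTRIES:
            reasons.append("unexpected country")
        if not succeeded:
            severity = "low"
        elif reasons:
            severity = "high"
        else:
            severity = "medium"
        findings.append({"user": rec["userPrincipalName"], "ip": rec["ipAddress"],
                         "time": rec["createdDateTime"], "severity": severity, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_device_code_signins(SAMPLE_SIGNIN_LOG):
        print(f["severity"].upper(), f["time"], f["user"], f["ip"], "; ".join(f["reasons"]))
```

A "medium" hit from a known office IP is exactly the case the post describes, since the employee is sitting at their desk when they enter the code, so treat every successful device-code sign-in as a call to the user, not just the ones from unusual locations.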
Why this is so dangerous for small businesses
Traditional phishing has tell-tale signs that trained employees can spot: misspelled domain names, suspicious sender addresses, links that don't quite look right. Device code phishing has none of those. The emails can be well-written. The page the employee visits is genuinely microsoft.com. The MFA prompt is real. There is nothing technically "wrong" for your employee to notice.
Microsoft's security team confirmed today that the latest wave of these attacks uses AI-generated lure content that's tailored to each target, making the emails even more convincing. And a new Phishing-as-a-Service platform called EvilTokens, launched in February 2026, has made this attack available to attackers with zero technical expertise for a low monthly subscription.
With a valid access token and refresh token, an attacker can:
✗ Read and exfiltrate all emails
✗ Download files from OneDrive and SharePoint
✗ Access Microsoft Teams conversations
✗ Harvest contacts and calendar data
✗ Register attacker-controlled devices to maintain access even after password resets
✗ Use the compromised account to attack colleagues and clients
What your business should do right now
Action 1: Block the device code flow in Microsoft Entra ID
If your business doesn't use devices like smart TVs or printers that need this feature, you can disable it entirely via Conditional Access in Microsoft Entra ID. This is a free configuration change that eliminates the attack vector completely. Your IT provider can do this in minutes.
Action 2: Train your team specifically on this attack
The single most important message: any email asking your team to visit microsoft.com/devicelogin and enter a code should immediately trigger a pause and a call to verify. This isn't something people would naturally know; they need to be told explicitly. Send this blog post to your team today.
Action 3: Audit your OAuth app permissions
In your Microsoft Entra admin centre, review which third-party apps have been granted access to your Microsoft 365 environment. Remove any you don't recognise or no longer use. If a device code attack has already occurred, unauthorised apps may already have a foothold.
Action 4: Enable sign-in monitoring and alerts
Set up monitoring for sign-ins that use the Device Code Flow authentication method, especially from unusual IP addresses or locations. Microsoft Defender can flag these. If you have a managed IT provider, ask them to configure these alerts for you immediately.
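Action 1 is only effective if the Conditional Access policy is actually enabled, set to block, scoped to all users and all apps, and free of exclusions that quietly keep the flow open. The following is an added example, not code from the original post or from Microsoft: it audits a constructed list of policies in the shape the Microsoft Graph conditionalAccessPolicy resource returns them (the authenticationFlows.transferMethods condition is the one that targets the device code flow) and reports whether the block is enforced and what needs a second look.

```python
# Constructed policies in the shape of GET /identity/conditionalAccess/policies.
# Field names follow the Graph conditionalAccessPolicy resource; IDs are made up.
POLICIES = [
    {"displayName": "Block device code flow", "state": "enabled",
     "conditions": {
         "users": {"includeUsers": ["All"], "excludeUsers": [],
                   "excludeGroups": ["00000000-breakglass-group-id"]},
         "applications": {"includeApplications": ["All"]},
         # Graph serialises this as a comma-separated string of flags.
         "authenticationFlows": {"transferMethods": "deviceCodeFlow,authenticationTransfer"}},
     "grantControls": {"operator": "OR", "builtInControls": ["block"]}},
    {"displayName": "Require MFA for all users", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"]},
                    "applications": {"includeApplications": ["All"]}},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
]


def transfer_methods(policy: dict) -> set:
    """Normalise the transferMethods flags, whether serialised as a string or a list."""
    raw = policy.get("conditions", {}).get("authenticationFlows", {}).get("transferMethods") or ""
    parts = raw.split(",") if isinstance(raw, str) else raw
    return {p.strip() for p in parts if p and p.strip()}


def audit_device_code_block(policies: list) -> tuple:
    """Return (enforced, notes). 'enforced' is True only when some enabled policy
    blocks the device code flow for all users and all cloud apps; 'notes' lists
    misconfigurations and exclusions a reviewer should check by hand."""
    notes, enforced = [], False
    for p in policies:
        if "deviceCodeFlow" not in transfer_methods(p):
            continue
        name = p.get("displayName", "<unnamed>")
        c = p.get("conditions", {})
        if p.get("state") != "enabled":
            notes.append(f"{name}: targets device code flow but state is '{p.get('state')}'")
            continue
        blocks = "block" in p.get("grantControls", {}).get("builtInControls", [])
        all_users = c.get("users", {}).get("includeUsers") == ["All"]
        all_apps = c.get("applications", {}).get("includeApplications") == ["All"]
        if not (blocks and all_users and all_apps):
            notes.append(f"{name}: not a block for all users and all apps "
                         f"(block={blocks}, allUsers={all_users}, allApps={all_apps})")
            continue
        enforced = True
        excluded = c["users"].get("excludeUsers", []) + c["users"].get("excludeGroups", [])
        if excluded:
            notes.append(f"{name}: {len(excluded)} exclusion(s) can still use device code flow")
    if not enforced:
        notes.append("no enabled policy blocks device code flow for all users and all apps")
    return enforced, notes
```

A report-only state ("enabledForReportingButNotEnforced") is the most common reason a tenant believes it has blocked the flow when it has not, so the audit treats anything other than "enabled" as not enforced.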
"The attack abuses a legitimate protocol feature. Because the user voluntarily enters a code into a legitimate Microsoft login page, traditional phishing filters and secure email gateways often fail to block it." (Microsoft Security Blog, April 6, 2026)
The bottom line
Device code phishing is a genuinely clever attack because it turns your security infrastructure against you. Your employee doesn't click a fake link. They visit a real Microsoft page. They complete their real MFA. And you get breached anyway.
The defence isn't a technical silver bullet; it's a combination of configuration changes, employee awareness, and monitoring. None of these are complicated. But they require someone who knows what to look for and how to implement them correctly.
At 247Techify we're already helping Ontario businesses lock down their Microsoft 365 environments against exactly this attack. If you'd like us to review your configuration and train your team, start with a free conversation. It could be the most important call you make this week.