By Jordan Polasek · July 1, 2026

You did everything the security people told you to do. You turned on multi-factor authentication for your Microsoft 365 accounts, so that even if a password leaks, a login still needs that second code from your phone. That was the right call. But there's a phishing trick spreading fast right now that walks straight past MFA — not by breaking it, but by getting you to open the door from the inside.

It's called device code phishing, and over the first half of 2026 researchers have watched it explode. This is the kind of attack that hits real small businesses in Texas, because it doesn't require any fancy hacking — just a convincing email and one distracted employee.

## ⚡ The 60-Second Version


- What: A surging phishing technique called device code phishing that hijacks Microsoft 365 and Azure accounts without your password and without your MFA code. Researchers at Push Security tracked a roughly 37x jump in these attacks in 2026, fueled by cheap, ready-made phishing kits.
- Fix: It abuses a legitimate Microsoft login feature, so there's no patch to install. You close the door with a Conditional Access policy that blocks the "device code" sign-in flow for staff who don't need it, move toward phishing-resistant MFA (passkeys), and teach your team one simple rule: never type a code someone sent you into a Microsoft login page.
- By when: Now. The tools to run this attack are being sold as a service and are widely available.
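The Conditional Access policy the Fix bullet describes, as an added example (not BVTech's or Microsoft's own script) written for the Microsoft Graph PowerShell module. It assumes the module is installed, that you hold a Conditional Access administrator role, and that the exclusion group name is a placeholder you replace with your own.

```powershell
# Added example: block the device code sign-in flow with a Conditional Access
# policy, starting in report-only mode so you can review the impact before
# enforcing it. Assumes the Microsoft.Graph PowerShell module is installed.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All", "Group.Read.All"

# Placeholder group: break-glass admins plus any account that genuinely needs
# device code sign-in (for example a headless kiosk). Keep this group small.
$exclusionGroup = Get-MgGroup -Filter "displayName eq 'CA-Exclude-DeviceCode'"

$policy = @{
    displayName = "Block device code flow"
    # Report-only: the policy is evaluated and logged, but nothing is blocked yet.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users        = @{
            includeUsers  = @("All")
            excludeGroups = @($exclusionGroup.Id)
        }
        applications = @{ includeApplications = @("All") }
        # The authentication flows condition is what targets device code sign-ins.
        authenticationFlows = @{ transferMethods = "deviceCodeFlow" }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("block")
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
$created | Select-Object Id, DisplayName, State

# After a week of report-only results with no legitimate hits, enforce it:
# Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id -State "enabled"
```

Review the report-only sign-in log entries before flipping the state to enabled, so a kiosk or scripted sign-in that relies on the flow does not break silently.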

## What "device code phishing" actually is

You've probably used the honest version of this feature without thinking about it. When you sign a smart TV or a streaming stick into your account, it can't show a full keyboard, so it says: "Go to this website on your phone and enter this code." You type the short code, approve it, and the TV is logged in. That's the OAuth "device authorization" flow — a convenience built for gadgets that are hard to type on.

Attackers have learned to turn that convenience against you. Here's the con, step by step:

The unsettling part is that every step happened on Microsoft's own trusted website. There's no look-alike domain to spot, no misspelled URL. You were tricked into authorizing an attacker's device as if it were your new TV.

## Why your MFA doesn't save you here

This is the detail that catches people off guard. Multi-factor authentication protects the front door — the moment you prove who you are with a password and a code. But the device code approval happens after you're already signed in. If you have an active Microsoft session in your browser, entering the code and clicking "approve" is all it takes — no password prompt, no second MFA challenge, because you already cleared those.

So MFA is doing its job perfectly, and the attacker simply walks in through a different door that opens after the security check. Worse, what they receive often includes a refresh token, which quietly renews their access for days or weeks. They can read your email, your files in OneDrive and SharePoint, and phish your customers from a trusted address — and changing your password doesn't necessarily kick them out.
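A way to check your own sign-in logs for this pattern and to cut off the refresh token the paragraph above describes, as an added example (not BVTech's or Microsoft's own script) using the Microsoft Graph PowerShell module. It assumes the module is installed, that your tenant has the Entra ID P1 licensing the sign-in log API requires, and that the user principal name is a placeholder.

```powershell
# Added example: list device code sign-ins from the last 30 days, then revoke
# sessions for a user whose account was authorized this way without their
# knowledge. Assumes the Microsoft.Graph PowerShell module is installed.
Connect-MgGraph -Scopes "AuditLog.Read.All", "Directory.Read.All", "User.RevokeSessions.All"

$since = (Get-Date).AddDays(-30).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ssZ")

# Device code sign-ins carry authenticationProtocol = deviceCode in the Entra
# sign-in log. For most small businesses the expected count is zero.
$deviceCodeSignIns = Get-MgAuditLogSignIn -Filter "createdDateTime ge $since" -All |
    Where-Object { $_.AuthenticationProtocol -eq "deviceCode" }

$deviceCodeSignIns |
    Select-Object CreatedDateTime, UserPrincipalName, AppDisplayName, IPAddress,
                  @{ n = "Country"; e = { $_.Location.CountryOrRegion } } |
    Sort-Object CreatedDateTime -Descending |
    Format-Table -AutoSize

# If a sign-in was not something the user did, revoke their sessions. This
# invalidates refresh tokens, which a password change alone does not do.
$compromisedUser = "someone@example.com"   # placeholder, replace with the real UPN
Revoke-MgUserSignInSession -UserId $compromisedUser
```

Pair the revocation with a password reset and a review of the user's mailbox rules and consented apps, since the attacker may have set up persistence while the token was valid.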

## Why it's exploding right now

A few years ago this took a skilled attacker. Today it's a product. Security researchers are now tracking more than a dozen phishing-as-a-service kits built specifically for this attack — EvilTokens is the most common, with names like VENOM and Tycoon2FA close behind. For a subscription fee, a criminal with no real technical skill gets polished lures, hosting, and anti-detection features baked in.

That commoditization is exactly why the numbers jumped from a 15x increase in early March to roughly 37x by mid-2026. When an attack gets cheap and easy, it stops being aimed only at big banks — it gets pointed at everyone, including the accounting firm, the clinic, and the manufacturer down the road. Small businesses running Microsoft 365 are squarely in the blast radius.

## What this means for your business

Because there's no software update to apply, the fix is about configuration and habits. Here's the prioritized list for this week:

## How BVTech helps

If BVTech manages your Microsoft 365, this is the quiet work we're already doing on your behalf — reviewing Conditional Access policies, tightening the device code flow, rolling out phishing-resistant MFA, and watching the sign-in logs for exactly this pattern. Our managed clients don't have to become experts in OAuth to be protected from it.

If you're running Microsoft 365 on your own and just read the words "Conditional Access policy" with a knot in your stomach — that's fair, and it's fixable. We're glad to do a no-pressure review of your identity setup and show you where the gaps are. You can book a call, look at our cybersecurity services, or run a quick self-check with our security scoreboard.

MFA is still one of the best things you can do for your business — this isn't a reason to doubt it. It's a reminder that attackers adapt, and the businesses that stay safe are the ones that adapt a step ahead of them.

— Jordan Polasek · Founder, BVTech LLC