You did everything the security people told you to do. You turned on multi-factor authentication for your Microsoft 365 accounts, so that even if a password leaks, a login still needs that second code from your phone. That was the right call. But there's a phishing trick spreading fast right now that walks straight past MFA — not by breaking it, but by getting you to open the door from the inside.
It's called device code phishing, and over the first half of 2026 researchers have watched it explode. This is the kind of attack that hits real small businesses in Texas, because it doesn't require any fancy hacking — just a convincing email and one distracted employee.
## ⚡ The 60-Second Version
- What: A surging phishing technique called device code phishing that hijacks Microsoft 365 and Azure accounts without your password and without your MFA code. Researchers at Push Security tracked a roughly 37x jump in these attacks in 2026, fueled by cheap, ready-made phishing kits.
- Fix: It abuses a legitimate Microsoft login feature, so there's no patch to install. You close the door with a Conditional Access policy that blocks the "device code" sign-in flow for staff who don't need it, move toward phishing-resistant MFA (passkeys), and teach your team one simple rule: never type a code someone sent you into a Microsoft login page.
- By when: Now. The tools to run this attack are being sold as a service and are widely available.
## What "device code phishing" actually is
You've probably used the honest version of this feature without thinking about it. When you sign a smart TV or a streaming stick into your account, it can't show a full keyboard, so it says: "Go to this website on your phone and enter this code." You type the short code, approve it, and the TV is logged in. That's the OAuth "device authorization" flow — a convenience built for gadgets that are hard to type on.
Attackers have learned to turn that convenience against you. Here's the con, step by step:
- The attacker asks Microsoft for one of those device codes — for their device, pretending to be a normal app.
- They send you a believable message: a fake "your Microsoft session expired," a shared-document lure, or an IT-support note, telling you to visit the real Microsoft login page and enter the code.
- You enter the code on the genuine Microsoft site — the URL is legit, the padlock is real, everything looks right — and you approve it.
- Microsoft hands the login tokens to the attacker's device. They're now in your account.
The unsettling part is that every step happened on Microsoft's own trusted website. There's no look-alike domain to spot, no misspelled URL. You were tricked into authorizing an attacker's device as if it were your new TV.
## Why your MFA doesn't save you here
This is the detail that catches people off guard. Multi-factor authentication protects the front door — the moment you prove who you are with a password and a code. But the device code approval happens after you're already signed in. If you have an active Microsoft session in your browser, entering the code and clicking "approve" is all it takes — no password prompt, no second MFA challenge, because you already cleared those.
So MFA is doing its job perfectly, and the attacker simply walks in through a different door that opens after the security check. Worse, what they receive often includes a refresh token, which quietly renews their access for days or weeks. They can read your email, your files in OneDrive and SharePoint, and phish your customers from a trusted address — and changing your password doesn't necessarily kick them out.
## Why it's exploding right now
A few years ago this took a skilled attacker. Today it's a product. Security researchers are now tracking more than a dozen phishing-as-a-service kits built specifically for this attack — EvilTokens is the most common, with names like VENOM and Tycoon2FA close behind. For a subscription fee, a criminal with no real technical skill gets polished lures, hosting, and anti-detection features baked in.
That commoditization is exactly why the numbers jumped from a 15x increase in early March to roughly 37x by mid-2026. When an attack gets cheap and easy, it stops being aimed only at big banks — it gets pointed at everyone, including the accounting firm, the clinic, and the manufacturer down the road. Small businesses running Microsoft 365 are squarely in the blast radius.
## What this means for your business
Because there's no software update to apply, the fix is about configuration and habits. Here's the prioritized list for this week:
- Restrict the device code flow. In Microsoft Entra (Azure AD), create a Conditional Access policy that blocks device-code sign-ins for users who don't genuinely need them. Roll it out in report-only mode first so you can see who actually uses the feature (developer tools like the GitHub CLI or the Azure CLI legitimately do) before you turn on enforcement. This one setting shuts the door on the whole attack for most staff.
- Teach the one rule. Make sure everyone understands: you should never enter a code that someone else gave you into a Microsoft or Google login page. Real device codes only ever come from a device you are setting up, right in front of you. A code that arrives by email, text, or a support call is a scam, full stop.
- Move toward phishing-resistant MFA. App-based codes are far better than nothing, but passkeys and FIDO2 security keys are the gold standard and resist these identity tricks far better. Start with your highest-risk accounts — owners, finance, and admins.
- Watch your sign-in logs. Review Microsoft 365 sign-in activity for unexpected "device code" authentications and logins from unfamiliar locations or IP addresses. Catching one early can mean the difference between a scare and a breach.
- Shorten the leash. Tighten session lifetimes and enable token protection where your licensing allows, so a stolen token can't ride along for weeks.
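As an added example (not BVTech's or Microsoft's own code), here is a Python script that builds the Microsoft Graph request body for the report-only Conditional Access policy from the first item above and reviews exported sign-in records for device-code authentications as described in the fourth item. The sign-in records are constructed, and the developer group id and the example.com users are placeholders.

```python
"""Added example: Graph API body for a report-only Conditional Access policy that
blocks the device code flow, plus a review of sign-in records for that flow."""
import json

def device_code_block_policy(state="enabledForReportingButNotEnforced",
                             exclude_groups=()):
    """Body for POST /identity/conditionalAccess/policies; report-only by default,
    pass state="enabled" once the report shows who genuinely uses the flow."""
    return {
        "displayName": "Block device code flow",
        "state": state,
        "conditions": {
            # Assumed: a group of developers who need the flow (GitHub/Azure CLI)
            "users": {"includeUsers": ["All"], "excludeGroups": list(exclude_groups)},
            "applications": {"includeApplications": ["All"]},
            # The condition that singles out device code sign-ins
            "authenticationFlows": {"transferMethods": "deviceCodeFlow"},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }

# Constructed sample records in the shape of Entra sign-in log exports;
# authenticationProtocol is the field that names the device code flow.
SIGNINS = [
    {"userPrincipalName": "ana@example.com", "authenticationProtocol": "deviceCode",
     "ipAddress": "203.0.113.10", "location": {"countryOrRegion": "US"}},
    {"userPrincipalName": "bob@example.com", "authenticationProtocol": "oAuth2",
     "ipAddress": "203.0.113.11", "location": {"countryOrRegion": "US"}},
    {"userPrincipalName": "carla@example.com", "authenticationProtocol": "deviceCode",
     "ipAddress": "198.51.100.7", "location": {"countryOrRegion": "NL"}},
]

def flag_device_code_signins(records, expected_countries):
    """Return (user, ip, reason) for every device-code sign-in; the reason also
    notes when the sign-in came from outside the countries you expect."""
    hits = []
    for rec in records:
        if rec.get("authenticationProtocol") != "deviceCode":
            continue
        country = rec.get("location", {}).get("countryOrRegion", "unknown")
        reason = "device code sign-in"
        if country not in expected_countries:
            reason += f" from unexpected country {country}"
        hits.append((rec["userPrincipalName"], rec["ipAddress"], reason))
    return hits

if __name__ == "__main__":
    print(json.dumps(device_code_block_policy(exclude_groups=["<dev-group-id>"]), indent=2))
    for user, ip, reason in flag_device_code_signins(SIGNINS, {"US"}):
        print(f"{user} {ip}: {reason}")
```

Every device-code sign-in is listed, not only the ones from unexpected countries, because a code entered by a tricked employee usually shows the attacker's IP, not the employee's.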
## How BVTech helps
If BVTech manages your Microsoft 365, this is the quiet work we're already doing on your behalf — reviewing Conditional Access policies, tightening the device code flow, rolling out phishing-resistant MFA, and watching the sign-in logs for exactly this pattern. Our managed clients don't have to become experts in OAuth to be protected from it.
If you're running Microsoft 365 on your own and just read the words "Conditional Access policy" with a knot in your stomach — that's fair, and it's fixable. We're glad to do a no-pressure review of your identity setup and show you where the gaps are. You can book a call, look at our cybersecurity services, or run a quick self-check with our security scoreboard.
MFA is still one of the best things you can do for your business — this isn't a reason to doubt it. It's a reminder that attackers adapt, and the businesses that stay safe are the ones that adapt a step ahead of them.
— Jordan Polasek · Founder, BVTech LLC