Your MFA Is Not Broken. But Attackers Have Found the Side Door
AI-powered phishing and device-code attacks are changing how Microsoft 365 accounts get compromised. Here is what business leaders need to know, and what to check now.
The New Phishing Problem Is Not Just “Better Emails”
For years, the advice around phishing has sounded roughly the same.
Look for spelling mistakes. Check the sender address. Be suspicious of urgent payment requests. Do not click strange links. Hover before you click.
All sensible advice. Still useful. Very much not dead.
But the problem is that phishing has grown up a bit. It has put on a blazer, learned how Microsoft authentication works, subscribed to some automation tools, and started behaving less like a dodgy email from a pretend prince and more like a well-rehearsed business process.
This week, Huntress reported a major rise in device-code phishing, including a reported 1,380% increase when comparing July to December 2025 with January to April 2026. Their research also describes phishing kits that can generate personalised lures, abuse legitimate Microsoft login flows, and steal access tokens rather than passwords.
That last bit matters.
Because if attackers can gain access without needing your password, the comforting phrase “we have MFA” becomes a little less comforting.
Not useless. Not bad. Not something to switch off in a huff. MFA is still one of the most important protections a business can have.
But it is not a magic force field.
And that is the bit many growing businesses need to absorb now.
What Is Device-Code Phishing?
Device-code login is a legitimate feature used by services like Microsoft 365. It is designed for devices where typing a full username and password is awkward, such as TVs, consoles, printers, or certain command-line tools.
You have probably seen the pattern before:
“Go to this Microsoft page and enter this code.”
In normal use, it is convenient. The problem is that attackers can abuse that same process.
In a device-code phishing attack, the attacker starts a login session on their own device. They then trick the victim into entering a code on a real Microsoft login page. Because the page is legitimate, many of the usual phishing alarms do not go off. The victim is not necessarily typing their password into a fake website. They may even complete MFA properly.
But the session being authorised belongs to the attacker.
It is a bit like someone standing outside a secure office and saying, “Could you just badge me in? The reader is playing up.” The badge system worked. The door opened. The problem was the context.
That is why these attacks are awkward. They do not always look like a traditional fake-login-page scam. They use trusted authentication flows in the wrong way.
Why This Matters For 20 To 150 User Businesses
For larger enterprises, identity security is often a full-time discipline. They may have security operations teams, identity specialists, conditional access policies, logging, alerting, incident playbooks, and enough governance meetings to make a small forest nervous.
Smaller and mid-sized organisations are in a different position.
A 60-person healthcare provider, creative agency, finance firm, or HR analytics company may rely heavily on Microsoft 365, but not have someone continuously watching authentication logs. They may have MFA switched on and assume that means the major identity risks are covered.
That assumption is now too thin.
Microsoft 365 is not just email. It is often the front door to:
- Outlook and Teams conversations
- OneDrive and SharePoint files
- invoices, contracts, HR data, and board papers
- client communications
- finance workflows
- patient, employee, or commercially sensitive information
- third-party apps connected through Microsoft identity
Once an attacker gets into an account, the issue is rarely just “one mailbox was accessed”.
They can study how the organisation talks. They can find payment conversations. They can impersonate senior staff. They can set inbox rules. They can move laterally. They can wait.
The quiet waiting is often the nastiest bit. Not every cyber incident arrives with flashing lights and a ransom note. Sometimes it arrives as a perfectly worded email in an existing conversation, sent at exactly the right moment, asking someone to change bank details.
Very polite. Very expensive.
The Business Risk Is Workflow Risk
The technical phrase is “OAuth token theft” or “device-code phishing”. Useful terms for security teams.
For directors and founders, the better phrase may be workflow risk.
Attackers are not simply attacking your IT. They are attacking the way your business gets things done.
If your team approves payments by email, that is a workflow.
If your clinic sends sensitive documents through Microsoft 365, that is a workflow.
If your agency shares campaign files with clients, that is a workflow.
If your finance team relies on Teams and SharePoint for deal documentation, that is a workflow.
If your HR platform connects to Microsoft identity, that is a workflow.
Modern cybercrime is increasingly good at blending into those workflows. AI-generated phishing makes the wording more believable. Automation helps attackers scale. Phishing-as-a-service tools lower the skill needed to run the attack.
In plain English: more criminals can now do convincing things faster.
That does not mean every business should panic. Panic is a poor operating model. It has terrible documentation and never remembers to renew licences.
But it does mean businesses should update their mental model.
The question is no longer, “Do we have MFA?”
The better question is, “Do we know which authentication flows are allowed, how risky sign-ins are detected, and what we would do if a Microsoft 365 account was compromised?”
What Leaders Should Ask Their IT Provider
You do not need to become an identity security engineer to lead this well. But you do need to ask better questions.
Here are the practical ones.
1. Are We Monitoring Risky Microsoft 365 Sign-Ins?
Someone should be looking for suspicious authentication patterns, unusual geographies, unfamiliar devices, impossible travel, strange token activity, and unexpected use of device-code flow.
This is where managed cybersecurity becomes very practical. It is not about buying a shiny security tool and hoping it feels loved. It is about having the visibility and response process around it.
For growing teams, this often means combining Microsoft 365 security configuration, endpoint protection, email security, and a security operations capability that can spot when something odd is happening.
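To make the first question concrete, here is an added example (not code from the original post or from Huntress) that flags two of the patterns mentioned above, device-code sign-ins and a rapid country change, in constructed sign-in records shaped like Microsoft Entra sign-in log entries. The users, IP addresses and locations are invented.

```python
"""Flag suspicious Microsoft 365 sign-ins in exported sign-in log records.

The constructed sample below mimics the shape of Microsoft Graph / Entra sign-in
log entries (authenticationProtocol, ipAddress, location, status). Every value,
user and location is invented for this example.
"""
import json
from datetime import datetime

# Constructed sample: two sign-ins for one user about an hour apart, one for another.
SAMPLE_SIGNINS = json.loads("""[
 {"userPrincipalName": "a.jones@example.test", "createdDateTime": "2026-03-04T08:02:11Z",
  "authenticationProtocol": "none", "ipAddress": "203.0.113.10",
  "location": {"countryOrRegion": "GB", "city": "Leeds"}, "status": {"errorCode": 0}},
 {"userPrincipalName": "a.jones@example.test", "createdDateTime": "2026-03-04T09:15:40Z",
  "authenticationProtocol": "deviceCode", "ipAddress": "198.51.100.77",
  "location": {"countryOrRegion": "NG", "city": "Lagos"}, "status": {"errorCode": 0}},
 {"userPrincipalName": "b.smith@example.test", "createdDateTime": "2026-03-04T09:20:00Z",
  "authenticationProtocol": "none", "ipAddress": "203.0.113.22",
  "location": {"countryOrRegion": "GB", "city": "London"}, "status": {"errorCode": 0}}
]""")


def parse_time(ts: str) -> datetime:
    """Parse the ISO 8601 UTC timestamps used in the sign-in records."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def find_suspicious(signins: list[dict]) -> list[dict]:
    """Return findings: every device-code sign-in, plus any successful sign-in from
    a different country than the user's previous success less than 2 hours earlier.
    The travel check is simplified to a country change, not a true distance/speed test."""
    findings = []
    last_success: dict[str, dict] = {}
    for s in sorted(signins, key=lambda r: r["createdDateTime"]):
        user = s["userPrincipalName"]
        if s["authenticationProtocol"] == "deviceCode":
            findings.append({"user": user, "reason": "device_code_flow", "ip": s["ipAddress"]})
        if s["status"]["errorCode"] != 0:
            continue  # only successful sign-ins feed the travel check
        prev = last_success.get(user)
        if prev:
            gap_hours = (parse_time(s["createdDateTime"])
                         - parse_time(prev["createdDateTime"])).total_seconds() / 3600
            if prev["location"]["countryOrRegion"] != s["location"]["countryOrRegion"] and gap_hours < 2:
                findings.append({"user": user, "reason": "country_change", "ip": s["ipAddress"]})
        last_success[user] = s
    return findings
```

In a real tenant the same logic would run over sign-in logs exported from Entra or forwarded to a SIEM, with a proper distance-based impossible-travel check in place of the country comparison.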
2. Can We Restrict Device-Code Authentication?
Microsoft provides Conditional Access controls that can help organisations manage higher-risk authentication flows, including device-code flow.
For many businesses, device-code authentication is rarely needed by ordinary users. Where it is not required, it may be sensible to restrict it. Where it is required, it should be limited and monitored.
The right answer depends on your environment. A blanket change without understanding business impact can cause disruption. But doing nothing because “it sounds technical” is not much of a strategy either.
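As an added example (not from the original post or from Microsoft), the following check reads exported Conditional Access policies and reports whether device-code flow is blocked for all users, whether any such policy is still in report-only mode, and which accounts are excluded. The policies are constructed to follow the shape of Microsoft Graph conditionalAccessPolicy objects; the names and account IDs are placeholders.

```python
"""Audit exported Conditional Access policies for device-code flow coverage.

The constructed sample follows the Microsoft Graph conditionalAccessPolicy shape
(state, conditions.users, conditions.authenticationFlows.transferMethods,
grantControls.builtInControls). Display names and IDs are placeholders.
"""

# Constructed sample: a report-only block, an enforced block with one exclusion,
# and an unrelated MFA policy that does not target authentication flows at all.
SAMPLE_POLICIES = [
    {"displayName": "Block device code flow (report-only)",
     "state": "enabledForReportingButNotEnforced",
     "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": []},
                    "authenticationFlows": {"transferMethods": "deviceCodeFlow"}},
     "grantControls": {"builtInControls": ["block"]}},
    {"displayName": "Block device code flow",
     "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"],
                              "excludeUsers": ["breakglass-account-id-placeholder"]},
                    "authenticationFlows": {"transferMethods": "deviceCodeFlow,authenticationTransfer"}},
     "grantControls": {"builtInControls": ["block"]}},
    {"displayName": "Require MFA for all users",
     "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": []},
                    "authenticationFlows": None},
     "grantControls": {"builtInControls": ["mfa"]}},
]


def targets_device_code(policy: dict) -> bool:
    """True if the policy's authentication-flow condition includes deviceCodeFlow."""
    flows = (policy.get("conditions") or {}).get("authenticationFlows") or {}
    methods = [m.strip() for m in (flows.get("transferMethods") or "").split(",")]
    return "deviceCodeFlow" in methods


def audit_device_code(policies: list[dict]) -> dict:
    """Summarise enforced and report-only device-code blocks and their exclusions."""
    result = {"enforced_block": [], "report_only": [], "exclusions": [], "blocked_for_all": False}
    for p in policies:
        if not targets_device_code(p):
            continue
        if "block" not in (p.get("grantControls") or {}).get("builtInControls", []):
            continue  # a policy that only adds controls (e.g. MFA) is not a block
        users = p["conditions"]["users"]
        if p["state"] == "enabled":
            result["enforced_block"].append(p["displayName"])
            result["exclusions"].extend(users.get("excludeUsers", []))
            if "All" in users.get("includeUsers", []):
                result["blocked_for_all"] = True
        elif p["state"] == "enabledForReportingButNotEnforced":
            result["report_only"].append(p["displayName"])
    return result
```

The exclusion list is the part to read carefully: every excluded account is one that can still complete a device-code sign-in, so it should be limited to accounts that genuinely need the flow and that are monitored.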
3. What Happens After A Suspicious Login?
Detection is only half the story.
If an account is compromised, your team needs a clean response process. That may include revoking sessions and tokens, resetting credentials, reviewing MFA methods, checking mailbox rules, auditing file access, inspecting forwarding settings, and looking for signs of business email compromise.
The key is speed and calm. Not frantic clicking. Not five people in a Teams call saying, “Can you still see it?” while the attacker quietly enjoys the show.
A proper incident response checklist makes a real difference.
4. Are Staff Trained For Modern Phishing?
Traditional phishing training often focuses on bad links and fake pages. That is still useful, but it needs updating.
Staff should understand that a real Microsoft page can still be part of a malicious process if they have been tricked into entering a code or approving a login they did not initiate.
Training should be practical, short, and repeated. People do not become secure because they watched one annual awareness video while eating a sandwich.
Human risk improves through reminders, realistic testing, and a culture where reporting suspicious messages is easy rather than embarrassing.
5. Do We Have Enough Governance Around Access?
The more access a compromised user has, the more damage an attacker can do.
That makes access reviews important. Who has access to finance files? Who can change payment details? Who has admin rights? Which ex-employees still have lingering permissions? Which shared mailboxes are quietly full of sensitive data?
This is not glamorous work. It is digital housekeeping.
But like real housekeeping, you notice when nobody does it for six months.
MFA Still Matters. It Just Needs Friends.
It would be easy to take the wrong lesson from this trend and say, “MFA can be bypassed, so what is the point?”
That is not the lesson.
The lesson is that MFA should be part of a wider identity security approach. It needs conditional access, secure configuration, monitoring, staff awareness, endpoint protection, email security, and a tested response process around it.
For a business with 20 to 150 users, that does not have to mean building an internal enterprise security department. It does mean being intentional.
The most resilient organisations tend to know:
- what their Microsoft 365 environment looks like
- which controls are actually enabled
- where their sensitive data lives
- who has privileged access
- how suspicious activity is monitored
- who responds when something goes wrong
- what evidence they can show for insurance, audits, or client due diligence
That is the difference between having “some security tools” and having a security operating model.
One is a cupboard full of ingredients. The other is dinner.
The Practical Takeaway
The rise of AI-powered phishing and device-code attacks does not mean every business is doomed. It means attackers are becoming better at abusing the trust built into normal business systems.
That is an uncomfortable but useful insight.
Your Microsoft 365 environment is probably one of the most important business systems you have. It deserves the same level of care as finance, operations, clinical systems, or client delivery.
For leadership teams, the next step is not to memorise every new phishing kit name. It is to make sure someone competent is checking the fundamentals:
- Are risky authentication flows controlled?
- Are alerts being reviewed?
- Are users trained on current attack methods?
- Are admin accounts properly protected?
- Are suspicious sessions quickly revoked?
- Are backups, recovery, and incident response tested?
- Is there a clear owner for improving security over time?
Strong cybersecurity is rarely one dramatic move. More often, it is a series of sensible decisions made before the bad day arrives.
Very boring. Very valuable. Exactly the kind of boring you want.
If you are not sure how exposed your Microsoft 365 environment is, book a black box assessment with Unizen. We will help identify practical risks, weak spots, and priority improvements so you can make security decisions with clearer evidence and less guesswork.
Sources Used
- Huntress: EvilTokens and the Rise of AI-Powered Phishing
- Huntress: Inside Kali365, a Device Code Phishing Ecosystem
- Microsoft: Inside an AI-enabled device code phishing campaign
- Microsoft Learn: Conditional Access authentication flows
- NCSC: Small organisations guide to cyber security