For years, the advice around phishing has sounded roughly the same.
Look for spelling mistakes. Check the sender address. Be suspicious of urgent payment requests. Do not click strange links. Hover before you click.
All sensible advice. Still useful. Very much not dead.
But the problem is that phishing has grown up a bit. It has put on a blazer, learned how Microsoft authentication works, subscribed to some automation tools, and started behaving less like a dodgy email from a pretend prince and more like a well-rehearsed business process.
This week, Huntress reported a major rise in device-code phishing, including a reported 1,380% increase from the July to December 2025 period to the January to April 2026 period. Their research also describes phishing kits that can generate personalised lures, abuse legitimate Microsoft login flows, and steal access tokens rather than passwords.
That last bit matters.
Because if attackers can gain access without needing your password, the comforting phrase “we have MFA” becomes a little less comforting.
Not useless. Not bad. Not something to switch off in a huff. MFA is still one of the most important protections a business can have.
But it is not a magic force field.
And that is the bit many growing businesses need to absorb now.
Device-code login is a legitimate feature used by services like Microsoft 365. It is designed for devices where typing a full username and password is awkward, such as TVs, consoles, printers, or certain command-line tools.
You have probably seen the pattern before:
“Go to this Microsoft page and enter this code.”
In normal use, it is convenient. The problem is that attackers can abuse that same process.
In a device-code phishing attack, the attacker starts a login session on their own device. They then trick the victim into entering a code on a real Microsoft login page. Because the page is legitimate, many of the usual phishing alarms do not go off. The victim is not necessarily typing their password into a fake website. They may even complete MFA properly.
But the session being authorised belongs to the attacker.
It is a bit like someone standing outside a secure office and saying, “Could you just badge me in? The reader is playing up.” The badge system worked. The door opened. The problem was the context.
That is why these attacks are awkward. They do not always look like a traditional fake-login-page scam. They use trusted authentication flows in the wrong way.
For larger enterprises, identity security is often a full-time discipline. They may have security operations teams, identity specialists, conditional access policies, logging, alerting, incident playbooks, and enough governance meetings to make a small forest nervous.
Smaller and mid-sized organisations are in a different position.
A 60-person healthcare provider, creative agency, finance firm, or HR analytics company may rely heavily on Microsoft 365, but not have someone continuously watching authentication logs. They may have MFA switched on and assume that means the major identity risks are covered.
That assumption is now too thin.
Microsoft 365 is not just email. It is often the front door to:
Once an attacker gets into an account, the issue is rarely just “one mailbox was accessed”.
They can study how the organisation talks. They can find payment conversations. They can impersonate senior staff. They can set inbox rules. They can move laterally. They can wait.
The quiet waiting is often the nastiest bit. Not every cyber incident arrives with flashing lights and a ransom note. Sometimes it arrives as a perfectly worded email in an existing conversation, sent at exactly the right moment, asking someone to change bank details.
Very polite. Very expensive.
The technical phrase is “OAuth token theft” or “device-code phishing”. Useful terms for security teams.
For directors and founders, the better phrase may be workflow risk.
Attackers are not simply attacking your IT. They are attacking the way your business gets things done.
If your team approves payments by email, that is a workflow.
If your clinic sends sensitive documents through Microsoft 365, that is a workflow.
If your agency shares campaign files with clients, that is a workflow.
If your finance team relies on Teams and SharePoint for deal documentation, that is a workflow.
If your HR platform connects to Microsoft identity, that is a workflow.
Modern cybercrime is increasingly good at blending into those workflows. AI-generated phishing makes the wording more believable. Automation helps attackers scale. Phishing-as-a-service tools lower the skill needed to run the attack.
In plain English: more criminals can now do convincing things faster.
That does not mean every business should panic. Panic is a poor operating model. It has terrible documentation and never remembers to renew licences.
But it does mean businesses should update their mental model.
The question is no longer, “Do we have MFA?”
The better question is, “Do we know which authentication flows are allowed, how risky sign-ins are detected, and what we would do if a Microsoft 365 account was compromised?”
You do not need to become an identity security engineer to lead this well. But you do need to ask better questions.
Here are the practical ones.
Someone should be looking for suspicious authentication patterns, unusual geographies, unfamiliar devices, impossible travel, strange token activity, and unexpected use of device-code flow.
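Detection of the kind described above, as an added example that is not from the original post or from Huntress or Unizen: a Python script that runs two checks over constructed Entra ID sign-in records, flagging any sign-in that used the device-code flow and any pair of sign-ins by one user that implies impossible travel. Field names follow the Microsoft Graph signIn resource with the location coordinates flattened; every user, time and coordinate is a constructed sample value.

```python
from datetime import datetime, timezone
from math import radians, sin, cos, asin, sqrt

# Constructed sample of Entra ID sign-in records. Field names follow the
# Microsoft Graph signIn resource; the location coordinates are flattened to
# lat/lon for brevity and every value is invented for this example.
SAMPLE_SIGNINS = [
    {"userPrincipalName": "alice@example.com", "createdDateTime": "2026-03-02T08:55:00Z",
     "authenticationProtocol": "none", "lat": 51.50, "lon": -0.12},        # London, browser
    {"userPrincipalName": "alice@example.com", "createdDateTime": "2026-03-02T09:10:00Z",
     "authenticationProtocol": "deviceCode", "lat": 52.37, "lon": 4.90},   # Amsterdam, device code
    {"userPrincipalName": "bob@example.com", "createdDateTime": "2026-03-02T10:00:00Z",
     "authenticationProtocol": "none", "lat": 53.48, "lon": -2.24},        # Manchester
    {"userPrincipalName": "bob@example.com", "createdDateTime": "2026-03-02T15:30:00Z",
     "authenticationProtocol": "none", "lat": 53.48, "lon": -2.24},        # Manchester again
]

MAX_KMH = 900.0  # faster than an airliner between two sign-ins counts as impossible travel

def km_between(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two points (haversine formula)."""
    p1, p2 = radians(lat1), radians(lat2)
    dlat, dlon = p2 - p1, radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(p1) * cos(p2) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))

def parse_time(stamp):
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def find_findings(signins):
    """Return (user, finding, time) tuples for device-code sign-ins and impossible travel."""
    findings, last_seen = [], {}
    for rec in sorted(signins, key=lambda r: r["createdDateTime"]):
        user, when = rec["userPrincipalName"], rec["createdDateTime"]
        # Rule 1: any use of the device-code flow is worth a look where ordinary users rarely need it.
        if rec.get("authenticationProtocol") == "deviceCode":
            findings.append((user, "device-code sign-in", when))
        # Rule 2: compare with the same user's previous sign-in for an implausible travel speed.
        prev = last_seen.get(user)
        if prev is not None:
            hours = (parse_time(when) - parse_time(prev["createdDateTime"])).total_seconds() / 3600
            dist = km_between(prev["lat"], prev["lon"], rec["lat"], rec["lon"])
            if dist / max(hours, 1 / 60) > MAX_KMH:  # gaps under a minute are treated as one minute
                findings.append((user, "impossible travel", when))
        last_seen[user] = rec
    return findings

if __name__ == "__main__":
    for user, what, when in find_findings(SAMPLE_SIGNINS):
        print(f"{when} {user}: {what}")
```

On the sample, Alice's Amsterdam sign-in is flagged twice (device-code flow, and 357 km in fifteen minutes from London), while Bob's two Manchester sign-ins produce nothing.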
This is where managed cybersecurity becomes very practical. It is not about buying a shiny security tool and hoping it feels loved. It is about having the visibility and response process around it.
For growing teams, this often means combining Microsoft 365 security configuration, endpoint protection, email security, and a security operations capability that can spot when something odd is happening.
Microsoft provides Conditional Access controls that can help organisations manage higher-risk authentication flows, including device-code flow.
For many businesses, device-code authentication is rarely needed by ordinary users. Where it is not required, it may be sensible to restrict it. Where it is required, it should be limited and monitored.
The right answer depends on your environment. A blanket change without understanding business impact can cause disruption. But doing nothing because “it sounds technical” is not much of a strategy either.
Detection is only half the story.
If an account is compromised, your team needs a clean response process. That may include revoking sessions and tokens, resetting credentials, reviewing MFA methods, checking mailbox rules, auditing file access, inspecting forwarding settings, and looking for signs of business email compromise.
The key is speed and calm. Not frantic clicking. Not five people in a Teams call saying, “Can you still see it?” while the attacker quietly enjoys the show.
A proper incident response checklist makes a real difference.
Traditional phishing training often focuses on bad links and fake pages. That is still useful, but it needs updating.
Staff should understand that a real Microsoft page can still be part of a malicious process if they have been tricked into entering a code or approving a login they did not initiate.
Training should be practical, short, and repeated. People do not become secure because they watched one annual awareness video while eating a sandwich.
Human risk improves through reminders, realistic testing, and a culture where reporting suspicious messages is easy rather than embarrassing.
The more access a compromised user has, the more damage an attacker can do.
That makes access reviews important. Who has access to finance files? Who can change payment details? Who has admin rights? Which ex-employees still have lingering permissions? Which shared mailboxes are quietly full of sensitive data?
This is not glamorous work. It is digital housekeeping.
But like real housekeeping, you notice when nobody does it for six months.
It would be easy to take the wrong lesson from this trend and say, “MFA can be bypassed, so what is the point?”
That is not the lesson.
The lesson is that MFA should be part of a wider identity security approach. It needs conditional access, secure configuration, monitoring, staff awareness, endpoint protection, email security, and a tested response process around it.
For a business with 20 to 150 users, that does not have to mean building an internal enterprise security department. It does mean being intentional.
The most resilient organisations tend to know:
That is the difference between having “some security tools” and having a security operating model.
One is a cupboard full of ingredients. The other is dinner.
The rise of AI-powered phishing and device-code attacks does not mean every business is doomed. It means attackers are becoming better at abusing the trust built into normal business systems.
That is an uncomfortable but useful insight.
Your Microsoft 365 environment is probably one of the most important business systems you have. It deserves the same level of care as finance, operations, clinical systems, or client delivery.
For leadership teams, the next step is not to memorise every new phishing kit name. It is to make sure someone competent is checking the fundamentals:
Strong cybersecurity is rarely one dramatic move. More often, it is a series of sensible decisions made before the bad day arrives.
Very boring. Very valuable. Exactly the kind of boring you want.
If you are not sure how exposed your Microsoft 365 environment is, book a black box assessment with Unizen. We will help identify practical risks, weak spots, and priority improvements so you can make security decisions with clearer evidence and less guesswork.