Device code phishing hits record levels — hundreds of M365 accounts compromised daily
Microsoft reports 10-15 campaigns per day. How to block the attack in Conditional Access.
Microsoft reports that 10-15 device code phishing campaigns have run every day since mid-March 2026, and hundreds of M365 accounts are compromised daily. This is not a theoretical threat; it is happening right now.
How the attack works
The attacker first starts a device code login for a Microsoft application, which gives them a short-lived user code. They then send an AI-generated email that appears to come from a colleague or business contact. The email contains a link to Microsoft's legitimate device code login page (microsoft.com/devicelogin) and that code to enter.
When the victim enters the code and completes MFA, Entra ID issues the access and refresh tokens to the client that requested the code: the attacker's. No password or MFA prompt ever has to be defeated; the victim did that work for the attacker. The attacker gains full mailbox access, creates inbox rules to hide their tracks, and registers their own devices for persistent access.
What makes the attack effective: everything happens on Microsoft's real login page, over a valid login URL with a valid certificate. There is no fake website to detect, and URL filtering and password-reuse checks see nothing wrong.
Who gets targeted
Finance, executive, and admin users are the primary targets. AI-generated emails are tailored to the recipient's role — RFPs for salespeople, invoices for accounting, workflows for operations.
What you should do
- Block device code flow in Conditional Access. Most organizations do not need device code flow; it exists for input-constrained clients such as CLI tools, TVs and IoT devices. Create a CA policy with the "Authentication flows" condition set to device code flow and the grant control set to block, for all users except an exception group. Roll it out in report-only mode first and check which sign-ins it would have blocked. Blocking the flow stops new device code sign-ins but does not undo an existing compromise: for any account with a suspicious device code sign-in, revoke its sessions and remove the inbox rules and registered devices the attacker added.
- Review sign-in logs. In the Entra ID sign-in logs, filter on the authentication protocol column for device code (the Graph API value is deviceCode; it is a protocol field, not an authentication method). Unusual patterns are a red flag: users who have never used device code before, successful sign-ins from a country the user never signs in from, or a device registration minutes after the sign-in.
- Enable risk-based CA policies. Sign-in risk and user risk in Entra ID Protection (requires Entra ID P2) catch anomalous token behavior. Require MFA on medium or high sign-in risk and a password change on high user risk.
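The three steps above as one Microsoft Graph PowerShell script, added here as an example; it is not the article's own code or a Microsoft-supplied script. It assumes the Microsoft Graph PowerShell SDK is installed, that an exception group named CA-DeviceCode-Exception exists (hypothetical name), that the signed-in admin can consent to the listed scopes, and a 7-day hunting window (chosen for the example).

```powershell
# Added example (not from the article): block device code flow, hunt for past device code
# sign-ins, and require MFA on risky sign-ins. Microsoft Graph PowerShell SDK.
# Assumptions: exception group name "CA-DeviceCode-Exception" and the 7-day window are hypothetical.
$scopes = @(
    "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All", "Application.Read.All",
    "Group.Read.All", "AuditLog.Read.All", "Directory.Read.All"
)
Connect-MgGraph -Scopes $scopes

# The few identities that genuinely need device code flow (CLI tooling, kiosk/IoT devices).
# Emergency access accounts should also be excluded from every CA policy you create.
$exceptionGroup = Get-MgGroup -Filter "displayName eq 'CA-DeviceCode-Exception'"
if (-not $exceptionGroup) { throw "Exception group not found; create it before applying the policy." }

# 1. CA policy: authentication flows condition = device code flow, grant control = block.
#    Start in report-only mode, review the report-only results in the sign-in logs, then set state = "enabled".
$blockDeviceCode = @{
    displayName   = "Block device code flow (all users except exception group)"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users               = @{ includeUsers = @("All"); excludeGroups = @($exceptionGroup.Id) }
        applications        = @{ includeApplications = @("All") }
        authenticationFlows = @{ transferMethods = "deviceCodeFlow" }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $blockDeviceCode

# 2. Hunt: device code sign-ins in the last 7 days. The signIns endpoint does not accept
#    authenticationProtocol in $filter, so filter server-side on createdDateTime and narrow locally.
$since = (Get-Date).ToUniversalTime().AddDays(-7).ToString("yyyy-MM-ddTHH:mm:ssZ")
$deviceCodeSignIns = Get-MgAuditLogSignIn -Filter "createdDateTime ge $since" -All |
    Where-Object { $_.AuthenticationProtocol -eq "deviceCode" }

$deviceCodeSignIns |
    Select-Object CreatedDateTime, UserPrincipalName, AppDisplayName, IpAddress,
                  @{ n = "Country"; e = { $_.Location.CountryOrRegion } },
                  @{ n = "Result";  e = { if ($_.Status.ErrorCode -eq 0) { "success" } else { "fail $($_.Status.ErrorCode)" } } } |
    Sort-Object CreatedDateTime -Descending | Format-Table -AutoSize

# Red flags: a user who has never used device code before, a success from a country the user
# never signs in from, or a device registration within minutes of the device code sign-in.
# For every successful hit the user cannot explain, cut off the tokens the attacker holds,
# then check inbox rules, registered devices and MFA methods on that account.
$suspects = $deviceCodeSignIns | Where-Object { $_.Status.ErrorCode -eq 0 } |
    Select-Object -ExpandProperty UserId -Unique
foreach ($userId in $suspects) {
    Write-Host "Review device code sign-in for user $userId (inbox rules, registered devices, MFA methods)"
    # Uncomment once confirmed with the user: invalidates refresh tokens and browser sessions.
    # Revoke-MgUserSignInSession -UserId $userId | Out-Null
}

# 3. Risk-based policy (needs Entra ID P2): require MFA on medium or high sign-in risk.
#    Also report-only first; switch to "enabled" after reviewing the impact.
$riskPolicy = @{
    displayName   = "Require MFA on medium/high sign-in risk"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users            = @{ includeUsers = @("All"); excludeGroups = @($exceptionGroup.Id) }
        applications     = @{ includeApplications = @("All") }
        signInRiskLevels = @("medium", "high")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $riskPolicy
```

Both policies are created in report-only mode on purpose: the device code block will show you exactly which accounts (build agents, service desks, Azure CLI users) rely on the flow today, and those are the members your exception group needs before you switch the state to enabled. The hunt filters client-side because the sign-in log's server-side filter does not cover the authentication protocol field; on a large tenant narrow the window or add a userPrincipalName filter to the query.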
How HaggeBurger can help
We offer a Conditional Access review in which we block device code flow and audit your sign-in logs. It takes 2-3 hours for most environments. Get in touch and we will schedule it.