A new Microsoft login scam is spreading, stealing users private information. Shockingly, it doesn’t rely on stolen passwords. Hackers are exploiting Microsoft’s device code login, a legitimate authentication feature, to trick users into giving access to their accounts.
This scam utilises a technique known as device code phishing that enables the attackers to generate a code and convince victims to enter it on their device, giving the hackers full access to their account.
Microsoft security experts says that the device code login is meant for devices that cannot display a full authentication page. Attackers start a login session on their own device and generate a valid code.
They then send their victims this code through emails and messages that mimic urgent Microsoft 365 notifications. When they enter the code, they are unwittingly providing the attacker with an access token and handing them control of their accounts.
This phishing scam is difficult to identify, as it looks authentic and is different from others because it actually gives attackers control of accounts by turning one of Microsoft’s security features on itself.
To stay safe, Microsoft users should:
Understanding how device code login works is critical. Microsoft never sends codes randomly, so any unexpected prompt is a potential attack.