New Microsoft scam turns security feature against users
Microsoft never sends codes randomly, so any unexpected prompt is a potential attack
A new Microsoft login scam is spreading, stealing users' private information. Shockingly, it doesn't rely on stolen passwords. Hackers are exploiting Microsoft's device code login, a legitimate authentication feature, to trick users into giving access to their accounts.
This scam utilises a technique known as device code phishing that enables the attackers to generate a code and convince victims to enter it on their device, giving the hackers full access to their account.
How does the Microsoft security scam work?
Microsoft security experts say that the device code login is meant for devices that cannot display a full authentication page. Attackers start a login session on their own device and generate a valid code.
They then send their victims this code through emails and messages that mimic urgent Microsoft 365 notifications. When victims enter the code, they are unwittingly providing the attacker with an access token and handing over control of their accounts.
This phishing scam is difficult to identify, as it looks authentic and is different from others because it actually gives attackers control of accounts by turning one of Microsoft’s security features on itself.
How to protect your Microsoft account?
To stay safe, Microsoft users should:
- Only enter device codes they initiated themselves
- Avoid entering codes sent via email or message unexpectedly
- Treat unrequested prompts or MFA notifications as suspicious
- Regularly review account activity for unknown logins
Understanding how device code login works is critical. Microsoft never sends codes randomly, so any unexpected prompt is a potential attack.
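For administrators, the advice to review account activity can be partly automated. The sketch below is an added example, not code from Microsoft or from this article: it scans sign-in records for device-code logins by users who are not known to use that method, or from a country absent from the user's other sign-ins. The record layout, the `deviceCode` label, the `baseline_users` parameter and the sample data are all assumptions constructed for illustration; map them to the fields of your own log source.

```python
from collections import defaultdict

# Constructed sample records; the field names are assumptions for this example.
SIGNINS = [
    {"user": "alice@example.com", "protocol": "password", "country": "GB", "time": "2025-01-06T09:02:00Z"},
    {"user": "bob@example.com", "protocol": "deviceCode", "country": "US", "time": "2025-01-06T10:15:00Z"},
    {"user": "bob@example.com", "protocol": "password", "country": "US", "time": "2025-01-06T11:00:00Z"},
    {"user": "alice@example.com", "protocol": "deviceCode", "country": "NL", "time": "2025-01-07T14:30:00Z"},
    {"user": "carol@example.com", "protocol": "password", "country": "GB", "time": "2025-01-07T15:00:00Z"},
    {"user": "carol@example.com", "protocol": "deviceCode", "country": "GB", "time": "2025-01-08T08:45:00Z"},
]

# Hypothetical allow-list: accounts expected to use device code login
# (for example, a shared meeting-room display).
BASELINE = frozenset({"bob@example.com"})


def flag_device_code_signins(records, baseline_users=frozenset()):
    """Return (user, time, reasons) for device-code sign-ins that merit review."""
    # Countries seen in each user's sign-ins that did NOT use a device code.
    usual_countries = defaultdict(set)
    for rec in records:
        if rec["protocol"] != "deviceCode":
            usual_countries[rec["user"]].add(rec["country"])

    findings = []
    # Timestamps share one ISO 8601 format, so string order is time order.
    for rec in sorted(records, key=lambda r: r["time"]):
        if rec["protocol"] != "deviceCode":
            continue
        reasons = []
        if rec["user"] not in baseline_users:
            reasons.append("user is not expected to use device code login")
        if rec["country"] not in usual_countries[rec["user"]]:
            reasons.append("country not seen in the user's other sign-ins")
        if reasons:
            findings.append((rec["user"], rec["time"], reasons))
    return findings


if __name__ == "__main__":
    for user, when, reasons in flag_device_code_signins(SIGNINS, BASELINE):
        print(f"{when} {user}: " + "; ".join(reasons))
```

A flagged entry is a prompt to ask the user whether they started that login themselves, not proof of compromise.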
