device code phishing

We’re seeing a new form of device code phishing, and it’s worth understanding because it breaks the rules most of us were taught to rely on when it comes to business email security.

A Phishing Attack Built to Pass Inspection

This attack specifically targets the accounts businesses use every day, such as SharePoint, OneDrive, and Outlook, making it one of the more pressing Microsoft 365 security issues we’re tracking right now. What makes it worth writing about isn’t just that it’s effective. It’s that the standard precautions we’ve all been trained on for years, checking the URL, checking whether the sending email looks legitimate, simply don’t catch it.

Here’s how it plays out. The attack begins with an email that looks entirely routine, often resembling a notification that a document has been shared with you. It directs you to a page displaying a short verification code, with instructions to confirm that code on Microsoft’s own sign-in page. Because that final step happens on Microsoft’s genuine website, the real one, with the real domain, the real certificate, everything about the experience looks legitimate. That’s not an accident. It’s the entire design of the attack.

What’s Actually Happening Behind the Scenes in Microsoft 365

One recent campaign associated with the Kali365 toolkit demonstrates how device code phishing can be used to obtain Microsoft 365 access tokens without stealing a user’s password. The code you’re asked to enter doesn’t simply verify your identity. It approves a sign-in request that was initiated by someone else, granting that person access to your account alongside your own. Security teams refer to this technique as device code phishing or token theft. The distinction matters: the attacker never sees or steals your password. Instead, they obtain a token, a small piece of data exchanged between your computer and the server once you’ve already logged in, essentially proof that you are who you say you are. Once they have that token, they don’t need your password at all. Because the attacker is using a valid authentication token rather than a stolen password, many traditional security controls fail to recognize the activity as suspicious.

Why the Usual Business Email Security Advice Stops Working

Here’s the part that catches even careful people off guard. Once an attacker compromises a single email account this way, they use that legitimate, real account to send the next wave of phishing emails. At that point, even the gold-standard advice, “check the sender before you open anything,” no longer helps as a business email security safeguard. The source account isn’t spoofed or faked. It’s completely authentic. It just happens to belong to someone who already got compromised.

This is also why these messages are so convincing in the first place. They’re frequently built to mimic tools like SharePoint and OneDrive down to the pixel, because attackers are deliberately exploiting the trust we place in familiar names and familiar-looking interfaces. The more legitimate something looks, the less we question it, and that’s precisely the vulnerability this phishing attack is built to exploit.

Screenshots and Details

Credit where credit is due. Hornetsecurity has done a great job detailing how this attack can play out, including screenshots, in their write-up on device code phishing. A quick word of caution, however: this is merely an example. Email content varies, as does the attack vector.

What You Can Actually Do About It

The good news is that the defense doesn’t require new technical skills, just a shift in what you’re checking. Before you act on a code, a login prompt, or a “document shared with you” notification, ask yourself one simple question: was I expecting this? If there’s any doubt at all, don’t proceed. Forward the message to your IT team first. It costs a few seconds, and it’s always the right call when something feels even slightly off.

We’re Already Watching for This Microsoft 365 Security Threat

Our IT Services team has already caught this attack in progress, and it’s worth noting there are both proactive and reactive tools to combat this threat. On the proactive side, a company can implement things like Phishing-Resistant MFA, Token Protection, and Entra ID Protection Risk-Based Conditional Access. On the reactive side, companies should be monitoring for unusual behavior, such as bulk emails and activity during unusual hours.

However, our best line of defense isn’t a tool. It’s vigilance. If you think you may have clicked something you shouldn’t have, or entered a code you weren’t expecting to, let your IT Services team know immediately. The faster we know, the faster we can act.

As a provider of managed IT services in Dallas, we see firsthand how quickly a single device code phishing attack can spread through a Microsoft 365 environment once one account is compromised. If your organization needs help securing Microsoft 365, reviewing Conditional Access policies, implementing phishing-resistant MFA, or strengthening overall business email security, our cybersecurity services team can help. Whether you need ongoing managed security services, IT support in Dallas, or Texas cybersecurity consulting, we’re here to help you stay ahead of threats like this.

See More: https://www.hornetsecurity.com/en/blog/kali365-device-code-phishing/

Subscribe for latest news & insights
Related articles