The Microsoft 365 Phishing Scam That Skips the Fake Page

A phishing campaign making the rounds this summer does not bother faking your Microsoft login page. It sends you straight to the real one, and by the time you realize what happened, an attacker already has your account.

According to The Hacker News, the security firm ZeroBEC recently documented a Microsoft 365 attack that uses collaboration-style messages, the kind that look like a meeting invite or a shared file notification, to walk victims through Microsoft's own device sign-in screen. The report describes a technique that skips a fake password page entirely and instead tricks the user into entering a code the attacker generated, on the actual microsoft.com login flow, while a backend system quietly captures the resulting access token.

If that sounds familiar, it should. Microsoft first documented this pattern in February 2025 under the name Storm-2372, tied to a Russia-aligned group that used messaging apps and fake meeting invites to compromise government agencies and other high-value targets. Microsoft's own security blog laid out the mechanics at the time. What has changed since then is who is using it. The technique has moved from a narrow set of nation-state operations into packaged, reusable phishing kits that any criminal group can rent, and small businesses and professional practices are squarely in range now.

How this attack actually works

Microsoft, like a lot of services, supports a sign-in method called the device code flow. It exists for devices that cannot easily type a password, think a smart TV app or a command line tool, where you visit a short web address, enter a code, and the device gets signed in on your behalf. It is a legitimate, useful feature.

The attack repurposes that exact feature. The attacker starts the device sign-in process themselves, which generates a real code. They send that code to a target through what looks like an ordinary business message, a shared document, a meeting reminder, a benefits update. The message tells the recipient to enter the code to view the file or confirm the meeting. The recipient goes to Microsoft's actual sign-in page, types in a code they never generated, and signs in with their real credentials. From the user's side, nothing looks wrong. From the attacker's side, they now hold a valid access token for that person's account.

There is no password to steal and no fake page to spot. The entire interaction happens on legitimate Microsoft infrastructure, which is exactly why it gets past people who have been trained to check a URL before typing their credentials.

Why this is a bigger problem than it looks

For a small business or a legal practice, the real damage here is not the login itself. It is what a compromised Microsoft 365 account gives an attacker access to: email, OneDrive files, SharePoint libraries, calendar details, and often a foothold to send more convincing phishing messages from inside your own organization. For a law office in particular, that means client correspondence and case files sitting in the same account an attacker just walked into.

A detail that catches a lot of people off guard: the access token this attack captures typically stays valid even after the account password is changed. A password reset is the instinctive first move after any account compromise, and here it does not close the door on its own. Cutting off access after this kind of breach means revoking active sessions and app tokens directly, not just changing the password and hoping for the best.

What stops this attack

The first fix is not user training, it is a technical setting. Microsoft's own hardening guidance for this exact threat is to restrict the device code sign-in flow so it is only allowed where your business genuinely needs it, and blocked everywhere else through a Conditional Access policy. Most small businesses have no daily need for device code sign-in, which means it can often be locked down without disrupting anyone's normal workday. This is the kind of setting a vCIO engagement would catch during a security review, since it is not something most business owners know to ask about.

User awareness still matters, but it has to be specific. The habit to build is not "watch for fake login pages." It is "never enter a code that someone else sent you, even if the message looks like it came from a coworker or a familiar app." That single habit defeats the entire attack, regardless of how convincing the lure looks.

For staff who handle sensitive client data daily, this is also a good moment to move past app-based two-factor codes and toward phishing-resistant authentication methods generally. That shift will not stop someone from being tricked into the device code flow itself, but it raises the bar everywhere else in your environment.

If your team's support setup does not already include a documented policy on Conditional Access and sign-in methods, close that gap now, before an attacker finds it instead of your IT provider.


Frequently Asked Questions (FAQs)

Q: How is device code phishing different from a normal phishing email?

A: A normal phishing email sends you to a fake login page that mimics Microsoft, hoping you type your password into it. Device code phishing sends you to Microsoft's real login page and tricks you into entering a code the attacker generated. There is no fake page to spot, which is what makes it harder to catch.

Q: Does two-factor authentication protect me from this?

A: Not on its own. This attack does not ask for your MFA code directly. It uses a sign-in method that produces a valid access token once you complete the real login, MFA included, so the usual second-factor prompt does not stop it. The stronger defense is restricting when device code sign-in is allowed at all.

Q: What should I do if I think I already entered a code from an untrusted message?

A: Contact your IT provider immediately and have them revoke active sessions and app tokens for the account, not just reset the password. Check recent email rules, sent items, and file access for anything unfamiliar, since the point of this attack is quiet, ongoing access rather than a one-time break-in.

Q: Is this really a threat for a small business, or mostly large companies and governments?

A: It started with nation-state groups targeting government and defense targets, but the tools have since spread into commercial phishing kits used by financially motivated criminals. Any business running Microsoft 365, regardless of size, is a viable target now.

Q: Can a hardware security key stop this attack completely?

A: Not by itself, since the attack routes around normal sign-in prompts rather than through them. A security key strengthens every other login path in your business, which matters, but the direct fix for this specific technique is restricting device code sign-in through your Microsoft 365 security settings.


About the author. Justin White is the founder of TechGents, an owner-operated IT consulting firm in Springfield, IL. He has nearly two decades of experience across Apple, Windows, and mixed-platform environments, helping small businesses and professionals across Sangamon County and Central Illinois run their technology without an internal IT department.


The single most useful step here is checking whether device code sign-in is even enabled for your Microsoft 365 environment, and restricting it if it does not need to be.

If you are not sure how to check that setting, or what else might be quietly exposed in your security configuration, a vCIO engagement is built to find exactly this kind of gap before it becomes a real incident.

Have questions about your own setup? Get in touch and we will walk through it together.

Next
Next

What the BIPA Ruling Means for Springfield Businesses