A new attack method bypasses MFA and uses Microsoft’s own login system against you. Every business owner using Microsoft 365 needs to read this.
Most small business owners believe that a strong password and multi-factor authentication make their Microsoft 365 accounts secure. That assumption is now being exploited at scale. Attackers are targeting Microsoft 365 users with device code authorization phishing – a technique that fools users into approving access tokens, bypassing multi-factor authentication protection entirely.
Campaigns using this method have surged since September 2025, representing a significant shift from limited, targeted attacks to widespread exploitation. Both organized criminal groups and nation-state actors are now using it. If your business runs on Microsoft 365, and most do, you need to act.
How the Attack Works
Microsoft has a login feature designed for devices like smart TVs and printers that can’t display a normal login screen. Instead of typing credentials on the device, a user visits a Microsoft page on their phone or computer and enters a short code. It’s a legitimate, trusted system.
Attackers exploit that trust. They initiate the device login flow themselves, then send your employee an email designed to get them to visit Microsoft’s real login page and enter the code – completing the attacker’s authentication instead of their own.
Your employee does everything right. They visit a real Microsoft website. They complete their MFA. They never hand over their password. And the attacker now has full access to your Microsoft 365 environment.
Action Steps for Your Business
Take these steps now with your IT team or provider:
- Block device code flow in Microsoft Entra Conditional Access. This is the strongest mitigation available and can be deployed in report-only mode first to assess impact before full rollout. Most small businesses don’t use this feature and have no reason to leave it enabled.
- Audit your Microsoft 365 OAuth app permissions. Review which third-party applications have access to your tenant and remove anything unauthorized.
- Train your team on this specific attack. Standard phishing training won’t cover it. The key message is simple: if you receive a request to enter a code on a Microsoft login page that you didn’t initiate, stop and report it.
- Review sign-in logs for your Microsoft 365 accounts. Unusual locations, unfamiliar devices, and off-hours logins are indicators of compromise.
- Check for email forwarding rules set up without your knowledge. This is a common post-compromise action attackers use to quietly collect your outgoing email.
- Review your cyber liability coverage. Confirm that account takeover scenarios are covered and understand what your response obligations are.
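As an added example, and not a script from the original post or from Farmhouse Networking, here is how the first and fifth steps above could be carried out from PowerShell: creating the Conditional Access policy that blocks device code flow in report-only mode, then listing mailbox-level forwarding and inbox rules that forward or redirect mail. It assumes the Microsoft Graph and Exchange Online PowerShell modules are installed and the signed-in admin holds the permissions named in the comments; the emergency (break-glass) account address is a placeholder.

```powershell
# Step 1: block device code flow with a Conditional Access policy, report-only first.
# Requires Microsoft.Graph module; Policy.ReadWrite.ConditionalAccess, Policy.Read.All
# and User.Read.All delegated permissions.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All", "User.Read.All"

$breakGlassUpn = "breakglass@contoso.example"   # placeholder: your emergency admin account
$breakGlass    = Get-MgUser -UserId $breakGlassUpn

$policy = @{
    displayName = "Block device code flow (report-only)"
    # Report-only logs what would have been blocked without blocking anyone.
    # Switch to "enabled" once the sign-in logs show no legitimate device code use.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users = @{
            includeUsers = @("All")
            excludeUsers = @($breakGlass.Id)      # never lock out the emergency account
        }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
        # The authentication flow condition is what singles out device code sign-ins.
        authenticationFlows = @{ transferMethods = "deviceCodeFlow" }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("block")
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
Write-Host "Created policy $($created.Id) in state $($created.State)"

# Step 5: surface forwarding an attacker may have set up after a takeover.
# Requires the ExchangeOnlineManagement module and an Exchange admin role.
Connect-ExchangeOnline

# Mailbox-level forwarding (set on the mailbox itself, not visible as a rule).
Get-Mailbox -ResultSize Unlimited |
    Where-Object { $_.ForwardingSmtpAddress -or $_.ForwardingAddress } |
    Select-Object UserPrincipalName, ForwardingSmtpAddress, ForwardingAddress

# Inbox rules that forward, forward as attachment, or redirect mail.
Get-Mailbox -ResultSize Unlimited | ForEach-Object {
    Get-InboxRule -Mailbox $_.UserPrincipalName |
        Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo } |
        Select-Object MailboxOwnerId, Name, Enabled, ForwardTo, ForwardAsAttachmentTo, RedirectTo
}
```

Review the report-only results in the Entra sign-in logs before changing the policy state to enabled, and treat any forwarding destination outside your own domain as something to verify with the mailbox owner.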
Q&A: What Your Clients or Partners May Ask
“How did this happen if you had MFA turned on?”
This attack bypasses both traditional credential theft defenses and multi-factor authentication controls. MFA was never designed to protect against this type of authentication abuse.
“Could my information have been accessed?”
If a business email account is compromised, any data in that account – client correspondence, contracts, financial information – is potentially accessible to the attacker.
“Is this being fixed by Microsoft?”
Microsoft has released tools to block it, but those tools require configuration. Microsoft has been rolling out a managed Conditional Access policy aimed at blocking device code flow authentication, but it requires an administrator to enable and configure it. It doesn’t happen automatically.
“Should I be worried about my own accounts?”
If you share Microsoft 365 services with a vendor or partner whose account is compromised, there’s risk of lateral movement. Security is a supply chain concern, not just an internal one.
How Farmhouse Networking Can Help
Farmhouse Networking reviews and configures Microsoft Entra Conditional Access policies to block device code phishing, audits your Microsoft 365 environment for existing unauthorized access, trains your staff on this and other current attack types, and monitors your accounts ongoing. We work with small and mid-sized businesses across Oregon, Northern California, and New Mexico – and we explain everything in plain language without the IT jargon.
Take the Next Step
Email support@farmhousenetworking.com today and ask for a Microsoft 365 security review. We’ll tell you whether this attack vector is currently open in your environment and what it takes to close it.