Tycoon2FA Is Bypassing MFA Through Real Microsoft Pages | Sync Up


Most of us trust a Microsoft login page when the address looks right and MFA works as expected. But a new phishing attack shows why a real login page can still be tied to the wrong request. We’ll take a look at device code phishing and the threat it presents as we sit down and sync up with Rocket IT’s weekly technology update.

In this episode, you’ll hear more about:

  • How the Tycoon2FA phishing platform is using device code phishing to target Microsoft 365 accounts
  • Why a real Microsoft login page and a legitimate MFA prompt can still be part of a phishing attack
  • How attackers trick users into approving access to their own accounts without ever entering a fake website
  • What access tokens are, and why obtaining them can give attackers a foothold in your email, files, and business data
  • The three questions every employee should ask before entering a Microsoft device login code
  • What business leaders and IT teams can do to review and strengthen Microsoft 365 access controls

Video Transcript

Researchers are tracking a phishing platform called Tycoon2FA that is now using a method known as device code phishing to target Microsoft 365 accounts. You may have seen this type of login before when connecting an app, service, or device to your Microsoft account. Instead of typing your full password into that device, Microsoft gives you a short code and asks you to enter it at microsoft.com/devicelogin.

In the right context, that process is useful. You start the sign-in, you know what device or app you are connecting, and you approve access on purpose. The problem starts when an attacker creates the code and convinces you to enter it.

According to researchers, this campaign often begins with a phishing email that looks like a routine business message, such as an invoice. The link sends the victim through several redirects before landing on a fake Microsoft-themed page. From there, the page shows a code and tells the user to enter it on Microsoft’s real device login page.

That is what makes this attack so easy to trust. The website where the user signs in is real, the Microsoft login process is real, and the MFA prompt may also be real. But the code connects back to a session controlled by the attacker.

So from the user’s point of view, it may feel like they are opening a document, checking an invoice, or completing a normal Microsoft verification step. Behind the scenes, they may be giving the attacker permission to access their Microsoft 365 account.

Once that approval happens, Microsoft issues access and refresh tokens to the client that requested the code, which in this case is the attacker's, not the browser the victim signed in from. Those tokens may give the attacker access to email, calendars, cloud files, and other connected business data for as long as they can be refreshed. For a business, that can expose internal conversations, financial messages, shared documents, vendor details, and client information.
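To make the binding between the code and the attacker's session concrete, here is an added simulation of the OAuth 2.0 device authorization grant (RFC 8628), the flow behind microsoft.com/devicelogin. It is not code from Rocket IT, Microsoft, or the Tycoon2FA kit: the authorization server, the client identifier, the scopes and the token values are all hypothetical and live in memory, with no network. What it shows is that the server issues tokens to whoever holds the `device_code` (the client that started the flow), while the person who types the `user_code` on the real login page only supplies the approval.

```python
"""Simulation of the OAuth 2.0 device authorization grant (RFC 8628).
Hypothetical in-memory server and clients, no network."""
import secrets
import time
from dataclasses import dataclass
from typing import Optional

USER_CODE_TTL = 900  # assumption: 15-minute code lifetime (the RFC's expires_in)


@dataclass
class DeviceGrant:
    client_id: str
    scope: str
    device_code: str   # long secret, returned only to the requesting client
    user_code: str     # short code a human types at the verification URI
    issued_at: float
    approved_by: Optional[str] = None


class AuthorizationServer:
    """Stands in for the identity provider. Grants are keyed by device_code and
    indexed by user_code; the two codes are the only link between the client
    that started the flow and the browser session that approves it."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.grants = {}        # device_code -> DeviceGrant
        self.by_user_code = {}  # user_code -> device_code

    def device_authorization(self, client_id: str, scope: str) -> dict:
        """Step 1 (client -> server): start the flow and receive both codes."""
        g = DeviceGrant(client_id, scope,
                        device_code=secrets.token_urlsafe(32),
                        user_code=secrets.token_hex(4).upper(),  # e.g. "A1B2C3D4"
                        issued_at=self.clock())
        self.grants[g.device_code] = g
        self.by_user_code[g.user_code] = g.device_code
        return {"device_code": g.device_code, "user_code": g.user_code,
                "verification_uri": "https://microsoft.com/devicelogin",
                "expires_in": USER_CODE_TTL, "interval": 5}

    def _live(self, device_code: Optional[str]) -> Optional[DeviceGrant]:
        g = self.grants.get(device_code) if device_code else None
        if g is None or self.clock() - g.issued_at > USER_CODE_TTL:
            return None
        return g

    def device_login(self, user_code: str, user: str, mfa_passed: bool) -> dict:
        """Step 2 (human -> server): the user types the code on the REAL login
        page and completes a REAL password + MFA sign-in. Nothing here ties the
        client to the user's browser; typing the code is the approval."""
        g = self._live(self.by_user_code.get(user_code.replace("-", "").upper()))
        if g is None:
            return {"error": "invalid_or_expired_user_code"}
        if not mfa_passed:
            return {"error": "mfa_required"}
        g.approved_by = user
        # The consent screen only shows the client's name and requested scope.
        return {"status": "approved", "client_id": g.client_id, "scope": g.scope}

    def token(self, client_id: str, device_code: str) -> dict:
        """Step 3 (client -> server): the client polls; tokens go to the
        holder of device_code, whoever that is."""
        g = self._live(device_code)
        if g is None or g.client_id != client_id:
            return {"error": "invalid_grant"}
        if g.approved_by is None:
            return {"error": "authorization_pending"}
        return {"token_type": "Bearer", "scope": g.scope,
                "access_token": f"access-token-for-{g.approved_by}",
                "refresh_token": f"refresh-token-for-{g.approved_by}"}


def run_phish(server: AuthorizationServer, victim: str = "alice@example.com") -> dict:
    """The campaign end to end: the attacker starts the flow, the lure gets the
    victim to type the code, the attacker collects tokens. Returns each step."""
    attacker = "hypothetical-client-id"  # assumption: any client id the IdP accepts
    scope = "Mail.Read Files.Read offline_access"
    codes = server.device_authorization(attacker, scope)
    before = server.token(attacker, codes["device_code"])   # still pending
    # The phishing page displays codes["user_code"] and links to verification_uri.
    approval = server.device_login(codes["user_code"], victim, mfa_passed=True)
    after = server.token(attacker, codes["device_code"])    # attacker holds tokens
    return {"user_code": codes["user_code"], "before": before,
            "approval": approval, "after": after}


if __name__ == "__main__":
    for step, result in run_phish(AuthorizationServer()).items():
        print(f"{step:>9}: {result}")
```

Two details matter for the user-facing advice in this piece: the victim never leaves the real login page and really does pass MFA, and once the code expires (or is never typed) the attacker gets nothing, which is why the lure has a time pressure built in.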

This does not mean MFA is broken. MFA is still one of the most important protections a business can use. But it does show how attackers are shifting their approach from stealing passwords to tricking users into approving access.

For employees, the warning sign is the code itself. If an unexpected email sends you to a page that gives you a code and asks you to enter it at microsoft.com/devicelogin, pause before continuing. That page should only be used when you personally started the sign-in for a device, app, or service you recognize.

Before entering a Microsoft device login code, ask yourself three questions. Did I start this sign-in? Do I recognize the device or app? Do I understand what I am authorizing?

If any of those answers are no, stop and report the message to your IT team. That small pause can prevent a normal-looking login request from becoming a doorway into business email, files, and internal communication.

For business leaders and IT teams, this is also a good time to review how Microsoft 365 access is managed. Organizations should evaluate whether device code login is needed at all (Microsoft Entra Conditional Access can block the device code flow through its authentication flows condition for users who do not need it), limit which apps users can consent to, require admin consent for third-party app access when appropriate, and monitor Microsoft Entra sign-in logs for device code sign-ins from unfamiliar locations, IP addresses, or apps.
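As an added example of the monitoring step above (not code from Rocket IT or Microsoft), this script triages sign-in records for device code flow sign-ins. The records are constructed and follow the field names of the Microsoft Graph `signIn` resource (`authenticationProtocol`, `ipAddress`, `appDisplayName`, `location`, `status`); the app allowlist, the severity thresholds, and the assumption that a device code sign-in's `ipAddress` can be compared against the user's normal sign-ins are all choices made here, so confirm the field names and the IP semantics against your own export before relying on it.

```python
"""Triage of Microsoft Entra sign-in records for device code flow sign-ins.
Sample records are constructed; field names follow the Graph signIn resource."""
from collections import defaultdict

# Assumption: apps this organization legitimately signs into with device code.
KNOWN_DEVICE_CODE_APPS = {"Microsoft Azure CLI"}

SIGNINS = [  # constructed sample: three browser sign-ins, then three device code sign-ins
    {"createdDateTime": "2025-03-03T08:02:11Z", "userPrincipalName": "alice@example.com",
     "appDisplayName": "OfficeHome", "authenticationProtocol": "authorizationCode",
     "ipAddress": "203.0.113.10", "location": {"countryOrRegion": "US"}, "status": {"errorCode": 0}},
    {"createdDateTime": "2025-03-03T08:40:52Z", "userPrincipalName": "bob@example.com",
     "appDisplayName": "OfficeHome", "authenticationProtocol": "authorizationCode",
     "ipAddress": "203.0.113.11", "location": {"countryOrRegion": "US"}, "status": {"errorCode": 0}},
    {"createdDateTime": "2025-03-03T09:15:00Z", "userPrincipalName": "carol@example.com",
     "appDisplayName": "Microsoft Azure CLI", "authenticationProtocol": "deviceCode",
     "ipAddress": "203.0.113.12", "location": {"countryOrRegion": "US"}, "status": {"errorCode": 0}},
    {"createdDateTime": "2025-03-03T10:03:27Z", "userPrincipalName": "alice@example.com",
     "appDisplayName": "Microsoft Office", "authenticationProtocol": "deviceCode",
     "ipAddress": "198.51.100.7", "location": {"countryOrRegion": "NL"}, "status": {"errorCode": 0}},
    {"createdDateTime": "2025-03-03T10:09:41Z", "userPrincipalName": "bob@example.com",
     "appDisplayName": "Microsoft Office", "authenticationProtocol": "deviceCode",
     "ipAddress": "198.51.100.7", "location": {"countryOrRegion": "NL"}, "status": {"errorCode": 0}},
    {"createdDateTime": "2025-03-03T10:12:05Z", "userPrincipalName": "bob@example.com",
     "appDisplayName": "Microsoft Office", "authenticationProtocol": "deviceCode",
     "ipAddress": "198.51.100.7", "location": {"countryOrRegion": "NL"}, "status": {"errorCode": 50126}},
]


def triage_device_code_signins(signins: list) -> list:
    """Return one alert per successful device code sign-in, with the reasons it
    stands out from the user's own non-device-code sign-ins in the same window."""
    ok = [s for s in signins if s["status"]["errorCode"] == 0]  # failures are not approvals

    # Baseline per user: IPs and countries seen on successful sign-ins that did
    # NOT use device code. A user with no baseline in the window is left at "low".
    baseline_ips, baseline_countries = defaultdict(set), defaultdict(set)
    for s in ok:
        if s["authenticationProtocol"] != "deviceCode":
            baseline_ips[s["userPrincipalName"]].add(s["ipAddress"])
            baseline_countries[s["userPrincipalName"]].add(s["location"]["countryOrRegion"])

    device_code = [s for s in ok if s["authenticationProtocol"] == "deviceCode"]

    # Campaign indicator (assumption): one source IP completing device code
    # sign-ins for several different users is a phishing kit, not a CLI user.
    users_per_ip = defaultdict(set)
    for s in device_code:
        users_per_ip[s["ipAddress"]].add(s["userPrincipalName"])

    alerts = []
    for s in device_code:
        user, ip, country = s["userPrincipalName"], s["ipAddress"], s["location"]["countryOrRegion"]
        reasons = []
        if s["appDisplayName"] not in KNOWN_DEVICE_CODE_APPS:
            reasons.append(f"app not on device-code allowlist: {s['appDisplayName']}")
        if baseline_ips[user] and ip not in baseline_ips[user]:
            reasons.append(f"IP {ip} never seen in {user}'s other sign-ins")
        if baseline_countries[user] and country not in baseline_countries[user]:
            reasons.append(f"country {country} never seen in {user}'s other sign-ins")
        if len(users_per_ip[ip]) > 1:
            reasons.append(f"IP {ip} completed device code sign-ins for {len(users_per_ip[ip])} users")
        severity = "high" if len(reasons) >= 2 else "medium" if reasons else "low"
        alerts.append({"time": s["createdDateTime"], "user": user, "app": s["appDisplayName"],
                       "ip": ip, "severity": severity, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for a in triage_device_code_signins(SIGNINS):
        print(f"[{a['severity']:>6}] {a['time']} {a['user']} via {a['app']} from {a['ip']}")
        for r in a["reasons"]:
            print(f"         - {r}")
```

Every successful device code sign-in is reported, even the benign-looking one from carol, because the flow should be rare enough in most organizations that a low-severity entry is cheap to review; the two approvals from the same unfamiliar IP and country in a ten-minute window are what a Tycoon2FA-style campaign looks like in this data. If your sign-in export carries the same `authenticationProtocol` field, the first filter in the function is the one to start from.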

If your organization needs help reviewing Microsoft 365 security settings, strengthening login policies, or helping employees recognize newer phishing tactics, contact Rocket IT using the link in this video’s description. And to stay up to date on trending technology news, hit that subscribe button and the bell to catch us on next week’s episode of Sync Up with Rocket IT.
