PSA: The New Microsoft Login Scam That Doesn’t Need Your Password

If there’s one thing I’ve learned in over 40 years, it’s that scammers never stop evolving. Just when we think we’ve got our teams trained to spot a fake login page or a dodgy link, the bad guys move the goalposts.

This is a Public Service Announcement (PSA) regarding a particularly sneaky threat doing the rounds. It’s a Microsoft login scam that is “running rampant,” and here is the kicker: it has absolutely nothing to do with stealing your password.

In fact, the scammers don’t even want your password. They’ve found a way to get into your email, your Teams chats, and your company files by using a legitimate Microsoft feature against you. If you’re running a small or medium business, this is something you and your staff need to know about right now.

The Scam That Bypasses the “Traditional” Rules

For years, IT experts (including us!) have told you the same three things:

  1. Check the URL before you type your password.
  2. Don’t click on suspicious attachments.
  3. Turn on Multi-Factor Authentication (MFA).

While those are still great rules, this new “device code phishing” attack bypasses the first and third rules entirely.

Usually, a phishing attack sends you to a fake website that looks like Microsoft but is actually micros0ft-login-security.com or something equally fishy. But in this new scam, the attacker actually sends you to the real Microsoft website. Because the site is legitimate, your browser shows the green padlock, the URL is perfect, and your internal “scam radar” might not go off.


How “Device Code Phishing” Works

This attack exploits a feature Microsoft designed for devices that don’t have a traditional keyboard (think Smart TVs, game consoles, or printers). It’s called the Device Authorization Flow.

Here is how the scam usually plays out:

  1. The Hook: You receive an email or a message (sometimes via a compromised LinkedIn or Teams account) claiming there is an issue with your account. It might say your “Email access will expire” or “A security update is required.”
  2. The Instruction: Instead of asking for a password, the message tells you to go to a very real, very official Microsoft link: microsoft.com/devicelogin.
  3. The Code: The message gives you a specific 9-character alphanumeric code and tells you to enter it on that page to “verify your identity.”
  4. The Authorization: When you go to that real Microsoft page and enter the code, Microsoft will ask you if you want to sign in to an application. The application might be named something convincing like “Microsoft Office” or “Security Sign-in Helper.”
  5. The Payload: Once you hit “Continue,” you aren’t actually logging yourself in. You are authorizing the attacker’s device to access your account.

Why MFA Won’t Always Save You Here

This is the part that keeps IT managers up at night. Because you are performing the action on the legitimate Microsoft website, your Multi-Factor Authentication (MFA) or Two-Step Verification might trigger as usual.

You see the prompt on your phone, you think, “Yep, I’m currently trying to fix my email,” and you approve it. By approving that request, you have just handed a “Token” to the scammer.

In technical terms, they are performing an OAuth token theft. They don’t need your password because you’ve just given them a digital key (the token) that says, “This person is allowed to stay logged in.” These tokens can last for days, weeks, or even longer, allowing the attacker to bypass your login screen entirely from their own computer.
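To make the mechanism described in the steps above and in this token explanation concrete, here is an added example (not code from the original post and not Microsoft's implementation): a toy, in-memory model of the OAuth 2.0 Device Authorization Grant (RFC 8628), the standard behind the device login page. The server, the verification URL, the client name and the IP addresses in it are all constructed. The point it shows is the one the post makes: the token goes to whichever client started the flow and is polling for it, while the browser in which the user typed the code and clicked Continue only ever gets an acknowledgement.

```python
"""Toy model of the OAuth 2.0 Device Authorization Grant (RFC 8628).

Added example, not code from the original post and not Microsoft's
implementation. Everything runs in memory against a made-up authorization
server; the URL, client name and IP addresses are constructed.
"""
import secrets
import string
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

USER_CODE_ALPHABET = string.ascii_uppercase + string.digits


@dataclass
class DeviceAuthorization:
    device_code: str        # secret, held only by the client that started the flow
    user_code: str          # short code the user is asked to type in
    client_id: str
    client_ip: str          # where the polling client sits
    expires_at: float
    approved_by: Optional[str] = None
    approver_ip: Optional[str] = None
    redeemed: bool = False


class ToyAuthorizationServer:
    """Stand-in for an identity provider's /devicecode and /token endpoints."""

    def __init__(self, code_lifetime_s: float = 900.0,
                 clock: Callable[[], float] = time.monotonic):
        self._clock = clock
        self._lifetime = code_lifetime_s
        self._by_device_code: Dict[str, DeviceAuthorization] = {}
        self._by_user_code: Dict[str, DeviceAuthorization] = {}
        self.sign_in_log: List[dict] = []   # what an administrator audits later

    def start_device_authorization(self, client_id: str, client_ip: str) -> dict:
        """Client step: obtain a device_code (kept secret) and a user_code (shown)."""
        user_code = "".join(secrets.choice(USER_CODE_ALPHABET) for _ in range(9))
        auth = DeviceAuthorization(
            device_code=secrets.token_urlsafe(32), user_code=user_code,
            client_id=client_id, client_ip=client_ip,
            expires_at=self._clock() + self._lifetime)
        self._by_device_code[auth.device_code] = auth
        self._by_user_code[auth.user_code] = auth
        return {"device_code": auth.device_code, "user_code": user_code,
                "verification_uri": "https://idp.example/devicelogin",  # constructed
                "expires_in": int(self._lifetime)}

    def approve_user_code(self, user_code: str, user: str, browser_ip: str) -> dict:
        """Verification page: a signed-in user types the code and clicks Continue.
        The browser receives only an acknowledgement, never a token."""
        auth = self._by_user_code.get(user_code.strip().upper())
        if auth is None or self._clock() > auth.expires_at:
            return {"error": "invalid_or_expired_code"}
        auth.approved_by, auth.approver_ip = user, browser_ip
        return {"status": "approved", "client_id": auth.client_id}

    def poll_token(self, device_code: str) -> dict:
        """Client step: POST /token with the device_code until it is approved."""
        auth = self._by_device_code.get(device_code)
        if auth is None or auth.redeemed:
            return {"error": "invalid_grant"}          # unknown or already used
        if self._clock() > auth.expires_at:
            return {"error": "expired_token"}
        if auth.approved_by is None:
            return {"error": "authorization_pending"}
        auth.redeemed = True
        # The audit record carries the detail worth alerting on: the session
        # was granted to a different address from the one that approved it.
        self.sign_in_log.append({
            "user": auth.approved_by, "authenticationProtocol": "deviceCode",
            "appId": auth.client_id, "ipAddress": auth.client_ip,
            "approvedFromIp": auth.approver_ip})
        return {"access_token": secrets.token_urlsafe(24), "token_type": "Bearer",
                "subject": auth.approved_by}


def walk_through(clock: Callable[[], float] = time.monotonic) -> dict:
    """Run the flow with the initiating client and the approving user on
    different (constructed) addresses and report who ends up holding a token."""
    srv = ToyAuthorizationServer(clock=clock)
    started = srv.start_device_authorization("example-client", "203.0.113.10")
    pending = srv.poll_token(started["device_code"])
    browser = srv.approve_user_code(started["user_code"], "alice@example.com", "198.51.100.7")
    issued = srv.poll_token(started["device_code"])
    return {"pending_before_approval": pending.get("error") == "authorization_pending",
            "browser_got_token": "access_token" in browser,
            "initiator_got_token": "access_token" in issued,
            "token_subject": issued.get("subject"),
            "log": srv.sign_in_log}


if __name__ == "__main__":
    print(walk_through())
```

Two details of the model matter for defenders. The code is single-use and expires, so a stale code typed later does nothing, which is why these messages push urgency. And the record the server writes names the address of the polling client, not the user's browser, which is the signal an audit of sign-in logs can key on.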


What Happens Once They Are In?

Once the scammer has that token, they have the same access you do. For most small businesses, this is a nightmare scenario. They can:

  • Read your emails: They’ll look for invoices to intercept or sensitive client data.
  • Access your Teams: They can send messages to your staff, pretending to be you, asking for “urgent” bank transfers.
  • Scour your Files: They can browse your OneDrive or SharePoint for sensitive documents, trade secrets, or employee information.
  • Spread the Scam: They can use your legitimate account to send the same scam code to all of your contacts, making the scam look even more believable because it’s coming from a trusted source.

Other Recent Variants to Watch Out For

Our research shows that these guys are getting incredibly creative. It’s not just about the device login page anymore.

The Malicious Add-in Trick

Some attackers have started using malicious Outlook add-ins. There was a recent case involving an add-in called “AgreeTo,” which started as a legitimate tool but was later hijacked by attackers. When users opened it, a phishing kit was deployed directly inside the Outlook sidebar. It looked so native to the app that almost nobody suspected a thing.

The “Urgency” Email

We are seeing a flood of emails claiming that access will stop on a specific date (like February 5, 2026). They use generic greetings like “Dear User” and big red buttons that say “PROCEED HERE.” This is classic social engineering, trying to get you to act before you think.

The Fake Azure Alert

Sometimes, the email actually does come from a real Microsoft domain (like azure-noreply@microsoft.com). The email claims there is a fraudulent charge on your account and gives you a phone number to call. Once you’re on the phone, the “agent” (scammer) talks you through the process of “securing” your account, which, you guessed it, usually involves entering a device code.


How to Protect Your Business

At Cloud Computer Company, we are big believers in IT support that focuses on prevention. Here is how you can protect your team from this specific device code scam:

  1. Never Enter a Code You Didn’t Request: The microsoft.com/devicelogin flow should only be used if you initiated it (e.g., you are trying to set up a new app on a TV). If an email asks you to go there and enter a code, it is a scam. 100% of the time.
  2. Check the “App” Name: When you enter a code on the official Microsoft site, it will tell you which application is requesting access. If it’s a name you don’t recognize, or if it’s something generic like “Cross-Platform Power App,” stop immediately.
  3. Educate Your Staff: Share this post with your team. Knowledge is the best firewall. Make sure they know that “official links” aren’t always safe if they are being used to authorize external access.
  4. Audit Your Third-Party Apps: Periodically check which applications have access to your Microsoft 365 or Google Workspace accounts. If you see something you don’t remember authorizing, revoke it.
  5. Use Conditional Access: If you have a more advanced Microsoft 365 plan, you can set up “Conditional Access” policies that block device code flow altogether or restrict it to certain trusted devices.

What to Do if You Think You’ve Been Caught

If you or an employee has accidentally entered a code:

  • Revoke All Sessions: Go to your Microsoft account security settings and choose “Sign me out of all locations.”
  • Change Your Password: While this scam doesn’t require a password, changing it is a good way to force a refresh of security tokens.
  • Check Your Sent Items: Look for any emails you didn’t send.
  • Contact Your IT Provider: If you are a client of ours, give us a buzz immediately. We can help audit your logs to see if any data was exported.
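The log audit mentioned in the last point, and the “check the app name” advice in the protection list, can be turned into a simple hunt. The following is an added example (not code from the original post and not a Microsoft tool) that reads a JSON-lines export of sign-in events and scores every device code sign-in on three signals: the token went to an address outside your trusted networks, the application is not one your staff legitimately use with a device code, and the same source collected tokens for more than one user within a short window. The field names (userPrincipalName, appDisplayName, ipAddress, authenticationProtocol, createdDateTime) follow the Entra ID sign-in log schema as the author understands it; the sample records, the trusted range and the list of expected apps are constructed for the example.

```python
"""Hunt for risky device code sign-ins in a sign-in log export.

Added example, not code from the original post or from Microsoft. Field names
follow the Entra ID sign-in log schema as the author understands it; the
records, trusted network and expected-app list below are constructed.
"""
import ipaddress
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Assumptions for the example tenant: the office egress range and the one
# application staff genuinely sign in to with a device code.
TRUSTED_NETWORKS = [ipaddress.ip_network("192.0.2.0/24")]
EXPECTED_DEVICE_CODE_APPS = {"Microsoft Azure CLI"}

# Constructed JSON-lines export: one sign-in event per line.
SAMPLE_SIGNINS = """\
{"createdDateTime": "2026-02-05T09:12:00Z", "userPrincipalName": "alice@example.com", "appDisplayName": "Microsoft Azure CLI", "ipAddress": "192.0.2.15", "authenticationProtocol": "deviceCode"}
{"createdDateTime": "2026-02-05T09:40:00Z", "userPrincipalName": "bob@example.com", "appDisplayName": "Microsoft Office", "ipAddress": "203.0.113.44", "authenticationProtocol": "deviceCode"}
{"createdDateTime": "2026-02-05T09:52:00Z", "userPrincipalName": "carol@example.com", "appDisplayName": "Microsoft Office", "ipAddress": "203.0.113.44", "authenticationProtocol": "deviceCode"}
{"createdDateTime": "2026-02-05T10:05:00Z", "userPrincipalName": "dave@example.com", "appDisplayName": "Microsoft Office", "ipAddress": "198.51.100.9", "authenticationProtocol": "oAuth2"}
{"createdDateTime": "2026-02-05T13:30:00Z", "userPrincipalName": "frank@example.com", "appDisplayName": "Microsoft Office", "ipAddress": "203.0.113.44", "authenticationProtocol": "deviceCode"}
"""


def parse_signins(text: str) -> list:
    """Parse JSON lines, attaching a timezone-aware datetime to each record."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        rec["_when"] = datetime.fromisoformat(rec["createdDateTime"].replace("Z", "+00:00"))
        records.append(rec)
    return records


def _is_trusted(ip: str, networks) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


def find_device_code_findings(records, trusted_networks=TRUSTED_NETWORKS,
                              expected_apps=EXPECTED_DEVICE_CODE_APPS,
                              window=timedelta(minutes=30)) -> list:
    """One finding per device code sign-in: info (no signals), medium (one),
    high (two or more). Other protocols are ignored."""
    device_code = [r for r in records if r.get("authenticationProtocol") == "deviceCode"]
    # Group by the host that redeemed the code and the app name it presented.
    by_source = defaultdict(list)
    for r in device_code:
        by_source[(r["ipAddress"], r["appDisplayName"])].append(r)

    findings = []
    for r in device_code:
        reasons = []
        if not _is_trusted(r["ipAddress"], trusted_networks):
            reasons.append("token issued to an address outside trusted networks")
        if r["appDisplayName"] not in expected_apps:
            reasons.append("app is not one staff use with device code sign-in")
        peers = {
            other["userPrincipalName"]
            for other in by_source[(r["ipAddress"], r["appDisplayName"])]
            if other["userPrincipalName"] != r["userPrincipalName"]
            and abs(other["_when"] - r["_when"]) <= window
        }
        if peers:
            reasons.append(f"same source collected tokens for {len(peers)} other user(s) within {window}")
        severity = "info" if not reasons else ("medium" if len(reasons) == 1 else "high")
        findings.append({"user": r["userPrincipalName"], "app": r["appDisplayName"],
                         "ip": r["ipAddress"], "when": r["createdDateTime"],
                         "severity": severity, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_device_code_findings(parse_signins(SAMPLE_SIGNINS)):
        print(f["severity"].upper(), f["user"], f["app"], f["ip"], "; ".join(f["reasons"]))
```

On the sample data, Alice's sign-in to the expected app from the office range scores as info, while Bob and Carol both score high because one outside address, presenting a generic app name, collected tokens for two different people twelve minutes apart. A high finding is the cue to revoke that user's sessions and review their sent items, as the list above describes.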


Final Thoughts

Technology is a wonderful tool for business, but it requires a bit of vigilance. Whether you’re using Cloud Business tools for communication or managing a remote fleet of Chromebooks, security should always be top of mind.

The “Device Code” scam is clever because it uses our trust in the “Official Microsoft Site” against us. Stay sharp, don’t rush through security prompts, and remember: if it feels a bit weird, it probably is.

If you’re worried about your business security or want to make sure your security settings are up to scratch, feel free to reach out to us at Cloud Computer Company. We’ve been helping businesses navigate these waters for decades, and we’re here to help you too.

Stay safe out there!


About Mathew Hoffman

Mathew Hoffman, Owner of Cloud Computer Company

Mathew Hoffman is the Owner of Cloud Computer Company. He started his career in the IT industry back in 1981, eventually moving into senior roles at the State Bank of NSW, Minet Australia, Wilhelmsen Lines, and Rothmans of Pall Mall. One of the highlights of his career was working on the Sydney 2000 Olympics.

Since 2001, Mathew has focused on providing top-tier IT consultancy to small and medium businesses. He became an original Google Partner in 2008 and re-branded his firm to Cloud Computer Company in 2017. Now based in Noosa, Mathew is a lover of the beach, family time, and golf. He has a lifelong passion for cricket, having played and coached in both Sydney and on the Sunshine Coast.
