Listen to the episode
TLDR
Attackers are using a clever phishing trick that abuses Microsoft’s own legitimate login page (microsoft.com/devicelogin). Instead of sending you to a fake site, they trick you into visiting the real Microsoft site and typing a code they...
How it works
Attackers are using a clever phishing trick that abuses Microsoft’s own legitimate login page (microsoft.com/devicelogin). Instead of sending you to a fake site, they trick you into visiting the real Microsoft site and typing a code they...
Red flags
- : Someone (by email, SMS, or chat) instructs you to go to microsoft.com/devicelogin and enter a code they sent you. A login screen asks you to grant broad permissions (mail, files, profile) to an unfamiliar app. Pressure to act quickly, often framed as a security alert or urgent task from IT
What to do
- 1: Never enter a device code sent to you by someone else — legitimate flows originate from a device you own. Review Microsoft account permissions regularly at entra.microsoft.com and revoke unknown app consents. Enable MFA, use phishing resistant keys (FIDO2/Windows Hello), and report suspicious device login prompts to your
Source
securelist
Source reviewed by Mythos Forensic Team
https://securelist.com/microsoft-device-code-phishing-attack/120350/FAQ
Is Device Code Phishing: How Attackers Exploit Microsoft Login to Steal Your Account a real scam pattern?
Yes. Treat the message, call, or payment request as suspicious until you verify it through an official channel.
What are the first warning signs?
: Someone (by email, SMS, or chat) instructs you to go to microsoft.com/devicelogin and enter a code they sent you. A login screen asks you to grant broad permissions (mail, files, profile) to an unfamiliar app. Pressure to act quickly, often framed as a security alert or urgent task from IT
What should I do first?
: Never enter a device code sent to you by someone else — legitimate flows originate from a device you own. Review Microsoft account permissions regularly at entra.microsoft.com and revoke unknown app consents. Enable MFA, use phishing resistant keys (FIDO2/Windows Hello), and report suspicious device login prompts to your
Can LegalAudit check my case?
Yes. Start a free chat and paste the message, link, sender, or payment details for triage.