Microsoft device code phishing: the login-code scam that bypasses MFA
An FBI warning surfaced in early June 2026 about a Microsoft login-code scam that skips your password and even your second factor. The trick is unusual: the attacker gets you to type a short code into the real Microsoft sign-in page. You see a genuine microsoft.com address the whole time, which is exactly what makes it work. Here is the plain-English version for everyday Microsoft 365 and Outlook users.
Bottom Line First
If anyone sends you a short Microsoft code and asks you to enter it at microsoft.com/devicelogin, stop. This is device code phishing. The attacker has already started a real Microsoft sign-in for their own device, which produced that code. When you enter it on the genuine Microsoft page and approve, you are not logging yourself in. You are approving the attacker's device. Microsoft then hands them a session token that works without your password and without your multi-factor prompt, because you passed the MFA check for them. A real device code only ever appears on a screen you are actively signing in to yourself, like a TV app, a console, or a command-line tool on a new machine. If you did not just start that sign-in, do not enter any code, no matter how official the email, Teams message, or page looks. If you already did, change your Microsoft password and revoke your active sessions now, then tell your IT or admin. The same do-not-approve instinct applies to MFA fatigue push spam and adversary-in-the-middle 2FA bypass.
Why this scam is getting attention now
In early June 2026, an FBI alert about this technique drew fresh coverage, including a write-up by Kiplinger on June 4. The warning is aimed at Microsoft 365 users, and it lands because device code phishing breaks the mental model most people rely on. We are all trained to check the address bar. If the page says microsoft.com, we relax. This attack weaponizes that exact reflex, because the page really is Microsoft.
The method is not brand new to defenders. Microsoft Threat Intelligence has documented device code phishing tied to a threat actor it tracks as Storm-2372, and the security firm Volexity has written about the same technique in the wild. Proofpoint and Cisco Talos have both published on the broader abuse of OAuth device-code sign-in flows. What is new in June 2026 is that the FBI is pushing the warning toward ordinary users, not just corporate security teams. Most of the existing coverage was written for IT departments. This post is the plain-English version for the person who just wants their Outlook and Teams to keep working.
What a device code actually is
Some devices cannot show a normal sign-in screen with a keyboard. Think of a smart TV app, a streaming box, a game console, or a command-line tool on a server. To log in to your Microsoft account on one of those, Microsoft uses a device authorization flow. The device shows you a short code, usually a handful of letters and numbers. You then go to another device you trust, like your phone or laptop, open microsoft.com/devicelogin, type that code, sign in normally, and approve. That links the code to your account, and the TV or console gets signed in.
That flow is legitimate and useful. The catch is that the page asking for the code does not know who started the sign-in. It only knows the code is valid. If an attacker starts the device flow, the code that gets generated belongs to the attacker's session. If they can get you to enter and approve that code, your approval authorizes their device.
How the attack works, step by step
Here is the sequence, in order, so it is clear where the trap is.
- The attacker starts a real Microsoft sign-in. Using the device authorization flow, they request a code for the account or organization they are targeting. Microsoft generates a genuine short code, valid for a few minutes.
- The attacker sends you the code with a believable reason. A fake "IT support" email, a Teams message that looks like it is from a colleague or helpdesk, or a lure page. The story is something like "we are migrating your account, please verify your device" or "set up secure access by entering this code." Some campaigns send you to a fake landing page first to set the scene before handing over the code.
- You go to the genuine Microsoft page and enter the code. The instructions point you to microsoft.com/devicelogin or login.microsoftonline.com/devicelogin, the real pages. You sign in with your real credentials and pass your real MFA prompt, because it is genuinely you signing in to Microsoft.
- You approve, and the attacker gets the session. Your approval completes the device flow that the attacker started. Microsoft issues an access token and a refresh token to the attacker's device. They now have a signed-in session to your account, and it skipped the password and MFA from their side because you did all of that for them.
That is the whole trick. There is no fake login page to spot, because the login page is real. The deception is entirely in the message that talked you into entering a code you never asked for.
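The device authorization flow described above (in "What a device code actually is" and in the four steps) can be modelled in a few dozen lines. The following is an added example, not SafeBrowz's or Microsoft's code: an in-memory authorization server with the three endpoints the OAuth 2.0 device grant (RFC 8628) needs. It shows why the trick works at the protocol level, since the page that accepts the user code only checks that the code is valid and has no way to know which device requested it, so the tokens go to whoever holds the matching device code. The `device_flow_allowed_for` policy, the `example.test` URL and all names are assumptions; the policy stands in for a tenant-side control that blocks the device flow for accounts that never need it, which is the one server-side mitigation that stops the grant outright.

```python
"""Toy model of the OAuth 2.0 device authorization grant (RFC 8628).

Added example, not SafeBrowz's or Microsoft's code. The per-account
policy (device_flow_allowed_for) is a constructed stand-in for a tenant
control that disallows the device flow; everything else follows the RFC.
"""
import secrets
import string
import time

CODE_ALPHABET = string.ascii_uppercase + string.digits
DEVICE_CODE_TTL = 15 * 60  # seconds; codes expire in minutes by design


class AuthorizationServer:
    """Only the three endpoints the device grant needs."""

    def __init__(self, device_flow_allowed_for=frozenset()):
        self._pending = {}       # device_code -> state
        self._by_user_code = {}  # user_code -> device_code
        # Constructed policy (assumption): accounts permitted to complete a device flow.
        self.device_flow_allowed_for = frozenset(device_flow_allowed_for)

    def device_authorization(self, client_id, now=None):
        """Step 1: the device (anyone's device) asks for a code pair."""
        now = time.time() if now is None else now
        device_code = secrets.token_urlsafe(32)
        user_code = "".join(secrets.choice(CODE_ALPHABET) for _ in range(8))
        self._pending[device_code] = {
            "client_id": client_id, "user_code": user_code,
            "expires_at": now + DEVICE_CODE_TTL,
            "approved_by": None, "denied": False,
        }
        self._by_user_code[user_code] = device_code
        return {"device_code": device_code, "user_code": user_code,
                "verification_uri": "https://example.test/devicelogin",
                "expires_in": DEVICE_CODE_TTL, "interval": 5}

    def approve_user_code(self, user_code, authenticated_user, now=None):
        """Step 2: a user who has already passed password + MFA on the real
        verification page submits the user_code. Nothing here identifies the
        device that requested the code; only the code itself is checked."""
        now = time.time() if now is None else now
        device_code = self._by_user_code.get(user_code)
        state = self._pending.get(device_code)
        if state is None or now > state["expires_at"]:
            return "invalid_or_expired_code"
        if authenticated_user not in self.device_flow_allowed_for:
            state["denied"] = True  # mitigation: this account may not use the device flow
            return "device_flow_blocked_by_policy"
        state["approved_by"] = authenticated_user
        return "approved"

    def token(self, device_code, now=None):
        """Step 3: the device polls with its device_code. Whoever holds the
        device_code receives the tokens once the user has approved."""
        now = time.time() if now is None else now
        state = self._pending.get(device_code)
        if state is None:
            return {"error": "invalid_grant"}
        if now > state["expires_at"]:
            self._forget(device_code)
            return {"error": "expired_token"}
        if state["denied"]:
            self._forget(device_code)
            return {"error": "access_denied"}
        if state["approved_by"] is None:
            return {"error": "authorization_pending"}
        self._forget(device_code)  # one-shot: a device_code is consumed on success
        return {"token_type": "Bearer", "subject": state["approved_by"],
                "client_id": state["client_id"],
                "access_token": secrets.token_urlsafe(24),
                "refresh_token": secrets.token_urlsafe(24)}

    def _forget(self, device_code):
        state = self._pending.pop(device_code, None)
        if state is not None:
            self._by_user_code.pop(state["user_code"], None)


def run_flow(server, client_id, approver):
    """Drive one complete exchange; return (approval result, token response)."""
    codes = server.device_authorization(client_id)
    if server.token(codes["device_code"])["error"] != "authorization_pending":
        raise RuntimeError("device should be told to keep polling before approval")
    approval = server.approve_user_code(codes["user_code"], approver)
    return approval, server.token(codes["device_code"])


if __name__ == "__main__":
    srv = AuthorizationServer(device_flow_allowed_for={"alice"})
    # The device that requested the code, whoever owns it, receives alice's tokens.
    print(run_flow(srv, "cli-tool-on-unknown-device", "alice"))
    # Same exchange for an account the policy excludes from the device flow.
    print(run_flow(AuthorizationServer(), "cli-tool-on-unknown-device", "bob"))
```

Note what the server never sees: the identity of the person or machine that called `device_authorization`. The only link between step 1 and step 2 is the user code, which is exactly the string the lure hands over. That is why the protocol offers no way to "verify" a code you were sent, and why the policy block is the only server-side check that prevents the grant rather than merely logging it.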
What the lure looks like
The dangerous part of this scam, the code entry, happens on a genuine Microsoft page. So the thing to scrutinize is the message and any landing page that delivers it. The lure usually arrives as an email or Teams message dressed up as IT, with urgency and an air of routine maintenance. Some campaigns also park a fake "verify your device" or "IT support" page on a lookalike domain to make the request feel official before they hand you the code.
Those lure pages live on domains that are not Microsoft. They look like the kind of thing a corporate helpdesk might run, which is the point. Examples of the lookalike style, illustrative and not real Microsoft domains, include microsoft-device-verify.com, office365-securelogin.com, ms-teams-verify.com, and microsoft365-support.com. The genuine pages where a device code is ever entered are microsoft.com and login.microsoftonline.com, and you reach them by typing the address yourself, never by following a link a message handed you. The whole point of this attack is that the real Microsoft page is being used against you, so the lesson is not "watch the address bar." It is "never enter a code someone else gave you."
Why it slips past MFA
Multi-factor authentication is meant to stop someone who has your password from logging in as you. It works by making you prove a second thing during sign-in: a code from an app, a tap on a push notification, a hardware key. Device code phishing does not try to defeat that. It lets you complete it, honestly, on the real Microsoft page, and then steals the result.
When you sign in and approve the device code, Microsoft is satisfied that the right person authorized the device, because you really did enter your password and clear your MFA. The token it issues to the attacker's device is a fully valid session. From Microsoft's side, nothing looks wrong. That is why this technique is dangerous even for people who have strong MFA turned on. The defense here is not a better second factor. It is the habit of never entering a code that arrived from someone else.
This is a cousin of adversary-in-the-middle attacks, which proxy your real login through a fake page to steal the session cookie, and of MFA fatigue, where attackers spam approval prompts hoping you tap "yes." Different mechanics, same goal: get a valid session without needing to crack your second factor.
Red flags that you are being set up
- Someone sent you a code and told you where to enter it. This is the single biggest tell. A real device code appears on the device you are signing in to, not in a message from another person.
- You did not just start a sign-in. If no TV app, console, or new tool is sitting there waiting for you to authorize it, there is no legitimate reason to enter a device code at all.
- The request is wrapped in IT or helpdesk urgency. "Verify your device," "migrate your account," "set up secure access," "your access expires today." Routine-sounding maintenance plus a deadline is the standard pressure recipe.
- It came through Teams or email from a sender you cannot fully verify. Display names are easy to fake. A message from "IT Support" or a colleague's account that you did not expect deserves a direct check through a known channel.
- A lure page asks you to "confirm" before giving you a code. A legitimate Microsoft device sign-in never routes you through a third-party page first. If a non-Microsoft site is staging the request, it is the setup.
- The code is time-pressured. Device codes expire in minutes by design, and attackers lean on that to rush you. "Enter it in the next two minutes" is a pressure tactic, not a courtesy.
What to do
- Never enter a device code that someone else sent you. This one rule stops the entire attack. A code you are meant to enter only ever appears on a screen you are actively signing in to yourself.
- If you did not start a sign-in, there is nothing to approve. No TV app, no console, no new device or CLI tool of yours waiting on a code means no legitimate device flow is happening. Close the message.
- Verify any "IT" or "helpdesk" request through a known channel. Do not reply to the message. Contact your IT team or admin using a number or address you already trust and ask whether the request is real.
- Do not paste links from the message. If a message points you to a page to "verify your device," check the link with a scanner first, or skip it entirely. Reach Microsoft by typing the address yourself.
- Report the message. Forward it to your IT or security team. In Outlook and Teams, use the built-in report-phishing option so Microsoft sees the campaign.
If you already entered a code
Move quickly. A device code attack hands the attacker a live session, so the priority is to cut that session off and lock the account.
- Change your Microsoft password immediately. Go directly to account.microsoft.com or your organization's sign-in page by typing the address yourself, not through any link in the message. Pick a password you have not used elsewhere.
- Revoke active sessions. In your Microsoft account security settings, sign out everywhere or revoke sessions. For a work or school account, your admin can revoke the refresh tokens in Entra ID, which stops the attacker from renewing the session. An access token they already hold keeps working until it expires, which is one more reason to tell IT quickly so they can check what was touched.
- Tell your IT team or admin right now. They can check sign-in logs for the rogue device, revoke its tokens, and look for anything the attacker touched, like new inbox rules or mail forwarding. Speed matters here.
- Review account changes. Look for new forwarding rules, added security info, or app permissions you did not grant. Attackers often set these up to keep access after you reset the password.
- Confirm your MFA methods are still yours. Remove any authenticator or phone number you do not recognize from your security settings.
- Watch connected accounts. If your Microsoft account unlocks other services or you reused that password anywhere, reset those too.
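The list above asks your admin to "check sign-in logs for the rogue device." Here is what that triage can look like in code, as an added example that is not SafeBrowz's or Microsoft's: a small rule run over constructed sign-in records. The records are made up, and their field names (`userPrincipalName`, `ipAddress`, `location.countryOrRegion`, `authenticationProtocol`, `status.errorCode`) are an assumption modelled on the shape of Entra ID sign-in log exports, as is the assumption that a device-code record carries the address of the device that completed the flow; map them to whatever your export actually uses. The rule flags a successful device-code sign-in as low severity when it is the first one that account has ever made, and as high severity when it comes from a country absent from the account's interactive sign-in history.

```python
"""Triage of constructed sign-in records for device-code abuse.

Added example, not SafeBrowz's or Microsoft's code. Field names are an
assumption modelled on Entra ID sign-in log exports; adjust to your data.
"""
import json
from collections import defaultdict

# Constructed sample, one JSON record per line. 203.0.113.x, 198.51.100.x and
# 192.0.2.x are documentation address ranges, not real hosts.
SAMPLE_LOG = """
{"createdDateTime": "2026-06-01T08:02:11Z", "userPrincipalName": "alice@example.test", "ipAddress": "203.0.113.10", "location": {"countryOrRegion": "US"}, "authenticationProtocol": "none", "status": {"errorCode": 0}}
{"createdDateTime": "2026-06-02T09:15:40Z", "userPrincipalName": "alice@example.test", "ipAddress": "203.0.113.10", "location": {"countryOrRegion": "US"}, "authenticationProtocol": "none", "status": {"errorCode": 0}}
{"createdDateTime": "2026-06-02T10:00:00Z", "userPrincipalName": "bob@example.test", "ipAddress": "198.51.100.7", "location": {"countryOrRegion": "DE"}, "authenticationProtocol": "none", "status": {"errorCode": 0}}
{"createdDateTime": "2026-06-03T14:21:05Z", "userPrincipalName": "alice@example.test", "ipAddress": "203.0.113.44", "location": {"countryOrRegion": "US"}, "authenticationProtocol": "deviceCode", "status": {"errorCode": 0}}
{"createdDateTime": "2026-06-04T03:47:52Z", "userPrincipalName": "alice@example.test", "ipAddress": "192.0.2.99", "location": {"countryOrRegion": "NL"}, "authenticationProtocol": "deviceCode", "status": {"errorCode": 0}}
{"createdDateTime": "2026-06-04T11:00:00Z", "userPrincipalName": "bob@example.test", "ipAddress": "192.0.2.50", "location": {"countryOrRegion": "NL"}, "authenticationProtocol": "deviceCode", "status": {"errorCode": 50126}}
"""


def parse_records(text):
    """Parse newline-delimited JSON, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def interactive_countries(records):
    """Per user: countries seen in successful sign-ins that did not use the device flow."""
    seen = defaultdict(set)
    for r in records:
        if r["status"]["errorCode"] == 0 and r["authenticationProtocol"] != "deviceCode":
            seen[r["userPrincipalName"]].add(r["location"]["countryOrRegion"])
    return seen


def flag_device_code_signins(records):
    """Return findings for successful device-code sign-ins, oldest first.

    Failed attempts (non-zero errorCode) are skipped: the attacker only gets a
    session when the flow completes, so successes are what need a response."""
    baseline = interactive_countries(records)
    prior_device_flow = defaultdict(int)
    findings = []
    for r in sorted(records, key=lambda x: x["createdDateTime"]):
        if r["authenticationProtocol"] != "deviceCode" or r["status"]["errorCode"] != 0:
            continue
        user = r["userPrincipalName"]
        country = r["location"]["countryOrRegion"]
        reasons, severity = [], None
        if prior_device_flow[user] == 0:
            reasons.append("first successful device-code sign-in for this account")
            severity = "low"
        if country not in baseline[user]:
            reasons.append(f"country {country} not in interactive baseline {sorted(baseline[user])}")
            severity = "high"
        prior_device_flow[user] += 1
        if reasons:
            findings.append({"user": user, "time": r["createdDateTime"],
                             "ip": r["ipAddress"], "severity": severity,
                             "reasons": reasons})
    return findings


def users_needing_session_revocation(findings):
    """Accounts with a high-severity finding: revoke refresh tokens, then review
    inbox rules, forwarding, MFA methods and app consents for each one."""
    return sorted({f["user"] for f in findings if f["severity"] == "high"})


if __name__ == "__main__":
    found = flag_device_code_signins(parse_records(SAMPLE_LOG))
    for f in found:
        print(f["severity"].upper(), f["time"], f["user"], f["ip"], "; ".join(f["reasons"]))
    print("revoke sessions for:", users_needing_session_revocation(found))
```

On the sample, alice's first device-code sign-in from her usual country is reported at low severity (a new CLI tool on a laptop looks exactly like this), while the one completed from an address outside her baseline is high severity and puts her on the revocation list. The baseline is deliberately built only from non-device-code sign-ins so that the attacker's own device-code session cannot teach the rule to trust its location.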
How to report it
- Report it to your IT or security team first. For a work or school Microsoft 365 account, they are the fastest path to revoking the attacker's session and checking for damage.
- Use the report-phishing button in Outlook or Teams. This sends the lure to Microsoft so it can act on the campaign.
- Report to the FBI Internet Crime Complaint Center at ic3.gov if you are in the US and lost access or money. The FBI's June 2026 warning came through this channel.
- Report the scam to the FTC at reportfraud.ftc.gov so it feeds the consumer-protection data behind alerts like this one.
How SafeBrowz blocks this threat
SafeBrowz runs a 3-layer detection architecture: Local + APIs + AI.
- Layer 1 - Local detection: 60+ URL pattern signatures plus a 550+ brand database (Microsoft included) plus homograph and Punycode checks, all running inside the extension before the page renders. It catches lookalike helpdesk and "verify your device" pages where a non-Microsoft domain serves Microsoft-styled branding to stage the lure.
- Layer 2 - API checks: aggregates Google Safe Browsing, PhishTank, URLhaus and ScamAdviser feeds plus 30+ scam TLD lists to flag domains already known to be malicious, which covers many of the throwaway lure domains used in these campaigns as they get reported.
- Layer 3 - AI deep scan (Premium): 100+ language content analysis catches brand-new lookalike pages in seconds, including a fake "IT support" page that copies Microsoft styling but sits on the wrong domain.
Detection signatures are derived from threat-intelligence research and our internal brand database, not from user browsing data. SafeBrowz does not store per-user browsing history.
Where browser-layer defense fits
Be clear about one limit. Because the code is entered on a genuine Microsoft page, no scanner can flag that page, nor should it: the page is real. What a browser-layer scanner does catch is the staging step: the fake helpdesk or "verify your device" page on a lookalike domain that some campaigns use to set you up before handing over the code. When a Microsoft-styled page renders on a domain that is not microsoft.com, a brand-aware scanner flags the impersonation before you act on it. SafeBrowz is a free extension for Chrome, Firefox and Edge (Safari coming soon) that checks every URL before it renders against a 550+ brand database. Install SafeBrowz and pair it with the one rule that beats this attack outright: never enter a Microsoft code that someone else sent you. To get sharper at spotting the fake "IT" message in the first place, see how to verify an email is real in 2026 and our breakdown of how to spot a Microsoft phishing email.
Install SafeBrowz free
Add the browser extension that flags lookalike Microsoft and helpdesk pages automatically, on every page, before it renders. Free forever, with optional Premium AI deep scan at $14.99 per year.
Frequently asked questions
What is Microsoft device code phishing?
It is a scam where an attacker starts a real Microsoft device sign-in, which produces a short code, then tricks you into entering that code on the genuine Microsoft device login page. When you sign in and approve, you authorize the attacker's device instead of your own. Microsoft issues them a valid session that works without your password and without prompting their device for MFA, because you cleared all of that on the real page for them.
How does this scam bypass multi-factor authentication?
It does not defeat MFA. It lets you complete it honestly on the real Microsoft page, then steals the result. When you enter your password and pass your MFA prompt to approve the device code, Microsoft trusts the sign-in and issues a session token to the attacker's device. The token is fully valid, so MFA never blocks the attacker, because you passed it for them.
Is microsoft.com/devicelogin a fake or scam page?
No. microsoft.com/devicelogin and login.microsoftonline.com/devicelogin are real Microsoft pages. That is exactly why this attack is so convincing: you are looking at a genuine Microsoft URL the whole time. The page is not the problem. The problem is being talked into entering a code that an attacker generated. Only enter a code that appeared on a device you are actively signing in to yourself.
When is it safe to enter a Microsoft device code?
Only when the code appeared on a screen you are actively signing in to yourself, like a smart TV app, a game console, or a command-line tool on a new device, and you started that sign-in. If a code arrived in an email, a Teams message, or from another person, do not enter it. A legitimate device code is never delivered to you by someone else.
I entered a code an email sent me. What do I do first?
Change your Microsoft password immediately by typing account.microsoft.com or your organization's sign-in page yourself, not through any link in the message. Then revoke your active sessions in account security settings and tell your IT team or admin right away so they can revoke the attacker's tokens in Entra ID and check for new inbox rules or forwarding. Review your MFA methods and remove anything you do not recognize.
Who is behind these attacks?
Microsoft Threat Intelligence has documented device code phishing tied to a threat actor it tracks as Storm-2372, and Volexity has reported the same technique in the wild. Proofpoint and Cisco Talos have written on the broader abuse of OAuth device-code sign-in flows. In early June 2026, an FBI warning brought the technique to wider public attention beyond corporate IT teams.
Related SafeBrowz coverage
- How to spot a Microsoft phishing email
- FBI Kali365 warning: the Microsoft 365 phishing kit
- Adversary-in-the-middle: how attackers bypass 2FA
- MFA fatigue: the push-spam attack that wears you down
- Salt Typhoon: why TOTP beats SMS 2FA
- Fake Microsoft popup tech support scam
- How to verify an email is real in 2026
Bottom line: Microsoft device code phishing works because the code lands on the real Microsoft page, so the usual "check the address bar" advice does not save you. One rule does. Never enter a Microsoft code that someone else sent you or asked you to enter. A real device code only ever shows up on a device you are signing in to yourself. If you slipped, change your password, revoke your sessions, and tell IT, then put SafeBrowz on your browser so the fake helpdesk page that sets the trap never loads cleanly in the first place.