Microsoft Login Scam stealing accounts: All you need to know

To protect against the Microsoft login scam, users must understand that device login codes are only issued when you yourself start a login on another device

By Geo News Digital Desk

A new Microsoft login scam has emerged, and it reportedly has nothing to do with stealing passwords. Instead, it exploits a legitimate authentication feature, turning a user convenience into a powerful social engineering weapon.

This technique is known as device code phishing. It abuses Microsoft's device authorisation flow, commonly called device code login, which generates a code to be entered on another device so that users can sign in from devices that can't display a full authentication page.

How to protect against Microsoft login scam

To protect against the Microsoft login scam, users must understand how device code login works. These codes are only generated when you yourself start a login on another device; Microsoft never sends a security code unprompted.

Other essential safeguards include never entering codes received by email or message, treating unexpected prompts as suspicious, denying MFA requests you did not initiate, and regularly reviewing your account's sign-in activity.

How the Microsoft login scam works

The key to the Microsoft login scam lies in the assumption that the person entering the code is the one who initiated the login. Attackers start a session on their own device, obtain a valid code, and send it to the victim. The victim receives a message dressed up as a security alert or urgent Microsoft 365 notification, urging them to visit the official login page and enter the code to "secure" their account.

It is important to note that the link points to Microsoft's genuine login page, which makes the whole process look legitimate. The traditional phishing red flags are therefore absent.

Device code phishing needs no imitation of Microsoft's pages at all; the attack succeeds because the legitimate login flow works exactly as designed, just with the roles reversed.

Once the victim authenticates, Microsoft issues an access token to the session the attacker started, granting the attacker access to the account.
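As an added illustration (not from the original article and not Microsoft's implementation), the following Python models the OAuth device authorization grant that device code login is built on, using a toy in-memory server with constructed users and IP addresses. It shows the point made above: the access token is delivered to whichever session generated the code, wherever that session is, and the person who typed the code never sees it. It then demonstrates the "review your account activity" safeguard by flagging device-code sign-ins whose token went to an address the user has never signed in from. The sign-in record shape (protocol, token-delivery address, code-approval address) and all field names are assumptions for this example.

```python
"""Toy model of the OAuth device authorization grant (RFC 8628), the flow
behind device code login, plus a review of the sign-in records it produces.
Added example: a minimal in-memory server, not Microsoft's implementation,
with constructed users and IP addresses throughout."""
import secrets
import string
import time
from dataclasses import dataclass
from typing import Optional

USER_CODE_ALPHABET = string.ascii_uppercase + string.digits


@dataclass
class PendingRequest:
    client_ip: str                 # device that asked for the code (the initiating session)
    user_code: str
    expires_at: float
    approved_by: Optional[str] = None
    approver_ip: Optional[str] = None


@dataclass
class SignInRecord:
    """Assumed record shape: protocol, where the token went, where the code was approved."""
    user: str
    protocol: str
    client_ip: str                 # address the access token was delivered to
    approver_ip: str               # address the user entered the code from


class ToyAuthServer:
    def __init__(self) -> None:
        self.pending: dict = {}        # device_code -> PendingRequest
        self.by_user_code: dict = {}   # user_code -> device_code
        self.sign_ins: list = []

    def device_authorization(self, client_ip: str, ttl: int = 900) -> dict:
        """Step 1: the initiating device receives a device_code (kept) and a user_code (shown)."""
        device_code = secrets.token_urlsafe(32)
        user_code = "-".join(
            "".join(secrets.choice(USER_CODE_ALPHABET) for _ in range(4)) for _ in range(2))
        self.pending[device_code] = PendingRequest(client_ip, user_code, time.time() + ttl)
        self.by_user_code[user_code] = device_code
        return {"device_code": device_code, "user_code": user_code,
                "verification_uri": "https://login.example.test/device", "expires_in": ttl}

    def verify(self, user_code: str, user: str, approver_ip: str) -> bool:
        """Step 2: the verification page. The server only learns that a signed-in user typed
        a valid, unexpired code; it cannot tell whether that user also performed step 1."""
        device_code = self.by_user_code.get(user_code)
        req = self.pending.get(device_code) if device_code else None
        if req is None or time.time() > req.expires_at:
            return False
        req.approved_by, req.approver_ip = user, approver_ip
        return True

    def token(self, device_code: str) -> dict:
        """Step 3: the initiating device polls; once approved, the token goes to it, wherever it is."""
        req = self.pending.get(device_code)
        if req is None:
            return {"error": "invalid_grant"}
        if req.approved_by is None:
            return {"error": "authorization_pending"}
        del self.pending[device_code]
        del self.by_user_code[req.user_code]
        self.sign_ins.append(SignInRecord(req.approved_by, "deviceCode", req.client_ip, req.approver_ip))
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer"}


def review_sign_ins(records, known_ips: dict) -> list:
    """Account-activity review: flag device-code sign-ins whose token was delivered to an
    address the user has never signed in from. known_ips maps user -> set of familiar addresses."""
    alerts = []
    for r in records:
        if r.protocol == "deviceCode" and r.client_ip not in known_ips.get(r.user, set()):
            alerts.append(f"{r.user}: device-code token delivered to {r.client_ip}, "
                          f"code approved from {r.approver_ip}")
    return alerts


def run_scenario() -> list:
    """Two flows against the same server: one the user started, one they did not."""
    srv = ToyAuthServer()
    user, home_ip = "alice@example.test", "203.0.113.10"     # constructed
    known = {user: {home_ip}}

    # Legitimate: Alice starts login on her TV and approves the code from her phone.
    tv = srv.device_authorization(client_ip=home_ip)
    assert srv.verify(tv["user_code"], user, home_ip)
    assert "access_token" in srv.token(tv["device_code"])

    # Unexpected prompt: a session started elsewhere generated a code; Alice is talked into entering it.
    elsewhere = srv.device_authorization(client_ip="198.51.100.77")   # constructed
    assert srv.token(elsewhere["device_code"]) == {"error": "authorization_pending"}
    assert srv.verify(elsewhere["user_code"], user, home_ip)
    assert "access_token" in srv.token(elsewhere["device_code"])      # token leaves Alice's network

    return review_sign_ins(srv.sign_ins, known)


if __name__ == "__main__":
    for line in run_scenario():
        print(line)
```

Running the scenario yields exactly one alert, for the sign-in whose token was delivered to the unfamiliar address; the sign-in Alice started herself is not flagged. The server side is deliberately faithful to the real flow in one respect: nothing in `verify` can distinguish the two cases, which is why the page's advice to only ever enter codes for logins you started yourself is the control that matters.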