
Multi-factor authentication is not the complete protection against account takeover that many businesses believe it to be. Device-code phishing is a real and growing attack technique that bypasses MFA entirely, and it is already being used against UK businesses right now.
If you are using Microsoft 365 and have not specifically addressed this vulnerability in your security setup, your accounts could be at risk even if every member of staff has MFA enabled.
According to the UK Government’s Cyber Security Breaches Survey 2025, phishing remains the most common form of cyberattack against businesses, cited by 84% of UK businesses that identified a breach. The difference today is that attackers are using more sophisticated methods, and many standard defences are struggling to keep up.
If your business uses the managed IT support services that London businesses depend on, your provider should already be across this threat. But if you are not sure, read on.
What Is Device-Code Phishing?
Device-code phishing exploits a legitimate part of the Microsoft authentication system. It uses what Microsoft calls the “device authorisation grant flow,” a process designed to let devices without a full browser, such as smart TVs, printers and certain IoT hardware, authenticate with Microsoft 365.
The flow works like this: the device displays a short code on screen and asks the user to visit a Microsoft URL on a separate device to approve the sign-in. Attackers abuse this by initiating the flow themselves, generating a valid device code, and then sending it to their target.
The message might arrive by email, by Teams message, or even by SMS. It often looks like a routine IT notification or a software activation request. If the target enters the code at the legitimate Microsoft website, they hand the attacker a valid authentication token, giving them full access to their Microsoft 365 account, including email, Teams, SharePoint and OneDrive.
There is no fake website involved. There is no misspelled URL to hover over. The page the victim visits is genuinely Microsoft’s own authentication page. This makes it far harder to detect than the threats covered in a standard introduction to anti-phishing basics.
Why Standard MFA Does Not Stop This Attack
Standard MFA requires something you know (usually a password) and something you have (a code from an authenticator app, an SMS, or a push notification). The assumption is that even if an attacker has your password, they cannot get through without the second factor.
Device-code phishing sidesteps this entirely. The attacker does not need your password. They use Microsoft’s own authentication infrastructure to trick the target into authorising a session. The MFA step is completed by the victim, entirely legitimately, as far as Microsoft’s servers are concerned.
This is why businesses that have deployed standard MFA and consider themselves protected are still vulnerable. As we explain in our guide to anti-phishing controls, MFA is a vital baseline but it is not a complete answer on its own.
For organisations that have recently used platform migration services to move to Microsoft 365, there is an added risk. Staff still adjusting to new authentication prompts may be quicker to approve requests without fully reading what they are authorising.
How Attackers Target UK Organisations
These attacks are often targeted rather than speculative. Attackers research companies, identify staff names from LinkedIn or company websites, and craft messages that feel tailored and credible.
In some campaigns, attackers use previously compromised Microsoft Teams accounts from other organisations to send the device code, adding a significant layer of legitimacy to the approach. Given how widely Teams is used as a primary communication tool in London businesses, this social engineering angle is particularly effective.
The National Cyber Security Centre has previously flagged MFA bypass techniques as a growing concern for UK organisations, and device-code phishing fits squarely within that category.
If your business has previously been affected by a breach or data exposure, attackers may already hold enough information to make their approach very convincing. Understanding what to do if your company credentials appear on the dark web is essential if you have not yet addressed this. Pairing that knowledge with a dark web monitoring company that actively watches for your exposed credentials gives you early warning before attackers can act.
You can read our post on dark web monitoring explained to understand exactly how the process works, and our comparison of dark web monitoring vs breach monitoring to see how the two differ in practice.
MFA Methods and Phishing Resistance: At a Glance
| MFA Method | Phishing Resistant | Stops Device-Code Phishing | Commonly Deployed |
|---|---|---|---|
| SMS one-time code | No | No | Yes |
| Authenticator app (TOTP) | No | No | Yes |
| Push notification approval | No | No | Yes |
| FIDO2 / hardware security key | Yes | Yes | Rare |
| Passkeys | Yes | Yes | Rare |
| Certificate-based authentication | Yes | Yes | Rare |
| Windows Hello for Business | Yes | Yes | Moderate |
The table shows a clear gap between what most businesses have deployed and what actually protects them. If your organisation is using any of the top three options as its primary MFA method, it is not protected against device-code phishing.
Practical Steps to Reduce Your Risk
Disable the device code authentication flow
If your organisation does not use devices that require the device authorisation grant flow, you can disable it through Azure Active Directory conditional access policies. This removes the attack surface entirely. Your Microsoft 365 support provider in London can configure this and check that the change does not affect any legitimate workflows.
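As an added example (not code from the original post or from Northern Star), the following Python builds the Microsoft Graph policy body that blocks the device code flow and audits an exported policy list for such a block. It assumes the Graph conditionalAccessPolicy schema, where conditions.authenticationFlows.transferMethods can name "deviceCodeFlow" and grantControls.builtInControls can be ["block"], and it makes no network calls.

```python
"""Build and audit a Conditional Access policy that blocks the device code flow.

The body follows the Microsoft Graph conditionalAccessPolicy schema. Nothing here
touches the network: the body is what you would POST to
/identity/conditionalAccess/policies, and the audit runs over the list that a
GET of the same endpoint returns.
"""


def device_code_block_policy(display_name="Block device code flow"):
    """Return a policy body that blocks the device code flow for all users/apps."""
    return {
        "displayName": display_name,
        "state": "enabled",
        "conditions": {
            "users": {"includeUsers": ["All"]},
            "applications": {"includeApplications": ["All"]},
            "authenticationFlows": {"transferMethods": "deviceCodeFlow"},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }


def blocks_device_code(policy):
    """True only for an enabled policy that blocks the flow for all users and apps.

    Deliberately strict: a report-only state, any exclusion, or scoping to
    groups means the policy is not counted as a full block and should be reviewed.
    """
    if policy.get("state") != "enabled":
        return False
    conds = policy.get("conditions") or {}
    # transferMethods is a flags enum serialised as a comma-separated string.
    flows = (conds.get("authenticationFlows") or {}).get("transferMethods") or ""
    if "deviceCodeFlow" not in [m.strip() for m in flows.split(",")]:
        return False
    users = conds.get("users") or {}
    apps = conds.get("applications") or {}
    if users.get("includeUsers") != ["All"] or users.get("excludeUsers") or users.get("excludeGroups"):
        return False
    if apps.get("includeApplications") != ["All"] or apps.get("excludeApplications"):
        return False
    grant = policy.get("grantControls") or {}
    return "block" in (grant.get("builtInControls") or [])


def tenant_blocks_device_code(policies):
    """Audit a policy list: does at least one policy fully block the flow?"""
    return any(blocks_device_code(p) for p in policies)
```

Run the audit over the JSON `value` array returned by GET /identity/conditionalAccess/policies; a `False` result means no enabled, tenant-wide block exists and the flow is still reachable.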
Switch to phishing-resistant MFA
FIDO2 hardware security keys, passkeys, and certificate-based authentication are resistant to device-code phishing because they bind authentication to a specific device and origin. Standard authenticator app codes offer no such protection.
Our guide to password best practices covers broader authentication principles, but if you want your Microsoft 365 environment to be genuinely hardened, upgrading your MFA method is the single most important step.
Use Microsoft Intune for device management
Managing which devices can authenticate to your environment limits an attacker’s options significantly. Conditional access policies that require compliant, managed devices before granting Microsoft 365 access add a powerful extra layer of control. Our post on why businesses should consider Microsoft Intune explains how it works and what it protects against.
Run phishing simulations that include this scenario
Most phishing simulation programmes focus on email-based attacks. Very few simulate Teams-based social engineering or device-code requests. Working with an anti-phishing company that can build scenarios specific to your environment will tell you whether your staff would fall for this. Our post on how to run phishing simulations explains how a well-structured programme should work and what results to measure.
Build a formal anti-phishing policy
Your technical controls are only as strong as the processes that support them. If your business does not yet have a clear process for staff to follow when they receive suspicious requests, our guide on how to create an anti-phishing policy is a practical starting point.
Train staff to question unexpected authentication requests
Your team should know that no legitimate IT process will send them an unexpected code and ask them to enter it somewhere. If they receive any such message, the right response is to report it to IT and take no further action. Our advice on how to spot a phishing email is a useful resource for team awareness sessions.
Monitor audit logs and sign-in activity
Even with strong controls in place, monitoring remains essential. Unusual sign-in locations, unexpected data downloads, or new inbox rules can all indicate a compromised account. Our post on endpoint hardening steps that reduce real-world attacks explains how a layered monitoring approach catches the threats that controls alone might miss. Combining this with robust endpoint security for remote teams ensures that the devices connecting to your environment are secure, not just the accounts.
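As an added example, not from the original post, this Python flags device-code sign-ins in Microsoft Entra sign-in log records by their `authenticationProtocol` field. The log lines and the "new IP for this user" severity rule are constructed for illustration, not taken from a real tenant.

```python
"""Flag device-code sign-ins in Microsoft Entra sign-in log records."""
import json
from collections import defaultdict

# Constructed sample records in the shape of Graph `signIn` objects; a value
# of "deviceCode" in authenticationProtocol marks a device-code-flow sign-in.
SAMPLE_LOG = r'''
{"userPrincipalName": "alice@example.com", "ipAddress": "203.0.113.10", "authenticationProtocol": "authorizationCode", "appDisplayName": "Microsoft Teams", "createdDateTime": "2025-03-03T08:02:11Z"}
{"userPrincipalName": "alice@example.com", "ipAddress": "203.0.113.10", "authenticationProtocol": "deviceCode", "appDisplayName": "Microsoft Office", "createdDateTime": "2025-03-03T09:15:40Z"}
{"userPrincipalName": "alice@example.com", "ipAddress": "198.51.100.77", "authenticationProtocol": "deviceCode", "appDisplayName": "Microsoft Office", "createdDateTime": "2025-03-03T09:16:02Z"}
{"userPrincipalName": "bob@example.com", "ipAddress": "203.0.113.22", "authenticationProtocol": "authorizationCode", "appDisplayName": "Outlook", "createdDateTime": "2025-03-03T09:20:00Z"}
'''


def parse_records(text):
    """Parse newline-delimited JSON sign-in records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def find_device_code_signins(records):
    """Return one alert per device-code sign-in, oldest first.

    Severity is "high" when the source IP has not appeared in any earlier
    sign-in for that user (a simple baseline assumed for this example) and
    "review" otherwise: if no devices in the tenant need the flow, every
    device-code sign-in is worth a look.
    """
    seen_ips = defaultdict(set)
    alerts = []
    for rec in sorted(records, key=lambda r: r["createdDateTime"]):
        user = rec["userPrincipalName"]
        ip = rec.get("ipAddress", "")
        if rec.get("authenticationProtocol") == "deviceCode":
            severity = "high" if ip not in seen_ips[user] else "review"
            alerts.append({"user": user, "ip": ip, "time": rec["createdDateTime"],
                           "app": rec.get("appDisplayName"), "severity": severity})
        seen_ips[user].add(ip)
    return alerts


if __name__ == "__main__":
    for a in find_device_code_signins(parse_records(SAMPLE_LOG)):
        print(f'{a["time"]} {a["severity"]:6} {a["user"]} from {a["ip"]} via {a["app"]}')
```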
Keep your Microsoft 365 backups current
If an attacker gets in, they may delete emails, alter files, or attempt to lock you out. A reliable Microsoft 365 backup strategy means you can restore data quickly and get back to normal. Microsoft’s own retention policies are not a substitute for a proper third-party backup.
The Wider Security Picture
Device-code phishing is one technique among many. Attackers also rely on business email compromise, credential stuffing, and malware delivered via attachments. A robust defence requires layers, not a single tool.
Understanding EDR vs antivirus vs XDR helps you decide which endpoint protection tools belong in your security stack, and our post on why EDR matters more than ever explains why traditional antivirus alone is no longer sufficient.
It is also worth reviewing common network vulnerabilities and how to fix them, reading our comparison of penetration testing vs vulnerability scanning to decide which assessment fits your situation, and checking whether your organisation meets the requirements for Cyber Essentials accreditation.
For businesses with European offices, working with a provider that understands European IT services requirements ensures your security posture is consistent across borders. And if you operate across multiple countries, a provider offering multinational IT support services can roll out unified security policies across all your locations.
If you have not yet had a formal review of your Microsoft 365 configuration, our guide on what is an Office 365 assessment explains what a proper review involves and what it should cover.
For businesses that have asked "does my business really need to worry about cybersecurity?", the short answer in today’s environment is yes. Our post on the benefits of outsourcing your IT to an MSP explains how bringing in specialist support gives you access to this level of expertise without building it entirely in-house.
You can also read more broadly on the importance of secure IT defences against cyber criminals to see how device-code phishing fits into the wider threat landscape.
Our security services cover the full range of protections your business needs, and our network penetration testing service can identify weaknesses in your Microsoft 365 configuration before attackers do.
Frequently Asked Questions
Does enabling MFA mean my Microsoft 365 accounts are fully protected?
Not entirely. MFA significantly reduces the risk of standard password-based attacks, but device-code phishing can bypass it. Moving to phishing-resistant MFA such as FIDO2 keys or passkeys provides much stronger protection and should be the goal for any business serious about account security.
What does a device-code phishing message actually look like?
It typically arrives as an email or Teams message containing a Microsoft device code and a link to Microsoft’s authentication page. It may claim to be from IT support or an internal system. Because the page the victim visits is genuinely Microsoft’s own, it does not trigger the usual phishing warning signs that staff are trained to look for.
Can our IT team disable device-code authentication in Microsoft 365?
Yes. Through Azure Active Directory conditional access policies, you can restrict or block the device authorisation grant flow for your users. A qualified Microsoft 365 support provider can implement this without disrupting legitimate workflows.
Is this type of attack common in the UK?
It is increasingly so. The technique has been used in campaigns targeting UK professional services firms, financial businesses and healthcare organisations. The NCSC has flagged MFA bypass techniques as a growing concern for UK organisations, and awareness of this specific method is still low among many businesses.
What should we do if we think an account has already been compromised?
Act quickly. Reset the account credentials, revoke all active sessions in Azure Active Directory, review audit logs for unusual activity, and check for inbox rules or forwarding settings the attacker may have added. Then contact your IT support team or security provider to carry out a thorough investigation.
Strengthen Your Microsoft 365 Security Today
If you are not certain your current MFA setup protects you against device-code phishing, now is the time to find out. Northern Star can review your Microsoft 365 configuration, move you to phishing-resistant authentication, and put the monitoring in place to catch threats before they cause damage.
Get in touch with our team or call us on 0800 319 6032 to arrange a no-obligation conversation about your current security setup. You can also visit our Why Us page to learn more about how we support London businesses like yours.