A recent wave of phishing attacks has turned one of Microsoft’s own authentication features into a powerful weapon. Unlike traditional scams that rely on fake login pages, this new method, known as device code phishing, uses the real Microsoft login page, making it much harder for users to spot.
What’s happening?
In May 2026, the FBI issued a warning about a phishing‑as‑a‑service platform called Kali365, which is actively targeting Microsoft 365 users. Instead of stealing passwords, attackers trick victims into granting access themselves by abusing Microsoft’s device code authentication flow.
This feature is normally used to let devices that can’t easily display a login screen, such as smart TVs or printers, authenticate through another device: the user enters a short code at Microsoft’s device code login portal, and the token is issued to the device that requested it.
How the scam works
The attack typically unfolds like this:
- Phishing lure: The victim receives an email disguised as a trusted service (e.g. document sharing or IT notification).
- Device code provided: The message includes a short “verification code” and instructions to go to Microsoft’s real login page.
- User complies: The victim visits the legitimate Microsoft site and enters the code, often completing MFA as usual.
- Access granted: Behind the scenes, that code links the session to the attacker’s device, giving them access tokens for the account.
At no point does the victim enter credentials into a fake site, which is exactly why this attack is so effective.
Why it’s so dangerous
This technique is a major shift from traditional phishing:
- No password theft required: Attackers steal OAuth tokens instead of credentials.
- MFA can be bypassed: The victim completes MFA themselves, effectively approving the attacker’s login.
- Persistent access: Tokens can allow ongoing access to Outlook, Teams, OneDrive, and more, even after a password change.
- Looks legitimate: Users interact with a real Microsoft page, not a spoofed one.
Security researchers have observed this tactic scaling rapidly, with campaigns hitting hundreds of organisations and evolving into automated, AI‑assisted operations.
A growing trend
Device code phishing isn’t entirely new, but it has surged in 2026 thanks to phishing‑as‑a‑service platforms like Kali365, which package everything attackers need: templates, lures, and token‑stealing infrastructure.
This “industrialisation” of phishing means even low‑skill attackers can launch sophisticated campaigns that were once the domain of advanced threat groups.
How to stay safe
A few practical takeaways can dramatically reduce risk:
- Never enter a device code unless you initiated the login.
- Treat unexpected “verification code” requests with suspicion, even if they point to a real Microsoft URL.
- Watch for emails urging urgent action or pretending to be IT support.
- For organisations: consider restricting or monitoring device code authentication flows.
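As an added example (not part of the original post), here is the kind of check an organisation could run over exported Entra sign-in records to act on that last point: it lists successful device code sign-ins and ranks higher any that were redeemed from an address the user has never used for ordinary sign-ins. The records are constructed samples; the field names follow the Microsoft Graph signIn schema, and the "unfamiliar IP" heuristic is an assumption, not a Microsoft rule.

```python
import json

# Constructed sample sign-in records (not real telemetry). Field names follow the
# Microsoft Graph signIn resource; only the fields the checks use are present.
SAMPLE_SIGNINS = json.loads("""[
 {"userPrincipalName": "alice@example.com", "authenticationProtocol": "oAuth2",
  "ipAddress": "203.0.113.10", "appDisplayName": "Microsoft Teams", "status": {"errorCode": 0}},
 {"userPrincipalName": "alice@example.com", "authenticationProtocol": "deviceCode",
  "ipAddress": "198.51.100.7", "appDisplayName": "Microsoft Office", "status": {"errorCode": 0}},
 {"userPrincipalName": "bob@example.com", "authenticationProtocol": "oAuth2",
  "ipAddress": "203.0.113.22", "appDisplayName": "Outlook", "status": {"errorCode": 0}},
 {"userPrincipalName": "bob@example.com", "authenticationProtocol": "deviceCode",
  "ipAddress": "203.0.113.22", "appDisplayName": "Microsoft Azure CLI", "status": {"errorCode": 0}},
 {"userPrincipalName": "carol@example.com", "authenticationProtocol": "deviceCode",
  "ipAddress": "198.51.100.9", "appDisplayName": "Microsoft Office", "status": {"errorCode": 50126}}
]""")

def _succeeded(record):
    """A sign-in succeeded when its errorCode is 0 (any other value is a failure)."""
    return record.get("status", {}).get("errorCode") == 0

def device_code_signins(records):
    """Successful sign-ins that used the device code grant. In a device code phish
    the victim authenticates, but the token goes to whoever requested the code."""
    return [r for r in records
            if r.get("authenticationProtocol") == "deviceCode" and _succeeded(r)]

def baseline_ips(records):
    """Per user, the source IPs seen on successful non-device-code sign-ins."""
    seen = {}
    for r in records:
        if r.get("authenticationProtocol") != "deviceCode" and _succeeded(r):
            seen.setdefault(r["userPrincipalName"], set()).add(r["ipAddress"])
    return seen

def triage(records):
    """Rank device code sign-ins: 'high' when the code was redeemed from an IP the
    user has never used for ordinary sign-ins (the redeeming device is not the
    victim's browser, so its address often differs), 'review' otherwise.
    Assumption: an IP seen on ordinary sign-ins is treated as the user's own."""
    baseline = baseline_ips(records)
    findings = []
    for r in device_code_signins(records):
        user, ip = r["userPrincipalName"], r["ipAddress"]
        severity = "high" if ip not in baseline.get(user, set()) else "review"
        findings.append({"user": user, "ip": ip,
                         "app": r.get("appDisplayName"), "severity": severity})
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE_SIGNINS):
        print(f"{f['severity']:6} {f['user']} redeemed a device code from {f['ip']} ({f['app']})")
```

Every device code sign-in is worth a look, since most users never initiate one; the ranking only decides which to examine first.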
Final thoughts
Device code phishing underscores a growing reality in cybersecurity: attackers don’t always need to break into systems; they can simply manipulate users into using legitimate tools at the wrong moment.
As authentication methods become more sophisticated, so do the tactics that exploit them. In this case, the most telling warning sign is also the most deceptive: everything appears entirely legitimate.
Need help with your IT? TechMan provides friendly, expert IT support for homes and small businesses across the Kāpiti Coast, Wellington and Levin.