When MFA Isn't Enough: The New Microsoft 365 Account-Takeover Attack You Need to Know About

A phishing-as-a-service kit called EvilTokens has been used to compromise hundreds of Microsoft 365 accounts since February 2026, and the victims all had multi-factor authentication enabled. Here's what device-code phishing is, why it defeats traditional security training, and what we're doing to protect our customers.

If your team relies on Microsoft 365, and almost every business does, there’s an attack technique you should know about. It’s called device-code phishing. Researchers have known about the technique for years, but since February 2026 it has been packaged into a mass-market kit that has compromised more than 340 organizations across the United States, Canada, Australia, New Zealand, and Germany. Microsoft is now observing 10 to 15 distinct phishing campaigns launched every single day.

Here’s what makes it different from anything you’ve seen before: the people who fell for it had multi-factor authentication enabled. They completed it correctly. They were compromised anyway.

This article explains how the attack works, why most existing defenses don’t catch it, and what we’re doing to protect our managed customers.

How the Attack Works, in Plain English

Microsoft 365 sign-in (handled by Microsoft Entra ID) supports a feature originally designed for devices that don’t have a keyboard or a usable browser: smart TVs, conference room hardware, certain printers, and command-line tools. In OAuth terms it is the device authorization grant, usually just called the device code flow. The way it works is straightforward: the device asks Microsoft for a short code and shows it on its screen, and you go to a Microsoft web page on another device, enter that code, and sign in to grant the first device access to your account.

It’s a legitimate, useful Microsoft feature. Attackers have figured out how to weaponize it.

The attack chain looks like this:

  1. You receive an email that looks like a shared SharePoint document, an invoice, a voicemail notification, or a request for proposal. It’s well-written and addressed to you by name. The link is wrapped in a legitimate link-rewriting or redirect service, so it carries a reputable domain and your spam filter lets it through.

  2. You click the link. It takes you through a short series of redirects to a page that says something like “Your secure document is ready — sign in with Microsoft to view it.” The page tells you it has copied a sign-in code to your clipboard for convenience. That code was issued by Microsoft moments ago, but to the attacker’s kit, which requested it in the background and is now waiting for someone to approve it.

  3. You click “Continue,” which sends you to the real Microsoft sign-in page at microsoft.com/devicelogin. Genuine Microsoft URL. Genuine Microsoft logo. Genuine Microsoft TLS certificate. Everything looks correct because it is correct.

  4. You sign in. Your password works. Your password manager autofills (because it’s the real Microsoft site). Your MFA prompt comes through on your phone — number-matching, the kind you trust. You approve it.

  5. Microsoft says “You’re signed in. You can close this window.” And it’s true. You authenticated successfully.

Behind the scenes, the attacker’s kit has been polling Microsoft with the code it requested, and the moment you approved, Microsoft handed it an access token and a refresh token for your account. Those tokens never pass through your browser. The refresh token can be renewed for as long as it keeps being used (by default it only expires after 90 days without use), so the attacker keeps access until someone revokes it. They can read your email, set up hidden forwarding rules to intercept future messages, and start preparing wire-fraud or invoice-redirection scams using your real account.

The document never opens. You shrug, close the page, and move on. Nothing seems wrong because, from your perspective, nothing was.
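The exchange above, written out as code so the asymmetry is visible. This is an added example, not code from the article or from any of the vendors it cites: an in-memory stand-in for Microsoft’s authorization server implementing the three messages of the OAuth 2.0 device authorization grant (RFC 8628), which is the protocol behind microsoft.com/devicelogin. The client id, scope, code alphabet and token formats are constructed placeholders, and nothing talks to the network.

```python
"""Model of the OAuth 2.0 device authorization grant (RFC 8628), the flow behind
microsoft.com/devicelogin, reduced to an in-memory authorization server so it
runs offline. Client id, scope and token formats are constructed placeholders."""
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional

USER_CODE_ALPHABET = "BCDFGHJKLMNPQRSTVWXZ"  # constructed; real codes look different


@dataclass
class PendingAuth:
    client_id: str
    scope: str
    expires_at: float
    approved_by: Optional[str] = None  # set when someone completes /devicelogin


class AuthorizationServer:
    """Stand-in for the identity provider. Tokens are opaque strings here."""

    def __init__(self, code_lifetime: float = 900.0):
        self.code_lifetime = code_lifetime
        self.pending: Dict[str, PendingAuth] = {}  # device_code -> state
        self.user_codes: Dict[str, str] = {}       # user_code -> device_code
        self.issued: Dict[str, dict] = {}          # refresh_token -> who it is bound to

    def device_authorization(self, client_id: str, scope: str) -> dict:
        """Message 1: the CLIENT (not the user) asks for a code pair."""
        device_code = secrets.token_urlsafe(32)
        user_code = "".join(secrets.choice(USER_CODE_ALPHABET) for _ in range(9))
        self.pending[device_code] = PendingAuth(client_id, scope, time.time() + self.code_lifetime)
        self.user_codes[user_code] = device_code
        return {"device_code": device_code, "user_code": user_code,
                "verification_uri": "https://microsoft.com/devicelogin",
                "expires_in": self.code_lifetime, "interval": 5}

    def device_login(self, user_code: str, username: str, mfa_approved: bool) -> str:
        """Message 2: a USER visits the genuine verification page, enters the code
        and signs in with password and MFA. Nothing shown to the user identifies
        who requested the code, which is the whole problem."""
        device_code = self.user_codes.get(user_code)
        if device_code is None:
            return "invalid_code"
        pending = self.pending.get(device_code)
        if pending is None or time.time() > pending.expires_at:
            return "expired_code"
        if not mfa_approved:
            return "mfa_required"
        pending.approved_by = username
        return "signed_in"

    def token(self, device_code: str) -> dict:
        """Message 3: the CLIENT polls the token endpoint. Whoever holds
        device_code receives the tokens; the user's browser never does."""
        pending = self.pending.get(device_code)
        if pending is None or time.time() > pending.expires_at:
            return {"error": "expired_token"}
        if pending.approved_by is None:
            return {"error": "authorization_pending"}
        refresh_token = secrets.token_urlsafe(48)
        self.issued[refresh_token] = {"user": pending.approved_by,
                                      "client_id": pending.client_id,
                                      "scope": pending.scope}
        del self.pending[device_code]
        return {"token_type": "Bearer", "expires_in": 3600,
                "access_token": secrets.token_urlsafe(32),
                "refresh_token": refresh_token}


def run_lure(server: AuthorizationServer, victim: str = "alice@example.com") -> dict:
    """The sequence from the text as three messages. Returns what each side ends
    up with so the asymmetry is visible."""
    # Kit side, before the victim opens the lure: request a code pair.
    kit = server.device_authorization(client_id="constructed-kit-client-id",
                                      scope="Mail.ReadWrite offline_access")
    # Victim side: the lure page puts kit["user_code"] on the clipboard, the
    # victim pastes it at the real verification URI and completes MFA.
    outcome = server.device_login(kit["user_code"], victim, mfa_approved=True)
    # Kit side: the next poll succeeds.
    tokens = server.token(kit["device_code"])
    return {"victim_sees": outcome, "kit_holds": tokens,
            "bound_to": server.issued.get(tokens.get("refresh_token"))}


if __name__ == "__main__":
    result = run_lure(AuthorizationServer())
    print(result["victim_sees"], "->", result["bound_to"])
```

The point the code makes: device_login() is everything the victim sees, and it has no way to tell who called device_authorization(); token() hands the refresh token to whoever holds device_code. MFA was satisfied because the victim really did authenticate. It simply authenticated the attacker’s pending request.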

Why Traditional Anti-Phishing Advice Doesn’t Help Here

Most cybersecurity training teaches users to spot specific warning signs. Almost every one of them fails for this attack:

  • “Check the URL before signing in”: the URL is genuine Microsoft.
  • “Look for the padlock”: the TLS certificate is genuine Microsoft.
  • “Don’t enter your password on suspicious sites”: you’re entering it on Microsoft itself.
  • “Watch out for fake MFA prompts”: the MFA prompt is real, sent by Microsoft.
  • “Use a password manager, it won’t autofill on fake sites”: it autofills correctly, because the site is real.
  • “Watch for typos and bad grammar”: the lures are generated with AI and read flawlessly.

This isn’t a failure of awareness. It’s a structurally different kind of attack — one designed specifically to defeat the warnings users have been trained to look for. It’s a stark reminder that employees can unknowingly put your business’s data at risk even when they’re following every best practice they’ve been taught.

How Likely Is It to Affect Your Business?

Cybercriminals have packaged this attack into a service that’s sold to less-technical operators on private channels — the same way mass-market phishing has worked for years. The criminals don’t have to be sophisticated; they rent the tooling and pay-per-use.

In a single four-week window in early 2026, security researchers measured more than 7 million of these attacks. The kit operators have over 1,000 phishing domains in active rotation. Lures are personalized using artificial intelligence based on publicly available information — your LinkedIn profile, your company website, your industry — to create messages that feel relevant and urgent.

Small and mid-sized businesses are not too small to be targeted. The attackers don’t pre-screen victims; they cast a wide net and follow up on whoever takes the bait. The end goal is usually wire fraud or vendor-payment redirection — both of which can hit a business of any size hard, often for six-figure losses before anyone notices the breach.

If you’ve wondered whether your business’s technology protects or exposes your data, this is exactly the kind of question that has a real answer — and the answer depends on what’s been configured in your Microsoft 365 environment.

What You Can Do Today

Three things help right away, even before working with a managed-services provider:

  1. Be cautious of any “sign-in code” you receive in an email, a chat message, or a web page that offers to copy one to your clipboard. A legitimate Microsoft sign-in code appears on the screen of the device you are physically setting up; it is never sent to you. If you didn’t initiate a device sign-in yourself, don’t enter the code anywhere.

  2. If something feels off, stop and ask. You will not get in trouble for reporting a suspicious email that turns out to be benign. You will create a serious problem if you complete a sign-in flow you weren’t expecting and don’t tell anyone. Speed matters: the difference between reporting a compromise in five minutes versus five hours can be the difference between one compromised user and a company-wide breach.

  3. Talk to your IT team or managed-services provider about whether your Microsoft 365 environment blocks the device code flow. Microsoft Entra Conditional Access has an “Authentication flows” condition that can block device code sign-ins for everyone except documented exceptions; with it enforced, this attack cannot complete. It requires Entra ID P1, which is included in Microsoft 365 Business Premium and the Enterprise E3/E5 plans many businesses already pay for. Whether it’s deployed in your environment is a question your IT lead should be able to answer in minutes.

What Southeastern Technical Is Doing for Our Managed Customers

We started taking this seriously in February when the attack pattern first surfaced publicly. Our response is layered, because no single control catches every variant of this attack — a principle we’ve written about before in our piece on a layered cyber defense that works for small business.

Prevention layer. We are deploying a Conditional Access policy across every customer environment we administer that blocks the device code flow for all users and all applications. We exclude only the accounts used by hardware that legitimately needs it (conference room systems, certain printers) and we document each exception. Once enforced, the attack cannot complete, even if a user falls for the lure. The policy governs new sign-ins; any account suspected of compromise before enforcement still needs its sessions revoked, which is what the response layer below is for.
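The control referred to in step 3 of “What You Can Do Today” and in the prevention layer above is a Conditional Access policy whose Authentication flows condition targets the device code flow with a block grant. The following is an added example, not Microsoft’s or Southeastern Technical’s code: it builds the request body such a policy takes when created through Microsoft Graph (a POST to /identity/conditionalAccess/policies) and then reviews any policy body for the gaps a read-only tenant review would flag. The field names follow the Graph conditionalAccessPolicy resource as I understand it and should be checked against the current reference; the group id in the demo is a placeholder.

```python
"""Builds the Microsoft Graph request body for a Conditional Access policy that
blocks the device code flow, and reviews policy bodies for the gaps a tenant
review looks for. Field names (conditions.authenticationFlows.transferMethods,
grantControls.builtInControls) follow the Graph conditionalAccessPolicy resource
as understood by the author of this example; verify against the reference."""
import json
from typing import Iterable, List

GRAPH_ENDPOINT = "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies"


def block_device_code_policy(excluded_group_ids: Iterable[str], enforce: bool) -> dict:
    """Policy body to POST to GRAPH_ENDPOINT. Start in report-only mode to see
    which accounts would have been blocked, then redeploy with enforce=True."""
    return {
        "displayName": "Block device code flow (all users; documented device exceptions only)",
        "state": "enabled" if enforce else "enabledForReportingButNotEnforced",
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeGroups": list(excluded_group_ids)},
            "applications": {"includeApplications": ["All"]},
            "authenticationFlows": {"transferMethods": "deviceCodeFlow"},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }


def review_policy(policy: dict) -> List[str]:
    """Findings a tenant review would report for one policy; an empty list means
    this policy actually stops device-code sign-ins tenant-wide."""
    findings = []
    cond = policy.get("conditions", {})
    flows = cond.get("authenticationFlows") or {}
    # transferMethods is a comma-separated flags value, e.g. "deviceCodeFlow,authenticationTransfer"
    methods = {m.strip() for m in str(flows.get("transferMethods", "")).split(",")}
    if "deviceCodeFlow" not in methods:
        findings.append("policy does not target the device code flow")
    grant = policy.get("grantControls") or {}
    if "block" not in (grant.get("builtInControls") or []):
        findings.append("grant control is not 'block' (requiring MFA does not help here)")
    if policy.get("state") != "enabled":
        findings.append(f"state is {policy.get('state')!r}: report-only or disabled, nothing is blocked")
    users = cond.get("users", {})
    if users.get("includeUsers") != ["All"]:
        findings.append("policy does not include all users")
    if cond.get("applications", {}).get("includeApplications") != ["All"]:
        findings.append("policy does not cover all applications")
    if users.get("excludeUsers"):
        findings.append(f"{len(users['excludeUsers'])} individual user exclusions; "
                        "prefer one documented exception group")
    return findings


def review_tenant(policies: Iterable[dict]) -> List[str]:
    """Tenant-level verdict: fine if at least one policy passes review, otherwise
    every policy's findings, so the report says why nothing is blocking."""
    policies = list(policies)
    if any(not review_policy(p) for p in policies):
        return []
    return ["no enforced policy blocks device code flow"] + [
        f"{p.get('displayName')}: {'; '.join(review_policy(p))}" for p in policies]


if __name__ == "__main__":
    draft = block_device_code_policy(["00000000-0000-0000-0000-000000000000"], enforce=False)
    print(json.dumps(draft, indent=2))   # body for the POST to GRAPH_ENDPOINT
    print(review_policy(draft))          # the report-only finding, until enforce=True
```

The review deliberately treats a report-only policy and an MFA-only policy as failures: report-only mode records what would have happened and blocks nothing, and requiring MFA on the device code flow does not help, because the victim in this attack satisfies MFA.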

Detection layer. Our endpoint and identity protection platforms watch for the specific behaviors attackers use after a successful compromise: sign-ins recorded with the device code protocol from accounts that aren’t documented devices, unusual device registrations, token replay from known criminal infrastructure, unusual mailbox access patterns, and hidden inbox rules that forward or delete mail. If something slips past prevention, we catch it within minutes, not days.
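As an added example of the detection layer (not the MSP’s or any vendor’s code), here is a detection pass over constructed records shaped like Entra sign-in log entries (the authenticationProtocol field records device code sign-ins) and Unified Audit Log inbox-rule events. The sample data, account names and IP addresses are made up for the example; the logic is what you would run over exported logs, or translate into a SIEM rule.

```python
"""Detection pass over constructed records shaped like Entra sign-in logs
(Microsoft Graph signIn: authenticationProtocol, appDisplayName, ipAddress) and
Unified Audit Log inbox-rule events (Operation New-InboxRule, Parameters list).
All records below are hand-written sample data, not real telemetry."""
from datetime import datetime, timedelta
from typing import Iterable, List

# Constructed sign-ins: a room-system account doing what it should, then an
# ordinary user whose account was signed in via device code from elsewhere.
SAMPLE_SIGNINS = [
    {"createdDateTime": "2026-03-04T08:02:11Z", "userPrincipalName": "room-boardroom@example.com",
     "authenticationProtocol": "deviceCode", "appDisplayName": "Microsoft Teams Rooms",
     "ipAddress": "203.0.113.10", "status": {"errorCode": 0}},
    {"createdDateTime": "2026-03-04T09:12:33Z", "userPrincipalName": "alice@example.com",
     "authenticationProtocol": "deviceCode", "appDisplayName": "Microsoft Office",
     "ipAddress": "198.51.100.77", "status": {"errorCode": 0}},
    {"createdDateTime": "2026-03-04T09:15:02Z", "userPrincipalName": "alice@example.com",
     "authenticationProtocol": "authorizationCode", "appDisplayName": "Outlook Web",
     "ipAddress": "203.0.113.10", "status": {"errorCode": 0}},
]
# Constructed audit records: one rule forwards and deletes, one is harmless.
SAMPLE_AUDIT = [
    {"CreationTime": "2026-03-04T09:40:19Z", "Operation": "New-InboxRule",
     "UserId": "alice@example.com", "ClientIP": "198.51.100.77",
     "Parameters": [{"Name": "Name", "Value": "."},
                    {"Name": "SubjectContainsWords", "Value": "invoice;payment;wire"},
                    {"Name": "ForwardTo", "Value": "constructed-external@example.net"},
                    {"Name": "DeleteMessage", "Value": "True"}]},
    {"CreationTime": "2026-03-04T10:01:00Z", "Operation": "New-InboxRule",
     "UserId": "bob@example.com", "ClientIP": "203.0.113.10",
     "Parameters": [{"Name": "Name", "Value": "Newsletters"},
                    {"Name": "MoveToFolder", "Value": "Reading"}]},
]
KNOWN_DEVICE_ACCOUNTS = {"room-boardroom@example.com"}  # the documented exceptions
FORWARDING_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"}


def parse_ts(value: str) -> datetime:
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def device_code_signins(signins: Iterable[dict], allowed: set) -> List[dict]:
    """Successful device-code sign-ins by accounts that are not documented devices."""
    hits = []
    for s in signins:
        if s.get("authenticationProtocol") != "deviceCode":
            continue
        if s.get("status", {}).get("errorCode", 0) != 0:
            continue  # failed attempts are worth counting, but are not takeovers
        user = s["userPrincipalName"].lower()
        if user in allowed:
            continue
        hits.append({"user": user, "ip": s["ipAddress"], "app": s["appDisplayName"],
                     "time": parse_ts(s["createdDateTime"])})
    return hits


def forwarding_rules(audit: Iterable[dict]) -> List[dict]:
    """Inbox rules that forward or redirect mail; hides_mail marks the ones that
    also delete or mark as read, the classic 'hidden rule' pattern."""
    hits = []
    for rec in audit:
        if rec.get("Operation") not in ("New-InboxRule", "Set-InboxRule"):
            continue
        params = {p["Name"]: p["Value"] for p in rec.get("Parameters", [])}
        targets = {k: params[k] for k in sorted(FORWARDING_PARAMS & params.keys())}
        if not targets:
            continue
        hits.append({"user": rec["UserId"].lower(), "ip": rec.get("ClientIP"),
                     "time": parse_ts(rec["CreationTime"]), "targets": targets,
                     "rule_name": params.get("Name", ""),
                     "hides_mail": params.get("DeleteMessage") == "True"
                     or params.get("MarkAsRead") == "True"})
    return hits


def correlate(signins: Iterable[dict], audit: Iterable[dict],
              allowed: set = KNOWN_DEVICE_ACCOUNTS,
              window: timedelta = timedelta(hours=24)) -> List[dict]:
    """Pairs each suspicious device-code sign-in with forwarding rules created on
    the same mailbox afterwards within the window; a match is high severity."""
    rules = forwarding_rules(audit)
    findings = []
    for s in device_code_signins(signins, allowed):
        related = [r for r in rules if r["user"] == s["user"]
                   and timedelta(0) <= r["time"] - s["time"] <= window]
        findings.append({"user": s["user"], "signin_ip": s["ip"], "app": s["app"],
                         "severity": "high" if related else "medium",
                         "same_ip_rule": any(r["ip"] == s["ip"] for r in related),
                         "rules": related})
    return findings


if __name__ == "__main__":
    for f in correlate(SAMPLE_SIGNINS, SAMPLE_AUDIT):
        print(f["severity"], f["user"], f["signin_ip"], [r["targets"] for r in f["rules"]])
```

Two design points: the device-code sign-in alone is only medium severity, because the documented exceptions list will never be perfect and a user may have a legitimate reason, but a forwarding rule on the same mailbox within a day, from the same IP, is the wire-fraud setup described above and should page someone. Once the Conditional Access block is enforced, any deviceCode sign-in that still succeeds means the policy has a gap, so the same query doubles as a check on the prevention layer.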

Response layer. We have a documented incident response procedure specifically for this attack pattern. If we detect an account compromise — yours, your team’s, or any user we manage — we can disable the affected account, revoke all active sessions, and contain the damage in under five minutes.

Education layer. We’ve trained our own technicians on this attack specifically, because as a managed-services provider, our staff are themselves high-value targets. We’ve also produced customer-facing training materials we’re happy to share with your team.

We don’t believe in selling fear. The attack is real, but it’s also entirely manageable when the right controls are in place. Most of those controls come at no extra cost with the Microsoft 365 Business Premium or Enterprise licensing you already pay for. They simply need to be turned on, configured, and monitored, which is exactly what a good managed-services partner should be doing for you.

Need a Review?

If you’d like us to take a look at your Microsoft 365 environment and tell you honestly whether you’re protected against this attack, we’d be glad to. The review is straightforward: a member of our team takes a read-only look at your tenant’s policy configuration, gives you a one-page report on what’s already in place and what isn’t, and offers concrete next steps.

If you’re already a managed customer of ours, you don’t need to do anything — this work is already happening. If you’d like a status update on your specific environment, your account manager can have it for you within a business day.

If you’re not yet a customer and you’d like to talk, contact us for a free 30-minute conversation. No sales pitch — just a clear answer to whether your business is exposed.

Further Reading

For technical readers who want to dig deeper into the research behind this attack:

  • Microsoft Security Blog: Inside an AI-enabled device code phishing campaign (April 2026)
  • Huntress: EvilTokens — Big Cybercrime’s AI Platform Built to Bypass Your MFA
  • Sekoia: EvilTokens kit: device code phishing as-a-service
  • Barracuda Networks: Threat Spotlight — 7 million device code phishing attacks in 4 weeks

Southeastern Technical provides managed IT and cybersecurity services to businesses across the Southeast. We’ve been protecting our customers’ Microsoft 365 environments for over a decade. If you have questions about this article or want to discuss your own environment, reach out — we’re here to help.