New Microsoft Login Scam Is Gaining Ground

It Has Nothing to Do with Your Password

Most online scams still revolve around one main goal: stealing your password. We've been trained to watch out for fake login pages, suspicious links, and urgent emails asking us to “confirm” our account credentials.

But a new wave of attacks targeting Microsoft accounts works differently. Victims log in to the real Microsoft website, pass real security checks, and even successfully complete multi-factor authentication (MFA) — and yet the attackers gain access.

This technique, known as device-code phishing, doesn't steal your password at all. Instead, it tricks you into granting access, using Microsoft's authentication system exactly as it was designed.

Microsoft, like other big tech companies, supports a feature called the “device authorization flow”, also known as device code login. Simply put, instead of showing a full login page, the device displays a short code, which you enter on Microsoft's sign-in page from another device to complete the sign-in process.

This is extremely convenient, especially for devices that can't easily display a full login page or that have limited input options. You might encounter it on your smart TV or on the TV in your hotel room — both are typical examples. Most of the time, this process is completely safe and there is nothing dangerous about it. But all of that changes when the flow is abused.

Access via device code is incredibly useful. However, it can be exploited because the login process inherently assumes that the person entering the code is the one who initiated the request. That assumption is the security weakness.

If an attacker knows your email address or other contact information, they can initiate a login request from their own device, starting a unique session. Microsoft (like other technology companies) then generates a legitimate device code associated with that session.

This is where it gets complicated. Instead of trying to use the code themselves, the attacker sends it directly to you, disguised as a routine process, using familiar phishing tactics:

A security alert claiming suspicious activity;

A Microsoft 365 emergency;

A Teams message or a message from IT support;

A business or other email request.

The request instructs you to visit the official Microsoft login page and enter the provided code to “protect” or “verify” your account. This is the next stage of the exploit. You are not visiting a fake login page or a cleverly designed phishing portal: this is the real Microsoft page, and the authentication checks are genuine.

You enter the code on the Microsoft page as usual, approve the request, and think you have secured your account. But in fact, you have authenticated the attacker, handing over the keys to your account in the process. Throughout this entire process, your password is not revealed to anyone, yet you have directly handed over your account.
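Because the flow described above completes on the real Microsoft sign-in page, the only place a defender can see it is the sign-in log: a successful device-code sign-in issues tokens to the client that started the flow, so the recorded client address may belong to the attacker's device rather than to the victim. The script below is an added illustration, not code from the article; the field names are modelled on Microsoft Entra sign-in log records (an assumption about the schema), and the records and trusted ranges are constructed examples.

```python
import json
from ipaddress import ip_address, ip_network

# Constructed sample sign-in records (not real log data), with field names
# modelled on Entra sign-in logs: authenticationProtocol, ipAddress, status.
SAMPLE_SIGNINS = """
{"id": "s1", "userPrincipalName": "alice@example.com", "authenticationProtocol": "deviceCode", "ipAddress": "203.0.113.45", "appDisplayName": "Microsoft Office", "status": "success"}
{"id": "s2", "userPrincipalName": "alice@example.com", "authenticationProtocol": "oAuth2", "ipAddress": "198.51.100.20", "appDisplayName": "Microsoft Teams", "status": "success"}
{"id": "s3", "userPrincipalName": "bob@example.com", "authenticationProtocol": "deviceCode", "ipAddress": "198.51.100.77", "appDisplayName": "Microsoft Office", "status": "success"}
{"id": "s4", "userPrincipalName": "bob@example.com", "authenticationProtocol": "deviceCode", "ipAddress": "203.0.113.9", "appDisplayName": "Microsoft Office", "status": "failure"}
"""

# Hypothetical address ranges where device-code sign-ins are expected
# (meeting-room displays, smart TVs on the office network).
TRUSTED_RANGES = [ip_network("198.51.100.0/24")]


def parse_signins(text):
    """Parse newline-delimited JSON sign-in records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def is_trusted(ip):
    """True if the client address falls inside one of the expected ranges."""
    try:
        addr = ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in TRUSTED_RANGES)


def flag_device_code_signins(records):
    """Return ids of successful device-code sign-ins whose client address is
    outside the trusted ranges. These are the sign-ins to review first: the
    code was typed by a user, but the tokens went to a client elsewhere."""
    return [
        r["id"]
        for r in records
        if r.get("authenticationProtocol") == "deviceCode"
        and r.get("status") == "success"
        and not is_trusted(r.get("ipAddress", ""))
    ]


if __name__ == "__main__":
    for signin_id in flag_device_code_signins(parse_signins(SAMPLE_SIGNINS)):
        print("review device-code sign-in:", signin_id)
```

In the sample data only s1 is flagged: s2 is an ordinary OAuth sign-in, s3 comes from a trusted range, and s4 never succeeded.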

Source: kaldata.com