
Australian Signals Directorate warns of device code phishing activity targeting Microsoft 365 users

Aussie victims are being tricked into giving malicious actors access to their Microsoft 365 environments with the help of AI and automated systems.

Wed, 20 May 2026

Australia’s chief cyber intelligence agency, the Australian Signals Directorate, has warned Australians to beware of a phishing campaign targeting users of Microsoft 365.

“ASD has received a number of reports of device code phishing activity targeting Microsoft 365 users. This approach abuses a legitimate Microsoft sign‑in process,” the ASD warned in a 16 May social media post.

“The phishing activity doesn’t steal passwords or multifactor authentication (MFA) codes. Nor is it a technical flaw in Microsoft systems. Instead, users are deceived into approving access for a device or application controlled by a malicious cyber actor.”

 
 

The phishing attack begins with the threat actor, posing as a legitimate device, initiating a Microsoft sign-in request, which generates a link and a code. The actor then sends this legitimate link and code to the victim in a message that is often disguised as a document request, a collaboration invite, or a security alert.

This leads the victim to a real Microsoft website, where they enter the code and sign in with their usual credentials and MFA.

At this stage, everything appears above board; however, what the victim has actually done is sign in the threat actor’s device. Microsoft authenticates the access regardless of who made the request.

One of Microsoft’s regular defences to such an attack is to allow device log-in codes to expire after 15 minutes, which, traditionally, has been enough to slow attackers down.

“However, malicious cyber actors are now using automated systems and AI to request legitimate fresh codes at the exact moment a victim clicks, making the attack more reliable and far more likely to succeed,” the ASD said.

According to the ASD, this technique illustrates a shift away from stealing credentials towards abusing user trust.

“Also, while indicators were observed, this activity intentionally blends in with legitimate enterprise cloud traffic,” the ASD said.

“Consequently, organisations should explore policy-based identity controls such as Conditional Access and anti-phishing policies.”
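Because the sign-in itself is genuine, one practical review step is to look for device code authentications by accounts that have no reason to use that flow. The following is an added example, not code from the ASD, Microsoft or Proofpoint; the flat field names are simplified from Microsoft Entra sign-in log exports and, like the allowlist and sample records, are assumptions to map onto your own schema.

```python
# Accounts expected to use device code flow (hypothetical allowlist,
# e.g. shared meeting-room displays or kiosk devices).
DEVICE_CODE_ALLOWLIST = {"boardroom-display@example.com"}

# Constructed sample records, not real log data. errorCode 0 means the
# sign-in succeeded; the non-zero value below is a constructed placeholder.
SAMPLE_SIGNINS = [
    {"time": "2026-05-18T00:50:03Z", "user": "carol@example.com",
     "authenticationProtocol": "deviceCode", "app": "Microsoft Office", "errorCode": 1},
    {"time": "2026-05-18T01:02:11Z", "user": "alice@example.com",
     "authenticationProtocol": "deviceCode", "app": "Microsoft Office", "errorCode": 0},
    {"time": "2026-05-18T01:05:40Z", "user": "bob@example.com",
     "authenticationProtocol": "oAuth2", "app": "Outlook", "errorCode": 0},
    {"time": "2026-05-18T01:09:27Z", "user": "Boardroom-Display@example.com",
     "authenticationProtocol": "deviceCode", "app": "Microsoft Teams", "errorCode": 0},
]


def review_device_code_signins(records, allowlist=DEVICE_CODE_ALLOWLIST):
    """Return findings for device code sign-ins by accounts not on the allowlist."""
    allowed = {u.lower() for u in allowlist}
    findings = []
    for rec in records:
        # Only the device code flow is of interest here.
        if rec.get("authenticationProtocol") != "deviceCode":
            continue
        user = rec["user"].lower()  # compare case-insensitively
        if user in allowed:
            continue
        succeeded = rec.get("errorCode") == 0
        findings.append({
            "time": rec["time"],
            "user": user,
            "app": rec.get("app", "unknown"),
            # A completed sign-in means a token was issued to whichever
            # device requested the code, so it is triaged first.
            "severity": "high" if succeeded else "low",
        })
    # Completed sign-ins first, then chronological within each severity.
    return sorted(findings, key=lambda f: (f["severity"] != "high", f["time"]))


if __name__ == "__main__":
    for finding in review_device_code_signins(SAMPLE_SIGNINS):
        print(finding)
```

A high-severity finding is a prompt to confirm with the user whether they knowingly entered a device code, and to tighten the Conditional Access policy so that only allowlisted accounts can use the flow.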

What is device code phishing?

Between 2020 and 2022, device code phishing was only rarely used by cyber criminals – it was mostly used by red teams.

However, in 2025, a suite of criminal device code phishing tools was distributed online. At the same time, the rise of vibe coding and easy access to AI resources has led to a sharp increase in its use.

According to cyber security firm Proofpoint, despite the use of AI and related coding tools, these attacks are not particularly sophisticated.

“In many cases, actors are exposing their infrastructure, usernames, email addresses, stolen information, or other sensitive details to the public, due to not properly securing AI-generated panels, HTML code, or infrastructure,” Proofpoint said.

“These OpSec failures have helped identify or otherwise classify the wave of new implementations. (We are not publicly sharing the details of these operational security failures, as we do not want to help criminals get better.)”


David Hollingworth

David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.
