Australia’s national cybersecurity agency says users of Microsoft 365 software should be wary of a "growing threat" from unexpected device code requests, as cybercriminals exploit legitimate Microsoft login pages to trick users into granting access to their accounts.

Australian Signals Directorate (ASD) issued the warning on Saturday and said it had “received a number of reports” of local Microsoft 365 users being targeted by an increasingly popular technique known as device code phishing.

The attack typically involves cybercriminals taking advantage of authentication systems which allow users to sign in to a device by entering a short code on another device which their account already trusts.

After asking an online service such as Microsoft 365 for a real device code, the attacker sends this code and its legitimate login website to their intended victim with an accompanying phishing lure such as a fake document request, invoice, or security alert.

If the intended victim enters the code on the legitimate login page, they may not be aware of anything suspicious – but they have unknowingly allowed the attacker’s device to gain access to their account through what are known as authentication tokens.

“The phishing activity doesn’t steal passwords or multifactor authentication (MFA) codes. Nor is it a technical flaw in Microsoft systems,” ASD said.

“Instead, users are deceived into approving access for a device or application controlled by a malicious cyber actor.”

ASD warned Australians should “avoid entering a Microsoft code to view something you weren’t expecting”, as what may appear to be a normal sign-in could be part of “a broader phishing campaign”.

This can often involve threat actors using their newfound account access to send phishing threats to other potential victims within the same organisation as their first victim, or even to steal emails or map an organisation’s internal structure.

Microsoft’s national security officer for Australia and New Zealand, Mark Anderson, told Information Age that “we echo ASD’s advice to consumers and organisations to remain vigilant”.

He said “social engineering attacks of this nature seek to exploit legitimate authentication processes opposed to platform vulnerabilities”.


A typical attack chain for device code phishing attacks. Image: Microsoft Defender Security Research Team

Device code phishing ‘exploding’ – partly thanks to AI

Cybersecurity firm Barracuda said in late April that it had already detected more than 7 million device code phishing attacks in the preceding four weeks.

Push Security also said in April that its researchers had recorded a 37.5x increase in device code phishing campaigns since the start of 2026, including a rise in so-called ‘kits’ for the technique being sold among hackers.

The most prominent kit, called EvilTokens, launched in February 2026 and is already powering “massive” Phishing-as-a-Service (PhaaS) campaigns, the researchers said.

Fellow cybersecurity company Proofpoint said last week that device code phishing is “exploding across the threat landscape, with new device code phishing tools emerging every week”.

It believes EvilTokens is created and maintained using code generated with artificial intelligence tools.

AI is also helping attackers execute these attacks, said researchers and ASD.

“A Microsoft device login code usually expires after 15 minutes, and in the past, phishing activities often failed if the victim was slow,” the agency said in its warning to Australians.

“However malicious cyber actors are now using automated systems and AI to request legitimate fresh codes at the exact moment a victim clicks, making the attack more reliable and far more likely to succeed.”

Microsoft’s latest research on code phishing, released in April, said its researchers had observed “a significant escalation in threat actor sophistication” through the use of “automation and dynamic code generation”.

Aside from bypassing the 15-minute expiration window for device codes, AI is also being used to generate “hyper-personalised lures” such as convincing fake invoices and emails designed to increase the likelihood of victims falling for the trap, researchers said.

While Microsoft is “much more heavily targeted at scale now than any other app”, Push Security said, “Any app that supports device code logins can be a target.”

“Popular examples include Microsoft, Google, Salesforce, GitHub, and AWS,” the company added.


Examples of device code phishing landing pages luring potential victims with document access requests. Image: Proofpoint

‘Security defences need to adapt quickly’

Anderson from Microsoft told Information Age that Australians “are not powerless when it comes to defending their data and systems”.

“We recommend everyone use where possible phishing-resistant multifactor authentication such as passkeys, and exercise extreme caution when they receive unexpected emails, links, attachments, or requests to enter verification codes,” he said.

Microsoft researchers said cybersecurity teams should be “blocking device code flow wherever possible”, and should “educate users about common phishing techniques” while also implementing technical security improvements.

Saravanan Mohankumar, a manager in the threat analysis team at Barracuda, said device code phishing has become “a dangerous and scalable threat” which requires attention.

“Security defences need to adapt quickly – layered security controls including advanced email filtering, identity protection mechanisms, and continuous monitoring can significantly limit exposure,” he said.

“Additionally, enforcing strict controls around device authorisation flows and raising awareness about entering verification codes only in trusted contexts can help prevent such attacks from succeeding.”

ASD warned Australians to “never approve a sign‑in you did not personally initiate”, and to “question urgent or unexpected requests involving documents, invoices, or security alerts”.

Organisations, it said, should “explore policy-based identity controls such as conditional access and anti-phishing policies”.
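
For teams acting on the monitoring advice above, the following is an added example (not code from ASD, Microsoft or any vendor quoted here) of a sign-in log check that flags successful device code sign-ins by accounts with no approved need for that flow, or from an address not previously seen for that account. The field names are assumptions modelled on Microsoft Entra sign-in log exports, and the log lines, allowlist and function name are constructed for illustration.

```python
import json
from collections import defaultdict

# Constructed sample records. Field names are assumptions modelled on a
# Microsoft Entra sign-in log export; map them to your own log schema.
SAMPLE_LOG = """
{"createdDateTime":"2026-05-04T00:30:00Z","userPrincipalName":"meetingroom1@example.com","authenticationProtocol":"none","ipAddress":"203.0.113.20","errorCode":0}
{"createdDateTime":"2026-05-04T01:10:00Z","userPrincipalName":"alice@example.com","authenticationProtocol":"none","ipAddress":"203.0.113.10","errorCode":0}
{"createdDateTime":"2026-05-04T02:00:00Z","userPrincipalName":"meetingroom1@example.com","authenticationProtocol":"deviceCode","ipAddress":"203.0.113.20","errorCode":0}
{"createdDateTime":"2026-05-04T03:15:00Z","userPrincipalName":"alice@example.com","authenticationProtocol":"deviceCode","ipAddress":"198.51.100.77","errorCode":0}
{"createdDateTime":"2026-05-04T03:20:00Z","userPrincipalName":"bob@example.com","authenticationProtocol":"deviceCode","ipAddress":"198.51.100.77","errorCode":1}
"""

# Hypothetical allowlist: accounts with a real need for device code sign-in,
# such as shared meeting-room or input-constrained devices.
APPROVED_DEVICE_CODE_USERS = {"meetingroom1@example.com"}


def find_suspect_device_code_signins(lines, approved):
    """Return (time, user, ip, reasons) for each suspicious device code sign-in."""
    events = sorted((json.loads(line) for line in lines if line.strip()),
                    key=lambda e: e["createdDateTime"])
    known_ips = defaultdict(set)  # per-user baseline built from earlier successes
    alerts = []
    for ev in events:
        user, ip = ev["userPrincipalName"], ev["ipAddress"]
        succeeded = ev["errorCode"] == 0  # 0 = success; non-zero value is constructed
        if succeeded and ev["authenticationProtocol"] == "deviceCode":
            reasons = []
            if user not in approved:
                reasons.append("user not approved for device code flow")
            if ip not in known_ips[user]:
                reasons.append("IP not seen in user's earlier sign-ins")
            if reasons:
                alerts.append((ev["createdDateTime"], user, ip, reasons))
        if succeeded:
            known_ips[user].add(ip)
    return alerts


if __name__ == "__main__":
    for when, user, ip, reasons in find_suspect_device_code_signins(
            SAMPLE_LOG.splitlines(), APPROVED_DEVICE_CODE_USERS):
        print(f"{when} {user} from {ip}: {'; '.join(reasons)}")
```

An alert from a check like this is a prompt to confirm with the user whether they initiated the sign-in, in line with ASD’s advice to never approve one they did not.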