New Phishing Scam Uses Microsoft’s Own Login Process to Steal Accounts

Cybercriminals are using a new phishing method that tricks people into giving them access to their Microsoft 365 accounts without stealing their password.

Instead of creating a fake Microsoft login page, the attackers take advantage of a real Microsoft feature that is normally used to sign in on devices like smart TVs, printers, and other devices that don’t have a keyboard.

Here’s how the scam works:

A victim receives an email that looks legitimate. It may claim that someone has shared a document, requested a payment, or invited them to collaborate on a file.

When the person clicks the link, they are asked to enter a short code on Microsoft’s real sign-in page. Because the page is genuine, many people assume everything is safe.

What they don’t realize is that the code was created by the attacker. By entering it, they unknowingly approve the hacker’s login request instead of their own.

At no point does the attacker need the victim’s password. Even accounts protected with multi-factor authentication (MFA) can be compromised because the victim is unknowingly approving the attack themselves.

Once inside the account, criminals can:

  • Read and steal emails.
  • Access files stored in OneDrive and SharePoint.
  • Send convincing phishing emails from the victim’s account.
  • Impersonate employees to request payments or sensitive information.
  • Maintain access for extended periods without the victim realizing it.

This method is becoming increasingly popular because it relies on Microsoft’s legitimate sign-in system rather than fake websites. That makes it much harder for users to recognize the attack.

Cybercriminals are also creating ready-made phishing platforms that allow even less experienced attackers to launch these campaigns. These services automate much of the process, making the attacks easier to carry out and more widespread.

How to Stay Safe

  • Never enter a login code unless you personally started the sign-in process.
  • Be cautious of unexpected emails asking you to open shared files, approve payments, or review documents.
  • If Microsoft asks you to enter a device code and you weren’t trying to sign in to a new device, stop immediately.
  • Verify unusual requests by contacting the sender through another trusted method.
  • Report suspicious emails to your IT or security team instead of interacting with them.

As phishing attacks continue to evolve, criminals are relying less on fake login pages and more on manipulating people into approving legitimate sign-in requests. Understanding how these scams work is one of the best ways to avoid becoming a victim.