Hundreds of orgs compromised daily in Microsoft device code phishing attacks

Hundreds of organizations have been compromised daily by a Microsoft device-code phishing campaign that uses AI and automation at nearly every stage of the attack chain to ultimately snoop through corporate email inboxes and steal financial data. "Since March 15, 2026, we have observed 10 to 15 distinct campaigns launching …

  1. Groo The Wanderer - A Canuck Silver badge

    Interesting. So there can be so much authentication in an organization that users come to treat it as a rote system request with muscle-memory approval of said requests.

    Let me know when they start targeting CAN$0.92 bank balances like mine; then I'll worry about it. :)

    1. Gene Cash Silver badge

      Especially when the goddamn pages expire after 15 minutes and you need to re-authenticate.

      1. Groo The Wanderer - A Canuck Silver badge

        For a moment I thought you were talking about the 15 minutes they give you to approve the request, then I realized you're probably talking about your line of business in-house applications expiring.

        Yeah, people need to realize that unless and until the web pages can detect and report desktop activity (i.e. the user has not wandered away), timing out after short intervals is just painfully BAD DESIGN! Only secure data access requests should require re-authentication during the user's workday, stuff like changing passwords, adding users, or changing the security group configurations for the system. Day to day operations like accounting data entry should just stay live on the user's desktop.

        In theory, at least, if their desktop is active, they should be working on whatever their daily routine is, unless they've clocked out for a coffee/smoke/reefer break (welcome to Canada, eh!), or gone for lunch.

        1. druck Silver badge

          Again here the only login which lasts all day is the domain login and email. Confluence, Jira, Bitbucket, etc, etc seem to have to be re-entered every 4 hours.

          I swear that 25% of my work day is just entering my username and mandated to be very long and frequently changing password.

          1. David Hicklin Silver badge

            > very long and frequently changing password

            Used to hate that one, the Broadcom "portal" (yeah I know, but it is what £WORK insisted on using) where the password would seemingly randomly expire and you had to request an email to get a link to reset it. No "your password expires in X days, do you want to reset it?", just nuked from orbit.

            Thankfully retired now and recovering from the experience.

      2. M.V. Lipvig Silver badge

        So so true. One test system I work with boots me out 20 minutes after I log in. What's bad is it doesn't reset the logout timer when actively using it, and it doesn't tell you you're logged out. I'll be actively entering commands when it'll just stop responding. It'll continue to look like it's working, it'll accept commands on its screen, but it just... stops responding. Worst of all, it's not an instant response system. Sometimes commands take a minute or two to execute and report, so there I am waiting on something to execute and I'm not even logged in.

    2. blu3b3rry Silver badge

      If ~WORKPLACE is anything to go by, people treating it by rote is definitely the case. I can log into the MS account on my work PC without 2FA, but everything else will require it at what appears to be within 48 hour intervals (and sometimes more often if something in the background borks and resets stuff).

      Added fun is that although OneDrive and Windows can normally use the same token, Teams and Outlook apparently can't or won't share and insist you do the login + authenticate separately.

      This can lead to a small pile of repeated authentications. Accessing everything I need can sometimes involve doing the authenticator entry four or more times after logging in of a morning. It's frequent and annoying enough that most people appear to do it without a second thought.

      1. Irongut Silver badge

        > although OneDrive and Windows can normally use the same token, Teams and Outlook apparently can't or won't share

        Yes they do. I login once a week with MFA to Windows or Teams and that covers me for all MS apps.

        Either something is wrong with your tenant or someone in your IT dept. set it up that way.

  2. DavidRa

    Clean your own house first Microsoft

    I suppose at some point they will consider allowing Azure Stack HCI (the premium hypervisor they want to push as a replacement for plain old Hyper-V clustering) to use real authentication to onboard then, not device flow?

    Nah... Why do that when you can just blame others?

  3. powershift

    Impressive use of AI if true. Why are all the success stories from bad actors?

    1. vtcodger Silver badge

      Why?

      Because the bad actors only need AI to be right every now and then.

      You and I on the other hand mostly need it to be right always.

      1. cyberdemon Silver badge

  4. Blackjack Silver badge

    Plaintext email has no links to click or code to execute.

    1. vtcodger Silver badge

      Shiny ... Me want

      > Plaintext email has no links to click or code to execute.

      A point that was made repeatedly by numerous people back in the 1990s when the HTML email stupidity first came into use. Proving only that it's remarkably hard to discourage a bad idea when said idea is new and shiny.

      1. Mike 125

        Re: Shiny ... Me want

        > it's remarkably hard to discourage a bad idea when said idea is new and shiny.

        new, shiny and convenient

        1. Pussifer

          Re: Shiny ... Me want

          Mike 125 said: "new, shiny and convenient"

          Conveniently allowing email to be hacked and/or attacked?

      2. Doctor Syntax Silver badge

        Re: Shiny ... Me want

        It remains hard to discourage even when it becomes old and very badly smudged.

    2. doublelayer Silver badge

      But it doesn't make it any harder to paste a URL in it so people can go somewhere, which users are already used to and will become more used to because emails often direct people to other locations. HTML does not cause this. Plain text will not fix it.

      1. vtcodger Silver badge

        The problem with html email

        True enough. Links to evil URIs are a problem for any type of messaging. That's not the problem with HTML email. The potential -- and at times actual -- problem with html email is access to flawed OS APIs via the <script> tag. Text email can't do that.

        1. doublelayer Silver badge

          Re: The problem with html email

          There are two problems with the complaints about HTML email. One is that they do claim HTML to be to blame for a malicious URI, as in this case. There is no script in that mail. There's a link to a place people shouldn't go.

          The second is what you've implied. Try sending some JavaScript in email and see how many people who receive it have it executed. I don't doubt that some mail client exists that does execute that, but nothing normal, client or webmail, does. That's not new. HTML email has been static but formatted for most of the time HTML in email has been supported. People who pretend it has powers it does not aren't making a convincing argument; the argument should be "no JS in email" instead of "no HTML in email", and the valid argument would end up a rather short one as it's already been won.

  5. Doctor Syntax Silver badge

    "This makes it easy for the user to sign in, but it comes with a security tradeoff."

    Convenience beats security every time, as does using >=3rd parties to implement it.

  6. FrogsAndChips

    Attack surface?

    One thing that's not clear in the article nor in the blog is: does this method only allow you to take control of devices such as smart TV and printers, or is Device Code Authentication also enabled by default for other assets?

    1. David Hicklin Silver badge

      Re: Attack surface?

      I can see your confusion as they use those as an example of the auth methods used to get access to them, whilst it would seem that Microsoft 365 applications can also have a similar mechanism where a web page gives you a code to enter to get access.

      Not 100% sure if I am right as I don't use any Micro$lop 365 applications

  7. AnAnonymousCanuck

    Email Content

    Microsoft account

    Your Microsoft Authenticator App Will expire soon

    Your organization requires you to update your Authenticator App. Your current Authenticator will expire in 48 hours.

    What happens if I don't update? You will be unable to sign in to your email, OneDrive, Teams, and other Microsoft 365 services until your authenticator app is updated.

    Click the button below to verify your identity and set a new Code for your Authenticator app.

    Update Authenticator App

    This is an automated message from your organization's identity platform.

    © 2026 Microsoft Corporation, One Microsoft Way, Redmond, WA 98052

    Link goes to https://admin.portalunimed.com.br/c/blogs/find_entry?p_l_id=%200&noSuchEntryRedirect=https://crosfot00346.s3.us-east-1.amazonaws.com/newerauthh90

    YMMV

    AAC
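The lure link in the comment above is an open-redirect chain: a blog "find_entry" endpoint whose noSuchEntryRedirect parameter carries the real landing page on generic object storage. The following is an added triage example (not from the article or any commenter) that follows nested URLs in query parameters and flags a link whose final host does not belong to the brand the email claims to be from; the Microsoft domain suffixes and the storage heuristic are my assumptions.

```python
from urllib.parse import urlparse, parse_qs, unquote

# Lure URL quoted in the comment above, used here as sample input.
LURE_URL = ("https://admin.portalunimed.com.br/c/blogs/find_entry?p_l_id=%200"
            "&noSuchEntryRedirect=https://crosfot00346.s3.us-east-1.amazonaws.com/newerauthh90")

# Assumed set of domains a genuine Microsoft sign-in link would land on.
MICROSOFT_SUFFIXES = ("microsoft.com", "microsoftonline.com", "live.com", "office.com")


def find_embedded_redirects(url, max_depth=5):
    """Return the chain of hosts a link passes through, following any query
    parameter whose decoded value is itself an absolute http(s) URL."""
    chain, current = [], url
    for _ in range(max_depth):
        parsed = urlparse(current)
        chain.append(parsed.netloc.lower())
        nested = None
        for values in parse_qs(parsed.query, keep_blank_values=True).values():
            for value in values:
                value = unquote(value).strip()
                if value.lower().startswith(("http://", "https://")):
                    nested = value
                    break
            if nested:
                break
        if not nested:
            break
        current = nested
    return chain


def triage_link(url, claimed_suffixes=MICROSOFT_SUFFIXES):
    """Score a link from a message that claims to come from a given brand."""
    chain = find_embedded_redirects(url)
    final = chain[-1]
    reasons = []
    if len(chain) > 1:
        reasons.append("open redirect chain: " + " -> ".join(chain))
    if not any(final == s or final.endswith("." + s) for s in claimed_suffixes):
        reasons.append(f"final host {final} is not a claimed-brand domain")
    if ".s3." in final or final.endswith("amazonaws.com"):  # assumed heuristic
        reasons.append("landing page on generic object storage")
    return {"chain": chain, "reasons": reasons, "suspicious": bool(reasons)}
```

Treat the brand allowlist as a starting point: legitimate mail does sometimes link through vanity or tracking domains, so use the reasons as triage signals rather than a verdict.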

  8. Anonymous Coward

    Well don't lock basic security behind a paid subscription

    "Microsoft recommends blocking it wherever possible."

    I think they forgot that you need either P1, Biz Premium or E3 at a minimum to block it unless they make a change.

    RIP those businesses on Biz Standard or Biz Basic :D

  9. mw_foot

    Block device login by default

    I don’t know why this isn’t blocked by default. Microsoft could have an exclusion group for service accounts where device login is required.

    I thought MS were focusing on Secure by default now.

    1. Richard 12 Silver badge

      Re: Block device login by default

      That's not until the EU forces it in December 2027.

      Until then, you're on your own

  10. ecofeco Silver badge

    HAHAHAHAHAHAHAHAHAHAHA

    I think I hurt myself laughing.

    Morons. Utter morons.

    So much FAIL in so little time!

  11. Eric 9001

    Microsoft will not be held liable for things they designed to ensure happen yet again.

    It is total insanity to have an email account use the same login for things unrelated to email and then train the user to need to log in to that account 5 times a day, with login regularly failing too.

    The result is that when the user receives an email about a "secure document" from a trusted customer (that is used by Microsoft and thus had their email hijacked a day or so before) and they see another Microsoft login prompt, they automatically enter the stupid account details and then "document access" proceeds to "fail", as it regularly does; they don't think twice about it beyond sending an email back about not being able to access the file and carry on.

    The process continues with all the customers of that business - many of the customers that are businesses that are used by Microsoft then have their email hijacked as well.

    The only hope such businesses have is that the attackers are mostly incompetent and are doing everything via LLM prompt and seem to only have the goal of continued hijacking and sending out invoices with their bank details for profit - thus revoking all the login tokens and setting a new password ends the attack (although much worse things can be done if a prompt to save all the emails to disk is worked out, as a lot of passwords to bank accounts etc do get sent via email).

    Businesses that aren't totally incompetent and don't use Outlook or other Microsoft software and instead have normal email and have an SMTP+IMAP username/password that is inserted into the email client by the admin (which will never be logged out or reset unless the device is compromised, as there is no reason to reset the password otherwise), will never have that problem by design.

  12. chelper

    Direct explanation please

    I read through the article at least two times before I understood how this would look to an intended victim. In future, please include a description of what the end user or victim sees so I can explain in simple terms what a potential victim should watch for and what red flags they may see. Thanks
