Most people have learned to be skeptical of suspicious emails and fake login pages. If something looks unusual, they know to stop before entering their password. Unfortunately, cybercriminals are adapting.

The FBI recently issued a warning about a phishing campaign targeting Microsoft 365 users that works differently from traditional phishing attacks. Instead of trying to steal your password, the attackers abuse a legitimate Microsoft sign-in process, the device code flow, to gain access to business accounts.

That distinction matters because the sign-in page the victim is sent to is Microsoft's own. In many cases there are no obvious warning signs that anything is wrong.

For businesses that rely on Microsoft 365 every day, understanding how this attack works can help prevent a costly security incident.

How This Scam Works

The attack typically begins with an email or message that appears to come from a trusted source. It might reference a shared document, voicemail, invoice, or another routine business task. Instead of asking you to enter your password, the message directs you to a real Microsoft verification page and asks you to enter a device code or approve a sign-in request.

Because the page is hosted by Microsoft, it looks exactly like it should. Your browser won’t warn you. Your password manager may even recognize the website as legitimate.

The problem isn’t the website. The problem is that the login request was initiated by someone else.

When you enter the code or approve the request, you are authorizing the session that requested the code, which is the attacker's, to access your Microsoft 365 account. Microsoft then issues the sign-in tokens to that session, not to your browser. Unlike most phishing attacks, the attacker never needs your password; it never passes through their hands at all.
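The exchange described above, as an added example that is not code from the original article or from Microsoft: a toy authorization server stands in for Microsoft's identity platform so the three steps of the OAuth 2.0 device authorization grant (the protocol behind Microsoft's "enter this code" page) run offline. Every name, URL, code format and token in it is constructed; the point is to show which party holds which code and who ends up with the token.

```python
"""Simulation of the sign-in flow abused here: the OAuth 2.0 device
authorization grant (RFC 8628), which is what sits behind Microsoft's
"enter this code" page. Added example, not code from the original article
or from Microsoft: ToyAuthorizationServer is a stand-in for the identity
provider so the exchange runs offline, and every name, URL, code format
and token in it is constructed."""
import secrets
import time


class ToyAuthorizationServer:
    """Minimal identity provider. A real one also rate-limits polling and
    ties the code to a registered client_id, but the shape is the same."""

    def __init__(self, code_lifetime_s=900):
        self.code_lifetime_s = code_lifetime_s
        self._pending = {}  # device_code -> pending authorization

    def device_authorization(self, client_id, scope):
        """Step 1: the client device asks for a code pair. The caller never
        talks to the victim; it only learns device_code and user_code."""
        device_code = secrets.token_urlsafe(32)  # secret; stays with the client
        user_code = "-".join(  # short human-typeable code (constructed format)
            f"{secrets.randbelow(10_000):04d}" for _ in range(2))
        self._pending[device_code] = {
            "client_id": client_id,
            "scope": scope,
            "user_code": user_code,
            "expires_at": time.time() + self.code_lifetime_s,
            "authorized_by": None,
        }
        return {
            "device_code": device_code,
            "user_code": user_code,
            "verification_uri": "https://idp.example/devicelogin",  # constructed
            "expires_in": self.code_lifetime_s,
            "interval": 5,
        }

    def user_approves(self, user_code, username, mfa_passed):
        """Step 2: a human types user_code on the *legitimate* verification
        page and completes MFA there. Whoever does this binds their own
        account to the client that requested the code."""
        for state in self._pending.values():
            if state["user_code"] == user_code and time.time() < state["expires_at"]:
                if not mfa_passed:
                    return "mfa_required"
                state["authorized_by"] = username
                return "approved"
        return "invalid_code"

    def token(self, device_code):
        """Step 3: the client polls with its device_code. Once the matching
        user_code has been approved, tokens for *that* user are issued to
        the caller; no password is ever involved."""
        state = self._pending.get(device_code)
        if state is None or time.time() >= state["expires_at"]:
            return {"error": "expired_token"}
        if state["authorized_by"] is None:
            return {"error": "authorization_pending"}
        return {
            "token_type": "Bearer",
            "scope": state["scope"],
            "access_token": f"tok-for-{state['authorized_by']}",  # constructed
        }


def run_phish_scenario(victim="victim@example.com"):
    """Walk through the attack end to end and return what each side saw."""
    idp = ToyAuthorizationServer()
    # The attacker starts the flow on their own machine and keeps device_code.
    grant = idp.device_authorization(client_id="attacker-client",
                                     scope="Mail.Read Files.Read")
    # Nobody has approved yet, so polling just says "pending".
    first_poll = idp.token(grant["device_code"])
    # The lure e-mail carries only user_code. The victim types it on the
    # real page and satisfies MFA themselves: the page is genuine, the
    # request behind it is not.
    approval = idp.user_approves(grant["user_code"], victim, mfa_passed=True)
    # The attacker polls again and receives a token for the victim's account.
    second_poll = idp.token(grant["device_code"])
    return {"first_poll": first_poll, "approval": approval, "token": second_poll}


if __name__ == "__main__":
    result = run_phish_scenario()
    print("attacker's first poll :", result["first_poll"])
    print("victim's approval     :", result["approval"])
    print("attacker's second poll:", result["token"])
```

Notice that the victim's browser never receives a token; the only thing the victim contributes is the approval, and the server hands the result to whoever holds the matching device_code. That is also why the MFA step does not help here: it is completed honestly, by the victim, for a session the attacker owns.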

Why This Attack Is Different

Most cybersecurity awareness training teaches employees to look for fake websites, misspelled domain names, or suspicious email addresses. Those are still important warning signs, but this attack doesn’t depend on any of them.

Instead, it abuses a legitimate Microsoft feature, the device code flow, designed for signing in on devices that don't have a convenient keyboard or browser, such as smart TVs or conference room equipment: the device displays a short code, and the user enters it on a separate device they already trust. Cybercriminals misuse that design by starting the sign-in on their own machine and convincing someone else to complete it on their behalf.

Because the victim completes the entire sign-in, MFA prompt included, through Microsoft's own systems, the attack does not need to break multi-factor authentication (MFA). The user satisfies the MFA check, and Microsoft issues the resulting session to the attacker. That's why this scam has received so much attention from security professionals and the FBI.

What Could an Attacker Access?

For many businesses, a Microsoft 365 account is much more than email. Depending on the user’s permissions, an attacker could potentially access:

  • Outlook email
  • Microsoft Teams conversations
  • OneDrive files
  • Shared documents
  • Calendars
  • Contact information

From there, they may attempt to impersonate employees, send convincing emails to coworkers or customers, or look for additional opportunities to move through the organization. One compromised account can quickly become a much larger problem.

The Best Defense Is Still Awareness

The good news is that this attack can often be stopped with one simple habit. Trust, but verify.

Before entering a Microsoft device code, approving an MFA prompt, scanning a QR code, or clicking a sign-in link, pause for a moment and ask yourself:

  • Did I start this login?
  • Was I expecting this request?
  • Do I know why I’m being asked to do this?
  • Is this request coming from someone I trust?

If the answer to any of those questions is no, don’t continue until you’ve verified the request. Taking just a few extra seconds can prevent unauthorized access to your account and your organization’s data.

What Businesses Should Do

While employees play an important role, protecting against attacks like this isn’t solely their responsibility. Business leaders should make sure their teams understand that legitimate-looking sign-in requests can still be part of a phishing attack. Regular security awareness training should include examples like this so employees know what to watch for.

It’s also a good idea to review your Microsoft 365 security settings with your IT provider. The FBI recommends evaluating whether your organization needs device code authentication at all and restricting it where it isn't needed. In Microsoft Entra, that restriction is a Conditional Access policy using the "Authentication flows" condition, which can block the device code flow outright or allow it only for the accounts and devices that genuinely need it. Device code sign-ins are also recorded in the sign-in logs, so they can be reviewed for ones nobody in the organization started.
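One way to do that review, as an added example that is not code from the original article or from Microsoft: a small hunt over sign-in records that flags successful device-code sign-ins from a country the user has never signed in from by any other method, or for which there is no other sign-in history at all. The log lines are constructed; they borrow only a few field names from Microsoft Entra sign-in logs (userPrincipalName, authenticationProtocol, ipAddress, location.countryOrRegion, status.errorCode), and a real export carries many more fields.

```python
"""Hunt for device-code sign-ins that do not fit a user's normal pattern.
Added example, not from the original article. The log lines below are
constructed; they borrow a few field names from Microsoft Entra sign-in
logs so the logic maps onto a real export, which has many more fields."""
import json
from collections import defaultdict

# Constructed sample: alice signs in normally from the US, approves one
# device code from the US (plausibly a conference room) and one from NL
# (suspicious); bob has only a failed normal sign-in, then a successful
# device-code sign-in from DE with no history to compare against.
SAMPLE_SIGNINS = """\
{"createdDateTime":"2025-01-06T08:02:11Z","userPrincipalName":"alice@example.com","authenticationProtocol":"oAuth2","ipAddress":"198.51.100.10","location":{"countryOrRegion":"US"},"status":{"errorCode":0}}
{"createdDateTime":"2025-01-06T09:15:40Z","userPrincipalName":"alice@example.com","authenticationProtocol":"oAuth2","ipAddress":"198.51.100.10","location":{"countryOrRegion":"US"},"status":{"errorCode":0}}
{"createdDateTime":"2025-01-06T09:20:03Z","userPrincipalName":"alice@example.com","authenticationProtocol":"deviceCode","ipAddress":"198.51.100.44","location":{"countryOrRegion":"US"},"status":{"errorCode":0}}
{"createdDateTime":"2025-01-06T14:47:52Z","userPrincipalName":"alice@example.com","authenticationProtocol":"deviceCode","ipAddress":"203.0.113.77","location":{"countryOrRegion":"NL"},"status":{"errorCode":0}}
{"createdDateTime":"2025-01-06T10:01:00Z","userPrincipalName":"bob@example.com","authenticationProtocol":"oAuth2","ipAddress":"198.51.100.12","location":{"countryOrRegion":"US"},"status":{"errorCode":50126}}
{"createdDateTime":"2025-01-06T11:30:19Z","userPrincipalName":"bob@example.com","authenticationProtocol":"deviceCode","ipAddress":"192.0.2.200","location":{"countryOrRegion":"DE"},"status":{"errorCode":0}}
"""


def parse_signins(text):
    """One JSON object per line, blank lines ignored."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def succeeded(rec):
    # errorCode 0 is a successful sign-in; anything else (or a missing
    # status block) is treated as a failure.
    return rec.get("status", {}).get("errorCode", 1) == 0


def country(rec):
    return rec.get("location", {}).get("countryOrRegion", "??")


def baseline_countries(records):
    """Countries each user has successfully signed in from *without* the
    device code flow. Failed attempts do not count toward the baseline."""
    base = defaultdict(set)
    for r in records:
        if succeeded(r) and r.get("authenticationProtocol") != "deviceCode":
            base[r["userPrincipalName"]].add(country(r))
    return base


def find_suspicious_device_code_signins(records):
    """Successful device-code sign-ins that either come from a country the
    user has no other sign-in from, or belong to a user with no baseline."""
    base = baseline_countries(records)
    hits = []
    for r in records:
        if r.get("authenticationProtocol") != "deviceCode" or not succeeded(r):
            continue
        upn = r["userPrincipalName"]
        known = base.get(upn, set())
        if not known:
            reason = "no successful non-device-code sign-in history for this user"
        elif country(r) not in known:
            reason = f"country {country(r)} not in user's baseline {sorted(known)}"
        else:
            continue  # device code used from a familiar location; not flagged here
        hits.append({"user": upn, "ip": r["ipAddress"], "country": country(r),
                     "time": r["createdDateTime"], "reason": reason})
    return hits


if __name__ == "__main__":
    for hit in find_suspicious_device_code_signins(parse_signins(SAMPLE_SIGNINS)):
        print(hit)
```

A device-code sign-in from a familiar location is deliberately not flagged, because that is what a legitimate conference room or shared display looks like; the two that are flagged are the ones worth a phone call to the user. If the answer is "I didn't start that", the next steps are the usual ones for a compromised account: revoke the user's sessions, reset credentials, and look at what the session did. The same question can be asked directly against the tenant's sign-in logs filtered on the device code authentication protocol, and the preventive control is the Conditional Access policy described above.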

Security tools are important, but informed users remain one of the strongest defenses against phishing.

Final Thoughts

Cybercriminals are constantly changing their tactics. Rather than building fake websites that are easier to spot, they’re increasingly finding ways to misuse legitimate services that people already trust. That’s why awareness matters.

The next time you’re asked to enter a Microsoft device code or approve an unexpected sign-in request, remember one simple rule:

The page may be real. The request may not be.

If something doesn’t feel right, stop and verify before moving forward.