
Cybercrooks Now Stealing Tax Accounts Encrypted Chats


Hackers Just Got Smarter, Here’s How

Online scams aren’t going away; they’re just getting sneakier. The newest threat isn’t about stealing your password. It’s about getting you to hand over access without realizing it. This trick, called device code phishing, uses real login systems against you.

Instead of fake websites, this scam sends real-looking invites and asks you to enter a code. You think it’s safe because it’s a real Microsoft login page. But that code doesn’t connect your device; it connects theirs.


What Makes This Scam So Sneaky

Device code phishing works because it doesn’t look like a scam. It uses real tools from trusted companies, like Microsoft or Google, to make everything seem normal. There are no fake links, no sketchy websites, just an official-looking prompt and a request for a code.

By the time you realize something’s wrong, it’s too late. These attacks don’t require your password, so even people with strong logins or two-factor protection can fall for it. That’s what makes this method so dangerous; it hides in plain sight and blends in with your daily digital routine.


It All Starts With An Invite

These phishing scams often begin with an email or calendar invite that seems normal. Maybe it’s a meeting from your “IT team” or a message from a coworker asking you to join a video call. It looks routine, and that’s the trap.

When you click the link, you’re taken to a real Microsoft login page. You’re then asked to enter a device code, and you trust it because everything looks legit. But that code doesn’t log you into anything; it gives the hacker access instead.


Real Websites, Real Danger

In the past, phishing scams used fake websites with small spelling errors or weird-looking links. Now, attackers use real websites. That’s right, the same pages you log into every day are being used in these scams.

This makes it much harder to tell what’s real and what’s a trap. Because you’re using a real Microsoft login page, your browser doesn’t raise any red flags. Security tools also struggle to detect anything wrong. The danger isn’t in a fake website; it’s in how the site is used.


Device Codes, A Backdoor In Disguise

Device codes are meant to make logging in easier on smart TVs and other devices. But now, hackers are using them to trick people into giving away access. It feels like a secure step, but it’s a clever disguise.

When you enter the code, you’re not logging yourself in. You’re authorizing the attacker’s session. The login page doesn’t ask for your password, which feels safe, but that’s what makes it risky.


Why Multi-Factor Authentication Isn’t Enough

Multi-factor authentication (MFA) enhances account security by requiring additional verification steps. However, in device code phishing attacks, the authentication process is manipulated through legitimate channels, allowing attackers to gain access without triggering MFA alerts. That’s because the scam doesn’t trigger the usual warning signs MFA looks for.

Instead of breaking in, the hacker waits for you to let them in. Since the login process happens through a trusted system, your account sees it as normal. MFA checks the session, not who’s actually on the other end.


Session Tokens, The Hidden Key

After the device code is entered, the attacker receives something called a session token. This token tells the system, “This user is verified, let them in.” No more logins, no extra checks: it’s a free pass.

These tokens are often long-lasting and allow hackers to stay logged in. That’s why these attacks are so powerful. Even if you change your password later, they may still be inside your account until that session ends. It’s like giving someone a spare key and forgetting they have it.


New Twist, Blob-Based Phishing

Another technique hackers employ involves ‘blob URIs’—browser-generated URLs that create temporary web pages within your browser. These pages are not hosted on external servers, making them challenging for security tools to detect. Nothing is downloaded, and no public site is used.

These blob pages look just like the real login screens you trust. But everything happens inside your browser window, making it harder for security tools to see what’s going on. You enter your info, and it’s sent straight to the attacker, without you ever knowing.


Why Security Software Can Miss The Signs

Many people rely on antivirus software and email filters to catch scams. But device code phishing and blob-based attacks often sneak right past them. That’s because the threats look normal on the surface.

Since real login pages and email addresses are used, nothing appears suspicious. The real damage happens only after a code is entered or a blob URI runs inside your browser. By that point, the scam has already worked.


The Role Of Social Engineering

Phishing isn’t just about technology; it’s about people. These scams work because attackers use social engineering to trick you into doing something you normally wouldn’t.

They pretend to be someone you trust, like a coworker or IT staff. They make you feel like you’re helping or following a routine task. And that’s exactly why people fall for it. The goal is to lower your guard, just long enough to make a mistake.


Recognizing Suspicious Invitations

Not every meeting invite is what it seems. If you get an email or message with a meeting link you didn’t expect, be cautious. Especially if it asks you to log in or enter a code right away.

Don’t click or type anything until you double-check with the sender. Use a separate channel, like texting them or calling their number directly. Hackers count on you trusting the invite. A few seconds of caution can stop the attack before it starts.


Don’t Share Or Enter Strange Codes

Device codes are meant for personal use. If you get a code in a message or email you didn’t request, don’t use it. Real services won’t send a random login code and ask you to enter it on a different page.

These codes act like keys. And giving someone a key to your house when you don’t know who they are is never a good idea. Only enter codes when you’ve started the process yourself, and always on your trusted device.


What Companies Can Do To Fight Back

Organizations like Microsoft, Google, Amazon, and others that offer device-based login flows need to take this threat seriously. A smart first step is reviewing how device codes are used across internal systems.

Businesses should also limit which devices can use these codes. By allowing only trusted or registered hardware to log in, they reduce the chances of a scammer gaining access. Less access means fewer opportunities for hackers to strike.


Stronger Access Rules Save the Day

Companies can add another line of defense with conditional access policies. These rules let systems block or challenge login attempts based on details like location, time, or device type.

For example, if someone logs in from another country at 3 a.m., the system might ask for more proof or deny access. These policies help catch odd behavior that doesn’t match a user’s habits, and they work even if someone has the right login credentials.
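One way to express these rules as code, combining the registered-hardware restriction on device codes with the location and time checks. This is an added example, not part of the original article or any vendor's product; the record fields, the baseline structure and the function `evaluate` are hypothetical, and all sign-in records are constructed.

```python
from datetime import datetime, timezone

# Constructed per-user baseline. Field names are hypothetical, not a vendor schema.
BASELINE = {
    "alice@example.com": {
        "countries": {"US"},
        "hours_utc": range(12, 24),          # usual working hours, in UTC
        "registered_devices": {"LAPTOP-A1"},
    },
}

def evaluate(signin, baseline=BASELINE):
    """Return (decision, reasons); decision is "allow", "challenge" or "block"."""
    profile = baseline.get(signin["user"])
    if profile is None:
        return "block", ["no baseline for user"]
    registered = signin.get("device_id") in profile["registered_devices"]
    # A device code grant is approved on one device and used on another,
    # so only registered hardware is allowed to finish that flow.
    if signin["flow"] == "device_code" and not registered:
        return "block", ["device code flow from unregistered device"]
    reasons = []
    if signin["country"] not in profile["countries"]:
        reasons.append("unusual country")
    hour = datetime.fromisoformat(signin["time"]).astimezone(timezone.utc).hour
    if hour not in profile["hours_utc"]:
        reasons.append("unusual hour")
    if not registered:
        reasons.append("unregistered device")
    if len(reasons) >= 2:
        return "block", reasons
    return ("challenge", reasons) if reasons else ("allow", reasons)

# Constructed sign-in records for the example.
SAMPLE = [
    {"user": "alice@example.com", "flow": "interactive", "country": "US",
     "time": "2025-05-02T15:00:00+00:00", "device_id": "LAPTOP-A1"},
    {"user": "alice@example.com", "flow": "device_code", "country": "US",
     "time": "2025-05-02T15:05:00+00:00", "device_id": None},
    {"user": "alice@example.com", "flow": "interactive", "country": "US",
     "time": "2025-05-02T03:10:00+00:00", "device_id": "LAPTOP-A1"},
    {"user": "alice@example.com", "flow": "interactive", "country": "RO",
     "time": "2025-05-02T03:10:00+00:00", "device_id": "LAPTOP-A1"},
]

if __name__ == "__main__":
    for record in SAMPLE:
        print(record["flow"], record["country"], evaluate(record))
```

The device code rule is checked first and blocks outright, because a correct password and MFA prompt on the victim's side say nothing about the device that ends up holding the session.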


AI Can Spot The Weird Stuff

Behavior-based AI tools can be game changers. These systems learn how users normally behave: when they log in, where they log in from, and what devices they use.

If something looks off, like logging in from two places at once, the system can flag it or block access. This helps catch threats in real time. AI doesn’t replace human thinking, but it adds another smart layer of protection that never sleeps.


Keep An Eye On Meeting Activity

Because many of these scams use fake meeting invites, it’s smart for businesses to watch how meeting links are used. Security teams should check for patterns, like someone sending dozens of invites all at once.

If one account suddenly starts inviting lots of random people, especially at odd hours, that’s a red flag. Early detection of unusual meeting behavior can stop phishing campaigns before they spread across the network.
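The invite-burst check described above, as an added example that is not part of the original article: a sliding window counts distinct recipients per sender and notes whether the burst fell in quiet hours. The event tuple layout, the thresholds and the function names are assumptions, timestamps are assumed to be same-format UTC ISO strings, and the events are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

def find_invite_bursts(events, window=timedelta(minutes=10), threshold=20,
                       quiet_hours=range(0, 6)):
    """Flag senders who invite `threshold` or more distinct recipients
    within any `window`. events: iterable of (iso_time, sender, recipient)."""
    recent = defaultdict(deque)   # sender -> (time, recipient) inside the window
    alerts = {}
    for ts, sender, recipient in sorted(events):
        now = datetime.fromisoformat(ts)
        queue = recent[sender]
        queue.append((now, recipient))
        # Drop invites that have aged out of the sliding window.
        while now - queue[0][0] > window:
            queue.popleft()
        distinct = len({r for _, r in queue})
        if distinct >= threshold:
            alert = alerts.setdefault(
                sender, {"peak": 0, "first_seen": ts, "odd_hours": False})
            alert["peak"] = max(alert["peak"], distinct)
            alert["odd_hours"] = alert["odd_hours"] or now.hour in quiet_hours
    return alerts

def sample_events():
    """Constructed data: one account sends 25 invites in about four minutes
    at 02:30, another sends three invites during the afternoon."""
    start = datetime(2025, 5, 2, 2, 30)
    burst = [((start + timedelta(seconds=10 * i)).isoformat(),
              "bob@example.com", f"user{i}@example.net") for i in range(25)]
    normal = [(f"2025-05-02T14:0{i}:00", "carol@example.com",
               f"team{i}@example.com") for i in range(3)]
    return burst + normal

if __name__ == "__main__":
    for sender, alert in find_invite_bursts(sample_events()).items():
        print(sender, alert)
```

Counting distinct recipients rather than raw messages keeps a recurring invite to the same small team from raising an alert.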


Train Your Team To Stay Sharp

Technology helps, but people are the first line of defense. Employees should get regular training on how to spot phishing scams, including new ones like device code phishing.

Training shouldn’t be a one-time thing. Cyber threats change all the time, so teams need to keep learning. Even short monthly updates can make a big difference in helping people stay alert and respond correctly when something feels off.



Stay Alert And Stay Protected

Device code phishing is just one example of how cyber threats are evolving. These scams use real tools in unexpected ways, and they’re hard to spot unless you know what to look for.

But you’re not powerless. By staying informed, asking questions, and using smart tools, you can stay one step ahead. Protecting your data doesn’t have to be complicated; it just takes awareness, good habits, and the right support from your team and technology.


This slideshow was made with AI assistance and human editing.
