You’re preparing for an interview at a company you’ve been wanting to join for months.
After applying online, someone from the hiring team reaches out to you on WhatsApp. They introduce themselves as a recruiter and say they’d like to schedule a quick interview.
Everything seems normal.
The conversation is polite, professional, and even reassuring. They mention the role you applied for and ask if you’re available for a short meeting in the next hour.
Then they send a message:
“Please join the Microsoft meeting by entering this verification code in the below link.”
They include a short code and a link to the official Microsoft Device Login Page.
You click the link.
It’s a real Microsoft page.
You enter the code, sign in to your account, complete the MFA prompt, and wait for the meeting to start.
But the meeting never begins.
Instead, somewhere else in the world, someone just gained access to your account.
What Just Happened?
You didn’t enter your password on a fake website.
You didn’t download malware.
You even authenticated on the legitimate Microsoft login page.
Yet the attacker now has access to your account.
This is a modern phishing technique known as Device Code Phishing, which abuses a legitimate authentication mechanism in Microsoft Entra ID.
Instead of stealing your password, the attacker tricks you into authorizing their device session.
Once you complete the login process, Microsoft issues authentication tokens that allow the attacker to access services such as:
- Microsoft Outlook
- Microsoft Teams
- Microsoft OneDrive
- Microsoft SharePoint
All without ever knowing your password.
Not Every Scenario is THIS Easy to Spot
One of the best examples is listed by Microsoft’s own security blog, which you can visit at https://www.microsoft.com/en-us/security/blog/2025/02/13/storm-2372-conducts-device-code-phishing-campaign/
What the blog shows is a carefully crafted social engineering campaign tailored to the victim's interests: the attacker lures the victim into joining a meeting presented as a “Video Conference”.
You can also see how the attacker creates urgency, claiming that the security ID is only valid for a short time, even though genuine Teams invites rarely expire that quickly. After the conversation, the victim shares their work email address and receives a deceitful but very legitimate-looking meeting invite containing a link to visit and a code to enter.
The page at that link does state that, once the victim enters the code displayed on their app or device, that app or device will have access to their account. It also warns not to enter codes from untrusted sources, but trust is a very human thing, and where interests align, people don't think much.
As soon as the victim enters the code, the attacker has access to their connected accounts without ever having their password.
When someone believes they are speaking with a recruiter, they are far less likely to question instructions, especially if the request appears simple and legitimate.
Until now we have been trained to spot typos and typosquatted domains in emails, but what if someone tricks you using casual chat language?
Messaging apps like Signal or WhatsApp make this even easier for attackers.
Unlike emails, which often contain warning signs such as suspicious domains or formatting issues, a direct message feels more personal and trustworthy.
And because the login happens on Microsoft’s real website, traditional phishing advice like “check the URL” no longer helps.
The Important Lesson
The key thing to remember is this:
You should never enter a device login code unless you initiated the login yourself.
If someone sends you a code and asks you to authenticate on their behalf, even if the website is legitimate, it could be a phishing attempt.
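Because the sign-in itself is genuine, the signal a defender has is the authentication flow that was used, not the URL. The following Python is an added example, not code from the original post or from Microsoft: it lists every Entra ID sign-in completed through the device code flow and escalates those coming from outside the user's usual country or from one IP that redeemed codes for several users. The record fields (authenticationProtocol, ipAddress, location.countryOrRegion, userPrincipalName) are assumed to follow the Microsoft Graph signIn schema, and the sample records are constructed.

```python
from collections import defaultdict

# Constructed sample records, not real telemetry. Field names are assumed to follow the
# Microsoft Graph signIn resource (authenticationProtocol, ipAddress, location, userPrincipalName).
SAMPLE_SIGNINS = [
    {"userPrincipalName": "alice@example.com", "authenticationProtocol": "oAuth2",
     "ipAddress": "203.0.113.10", "location": {"countryOrRegion": "GB"}},
    {"userPrincipalName": "bob@example.com", "authenticationProtocol": "oAuth2",
     "ipAddress": "203.0.113.11", "location": {"countryOrRegion": "DE"}},
    {"userPrincipalName": "carol@example.com", "authenticationProtocol": "oAuth2",
     "ipAddress": "203.0.113.12", "location": {"countryOrRegion": "GB"}},
    # Two users' codes redeemed from one foreign IP: one phishing operator, two victims.
    {"userPrincipalName": "alice@example.com", "authenticationProtocol": "deviceCode",
     "ipAddress": "198.51.100.7", "location": {"countryOrRegion": "US"}},
    {"userPrincipalName": "bob@example.com", "authenticationProtocol": "deviceCode",
     "ipAddress": "198.51.100.7", "location": {"countryOrRegion": "US"}},
    # Device-code login from the user's usual country on its own IP: review, not alarm.
    {"userPrincipalName": "carol@example.com", "authenticationProtocol": "deviceCode",
     "ipAddress": "192.0.2.44", "location": {"countryOrRegion": "GB"}},
]


def baseline_countries(signins):
    """Countries each user signed in from over any protocol other than deviceCode."""
    seen = defaultdict(set)
    for s in signins:
        if s["authenticationProtocol"] != "deviceCode":
            seen[s["userPrincipalName"]].add(s["location"]["countryOrRegion"])
    return seen


def flag_device_code_signins(signins):
    """One (upn, ip, reasons) finding per deviceCode sign-in; every such sign-in is listed
    because the user may never have started one, and reasons mark the ones to escalate."""
    baseline = baseline_countries(signins)
    device = [s for s in signins if s["authenticationProtocol"] == "deviceCode"]
    users_per_ip = defaultdict(set)
    for s in device:
        users_per_ip[s["ipAddress"]].add(s["userPrincipalName"])
    findings = []
    for s in device:
        upn, ip, reasons = s["userPrincipalName"], s["ipAddress"], set()
        if s["location"]["countryOrRegion"] not in baseline.get(upn, set()):
            reasons.add("country-outside-baseline")
        if len(users_per_ip[ip]) > 1:  # same box redeemed codes for several users
            reasons.add("ip-shared-across-users")
        findings.append((upn, ip, reasons))
    return findings
```

In a real tenant the records would come from the sign-in log export rather than the inline list, and a finding with an empty reason set still deserves a quick check with the user, since a device code login they did not start is the whole attack.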