Reference: ALERT: New Phishing Attack Bypasses Multi-Factor Authentication - What You Need to Know

New Phishing Attack Bypasses Multi-Factor Authentication

This article is for everyone. It is a public service announcement, not just for Helix clients, and no technical skills are needed. We'll explain what this threat is, how to spot it, and what to do if you think you're being targeted. Of course, if your IT team doesn't even know about this issue, hit the "Apply to be a client" button.

What You Need to Know Right Now

Hackers are using a technique called "device code phishing" to break into Microsoft 365 accounts (Outlook, Teams, OneDrive), and it works even when you have multi-factor authentication turned on. It abuses a legitimate Microsoft sign-in method built for devices without a keyboard or browser (smart TVs, printers, command-line tools). Active campaigns are hitting companies of every size right now.

The scary part: You can do everything "right" (check the email sender, use your authenticator app, even verify that the Microsoft website is real) and still get hacked.

How This Attack Tricks You

Step 1: You Get a Convincing Email

The email looks legitimate and might be about:

  • A shared document someone wants you to review
  • An invoice or payment that needs attention
  • Your password expiring soon
  • A voicemail waiting for you
  • A business proposal or quote request

Important: These emails are often written with AI tools or carefully crafted by hand, so they look polished. Don't count on spelling errors or bad grammar to give them away; they frequently mention real details about your job, your colleagues, or your company.

Step 2: You Click the Link

When you click, you don't go straight to a fake website. Instead, you bounce through several legitimate cloud services that most companies trust. Because the link in the email points at a reputable service, email security filters are much less likely to flag it.

Step 3: You See a "Verification Code"

You land on a page that shows you a code (like "A1B2-C3D4") and tells you to:

  1. Go to microsoft.com/devicelogin in a new tab
  2. Enter this code to "verify your account"

This is the trap. The Microsoft website you're visiting is 100% real. The code entry page looks exactly like it should.

Step 4: You Complete Your Normal Login

You enter the code, then Microsoft asks for your normal login:

  • Your password
  • Your text message code, authenticator app, or approval notification

You complete everything like you always do. Microsoft confirms you're logged in successfully.

What you don't know: The code was generated by the hacker's computer, so you just logged the hacker's computer in for them. Microsoft handed their computer an access token for your account, and that token keeps working for a long time without them ever needing your password or your MFA again. They now have full access to your email, files, and Teams.

What to Watch For

Email Warning Signs

  • Someone shared a document you weren't expecting
  • Urgent requests about payments, invoices, or expired accounts
  • Emails that arrived outside normal business hours
  • Messages asking you to verify something immediately

During the Attack

  • Any website or email asking you to enter a code at microsoft.com/devicelogin (or aka.ms/devicelogin, which is the same page)
  • Especially if you didn't just try to log into something yourself

Golden rule: If you didn't start a login process in the last 30 seconds, don't enter any verification codes anywhere.

If You Think You're Being Targeted

Don't Enter the Code

  1. Close all browser windows immediately
  2. Don't enter any codes or complete any login steps
  3. Take a screenshot of the suspicious page if possible

Report It Right Away

  1. Forward the suspicious email to your company's security reporting address (for example, security@company.com; ask IT if you don't know it)
  2. Call your IT department or security team immediately
  3. Include the phrase "device code phishing" when you report it

IMPORTANT: Time matters. If you already entered a code, call IT within the next 10 minutes if possible.

If You Already Fell for It

Don't panic. This happens to smart people every day. Here's what to do:

Immediate Steps

  1. Call your IT or security team right now
  2. Tell them: "I think I was hit by device code phishing"
  3. Give them the exact time you entered the code

What IT Will Do for You

  • Sign you out of every active session (revoke your sign-in sessions) so the hacker's copy of your login stops working
  • Change your password immediately
  • Check if any hackers accessed your email or files
  • Look for suspicious activity in your account, especially sign-ins that used the device code method
  • Remove any devices or apps the hackers might have registered to your account
  • Check if any email forwarding or inbox rules were created
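The checks above are what an IT team actually hunts for after a report. The following is an added example (not code from the original article): a small triage script that runs over constructed sample records shaped like Microsoft Entra sign-in log entries and Exchange inbox rules. The field names (authenticationProtocol, status.errorCode, actions.forwardTo, and so on) follow the Microsoft Graph schema as I understand it; the user names, IP addresses, and timestamps are made up for the example.

```python
"""Triage helper for a suspected device code phishing report.

Added example, not the article's own code. Runs offline over constructed
sample data shaped like Entra ID sign-in logs and Exchange inbox rules.
"""
from datetime import datetime, timedelta, timezone

# ---- constructed sample data (not real logs) ----
SIGN_INS = [
    {"createdDateTime": "2025-03-04T09:12:30Z", "userPrincipalName": "pat@example.com",
     "authenticationProtocol": "oAuth2", "ipAddress": "203.0.113.10",
     "appDisplayName": "Microsoft Teams", "status": {"errorCode": 0}},
    # the victim's own browser completed this one, but the token went to the attacker
    {"createdDateTime": "2025-03-04T09:41:02Z", "userPrincipalName": "pat@example.com",
     "authenticationProtocol": "deviceCode", "ipAddress": "198.51.100.77",
     "appDisplayName": "Microsoft Office", "status": {"errorCode": 0}},
    # a failed attempt: no token was issued, so it is noise for containment
    {"createdDateTime": "2025-03-04T09:42:15Z", "userPrincipalName": "pat@example.com",
     "authenticationProtocol": "deviceCode", "ipAddress": "198.51.100.77",
     "appDisplayName": "Microsoft Office", "status": {"errorCode": 50126}},
    # a different user using device code legitimately (CLI tool from the office IP)
    {"createdDateTime": "2025-03-04T10:05:00Z", "userPrincipalName": "sam@example.com",
     "authenticationProtocol": "deviceCode", "ipAddress": "203.0.113.10",
     "appDisplayName": "Microsoft Azure CLI", "status": {"errorCode": 0}},
]

INBOX_RULES = [
    {"displayName": "Move newsletters", "isEnabled": True,
     "actions": {"moveToFolder": "Newsletters"}},
    # classic attacker rule: near-empty name, forwards externally and deletes
    {"displayName": ".", "isEnabled": True,
     "actions": {"forwardTo": [{"emailAddress": {"address": "mail@attacker.example"}}],
                 "delete": True}},
]

INTERNAL_DOMAINS = {"example.com"}


def parse_ts(value):
    """Parse the UTC timestamp format used in the sample records."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def device_code_sign_ins(sign_ins, user, reported_at, window=timedelta(hours=24)):
    """Successful device-code sign-ins for `user` within `window` of the reported time.

    Only errorCode 0 counts: a failed attempt means no token was issued.
    """
    reported = parse_ts(reported_at)
    hits = []
    for entry in sign_ins:
        if entry["userPrincipalName"].lower() != user.lower():
            continue
        if entry.get("authenticationProtocol") != "deviceCode":
            continue
        if entry["status"]["errorCode"] != 0:
            continue
        if abs(parse_ts(entry["createdDateTime"]) - reported) <= window:
            hits.append(entry)
    return hits


def suspicious_inbox_rules(rules, internal_domains):
    """Enabled rules that forward/redirect mail outside the company or delete it.

    Attackers add these to keep receiving the victim's mail and to hide replies.
    """
    flagged = []
    for rule in rules:
        if not rule.get("isEnabled", True):
            continue
        actions = rule.get("actions", {})
        recipients = actions.get("forwardTo", []) + actions.get("redirectTo", []) \
            + actions.get("forwardAsAttachmentTo", [])
        external = [
            r["emailAddress"]["address"] for r in recipients
            if r["emailAddress"]["address"].split("@")[-1].lower() not in internal_domains
        ]
        if external or actions.get("delete"):
            flagged.append({"displayName": rule.get("displayName", ""),
                            "externalRecipients": external,
                            "deletes": bool(actions.get("delete"))})
    return flagged


def triage(user, reported_at, sign_ins=SIGN_INS, rules=INBOX_RULES):
    """Summarise what IT must act on: attacker IPs to block and rules to remove."""
    hits = device_code_sign_ins(sign_ins, user, reported_at)
    return {
        "user": user,
        "device_code_sign_ins": hits,
        "attacker_ips": sorted({h["ipAddress"] for h in hits}),
        "rules_to_remove": suspicious_inbox_rules(rules, INTERNAL_DOMAINS),
        "revoke_sessions": bool(hits),  # any issued token means: sign out everywhere
    }


if __name__ == "__main__":
    import json
    print(json.dumps(triage("pat@example.com", "2025-03-04T09:45:00Z"), indent=2))
```

In a real incident the sign-in records come from the Entra ID sign-in log export and the rules from the user's mailbox; the point of the script is the decision logic: only successful device-code sign-ins near the reported time matter for containment, and any of them means sessions must be revoked, not just the password changed.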

How You'll Know You're Protected

Your IT team will confirm:

  • Your password has been changed and all of your existing sign-in sessions have been revoked
  • Any suspicious sign-ins have been reviewed and the addresses they came from are blocked
  • Your email forwarding and inbox rules are normal
  • No unauthorized devices or apps are connected to your account
  • Your account activity looks clean

You should also watch for:

  • Emails you didn't send in your Sent folder
  • New email rules you didn't create
  • Unusual activity notifications from Microsoft

What Happens Next

Company-Wide Changes

Your IT team might:

  • Block this type of login method (the "device code" sign-in flow) for everyone who doesn't need it. This is the change that actually stops the attack.
  • Require new security devices (like YubiKeys) for some users. Note that a security key on its own does not stop this particular trick, because you really are signing in at the real Microsoft site; it does stop the more common fake-website phishing.
  • Update email security rules
  • Send new training to all employees
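For the IT readers, here is what "block this type of login method" looks like in practice. This is an added example, not code from the original article or from Microsoft: it builds a Conditional Access policy that blocks the device code flow for all users and apps, checks whether an existing policy already does so, and can publish it through the Microsoft Graph API. The property names (conditions.authenticationFlows.transferMethods, grantControls.builtInControls) follow the Graph conditionalAccessPolicy schema as I understand it; verify them against current Microsoft documentation before running this in a tenant. The group IDs and existing policies below are made up, and publishing needs an access token holding Policy.ReadWrite.ConditionalAccess.

```python
"""Block the device code sign-in flow with Conditional Access.

Added example, not the article's own code. Schema names are assumed from the
Microsoft Graph conditionalAccessPolicy resource; check the current docs.
"""
import json
import urllib.request

GRAPH_CA_URL = "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies"

# Constructed sample: what a tenant might already have (made-up IDs and names)
EXISTING_POLICIES = [
    {"displayName": "Require MFA for all users", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"]},
                    "applications": {"includeApplications": ["All"]}},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
    {"displayName": "Old device code block (disabled)", "state": "disabled",
     "conditions": {"users": {"includeUsers": ["All"]},
                    "applications": {"includeApplications": ["All"]},
                    "authenticationFlows": {"transferMethods": "deviceCodeFlow"}},
     "grantControls": {"operator": "OR", "builtInControls": ["block"]}},
]

BREAK_GLASS_GROUP = "00000000-0000-0000-0000-000000000001"  # made-up group id


def build_block_device_code_policy(display_name, exclude_group_ids=(), enforce=False):
    """Policy that blocks deviceCodeFlow for every user and app.

    Starts in report-only mode unless enforce=True, so sign-in logs show who
    would have been blocked (legitimate CLI users, shared devices) before it bites.
    Always exclude the break-glass accounts so you cannot lock yourself out.
    """
    return {
        "displayName": display_name,
        "state": "enabled" if enforce else "enabledForReportingButNotEnforced",
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeGroups": list(exclude_group_ids)},
            "applications": {"includeApplications": ["All"]},
            "authenticationFlows": {"transferMethods": "deviceCodeFlow"},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }


def already_blocks_device_code(policies):
    """True if an enforced policy already blocks deviceCodeFlow for all users and apps.

    transferMethods is a comma-separated flag string, e.g.
    "deviceCodeFlow,authenticationTransfer", so it is split before checking.
    """
    for policy in policies:
        if policy.get("state") != "enabled":
            continue
        conditions = policy.get("conditions") or {}
        flows = conditions.get("authenticationFlows") or {}
        methods = {m.strip() for m in (flows.get("transferMethods") or "").split(",")}
        if "deviceCodeFlow" not in methods:
            continue
        if "block" not in ((policy.get("grantControls") or {}).get("builtInControls") or []):
            continue
        users = conditions.get("users") or {}
        apps = conditions.get("applications") or {}
        if "All" in users.get("includeUsers", []) and "All" in apps.get("includeApplications", []):
            return True
    return False


def publish_policy(policy, access_token):
    """POST the policy to Graph. Network call; only run with a real token."""
    request = urllib.request.Request(
        GRAPH_CA_URL,
        data=json.dumps(policy).encode("utf-8"),
        method="POST",
        headers={"Authorization": f"Bearer {access_token}",
                 "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(request) as response:
        return json.load(response)


if __name__ == "__main__":
    if already_blocks_device_code(EXISTING_POLICIES):
        print("Tenant already blocks device code flow; nothing to do.")
    else:
        policy = build_block_device_code_policy(
            "Block device code flow", exclude_group_ids=[BREAK_GLASS_GROUP])
        print(json.dumps(policy, indent=2))  # review, then publish_policy(policy, token)
```

The disabled sample policy is deliberately ignored by the check: a block that is not enforced protects nobody, which is also why the built policy should be promoted from report-only to enabled once the report-only logs confirm no legitimate device-code users remain unexcluded.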

Your Personal Account Security

Consider these steps for your personal Microsoft accounts too:

  • Never enter verification codes unless you started the login yourself
  • Use the Microsoft Authenticator app (or a passkey) instead of text messages when possible. This won't stop device code phishing by itself, since the attack makes you complete your own MFA, but it protects you from many other attacks.
  • Review your account activity monthly at account.microsoft.com

Why Normal Security Advice Doesn't Work Here

Traditional advice like "check the sender" or "look for typos" won't help because:

  • The emails are AI-generated and perfect
  • They often come from real, hacked email accounts
  • The Microsoft website you visit is completely legitimate
  • Everything looks and works exactly like it should

The only way to spot this attack: Ask yourself "Did I just try to log into something?" If the answer is no, don't enter any codes.

Questions You Might Have

Q: How is this different from normal phishing? A: Normal phishing tries to steal your password on a fake website. This attack uses Microsoft's real website and your real login to hack you.

Q: I have multi-factor authentication. Aren't I safe? A: Not from this attack. You're completing your own MFA on behalf of the hacker.

Q: What if I use Google/Apple accounts for work? A: This specific attack targets Microsoft 365, but similar techniques exist for other services. The same "don't enter codes you didn't request" rule applies everywhere.

Q: Can this happen on my phone? A: Yes. The attack works the same way on phones, tablets, and computers.

Bottom Line

When in doubt, don't enter the code. It's better to call IT about a false alarm than to give hackers access to your company's data.

Still stuck? Email us at support@helixinc.com or call us 541.772.4692 — that's literally what we're here for.