Authentication‑code attacks are scaling

Researchers confirmed a widespread wave of attacks targeting MFA codes that is compromising hundreds of organizations daily. These attacks make single-signal rules brittle, so detections should model sequences: failed MFA attempts followed by success, first-seen devices, or atypical privilege use after a code challenge. Mapping these sequence analytics into risk-based alerting ties the User pillar to Visibility & Automation controls and reduces noisy alerts. (Yahoo News UK)

A six-digit sign-in code is starting to look less like a deadbolt and more like a hotel keycard that can be copied while you’re still using it. Microsoft said on April 6 that a new phishing wave is compromising organizational accounts at scale, with hundreds of customer organizations hit each day. (microsoft.com)

The trick uses a real Microsoft login feature called device code authentication. That feature was built for devices like smart TVs that cannot type a full password, so the device shows a short code and the user finishes sign-in on another screen. (microsoft.com) In a normal login, a code expires fast enough that attackers have to rush. Microsoft said this campaign generates the code only when the victim clicks, which keeps the sign-in window fresh and gets around the usual 15-minute limit. (microsoft.com)

Microsoft also said the operation is heavily automated from start to finish. The attackers used short-lived cloud systems, Node.js backend code, and generative artificial intelligence to send role-specific lures about invoices, requests for proposals, and manufacturing workflows. (microsoft.com)

That matters because the code itself is not the final prize. Once the victim completes the real sign-in, the attackers can steal the resulting authentication token, which works like a stamped wristband that says “this person already proved who they are.” (microsoft.com) Microsoft said those stolen tokens were then used to read email, create malicious inbox rules, and map company roles and permissions through Microsoft Graph. The follow-on activity focused especially on finance staff and executives, because those accounts can expose payments, contracts, and internal approvals. (microsoft.com)

This is why “multifactor authentication is enabled” is no longer a complete answer. Microsoft still says multifactor authentication blocks more than 99.2% of account-compromise attacks overall, but these newer campaigns succeed by hijacking the session after the extra check is completed. (learn.microsoft.com) (microsoft.com)

Security teams have seen this movie before in phishing kits that sit between the user and the real login page. Microsoft said Tycoon2FA, one of the biggest kits, helped drive tens of millions of phishing messages a month and reached more than 500,000 organizations by stealing session cookies and relaying multifactor authentication codes in real time. (microsoft.com)

The defensive lesson is that one alert by itself is often too weak. A failed code challenge followed by a successful sign-in from a first-seen device, then unusual privilege use or sudden inbox-rule creation, tells a much clearer story than any one event alone. (microsoft.com)

The safest login methods are the ones that bind the sign-in to the real website instead of trusting a code that can be relayed. Microsoft’s own guidance says users who already sign in with stronger passwordless methods or a passkey based on Fast Identity Online version 2 are in the stronger category that mandatory multifactor authentication enforcement recognizes. (learn.microsoft.com)
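The sequence-based detection described in the summary and in the paragraph on the defensive lesson, as an added example that is not code from the briefing or from Microsoft: each successful sign-in is treated as the anchor of a sequence, scored by whether a failed code challenge preceded it, whether the device is first-seen for that user, and whether inbox-rule creation or atypical privilege use followed it inside a time window. The event schema, field names, weights and sample events are all constructed assumptions, not any product's log format.

```python
from datetime import datetime, timedelta

# Constructed sample sign-in and mailbox audit events (not real logs). Field
# names are assumptions; map them from your own identity provider's schema.
EVENTS = [
    {"ts": "2024-04-06T09:00:00", "user": "cfo@example.com", "type": "mfa_failed", "device": "dev-unknown-7"},
    {"ts": "2024-04-06T09:02:00", "user": "cfo@example.com", "type": "signin_success", "device": "dev-unknown-7"},
    {"ts": "2024-04-06T09:10:00", "user": "cfo@example.com", "type": "inbox_rule_created", "device": "dev-unknown-7"},
    {"ts": "2024-04-06T09:05:00", "user": "eng@example.com", "type": "mfa_failed", "device": "laptop-42"},
    {"ts": "2024-04-06T09:06:00", "user": "eng@example.com", "type": "signin_success", "device": "laptop-42"},
]
# Devices each user has signed in from before (constructed); anything else is "first-seen".
KNOWN_DEVICES = {"cfo@example.com": {"laptop-11"}, "eng@example.com": {"laptop-42"}}
# Illustrative weights: follow-on mailbox or privilege activity counts double.
WEIGHTS = {"failed_then_success": 1, "first_seen_device": 1, "inbox_rule_created": 2, "privilege_use": 2}

def score_user(events, known_devices, window=timedelta(minutes=30)):
    """Score one user's events as a sequence anchored on each successful sign-in:
    look back for a failed challenge, check the device, look forward for follow-on
    activity. Returns (score, reasons); a lone failed challenge scores 0."""
    evs = sorted(events, key=lambda e: e["ts"])
    ts = [datetime.fromisoformat(e["ts"]) for e in evs]
    reasons = []
    for i, e in enumerate(evs):
        if e["type"] != "signin_success":
            continue
        # Lookback: any failed code challenge within the window before this success.
        if any(p["type"] == "mfa_failed" and ts[i] - ts[j] <= window
               for j, p in enumerate(evs[:i])):
            reasons.append("failed_then_success")
        if e["device"] not in known_devices:
            reasons.append("first_seen_device")
        # Lookahead: inbox-rule creation or privilege use within the window after it.
        for j in range(i + 1, len(evs)):
            if ts[j] - ts[i] > window:
                break
            if evs[j]["type"] in ("inbox_rule_created", "privilege_use"):
                reasons.append(evs[j]["type"])
    return sum(WEIGHTS[r] for r in reasons), reasons

def risk_alerts(events, known_devices, threshold=3):
    """Group events per user; return {user: (score, reasons)} at or above threshold."""
    by_user = {}
    for e in events:
        by_user.setdefault(e["user"], []).append(e)
    alerts = {}
    for user, evs in by_user.items():
        score, reasons = score_user(evs, known_devices.get(user, set()))
        if score >= threshold:
            alerts[user] = (score, reasons)
    return alerts
```

On the constructed events only the finance account is alerted: failed challenge, success from a first-seen device, then an inbox rule within the window; the engineer's single failed-then-successful sign-in from a known device stays below threshold.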


Shared from Scout - Be the smartest in the room.