Microsoft drops SMS for logins
- Microsoft said on May 15 it will phase out SMS for personal-account authentication and recovery, steering users toward passkeys and verified email instead.
- Microsoft said SMS is now “a leading source of fraud,” while Kiteworks described device-code phishing as compromising “hundreds of organizations daily.”
- Microsoft published Storm-2949 guidance on May 18, and its support page directs personal-account users to set up passkeys.
Microsoft is removing SMS as an authentication and account-recovery method for personal accounts and replacing it with passkeys and verified email, according to a Microsoft support page published in May. The company said SMS-based authentication has become “a leading source of fraud” and described passkeys as phishing-resistant. The change applies to consumer Microsoft accounts, not Microsoft Entra ID work and school tenants.

At the same time, Microsoft and outside security researchers are describing attacks that do not try to break authentication so much as route around it. A Kiteworks report published May 20 said attackers are abusing Microsoft 365’s device-code flow in AI-assisted phishing campaigns, while Microsoft said on May 18 that a threat actor it tracks as Storm-2949 used stolen Entra ID credentials and legitimate cloud administration features to steal data from Microsoft 365 and Azure environments. (support.microsoft.com)

### Why is Microsoft removing SMS from personal accounts?

Microsoft said it is “phasing out SMS as a method of authentication and account recovery for personal Microsoft accounts” as part of a push toward passwordless sign-ins. The support page says users will be prompted to “Sign in faster” by creating a passkey and adding a verified email. (kiteworks.com)

Microsoft said SMS is vulnerable to phishing and SIM-swap attacks, and that moving to passkeys reduces exposure to account takeover. The company also said passkeys use device biometrics or a PIN and can improve account recovery when users change phone numbers or lose devices. (support.microsoft.com)

### What makes this more than a consumer-account story?

Kiteworks said the Microsoft 365 device-code flow is being used in phishing campaigns that compromise “hundreds of organizations daily.” Its May 20 report said attackers use a legitimate Microsoft authentication mechanism to obtain valid session tokens, then use Microsoft Graph API access for mailbox and data theft. (support.microsoft.com)

Microsoft’s own threat reporting points to a similar pattern in enterprise environments. The company said Storm-2949 did not rely on malware or traditional on-premises techniques, but instead used “legitimate cloud and Azure management features” after an identity compromise to gain control-plane and data-plane access. (kiteworks.com)

### How did Storm-2949 get in?

SC Media, citing Microsoft’s findings, reported on May 20 that Storm-2949 targeted privileged users including IT staff and senior leadership to obtain Microsoft Entra ID credentials. The report said the actor abused the self-service password reset flow, posed as IT support, and pushed victims to approve multifactor prompts before enrolling Microsoft Authenticator on the attacker’s device. (microsoft.com)

Microsoft said the campaign escalated from identity compromise into a broader cloud attack that hit Microsoft 365 applications, file-hosting services and Azure-hosted production environments. The company said the actor moved laterally by blending into expected administrative behavior. (scworld.com)

### What is the common thread across these incidents?

Microsoft’s support and security materials describe different environments but a similar problem: attackers focus on the login and recovery paths that remain available. In the consumer case, Microsoft is removing SMS because it says the method is exposed to fraud and phishing. In the enterprise cases, attackers abused device-code authentication, self-service password reset and other legitimate administration features rather than deploying malware first. (microsoft.com)

That means the relevant inventory is not just which sign-in method an organization prefers, but which methods and flows are still enabled. Microsoft said Storm-2949 used administrative features after credential theft, and Kiteworks said device-code phishing succeeds because it rides a legitimate authentication flow. That is an inference from the reported attack paths. (support.microsoft.com)

### What should readers watch next?

Microsoft’s support page says personal-account users will be guided to add a verified email and create a passkey as SMS is phased out. Microsoft’s May 18 Storm-2949 post also includes mitigation guidance tied to identity, endpoint and cloud monitoring, while the May 20 Kiteworks report focuses on device-code abuse in Microsoft 365. (support.microsoft.com) (microsoft.com)
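As an added example of the “which flows are still enabled” inventory discussed above (not code from the page, Microsoft or Kiteworks): a small triage script that reads exported Entra sign-in records and surfaces device-code sign-ins for applications the organization has not approved for that flow. The record field names follow the Microsoft Graph signIn resource (`authenticationProtocol`, `appDisplayName`, `userPrincipalName`, `ipAddress`, `createdDateTime`); the sample records and the allowlist are constructed for this example.

```python
import json
from collections import defaultdict

# Constructed sample sign-in records. Field names are modelled on the
# Microsoft Graph signIn resource; the values themselves are invented.
SAMPLE_SIGNINS = json.dumps([
    {"createdDateTime": "2025-05-20T08:01:12Z", "userPrincipalName": "alice@example.com",
     "appDisplayName": "Microsoft Office", "authenticationProtocol": "oAuth2",
     "ipAddress": "198.51.100.10"},
    {"createdDateTime": "2025-05-20T08:07:40Z", "userPrincipalName": "alice@example.com",
     "appDisplayName": "Microsoft Office", "authenticationProtocol": "deviceCode",
     "ipAddress": "198.51.100.10"},
    {"createdDateTime": "2025-05-20T09:15:03Z", "userPrincipalName": "bob@example.com",
     "appDisplayName": "Azure CLI", "authenticationProtocol": "deviceCode",
     "ipAddress": "203.0.113.5"},
    {"createdDateTime": "2025-05-20T09:20:00Z", "userPrincipalName": "carol@example.com",
     "appDisplayName": "Microsoft Office", "authenticationProtocol": "oAuth2",
     "ipAddress": "203.0.113.9"},
])

# Hypothetical allowlist: apps the organization has deliberately approved for
# device-code sign-in (headless or CLI tooling). Replace with your own inventory.
EXPECTED_DEVICE_CODE_APPS = {"Azure CLI"}


def find_device_code_signins(raw_json, expected_apps=EXPECTED_DEVICE_CODE_APPS):
    """Return (all device-code sign-ins, unexpected ones) from a JSON array.

    A sign-in is 'unexpected' when the target app is not one approved for
    device-code use: a user redeeming a code for an app they never intended
    to authorize is the pattern described in the Kiteworks report.
    """
    events = json.loads(raw_json)
    device_code = [e for e in events if e.get("authenticationProtocol") == "deviceCode"]
    unexpected = [e for e in device_code if e.get("appDisplayName") not in expected_apps]
    return device_code, unexpected


def summarize_by_user(events):
    """Count flagged sign-ins per user so triage can start with the noisiest accounts."""
    counts = defaultdict(int)
    for e in events:
        counts[e["userPrincipalName"]] += 1
    return dict(counts)


if __name__ == "__main__":
    _, flagged = find_device_code_signins(SAMPLE_SIGNINS)
    for e in flagged:
        print(f"{e['createdDateTime']} {e['userPrincipalName']} {e['appDisplayName']} from {e['ipAddress']}")
    print(summarize_by_user(flagged))
```

If device-code sign-in is not needed at all, the cleaner control is to disable the flow in Conditional Access; this script is for environments that must keep it for specific tooling and want to see everything else.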