When MFA Isn't Enough: How Attackers Hijack Microsoft 365
A new scam gets into Microsoft 365 without your password or your MFA code. Here is how the Microsoft 365 login trick works and how to protect your practice.
- Security
- Microsoft 365
- Phishing
You did the responsible thing. You turned on multi-factor authentication across your practice, so that even if a password is stolen, a criminal still cannot get into your Microsoft 365 account. That single step blocks the large majority of attacks, and every practice should have it switched on.
So it is unsettling to learn that a new scam is getting into Microsoft 365 accounts without the password and without breaking that second step. It has been doing the rounds since spring 2026, sold to criminals as a ready-made kit, and it has already been used in hundreds of attacks across the UK, Europe and North America. For a firm that holds client tax records, payroll data and bank details, it is worth understanding, because the fix is straightforward once you know what you are dealing with.
First, the reassurance: keep MFA on
Nothing below is a reason to turn off multi-factor authentication. It is still one of the most effective controls you have, and it stops the everyday password-stuffing attacks that hit small firms constantly. The point of this article is that MFA is one layer, not the whole wall. Understanding where it has a gap lets you close that gap, rather than assuming you are fully covered when you are not.
How the scam actually works
The trick abuses a legitimate Microsoft feature, which is exactly why it is so effective. Microsoft lets you sign certain devices in using a short code, the sort of thing you use to log a smart TV or a meeting-room screen into a Microsoft account without typing a long password on an awkward keyboard. You go to the genuine Microsoft sign-in page, type in a code, and approve it.
Here is how a criminal turns that against you:
- They send a convincing email that looks like it is from Microsoft or Outlook, often well written and personalised. The current kits even generate these with AI, so the old giveaways of poor spelling and clumsy grammar are gone.
- The email asks you to sign in, and gives you a code to enter. Crucially, it sends you to the real Microsoft login page, not a fake one. Everything looks correct, because it is correct.
- You enter the code and complete your normal multi-factor step.
- Without realising it, you have just approved the attacker’s device, not your own. Microsoft issues a valid access token to them, and they now have a working session into your Outlook, Teams and OneDrive.
No password was stolen. No MFA code was cracked. You were simply persuaded to approve a sign-in on someone else’s behalf.
Why your one-time code did not save you
Multi-factor authentication is designed to answer the question “is the right person signing in?” It does that well. What it cannot do is judge why you are signing in or whose device you are approving. If you have been convinced to complete that step as part of what feels like a normal login, the code does its job perfectly and lets the criminal straight in.
This is why awareness alone is not enough either. The email arrives on a busy day, it looks legitimate, it points to the real Microsoft site, and a member of staff under pressure follows the steps. It is a failure of the conditions, not the person, and the answer is better technical controls rather than blame.
What this means for a practice
Once an attacker has a live session in your Microsoft 365, the damage follows a familiar pattern. They read email to understand who pays whom, set up quiet forwarding rules to copy correspondence out of the practice, and look for the moment to redirect a client payment or file. As we covered when looking at how one compromised login exposes everything, a single account is rarely just one mailbox. It is a doorway to the lot.
For an accountancy firm the stakes are higher than for many businesses. You hold sensitive personal and financial data in volume, a breach can become a reportable matter for the Information Commissioner’s Office, and the worst possible time to lose access to your systems is the January self-assessment peak.
How to protect your practice
The good news is that the defences are practical and proportionate.
Turn off the feature this relies on
Most practices never need code-based device sign-in except for a handful of shared screens. Switching it off everywhere else removes the exact mechanism the scam depends on, with no effect on normal work. This is a quick change for whoever manages your Microsoft 365.
Use phishing-resistant logins for the people who matter most
Partners, anyone in finance and anyone with administrator access should move to a login method that cannot be handed over by mistake. Passkeys, FIDO2 security keys and Windows Hello tie sign-in to a specific device and person, so there is no code to read out or approve for a stranger. This is the single strongest step, and it is part of the wider shift we wrote about in passwords are on the way out.
Keep an eye on sign-in activity
A regular look at your Microsoft 365 sign-in logs, for logins from unexpected places or at strange hours, and a check for new inbox forwarding rules, will catch most intrusions early. This kind of monitoring is part of good managed IT support and does not need to fall on a partner to remember.
Build the habit of pausing
If an unexpected message asks you to enter a code or approve a sign-in you did not start, the right response is to stop and check. A login prompt you were not expecting is a red flag, even when it points to a genuine Microsoft page.
Where to start
If you are not sure whether device code sign-in is switched on, who in your practice has the strongest protection, or whether anything odd is already happening in your sign-in logs, that is exactly what a review is for. Our free Practice IT Health Check covers your Microsoft 365 security posture in plain English, and stronger account protection is a core part of our cyber security service. Keep MFA on, and make it the first layer of several rather than the only one.
Frequently asked questions
We already use multi-factor authentication. Are we still at risk?
Possibly, yes. This scam does not break multi-factor authentication, it tricks a member of staff into approving the attacker's sign-in for them. Your one-time code still works exactly as designed, it is just being used against you. Keep MFA on, it remains essential, but treat it as one layer rather than the whole defence.
What is a phishing-resistant login method?
It is a way of proving who you are that cannot be handed to a stranger by mistake. Passkeys, FIDO2 security keys and Windows Hello tie your sign-in to a specific device and to you, so there is no code to read out or approve for someone else. They are the strongest practical defence against this kind of attack.
Should we just turn off device code sign-in?
For most practices, device code sign-in is only needed for a few specific devices like a meeting-room display. Switching it off everywhere else removes the exact feature this scam relies on, with no effect on normal day-to-day work. It is worth reviewing with whoever manages your IT.
How would we know if this had already happened to us?
The clearest signals are in your Microsoft 365 sign-in logs: logins from unexpected countries or at odd hours, and new mailbox rules that quietly forward email out of the practice. A regular review of sign-in activity and inbox rules will catch most of it early.
Want this checked for your own practice?
Book a free Practice IT Health Check, a plain-English, no-obligation review of where your IT stands.
Book your free Health Check