A Microsoft 365 phishing attack hit an accounting manager on an ordinary Tuesday morning. She opened her inbox and saw what looked like an internal email thread. The display name showed her CEO’s name. The To field listed her own department’s address. The subject line referenced an outstanding vendor invoice. And the message — written in plain, professional language — asked her to process a payment quickly to keep an early-payment discount.
Nothing looked unusual. The sender name matched. The email address used her organization’s own domain. There was no spelling error, no suspicious attachment, and no link to a foreign website. It read exactly like something her CEO would send.
She processed the payment. The money was gone within hours.
Microsoft’s security team has documented this exact scenario playing out across organizations of all sizes. The scam email appears as an internal thread — both the To and From fields use the organization’s own domain, with the CEO’s name as the display name. It looks like a legitimate internal message. That is precisely the point.
This is not a hypothetical. It is an active, documented Microsoft 365 phishing attack. Since March 2026, researchers have observed 10 to 15 distinct campaigns launching every 24 hours, with hundreds of organizations compromised daily. Moreover, the volume is still climbing.
⚠ Active Threat: We are currently seeing a significant spike in two techniques being used together — Direct Send abuse and Device Code phishing — to compromise Microsoft 365 accounts. Neither technique is new, but they are increasingly being combined and used at scale against businesses of every size.
What Is a Microsoft 365 Direct Send Phishing Attack?
To understand how this Microsoft 365 phishing attack works, it helps to know a little about how Microsoft 365 handles email behind the scenes.
Microsoft 365 includes a feature called Direct Send. It was designed for legitimate internal purposes — allowing printers, scanners, and internal business applications to send emails within an organization without requiring a user login. Think of the confirmation email your office printer sends when a scan completes. That is Direct Send in action.
However, the feature was never designed with security as its primary concern. Because Direct Send does not require authentication, a threat actor can send an email that appears to come from inside your organization — or even from your own email address. They never need to log into your account, guess your password, or touch your multi-factor authentication.
All they need is your organization’s email domain. That information is typically available through your website, LinkedIn, or previous email correspondence.
As a result, the phishing email arrives in your inbox looking completely internal. There is no “external sender” banner. There are no warning flags from your spam filter. It looks like it came from HR, from IT, or from your CEO — because your mail system received it through your own infrastructure.
Device Code Phishing: Why This Microsoft 365 Attack Bypasses MFA
The second part of this attack is what makes it especially dangerous for businesses that rely on multi-factor authentication.
Device Code phishing exploits a legitimate Microsoft authentication method called the Device Authorization Grant flow. Microsoft originally designed it for devices that cannot display a traditional login page — think smart TVs, shared kiosks, or equipment with limited input options. To sign in on one of these devices, you visit a Microsoft URL, enter a short code, and the device gets authenticated. It is a genuine Microsoft feature used every day for legitimate purposes.
However, attackers have found a way to weaponize it. They generate a real Microsoft device code, then deliver it through a convincing spoofed email that appears to come from inside your organization. The email asks you to review a DocuSign document, access a shared file, or listen to a voicemail. To do so, you enter a short code.
That code is not a document access code. It is the user code for a Microsoft device sign-in request that the attacker started. The moment you enter it on Microsoft’s sign-in page and approve the request, the attacker’s pending login is authorized and they hold a valid Microsoft 365 session — with full access to your email, files, calendar, and connected applications. No password. No MFA prompt. No warning.
⚠ This is why this Microsoft 365 phishing attack is so dangerous: Multi-factor authentication — which most organizations rely on as their primary line of defense — does not protect against Device Code phishing. The attacker never triggers an MFA request because you are the one completing the authentication on a legitimate Microsoft page. They simply collect the result.
How This Microsoft 365 Phishing Attack Works in Practice
On their own, each technique presents a serious problem. Together, however, they are used at scale to compromise hundreds of organizations every day.
Direct Send abuse solves the delivery problem for attackers. It gets a convincing email past your spam filter and into your inbox. Because the message appears to come from inside the organization, it bypasses the external sender warnings that employees have been trained to look for.
Device Code phishing then solves the access problem. Once a user enters the code, the attacker has everything they need — a valid authenticated session in Microsoft 365, with full access to email, OneDrive, SharePoint, and Teams. Furthermore, stolen tokens grant persistent access that continues until someone manually revokes them.
Together, they remove the two biggest obstacles attackers typically face: getting the email delivered credibly, and getting past multi-factor authentication. That is why security researchers consider this combination one of the most significant active threats facing small and mid-size businesses today.
What Does a Real Microsoft 365 Phishing Email Look Like?
The Invoice Payment Scam
An email arrives that appears to be a thread between your CEO and your accounting department, referencing a specific vendor invoice and asking for prompt payment to retain a discount. Both the From and To fields use your own organization’s email address. The language is professional and direct. There is a quiet urgency to it — but nothing that feels obviously out of place.
The DocuSign Document Request
You receive what looks like a DocuSign notification asking you to review and sign a document. To access it, you are asked to enter a short alphanumeric code. The email may be styled to look exactly like a real DocuSign alert, including logos and formatting. The code field looks routine. It is not.
The Voicemail or Shared File Notification
An email from what appears to be your internal IT department notifies you that you have a new voicemail or a shared file waiting for you. A PDF attachment contains a QR code, or the email body contains a prompt to enter a code to access the content.
🔎 The key sign to watch for: If you receive any unexpected email — from any sender, including yourself, your CEO, or IT — asking you to enter a code to access a document, voicemail, or file, stop. Do not enter the code. Call the person who appears to have sent the email using a phone number you already know and verify before taking any action.
How to Protect Your Business From a Microsoft 365 Phishing Attack
The good news is that both attack vectors can be significantly reduced — or closed entirely — with the right configuration. Here is what we recommend for businesses using Microsoft 365.
1. Disable Direct Send If Your Organization Does Not Need It
Many organizations have Direct Send enabled simply because nobody turned it off — not because it is actively used. If your business does not have printers, scanners, or legacy applications that depend on this feature, disabling it removes this attack surface entirely. Your IT provider can verify whether it is in use and disable it safely if it is not.
2. Block Device Code Authentication Through Conditional Access
The Device Code authentication flow can be blocked through Microsoft’s Conditional Access policies. Most small and mid-size businesses do not have devices that require this method. Therefore, blocking it closes the door on Device Code phishing completely. This is one of the highest-impact steps you can take right now to protect your Microsoft 365 environment.
3. Train Your Team to Recognize the Warning Signs
User awareness remains one of the most important defenses against a Microsoft 365 phishing attack. CISA identifies phishing as the most common entry point for cyberattacks on businesses and recommends regular employee training as a core defense. Make sure your staff understands the following.
- Any email appearing to come from their own address — or from a senior colleague making an unusual financial request — should be verified by phone before taking action.
- No legitimate business service delivers authentication codes via email and asks you to paste them somewhere to access a document.
- An email landing in junk despite looking internal is a warning sign — not a reason to move it to the inbox and act on it.
4. Review and Tighten Your Email Authentication Settings
Enforcing email authentication protocols — including SPF, DKIM, and DMARC — adds an important additional layer of protection. These settings help ensure spoofed emails get flagged before they reach your users. In addition, auditing your mail flow rules for unexpected relay permissions is a worthwhile step, especially if your Microsoft 365 environment has not had a security review in several years.
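An audit script for steps 1, 2 and 4 above, added here as an example and not part of the original post (step 3 is training and has no setting to check). It assumes the ExchangeOnlineManagement and Microsoft.Graph PowerShell modules, the Exchange Online RejectDirectSend organization setting, the Conditional Access authenticationFlows condition as exposed by Microsoft Graph, and a placeholder domain example.com; run it without -Enforce first to see what it would change.

```powershell
# Audit (and, with -Enforce, apply) the Direct Send, device code flow and DMARC
# recommendations. Assumes ExchangeOnlineManagement + Microsoft.Graph modules and admin roles.
param(
    [string]$Domain = "example.com",   # assumption: replace with your tenant's own domain
    [switch]$Enforce
)
Connect-ExchangeOnline -ShowBanner:$false
Connect-MgGraph -Scopes "Policy.Read.All", "Policy.ReadWrite.ConditionalAccess" -NoWelcome
# 1. Direct Send: RejectDirectSend makes Exchange Online refuse unauthenticated
#    SMTP mail that claims to come from one of your own accepted domains.
if ((Get-OrganizationConfig).RejectDirectSend) {
    Write-Host "[OK]  Direct Send is rejected"
} elseif ($Enforce) {
    # Move printers/scanners/apps to authenticated SMTP or a partner connector first.
    Set-OrganizationConfig -RejectDirectSend $true
    Write-Host "[FIX] RejectDirectSend enabled"
} else {
    Write-Warning "Direct Send is accepted: unauthenticated mail from $Domain is delivered as internal"
}
# 2. Device code flow: look for an enabled Conditional Access policy whose
#    authenticationFlows condition covers deviceCodeFlow with a Block grant.
$blocks = Get-MgIdentityConditionalAccessPolicy | Where-Object {
    $_.State -eq "enabled" -and
    $_.Conditions.AuthenticationFlows.TransferMethods -match "deviceCodeFlow" -and
    $_.GrantControls.BuiltInControls -contains "block"
}
if ($blocks) {
    Write-Host "[OK]  Device code flow blocked by: $($blocks.DisplayName -join ', ')"
} elseif ($Enforce) {
    $body = @{
        displayName   = "Block device code flow"
        state         = "enabledForReportingButNotEnforced"  # review sign-in logs, then set "enabled"
        conditions    = @{
            users               = @{ includeUsers = @("All") }
            applications        = @{ includeApplications = @("All") }
            authenticationFlows = @{ transferMethods = "deviceCodeFlow" }
        }
        grantControls = @{ operator = "OR"; builtInControls = @("block") }
    }
    New-MgIdentityConditionalAccessPolicy -BodyParameter $body | Out-Null
    Write-Host "[FIX] Report-only policy 'Block device code flow' created"
} else {
    Write-Warning "No enabled Conditional Access policy blocks the device code flow"
}
# 4. DMARC: without p=quarantine or p=reject, spoofed mail is not acted on when SPF/DKIM fail.
$dmarc = (Resolve-DnsName "_dmarc.$Domain" -Type TXT -ErrorAction SilentlyContinue).Strings -join ""
if ($dmarc -match "p=(reject|quarantine)") { Write-Host "[OK]  DMARC: $dmarc" }
else { Write-Warning "DMARC for $Domain is missing or p=none ('$dmarc')" }
```

The report-only policy state lets you confirm from the sign-in logs that no legitimate device (conference-room hardware, for instance) relies on the flow before switching it to enabled.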
Why Active Monitoring Matters More Than Ever
One reason these Microsoft 365 phishing attacks succeed is that they look routine. They do not set off alarms the way a ransomware attack does. Instead, they slip in quietly. The damage — account compromise, unauthorized data access, financial fraud — often goes unnoticed for days or weeks.
This is where active security monitoring makes a real difference. Unusual login locations, authentication patterns that do not match a user’s normal behavior, and mail flow anomalies are all signals that something is wrong. Managed security services exist specifically to catch these indicators before the damage compounds.
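A detection sketch for the signals just described, added as an example and not code from the original post. It runs over constructed sample sign-in records embedded below; it assumes the Entra sign-in log field authenticationProtocol (value deviceCode), shortened here to Protocol, and it builds each user’s country baseline from their non-device-code sign-ins.

```powershell
# Constructed sample records standing in for Entra sign-in log entries; the real
# entries (Get-MgAuditLogSignIn) carry the same information in more fields.
$signIns = @(
    [pscustomobject]@{ User = "alice@example.com"; Time = "2026-04-07T08:02:00Z"; Protocol = "oAuth2";     Country = "US"; App = "Outlook" }
    [pscustomobject]@{ User = "alice@example.com"; Time = "2026-04-07T08:40:00Z"; Protocol = "deviceCode"; Country = "NL"; App = "Microsoft Office" }
    [pscustomobject]@{ User = "bob@example.com";   Time = "2026-04-06T09:10:00Z"; Protocol = "oAuth2";     Country = "US"; App = "Teams" }
    [pscustomobject]@{ User = "bob@example.com";   Time = "2026-04-07T09:15:00Z"; Protocol = "deviceCode"; Country = "US"; App = "Microsoft Office" }
)

function Find-SuspiciousDeviceCodeSignIns {
    param([object[]]$Records)
    # Baseline per user: countries seen on ordinary (non device code) sign-ins.
    $baseline = @{}
    foreach ($r in $Records | Where-Object Protocol -ne "deviceCode") {
        if (-not $baseline.ContainsKey($r.User)) { $baseline[$r.User] = @() }
        $baseline[$r.User] += $r.Country
    }
    # Every device code sign-in is worth a review; one from a country the user has
    # never signed in from is escalated, since that is how a phished session shows up.
    foreach ($r in $Records | Where-Object Protocol -eq "deviceCode") {
        $reasons = @("device code flow used")
        if ($baseline[$r.User] -notcontains $r.Country) { $reasons += "new country $($r.Country)" }
        $severity = if ($reasons.Count -gt 1) { "High" } else { "Medium" }
        [pscustomobject]@{
            User = $r.User; Time = $r.Time; App = $r.App
            Severity = $severity; Reasons = $reasons -join "; "
        }
    }
}

Find-SuspiciousDeviceCodeSignIns -Records $signIns | Sort-Object Severity | Format-Table -AutoSize
```

Against real data, pass it the output of Get-MgAuditLogSignIn mapped to the same field names; for a confirmed compromise, Revoke-MgUserSignInSession invalidates the user’s refresh tokens, which is the manual revocation the earlier section refers to.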
If you have read our post on Zero Trust security for small business, this is exactly the kind of scenario Zero Trust architecture is designed to address — treating every authentication request as potentially untrusted, regardless of where it appears to come from.
If your organization does not currently have that layer of protection in place, now is a good time to have the conversation. Contact us today.