Microsoft 365 remains one of the most important business platforms in the world, which also makes it one of the most attractive targets for cybercriminals. A recent report from the Microsoft security team highlighted that the EvilTokens Phishing-as-a-Service (PhaaS) toolkit now supports device-code phishing attacks designed to hijack Microsoft 365 accounts. This matters for partners because it shows how phishing techniques continue to adapt around familiar login workflows, multi-factor authentication, and user trust.
The Emergence of Device-Code Phishing
Device-code phishing can be particularly dangerous because it does not always look like a traditional fake login page. Instead, attackers may attempt to trick users into entering a legitimate-looking code or completing an authentication flow that grants access to an attacker-controlled session.
For customers, the experience can feel routine. They may believe they are completing a normal Microsoft sign-in step, approving access, or resolving an account issue. That familiarity is what makes the technique so effective.
This is an important advisory topic for partners because many customers believe MFA alone solves credential theft. MFA is essential, but it does not remove the need for layered email security, user awareness, conditional access, monitoring, and rapid threat detection.
Attackers are increasingly designing campaigns that work around the controls users recognise. They use trusted brands, credible prompts, and login experiences that feel familiar. The goal is not always to break authentication outright. Often, it is to manipulate the user into completing the attacker's workflow.
Partners should use this development to revisit Microsoft 365 security conversations with customers.
The most useful discussion is not whether MFA is enabled. It is whether customers understand how modern phishing attacks attempt to exploit authentication flows, trusted links, and user behaviour.
What Partners Can Discuss With Customers
Partners can ask customers:
- Are users trained to recognise suspicious device-code prompts?
- Are Microsoft 365 sign-in alerts and unusual access patterns monitored?
- Are conditional access policies configured appropriately?
- Are third-party email security controls in place to stop phishing before users are exposed?
- Are customers relying too heavily on end users to make the right decision under pressure?
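One concrete way to act on the monitoring question above is to look for sign-ins that completed through the device code flow and rate them against where each user normally signs in from. The example below is added here and is not from the original post or from MailGuard; it assumes Entra ID sign-in log field names (authenticationProtocol, userPrincipalName, ipAddress, location, status) and runs over constructed sample records.

```python
"""Flag Microsoft 365 sign-ins that completed via the device code flow.

Assumed field names follow the Entra ID sign-in log export; check them
against your own tenant's export before relying on this logic.
"""
from collections import defaultdict

# Constructed sample records (not real tenant data), modelled on sign-in log JSON.
SAMPLE_SIGNINS = [
    {"userPrincipalName": "alice@example.com", "authenticationProtocol": "none",
     "ipAddress": "203.0.113.10", "location": {"countryOrRegion": "AU"}, "status": {"errorCode": 0}},
    {"userPrincipalName": "alice@example.com", "authenticationProtocol": "deviceCode",
     "ipAddress": "198.51.100.77", "location": {"countryOrRegion": "NL"}, "status": {"errorCode": 0}},
    {"userPrincipalName": "bob@example.com", "authenticationProtocol": "none",
     "ipAddress": "203.0.113.22", "location": {"countryOrRegion": "AU"}, "status": {"errorCode": 0}},
    {"userPrincipalName": "bob@example.com", "authenticationProtocol": "deviceCode",
     "ipAddress": "203.0.113.23", "location": {"countryOrRegion": "AU"}, "status": {"errorCode": 0}},
    {"userPrincipalName": "carol@example.com", "authenticationProtocol": "deviceCode",
     "ipAddress": "192.0.2.5", "location": {"countryOrRegion": "US"}, "status": {"errorCode": 50126}},
]


def baseline_countries(signins):
    """Countries each user has successfully signed in from via ordinary (non-device-code) flows."""
    seen = defaultdict(set)
    for rec in signins:
        if rec["authenticationProtocol"] != "deviceCode" and rec["status"]["errorCode"] == 0:
            seen[rec["userPrincipalName"]].add(rec["location"]["countryOrRegion"])
    return seen


def find_suspicious_device_code_signins(signins):
    """Return successful device-code sign-ins; severity is high when the country is outside the user's baseline."""
    baseline = baseline_countries(signins)
    findings = []
    for rec in signins:
        if rec["authenticationProtocol"] != "deviceCode":
            continue
        if rec["status"]["errorCode"] != 0:
            continue  # a failed attempt is worth counting, but the takeover risk is a successful one
        user = rec["userPrincipalName"]
        country = rec["location"]["countryOrRegion"]
        severity = "high" if country not in baseline.get(user, set()) else "medium"
        findings.append({"user": user, "ip": rec["ipAddress"], "country": country, "severity": severity})
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_device_code_signins(SAMPLE_SIGNINS):
        print(finding)
```

Every successful device-code sign-in is surfaced because the flow is rarely used by ordinary staff; the country check only decides how urgently to review it.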
For many businesses, Microsoft 365 is the centre of communication, collaboration, identity, and productivity. That makes account takeover a major operational risk, not just an IT issue.
The partner opportunity is to help customers understand that email security, identity security, and Microsoft 365 resilience are now deeply connected.
Keeping Businesses Safe and Secure
Prevention is always better than a cure, and one of the best defences is to encourage businesses to proactively boost their company's cyber resilience levels so that threats never land in inboxes in the first place. The fact that a staggering 94% of malware attacks are delivered by email makes email an extremely important vector for businesses to fortify.
No one vendor can stop all email threats, so it’s crucial to remind customers that if they are using Microsoft 365 or Google Workspace, they should also have a third-party email security specialist in place to mitigate their risk. For example, using a specialist AI-powered email threat detection solution like MailGuard.
For a few dollars per staff member per month, businesses are protected by MailGuard's specialist, AI-powered zero-day email security. Special Ops for when speed matters! Our real-time zero-day, email threat detection amplifies your client’s intelligence, knowledge, security and defence.
MailGuard provides a range of solutions to keep businesses safe, from email filtering to email continuity and archiving solutions. Speak to your clients today to ensure they’re prepared and get in touch with our team to discuss fortifying your client’s cyber resilience.
Talk to us
MailGuard's partner blog is a forum to share information; we want it to be a dialogue. Reach out to us and tell us what your customers need so we can serve you better. You can connect with us on social media or call us and speak to one of our consultants.
Australian partners, please call us on 1300 30 65 10
US partners call 1888 848 2822
UK partners call 0 800 404 8993