How Modern Phishing Bypasses Microsoft 365 Security and How to Stop It

Phishing attacks against Microsoft 365 have evolved. Instead of simply stealing credentials, attackers now focus on capturing authenticated sessions — allowing them to access accounts even after passwords are changed or MFA is completed.

Two techniques are driving this shift:

Adversary-in-the-Middle (AiTM) attacks

Users log into a fake Microsoft page, complete MFA as normal, and unknowingly hand over a valid session cookie that gives attackers ongoing access.

Device Code Flow abuse

Attackers trick users into entering a Microsoft device code on a legitimate login page, effectively approving access for the attacker’s session.

Because both methods use legitimate Microsoft authentication flows, they can bypass traditional password-focused security controls and are harder to detect.

Defending against these attacks requires:

  • Phishing-resistant MFA and authentication methods
  • Conditional Access policies (device and location controls)
  • Restricting or disabling device code flow where not needed
  • Strong email and endpoint phishing protection
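The third bullet can be enforced in Entra ID with a Conditional Access policy that targets the device code authentication flow. The following is an added example, not code from the original post or its authors; it uses the Microsoft Graph PowerShell SDK (a recent version that exposes the authenticationFlows condition) and assumes the break-glass account object ID is replaced with your own.

```powershell
# Added example (not from the original post): create a report-only Conditional Access
# policy that blocks the device code flow for all users and all cloud apps.
# Assumes: Microsoft Graph PowerShell SDK installed, an admin with the
# Policy.ReadWrite.ConditionalAccess scope, and a real emergency-access account ID
# substituted for the placeholder below.

Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess"

# Placeholder: exclude your emergency-access (break-glass) account so a misconfiguration
# cannot lock administrators out.
$breakGlassAccount = "<BREAK_GLASS_ACCOUNT_OBJECT_ID>"

$policy = @{
    displayName = "CA - Block device code flow (report-only)"
    # Start in report-only mode; review the sign-in logs for legitimate device code
    # usage (for example headless devices or CLI tools) before switching to "enabled".
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users = @{
            includeUsers = @("All")
            excludeUsers = @($breakGlassAccount)
        }
        applications = @{
            includeApplications = @("All")
        }
        # The authentication flow abused by device code phishing.
        authenticationFlows = @{
            transferMethods = "deviceCodeFlow"
        }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("block")
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
Write-Output "Created policy $($created.Id) in state $($created.State)"

# Check: list every policy that targets the device code flow and its current state,
# so you can confirm the control exists and whether it is enforced or report-only.
Get-MgIdentityConditionalAccessPolicy |
    Where-Object { $_.Conditions.AuthenticationFlows.TransferMethods -match "deviceCodeFlow" } |
    Select-Object DisplayName, State
```

Once the report-only period shows no legitimate device code sign-ins being blocked, change `state` to `enabled`; if some workloads genuinely need the flow, scope the policy to exclude only those users or apps rather than leaving the flow open for everyone.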


To learn more about these attacks and how we can secure your Microsoft 365 environment, download our whitepaper Hook, Line and Sinker: How Modern Phishing Bypasses Microsoft 365 and How to Stop It, and contact us today to upgrade your security!
