Beware of Device Code Phishing
Hackers are exploiting trusted authentication flows — like Microsoft Teams and IoT logins — to trick users into handing over access tokens, bypassing MFA and slipping undetected into corporate networks.
MFA reduces account takeover by requiring another proof of identity, limiting damage from stolen passwords; protect fallback and recovery paths too.
Search across headline titles and summaries.
Background for this topic.
MFA requires a user to prove identity with at least two different factor types: something they know, have, or are. It limits account takeover when a password is exposed, but protection depends on the factors and their implementation; two passwords are not independent factors, and a one-time code delivered by SMS is generally weaker than a phishing-resistant credential.
Attackers may steal or relay one-time codes through phishing, trigger repeated push prompts to induce approval, exploit weak enrollment or account-recovery processes, or hijack an authenticated session after MFA succeeds. Prefer phishing-resistant methods such as FIDO2/WebAuthn security keys or platform credentials for sensitive access, protect enrollment and recovery as strongly as login, restrict weaker fallbacks, and monitor unusual authentication activity. MFA reduces risk but does not replace endpoint, session, or privileged-access controls.
Hackers are exploiting trusted authentication flows — like Microsoft Teams and IoT logins — to trick users into handing over access tokens, bypassing MFA and slipping undetected into corporate networks.
Rapid7 found that 56% of all compromises in Q1 2025 resulted from the theft of valid account credentials with no MFA in place
Scattered Spider isn't one group — it's an identity-first threat model evolving fast. From vishing to AiTM phishing, they're exploiting MFA gaps to hijack the cloud. Watch the Push Security webinar to learn how their identity-based tactics work — and how to stop them. [...]