By Scott Carr.
Accounting and CPA firms have invested in multi-factor authentication, trained staff on phishing awareness, and tightened access controls. Those investments were sound. But a rapidly spreading attack technique is now rendering MFA insufficient on its own — and it’s hitting professional services firms with increasing frequency.
The attack is called device code phishing. It exploits a legitimate feature of Microsoft 365, requires no fake website, and works precisely because it uses Microsoft’s own infrastructure. Firm staff who fall for it do everything correctly from a security standpoint — and still hand an attacker complete access to their Microsoft 365 environment.
Understanding the Attack
Microsoft’s device code authentication was designed for hardware that can’t display a traditional login screen — smart TVs, shared conference room systems, and similar devices. Rather than entering credentials directly on the device, a user navigates to a trusted Microsoft page on a separate device and enters a short code. That code completes the authentication.
Threat actors have found a way to weaponize this flow. The attacker initiates the device login process themselves, generating a legitimate device code. They then send a phishing email — often appearing to share a tax document, client engagement file, or internal HR record — that walks the recipient through entering that code on Microsoft’s real login page. The victim completes their own MFA, confirms the login on a legitimate Microsoft domain, and unknowingly delivers a valid authentication token to the attacker.
Security researchers at Proofpoint confirmed a dramatic surge in these campaigns beginning in late 2025. Both financially motivated criminal groups and state-aligned threat actors are now using the technique at scale. The attacks have targeted professional services firms, financial institutions, and regulated industries specifically because the data these organizations hold is valuable and the accounts are connected to sensitive client records.
For CPA firms, the exposure is significant. A compromised Microsoft 365 account gives an attacker access to email archives, shared drives, client portals, and any integrated software connected to that identity — including tax preparation platforms, document management systems, and billing tools.
Steps Firms Should Take Now
Addressing this vulnerability requires both a technical configuration change and targeted staff education. Standard phishing awareness training does not cover device code phishing, because the visual indicators employees are taught to watch for — fake URLs, spoofed login pages, credential harvest forms — are absent. The attack happens on the real Microsoft website.
These are the steps firms should prioritize:
Block device code flow through Microsoft Entra Conditional Access. This is the most effective mitigation available. Firms can create a Conditional Access policy that prevents device code authentication for all users. Most accounting firms have no legitimate use case for this feature, and disabling it closes the primary attack vector. Microsoft recommends deploying the policy in report-only mode first to assess any operational impact before full enforcement.
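The following Microsoft Graph PowerShell script is an added example, not part of the article or Microsoft documentation. It creates the Conditional Access policy described above in report-only mode, scoped to all users and all applications, with the device code flow as the targeted authentication flow. The policy name, the break-glass exclusion and the placeholder object ID are this example's own assumptions; it requires a Graph PowerShell SDK version whose `conditionalAccessPolicy` model includes the `authenticationFlows` condition, and an account holding the Conditional Access Administrator role.

```powershell
# Added example (not from the article): create a Conditional Access policy that
# blocks the device code authentication flow for all users, deployed in
# report-only mode first so sign-in logs show what it would have blocked.
# Requires the Microsoft.Graph PowerShell SDK (Microsoft.Graph.Identity.SignIns).
#
# Assumptions (this example's, not the article's): the policy display name is
# arbitrary, and the break-glass object ID below is a placeholder that must be
# replaced with your own emergency-access account before running.

Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

$breakGlassAccountId = "<REPLACE-WITH-BREAK-GLASS-ACCOUNT-OBJECT-ID>"   # placeholder

$policy = @{
    displayName   = "Block device code flow (report-only pilot)"
    # Report-only: the policy is evaluated and logged, nothing is blocked yet.
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users        = @{
            includeUsers = @("All")
            # Blocking policies should always exclude emergency-access accounts.
            excludeUsers = @($breakGlassAccountId)
        }
        applications = @{ includeApplications = @("All") }
        # The authentication-flows condition targets the device code grant itself,
        # independent of which app or resource the sign-in is for.
        authenticationFlows = @{ transferMethods = "deviceCodeFlow" }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("block")
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
"Created policy '$($created.DisplayName)' (id $($created.Id)) in state '$($created.State)'"

# Once the report-only results in the Entra sign-in logs show no legitimate
# device code use, switch the same policy to enforced:
# Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id `
#     -BodyParameter @{ state = "enabled" }
```

Leave the policy in report-only mode long enough to cover a full billing or filing cycle; the "Report-only" tab on each sign-in record shows which sessions the policy would have blocked, which is also a quick way to discover any conference-room or kiosk device that actually depends on the flow.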
Conduct an OAuth application audit. Review every third-party application that has been granted access to the firm’s Microsoft 365 tenant. Post-compromise, attackers frequently authorize additional applications to establish persistent access. Anything not deliberately and currently authorized should be revoked.
Review sign-in logs for anomalies. Examine the Microsoft Entra sign-in logs for all firm accounts. Logins from unexpected geographic locations, unfamiliar device types, or outside normal business hours are indicators that warrant immediate investigation.
Check for unauthorized email forwarding rules. After a successful account takeover, attackers commonly create inbox rules that silently forward copies of outgoing email to an external address. This is one of the most common and least-noticed post-compromise actions.
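The script below is an added example, not from the article, that runs the three review steps above in one pass: it lists every OAuth permission grant in the tenant with the application holding it, pulls recent Entra sign-ins and isolates those completed through the device code grant, and flags inbox rules or mailbox settings that forward mail outside the firm. It uses the Microsoft Graph PowerShell SDK (the beta sign-in cmdlet, because the `authenticationProtocol` field that names the device code grant is surfaced there) and the ExchangeOnlineManagement module. The firm domain list, the 30-day lookback and the mailbox-level forwarding check are this example's own assumptions.

```powershell
# Added example (not from the article): post-compromise review covering OAuth
# grants, device-code sign-ins and external forwarding. Requires the
# Microsoft.Graph and Microsoft.Graph.Beta.Reports SDK modules plus
# ExchangeOnlineManagement, run by a reader-level directory role and an
# Exchange role that can read inbox rules.
#
# Assumptions (this example's, not the article's): $internalDomains holds the
# firm's own mail domains; 30 days is a constructed lookback window.

Connect-MgGraph -Scopes "AuditLog.Read.All", "Directory.Read.All", "Application.Read.All"
Connect-ExchangeOnline -ShowBanner:$false

$internalDomains = @("example-cpa.com")          # placeholder for your own domains
$since = (Get-Date).AddDays(-30).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ssZ")

# --- 1. OAuth application audit ---------------------------------------------
# Every delegated permission grant, resolved to the client application that
# holds it. Anything unrecognised or no longer in use is a revocation candidate:
# Remove-MgOauth2PermissionGrant -OAuth2PermissionGrantId <GrantId>
$grantReport = foreach ($g in (Get-MgOauth2PermissionGrant -All)) {
    $client = Get-MgServicePrincipal -ServicePrincipalId $g.ClientId -ErrorAction SilentlyContinue
    [pscustomobject]@{
        GrantId     = $g.Id
        Application = $client.DisplayName
        AppId       = $client.AppId
        ConsentType = $g.ConsentType     # 'AllPrincipals' = admin consent for every user
        Scope       = $g.Scope           # e.g. "Mail.Read offline_access"
    }
}
$grantReport | Sort-Object Application | Format-Table -AutoSize

# --- 2. Sign-in log review --------------------------------------------------
# A sign-in completed via the device code grant is the direct fingerprint of
# this attack. Country and OS columns make mismatches with the user's normal
# pattern (location, device type, time of day) easy to spot.
$signIns = Get-MgBetaAuditLogSignIn -Filter "createdDateTime ge $since" -All
$signIns |
    Where-Object { $_.AuthenticationProtocol -eq "deviceCode" } |
    Select-Object CreatedDateTime, UserPrincipalName, IpAddress,
        @{ n = "Country"; e = { $_.Location.CountryOrRegion } },
        @{ n = "OS";      e = { $_.DeviceDetail.OperatingSystem } },
        AppDisplayName |
    Sort-Object CreatedDateTime -Descending | Format-Table -AutoSize

# --- 3. Forwarding rules ----------------------------------------------------
# Exchange returns recipients in forms such as 'smtp:user@domain' or
# '"Name" [SMTP:user@domain]'; the regex pulls the domain out of either.
function Test-ExternalAddress([string]$address) {
    if (-not $address) { return $false }
    $m = [regex]::Match($address, '@([A-Za-z0-9.-]+)')
    if (-not $m.Success) { return $false }
    return ($internalDomains -notcontains $m.Groups[1].Value.ToLower())
}

foreach ($mbx in (Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox)) {
    # Mailbox-level forwarding set on the mailbox object itself.
    if ($mbx.ForwardingSmtpAddress -and (Test-ExternalAddress $mbx.ForwardingSmtpAddress)) {
        "MAILBOX FORWARDING: $($mbx.UserPrincipalName) -> $($mbx.ForwardingSmtpAddress)"
    }
    # Inbox rules that forward, forward-as-attachment or redirect externally.
    $rules = Get-InboxRule -Mailbox $mbx.UserPrincipalName -ErrorAction SilentlyContinue
    foreach ($r in $rules) {
        $targets  = @($r.ForwardTo) + @($r.ForwardAsAttachmentTo) + @($r.RedirectTo)
        $external = $targets | Where-Object { Test-ExternalAddress ([string]$_) }
        if ($external) {
            "INBOX RULE: $($mbx.UserPrincipalName) rule '$($r.Name)' -> " +
            "$($external -join ', ') (DeleteMessage=$($r.DeleteMessage))"
        }
    }
}
```

Rules that forward and also delete the message (`DeleteMessage=True`) deserve first attention, since they are built to keep the mailbox owner from noticing; the same loop is worth rerunning a week after remediation, because re-created rules are a common sign the attacker still holds a valid token.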
Deliver targeted staff training specific to this attack type. The critical message is simple: any request to enter a code on a Microsoft authentication page that the staff member did not themselves initiate is suspicious and should be reported immediately. That one rule, clearly communicated, is the behavioral control that complements the technical fix.
Confirm your cyber liability coverage addresses account takeover. Many policies include specific language around authentication-related incidents. Firms should review their coverage with their broker and understand the notification obligations that would apply in a confirmed compromise.
What Clients May Ask
Firm partners should be prepared for client questions if a breach occurs or if the topic arises in conversation. Clients in financial services are increasingly sophisticated about data security and have every right to ask how their records are protected.
The most common concern will be whether their financial data was accessible. A compromised email account means any document stored in or transmitted through that account during the window of unauthorized access is potentially exposed — including engagement letters, tax returns, financial statements, and payroll information.
Clients may also ask whether MFA alone provides sufficient protection. The direct answer is that it does not against this specific attack, and that the additional controls described above are necessary to address it. Firms that can demonstrate they have implemented those controls are in a better position to answer that question with confidence.
Scott Carr, owner of Farmhouse Networking in Grants Pass, Oregon, is a veteran Network & Computer Systems Architect with over 30 years of IT experience. For over a decade, he’s led his team in delivering proactive, secure, and fully managed IT services to more than 80 businesses — including accounting and finance firms that rely on data security, compliance, and efficiency. Scott’s hands-on, jargon-free approach ensures every client understands their technology and gains confidence in their systems. His firm is known for fast, responsive support — most issues are resolved within 15 minutes — and deep expertise in cybersecurity, network design, and IT compliance. Learn more about how Farmhouse Networking supports the accounting industry at https://www.farmhousenetworking.com/finance-it-support/.