CPU Squad

Pay attention to this fake “Microsoft” scam.

If an email asks you to enter a verification code on Microsoft's login page, don't enter the code.

That request is the giveaway for a phishing technique called device code phishing, which has hit over 340 organizations across the US, Canada, and Europe since February.

What makes this attack dangerous is that it bypasses Multi-Factor Authentication entirely, even strong MFA.

The attacker is tricking you into authorizing their device into your Microsoft 365 tenant.

You get an email about a shared SharePoint document, a payroll bonus PDF, or a meeting invitation from someone who looks legitimate.

The link sends you to login.microsoftonline.com, which is the real Microsoft login page.

The page asks you to type in a short verification code that was included in the email. You enter it and move on with your day.

But what you did was approve the attacker's device into your Microsoft 365 environment.

They now have a valid access token tied to your account.

They can read your email, download your files, and set up mailbox forwarding rules without ever needing your password again.

A turnkey phishing kit called EvilTokens started selling on Telegram in February 2026, which means even low-skill attackers can run these campaigns at scale.

To shut this attack down inside your business:

▶️ Block device code authentication flow in Entra ID for users who don't need it.

This protocol was designed for devices with limited input, which most office staff don't use. Open Conditional Access and create a policy that blocks device code flow by default.

▶️ Train your team. Microsoft will never email you a verification code to enter on its login page.

If a user gets an email instructing them to enter a code into login.microsoftonline.com, the email is phishing, no matter how legitimate the sender looks.

▶️ Use phishing-resistant MFA where possible, like FIDO2 hardware keys or Windows Hello for Business.

Authenticator app prompts are better than nothing, but they don't protect against this specific technique.

If you don't know how to do these things, let us know and we’ll help you out.

If a website ever tells you to press Windows Key + R, close the tab.

That single instruction is the giveaway for a fast-growing scam called ClickFix, which has been behind a wave of infostealer infections all year.

An infostealer is malware that scrapes every saved password, browser cookie, session token, and stored credit card...

You click a Google result that takes you to a hacked website.

A fake CAPTCHA pops up and tells you to press Windows Key + R, then Ctrl + V, then Enter to verify you're human.

The second you hit Enter, you've installed malware on your own machine.

This attack slips past most security tools because you run the command yourself.

No file was downloaded, so antivirus has nothing to scan.

The browser shows no warning.

From the operating system's perspective, you typed a command into a Windows utility, the same as any admin doing real work.

A few things you can do this week:

▶️ Tell your team that if any website prompts the user to press Win+R or paste something into the Run box, they should close the tab and report it.

▶️ Restrict PowerShell for non-IT staff using AppLocker or Windows Defender Application Control. Most office employees have no work reason to run PowerShell scripts.

▶️ Make sure your endpoint protection is doing behavioral monitoring and not just signature scanning. Microsoft Defender for Endpoint and most modern EDR tools have detection rules specifically for this attack chain.

There's no shame in falling for a fake CAPTCHA. They're designed to look real. But once your team knows the keystroke trick, this scam stops working on them.

We have all been in a webinar or Zoom call where the presenter shows a slide with a great quote or a long URL.

You scramble to write it down or take a screenshot before they change the slide and usually miss half of it.

If you use Microsoft PowerToys, you don't have to type anything.

Use the "Text Extractor" tool to draw a quick box around the text on the shared screen. It reads the pixels, converts them into real text, and copies it to your clipboard.

You can paste the notes directly into your own document without missing a beat of the presentation. It's one of those tiny tools that feels like magic every time you use it.