Keizer Computer It

Pay attention to this fake “Microsoft” scam.

If an email asks you to enter a verification code on Microsoft's login page, don't enter the code.

That request is the giveaway for a phishing technique called device code phishing, which has hit over 340 organizations across the US, Canada, and Europe since February.

What makes this attack dangerous is that it bypasses Multi-Factor Authentication entirely, even strong MFA.

The attacker is tricking you into authorizing their device into your Microsoft 365 tenant.

You get an email about a shared SharePoint document, a payroll bonus PDF, or a meeting invitation from someone who looks legitimate.

The link sends you to login.microsoftonline.com, which is the real Microsoft login page.

The page asks you to type in a short verification code that was included in the email. You enter it and move on with your day.

But what you did was approve the attacker's device into your Microsoft 365 environment.

They now have a valid access token tied to your account.

They can read your email, download your files, and set up mailbox forwarding rules without ever needing your password again.

A turnkey phishing kit called EvilTokens started selling on Telegram in February 2026, which means even low-skill attackers can run these campaigns at scale.

To shut this attack down inside your business:

▶️ Block device code authentication flow in Entra ID for users who don't need it.

This protocol was designed for devices with lim

If you run a business, an employee can easily email your client list to their personal account, whether by accident or on purpose.

Most companies just trust their staff not to do this.

But you need a technical rule that stops sensitive data from leaving your network in the first place.

If you use Microsoft 365, you can use a tool called Microsoft Purview to set up Data Loss Prevention rules.

When you turn this on, the system scans every outgoing email, Teams messages, SharePoint/OneDrive files, endpoint devices, browser activity, and Microsoft 365 Copilot prompts before processing.

If it detects sensitive information like Social Security numbers, credit card details, or specific internal company tags, it physically blocks the email.

You do not have to monitor employees manually.

Software companies are changing their terms of service to train their AI on your internal company data.

If you use tools like HubSpot, Salesforce, QuickBooks, or Asana, you need to run a privacy audit this week.

The idea that your data will be leaked to the public is a bit overstated. Most of these platforms anonymize the information�

However, they are still feeding your real business data into their external AI models.

Getting them to stop is not always a simple toggle switch in your account settings.

Many of these platforms force you to submit a formal support ticket or email request to opt out.

And even when you do, it does not retroactively remove the historical data they already grabbed.

To protect your information, prioritize enterprise software plans that include a strict "Do Not Train" clause in the contract.

You can also use automated privacy tools to enforce these rules across your entire software stack instead of doing it manually.

Granting AI agents access to your data comes with severe risks.

You should ONLY connect these automated systems to your live data if you have strict security boundaries.

Here are just a few of the permission controls you MUST implement:

✅ Restrict all AI agents to "read-only" access within your network.
✅ Deny the automated system any permission to authorize payments or move funds.
✅ Block the AI's ability to delete or permanently alter original files.
✅ Audit the API permissions of any third-party AI tool before connecting it.

That’s just the bare minimum.

You must define limitations and rules for every single process that AI touches.

If you want a full AI Acceptable Use Policy template to implement in your business, comment below with “AI” and we’ll send it to you.