
Device Code Phishing Is Bypassing MFA: What Small Practices Should Do

A New Way Around the MFA You Already Turned On

If your practice enabled multi-factor authentication (MFA) on Microsoft 365, you closed one of the most exploited doors in healthcare IT. That was the right move, and it still is. But attackers have found a way to walk past it — and it is now happening at scale.

The Hacker News reports that a phishing-as-a-service platform called Kali365, first observed in April 2026, is being used to obtain Microsoft 365 access tokens and bypass MFA “without intercepting the user’s credentials.” A separate kit, EvilTokens, runs the same style of attack at scale by abusing the OAuth 2.0 device authorization flow, according to the same reporting. The volume is not small: The Hacker News reports that Barracuda detected more than seven million device code attacks between March and April 2026.

“The surge of device code phishing is the natural progression of credential phishing,” Proofpoint noted, as quoted by The Hacker News. As more staff learn to spot credential phishing, criminals move to techniques that never ask for the password at all.

How the Attack Actually Works

Device code login exists for a good reason: it lets you sign in on devices that are awkward to type on or have no browser, like a smart TV, a conference-room display or a command-line tool. You start the login on one device, get a short code, and approve it on a second device you already trust.

Attackers turn that convenience into a trap. They start a login session themselves, then send a clinician a convincing email (a fake IT notice, a shared-document lure) that directs them to Microsoft’s real device login page and asks them to enter the attacker’s code. Because the page is genuine, the staff member signs in as usual and completes MFA for their own account; no lookalike domain is involved and nothing on screen looks wrong. The catch is that the code ties that approval to the session the attacker started, so the attacker’s session is the one that ends up authorized. The code only lives for a short window, typically about fifteen minutes, which is why the lures push urgency.

The result is not a stolen password. It is captured OAuth access and refresh tokens. As The Hacker News describes it, those tokens granted “immediate mailbox access and post-compromise activity,” and in some cases attackers set up inbox rules to hide security notifications and extend how long they went unnoticed. The refresh token matters most: it lets the attacker keep minting fresh access tokens long after the lure email is gone, with no further MFA prompt unless a policy forces one.
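Here is the exchange above reduced to code, as an added example that is not from the article or from any of the kits it mentions. It is a toy in-memory authorization server standing in for Microsoft Entra (ToyAuthServer, approve, blocked_users and run_phish are names chosen for this demo, and the verification URI is a placeholder); it follows the three steps of RFC 8628 and also goes one step past the text to show what a policy that refuses the device code flow for a user looks like from the attacker's side.

```python
"""Toy OAuth 2.0 device authorization grant (RFC 8628): why the victim's
approval hands tokens to whoever requested the code.

Added illustration, not code from the article or from any kit it names.
ToyAuthServer is an assumed in-memory stand-in for the identity provider;
approve(), blocked_users and run_phish() are names chosen for this demo.
Nothing here touches the network.
"""
import secrets
import time
from dataclasses import dataclass
from typing import Optional

DEVICE_GRANT = "urn:ietf:params:oauth:grant-type:device_code"  # RFC 8628 section 3.4


@dataclass
class Pending:
    user_code: str
    client_id: str
    scope: str
    expires_at: float
    approved_by: Optional[str] = None  # account that approved on the verification page
    denied: bool = False
    last_poll: float = 0.0


class ToyAuthServer:
    """Minimal authorization server for the three RFC 8628 steps."""

    def __init__(self, interval=5, lifetime=900, clock=time.time):
        self.interval, self.lifetime, self.clock = interval, lifetime, clock
        self.blocked_users = set()  # assumed stand-in for a policy that blocks the flow
        self._pending = {}          # device_code -> Pending
        self._user_codes = {}       # user_code -> device_code

    def device_authorization(self, client_id: str, scope: str) -> dict:
        """Step 1: the client (not the user) obtains a device_code/user_code pair."""
        device_code = secrets.token_urlsafe(32)
        user_code = f"{secrets.token_hex(2).upper()}-{secrets.token_hex(2).upper()}"
        self._pending[device_code] = Pending(user_code, client_id, scope,
                                             self.clock() + self.lifetime)
        self._user_codes[user_code] = device_code
        return {"device_code": device_code, "user_code": user_code,
                "verification_uri": "https://idp.example/devicelogin",  # placeholder
                "expires_in": self.lifetime, "interval": self.interval}

    def approve(self, user_code: str, signed_in_user: str) -> str:
        """Step 2: a signed-in, MFA-complete user types a code on the genuine page.

        The server sees only a valid session and a valid code; it cannot tell
        whether the person typing the code is the one who requested it.
        """
        device_code = self._user_codes.get(user_code)
        if device_code is None:
            return "invalid_code"
        p = self._pending[device_code]
        if self.clock() > p.expires_at:
            return "expired"
        if signed_in_user in self.blocked_users:
            p.denied = True  # policy refuses the device code flow for this user
            return "blocked_by_policy"
        p.approved_by = signed_in_user
        return "approved"

    def token(self, client_id: str, device_code: str, grant_type: str = DEVICE_GRANT) -> dict:
        """Step 3: the client polls; tokens go to whoever holds device_code."""
        if grant_type != DEVICE_GRANT:
            return {"error": "unsupported_grant_type"}
        p = self._pending.get(device_code)
        if p is None or p.client_id != client_id:
            return {"error": "invalid_grant"}
        now = self.clock()
        if now > p.expires_at:
            return {"error": "expired_token"}
        if now - p.last_poll < self.interval:
            p.last_poll = now
            return {"error": "slow_down"}  # polled faster than `interval`
        p.last_poll = now
        if p.denied:
            return {"error": "access_denied"}
        if p.approved_by is None:
            return {"error": "authorization_pending"}
        del self._pending[device_code]
        del self._user_codes[p.user_code]
        return {"access_token": secrets.token_urlsafe(24), "refresh_token": secrets.token_urlsafe(24),
                "token_type": "Bearer", "scope": p.scope, "sub": p.approved_by}


def run_phish(server: ToyAuthServer, victim: str = "dr.patel@clinic.example") -> dict:
    """Attacker requests the code, lures the victim into approving it, then polls."""
    attacker_client = "attacker-controlled-client"
    grant = server.device_authorization(attacker_client, "Mail.Read offline_access")
    # The lure e-mail carries only grant["user_code"]; the victim signs in on the
    # genuine verification page and enters it, satisfying MFA for their own account.
    status = server.approve(grant["user_code"], victim)
    return {"approve_status": status,
            "token_response": server.token(attacker_client, grant["device_code"])}


if __name__ == "__main__":
    print(run_phish(ToyAuthServer()))                    # tokens whose sub is the victim
    blocked = ToyAuthServer()
    blocked.blocked_users.add("dr.patel@clinic.example")  # flow blocked by policy
    print(run_phish(blocked))                             # access_denied
```

Run it and the first line printed is a token response whose `sub` is the victim's account even though the client that requested and polled for it is the attacker's; the server never saw anything but a legitimate sign-in and a valid code. The second line, with the user on the blocked list, is what a policy that refuses the device code flow turns the same lure into.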

Why This Matters for a Medical or Dental Practice

A compromised mailbox is rarely the end goal; it is the launching pad. Old emails routinely contain protected health information (PHI): referrals, lab results, insurance details, patient questions. An attacker reading that inbox means a reportable HIPAA breach on your hands. From there, they send internal phishing that staff trust because it comes from a real colleague, and they reset passwords on other connected services that use that mailbox for recovery.

The hard part is that your existing MFA prompt may show nothing wrong. The staff member did approve a login; they were just tricked about whose login it was. This is the gap between a control and the people who operate it, the gap so many healthcare breaches run through, and it is why security has to be a team effort rather than one setting you switch on and forget.

Practical Steps That Help

You do not need to overreact or buy something expensive. A few focused, affordable moves meaningfully raise the bar:

  • Restrict the device code flow. Most small practices never need device code sign-in. Conditional Access has an “Authentication flows” condition that targets the device code flow specifically; a policy that selects it and blocks access for the users and locations that do not need it removes this attack surface entirely. Check first for anything that legitimately uses it, such as a command-line tool or a shared display, and scope those as exceptions rather than leaving the flow open for everyone.
  • Move toward phishing-resistant authentication, and know what it does and does not cover. Passkeys and FIDO2 security keys are bound to the real site, so lookalike login pages that relay credentials and one-time codes stop working. They do not by themselves stop device code phishing: the staff member really is signing in to Microsoft, so the key’s origin check passes and the attacker’s session still gets approved. Pair them with the device code block above. See our guide on MFA for healthcare and where it matters most.
  • Adopt token-theft protections, with the right expectations. Google’s Chrome Device Bound Session Credentials feature, now generally available, cryptographically binds session cookies to a device so stolen cookies cannot be replayed to bypass MFA, BleepingComputer reports. That covers cookies lifted from a browser; the tokens in a device code attack are issued straight to the attacker’s client and never pass through the victim’s browser. On the Microsoft side, the comparable control is token protection in Conditional Access, which binds sign-in sessions to the device, though it is currently limited to certain Windows clients and apps.
  • Watch for malicious inbox rules that delete, mark as read, or shunt mail into rarely-opened folders (RSS Subscriptions, Archive, Deleted Items) when the subject or sender mentions security, sign-ins or passwords. They show up in the Unified Audit Log as New-InboxRule and Set-InboxRule events, often with a blank or one-character rule name, and they are a classic post-compromise tell.
  • Keep training current. Teach staff that a login prompt or code they didn’t personally start is a stop-and-call moment, and that a genuine Microsoft page does not make the request safe.
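As an added example that is not from the article, here is a small hunt over constructed Microsoft 365 Unified Audit Log records for the inbox-rule tell in the list above. The records mimic the AuditData shape of New-InboxRule and Set-InboxRule events; the users, IP addresses and rule names are made up, and the scoring weights are a starting point chosen for this demo, not a Microsoft rule set.

```python
"""Hunt for inbox rules that hide security notifications.

Added example, not from the article. SAMPLE_LOG is constructed to mimic the
AuditData JSON of Unified Audit Log entries for New-InboxRule/Set-InboxRule;
every user, IP and rule name in it is invented. Scoring weights are assumptions.
"""
import json
from typing import Iterable, List, Tuple

RULE_OPS = {"New-InboxRule", "Set-InboxRule"}
# Folders attackers use as a dumping ground because nobody looks there.
HIDE_FOLDERS = {"rss subscriptions", "rss feeds", "archive", "junk email",
                "deleted items", "conversation history", "notes"}
# Wording that appears in sign-in / security notifications.
ALERT_WORDS = ("security", "sign-in", "signin", "password", "unusual", "suspicious",
               "mfa", "verification", "alert", "hacked", "phish", "quarantine")
CONDITION_KEYS = ("SubjectContainsWords", "BodyContainsWords",
                  "SubjectOrBodyContainsWords", "FromAddressContainsWords", "From")

SAMPLE_LOG = r'''
{"CreationTime":"2026-04-14T09:12:41","Operation":"New-InboxRule","UserId":"dr.patel@clinic.example","ClientIP":"203.0.113.45","Parameters":[{"Name":"Name","Value":"."},{"Name":"SubjectContainsWords","Value":"security alert;unusual sign-in;password"},{"Name":"DeleteMessage","Value":"True"},{"Name":"MarkAsRead","Value":"True"}]}
{"CreationTime":"2026-04-14T10:02:03","Operation":"New-InboxRule","UserId":"frontdesk@clinic.example","ClientIP":"198.51.100.7","Parameters":[{"Name":"Name","Value":"Lab results"},{"Name":"FromAddressContainsWords","Value":"results@lab.example"},{"Name":"MoveToFolder","Value":"Lab Results"}]}
{"CreationTime":"2026-04-14T11:47:19","Operation":"Set-InboxRule","UserId":"dr.patel@clinic.example","ClientIP":"203.0.113.45","Parameters":[{"Name":"Identity","Value":"Quick sort"},{"Name":"FromAddressContainsWords","Value":"account-security-noreply@accountprotection.microsoft.com"},{"Name":"MoveToFolder","Value":"RSS Subscriptions"},{"Name":"MarkAsRead","Value":"True"},{"Name":"StopProcessingRules","Value":"True"}]}
{"CreationTime":"2026-04-14T11:48:02","Operation":"MailItemsAccessed","UserId":"dr.patel@clinic.example","ClientIP":"203.0.113.45"}
'''.strip()


def parameters(record: dict) -> dict:
    """Flatten the Name/Value pairs of an Exchange audit record into a dict."""
    return {p["Name"]: str(p.get("Value", "")) for p in record.get("Parameters", [])}


def is_true(value: str) -> bool:
    return value.strip().lower() == "true"


def rule_name(params: dict) -> str:
    # New-InboxRule carries the name in "Name"; Set-InboxRule addresses it via "Identity".
    return (params.get("Name") or params.get("Identity") or "").strip()


def score_rule(record: dict) -> Tuple[int, List[str]]:
    """Score one New-/Set-InboxRule record; higher means more like a hiding rule."""
    p = parameters(record)
    score, reasons = 0, []
    folder = p.get("MoveToFolder", "").strip().lower()
    if is_true(p.get("DeleteMessage", "")) or is_true(p.get("SoftDeleteMessage", "")):
        score += 2
        reasons.append("deletes matching mail")
    elif folder in HIDE_FOLDERS:
        score += 2
        reasons.append(f"moves mail to rarely-viewed folder {p['MoveToFolder']!r}")
    conditions = " ".join(p.get(k, "") for k in CONDITION_KEYS).lower()
    hits = [w for w in ALERT_WORDS if w in conditions]
    if hits:
        score += 2
        reasons.append("matches security-notification wording: " + ", ".join(hits))
    if is_true(p.get("MarkAsRead", "")):
        score += 1
        reasons.append("marks mail as read (no unread badge)")
    if len(rule_name(p)) <= 2:
        score += 1
        reasons.append(f"near-empty rule name {rule_name(p)!r}")
    return score, reasons


def hunt(lines: Iterable[str], threshold: int = 3) -> List[dict]:
    """Parse JSON-per-line audit records and return suspicious rules, worst first."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        if rec.get("Operation") not in RULE_OPS:
            continue
        score, reasons = score_rule(rec)
        if score >= threshold:
            findings.append({"time": rec.get("CreationTime"), "user": rec.get("UserId"),
                             "ip": rec.get("ClientIP"), "operation": rec["Operation"],
                             "rule_name": rule_name(parameters(rec)),
                             "score": score, "reasons": reasons})
    return sorted(findings, key=lambda f: -f["score"])


if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG.splitlines()):
        print(f"[{f['score']}] {f['time']} {f['user']} from {f['ip']}: "
              f"{f['operation']} {f['rule_name']!r}")
        for r in f["reasons"]:
            print("    -", r)
```

Against the sample, the two rules created from the same outside address are reported and the front desk's lab-results rule is not. For a real tenant, pull records with the Exchange Online cmdlet `Search-UnifiedAuditLog -Operations New-InboxRule,Set-InboxRule` over the window you care about and feed each record's `AuditData` string to `hunt()`; the same IP creating rules in a clinician's mailbox while also appearing in `MailItemsAccessed` events is the follow-up pivot.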

For the full technical breakdown of these campaigns, read The Hacker News reporting on Kali365 and EvilTokens.

The Byzantine Takeaway

MFA is still essential — this is not a reason to turn it off. It is a reminder that no single control is the finish line. Layered defense, current training, and tightening the settings attackers actually abuse are what keep a small practice ahead. These steps strengthen your security posture and support your HIPAA Security Rule efforts, and none of them requires an enterprise budget. For the bigger picture, see our HIPAA Security Rule resource hub.