In 2026, the phishing emails targeting your employees are no longer written by human attackers working from a script. They are generated by AI, personalized to your organization, and built to defeat the exact security tools most Central Texas businesses rely on. The threat is real, it is here now, and most business owners haven’t been told how different it looks from anything they’ve seen before.
Microsoft documented one of these campaigns this month, and the numbers are staggering: 10 to 15 separate AI-powered phishing campaigns running simultaneously every single day, with hundreds of Microsoft 365 accounts compromised across the country.
What Is at Stake
The specific attack Microsoft tracked in April 2026 is called device code phishing. The attacker sends your employee a message that appears to come from a trusted source: a vendor, a colleague, or a software platform they use. The message asks them to authenticate using a device code, which is a legitimate Microsoft feature designed for devices that can’t display a browser.
The employee enters the code. They see a standard Microsoft login screen. They complete the sign-in. And at that moment, the attacker captures their session token, a piece of data that lets them access the account as if they were that employee, without needing a password and without triggering a standard MFA challenge. The employee never knows anything happened.
The financial and operational consequences of a compromised Microsoft 365 account are serious. An attacker with access to an executive’s email can initiate wire transfers, redirect vendor payments, or access months of confidential correspondence before anyone notices. For the professional services firms, healthcare organizations, and nonprofits that make up much of our client base in Central Texas, a single compromised account can mean weeks of cleanup, regulatory reporting obligations, and irreparable damage to client trust.
For a reference on how Microsoft is documenting this threat, see Microsoft’s April 2026 security blog on AI-enabled device code phishing.
Why Central Texas Businesses Face This Challenge
Most businesses in the Austin, New Braunfels, and San Marcos area are running Microsoft 365 with default or near-default security configurations. When Microsoft 365 is set up by a general IT vendor or rolled out without a dedicated security review, device code authentication is often left open because it has legitimate uses and disabling it requires intentional configuration work.
At the same time, the AI-powered personalization of these attacks makes them far more convincing than anything employees have seen before. The phishing messages reference real projects, use familiar names, and arrive from spoofed addresses that look indistinguishable from the real thing. Employee training that was designed to spot clumsy, generic phishing emails is simply not equipped for this.
Businesses between 25 and 250 employees are disproportionately targeted because they are large enough to have valuable data and financial accounts, but typically lack the full-time security staff to monitor authentication logs or respond to anomalies in real time. One compromised account in a business without active monitoring can go undetected for weeks.
How CTTS Helps Austin Businesses Defend Against AI-Powered Threats
As one of the cybersecurity companies Austin businesses have relied on for years, CTTS approaches AI security threats the same way we approach every risk: with a practical plan tied to your actual environment, not a generic policy document.
The first step is a Microsoft 365 security audit. We review your tenant configuration, identify open authentication pathways like device code flows, and map out which users have permissions that exceed what their role actually requires. Overpermissioned accounts are one of the most common ways a single compromised login becomes a catastrophic breach. Our Cybersecurity Services team handles this review and delivers a plain-language report with specific, prioritized actions.
From there, we implement Conditional Access policies that restrict where and how users can authenticate. These policies can block device code authentication entirely for standard users while keeping it available for the specific use cases that legitimately require it. We also configure sign-in risk detection so that unusual authentication attempts trigger alerts and step-up verification rather than silently succeeding.
Ongoing monitoring is the third piece. Microsoft 365 generates sign-in logs that contain early warning signals for credential theft, but reading those logs requires both the technical knowledge to interpret them and the time to review them consistently. Our team does this as part of our managed services engagement, so threats get caught before they become incidents.
Best Practices for AI Security in 2026
Audit Your Microsoft 365 Tenant Configuration
The single most important step a Central Texas business can take right now is a review of its Microsoft 365 tenant’s authentication settings. This means specifically looking at whether device code authentication is open to all users, whether legacy authentication protocols are still enabled, and whether there are user accounts with admin-level permissions that are not actively monitored.
Many businesses that have been running Microsoft 365 for several years have never had a formal configuration review. The default settings that were acceptable five years ago create significant exposure today. A review does not have to be complex: it takes a few hours and surfaces the specific gaps that need to be closed.
Implement Conditional Access Policies
Conditional Access is a Microsoft 365 feature that allows you to define rules about when and how users can authenticate. You can require stronger verification when someone logs in from an unfamiliar device or location, block sign-ins from countries where you have no business activity, and restrict device code authentication to only the specific accounts that legitimately need it.
Most businesses with Microsoft 365 Business Premium or above already have access to Conditional Access and simply haven’t configured it. Getting these policies in place is one of the highest-ROI security steps available, and it directly addresses the AI phishing attacks documented this month.
Update Your Employee Security Training
Traditional phishing training teaches employees to look for bad grammar, suspicious links, and unfamiliar senders. AI-generated phishing messages pass all of those tests. The training needs to evolve to focus on process rather than content: never complete an unexpected authentication request without calling the person who supposedly sent it, and never enter a device code that arrived in an unsolicited message.
Short, scenario-based training works better than annual compliance modules. A 15-minute session showing employees what these AI-crafted messages look like, using real examples from recent attacks, is more effective than a lengthy policy document they read once and forget.
Monitor Sign-In Logs Proactively
Microsoft 365 logs every authentication attempt, including the device, location, IP address, and risk level. When a device code phishing attack succeeds, the sign-in logs show the attacker authenticating from an unusual location seconds or minutes after the legitimate user completed the flow. Without active monitoring, this signal goes unnoticed.
Businesses that review sign-in logs weekly catch compromises early. Businesses that review them monthly catch them after significant damage has been done. The goal is not to eliminate every authentication anomaly (there are legitimate reasons for some unusual sign-ins) but to have a process in place that flags the high-risk patterns and triggers a response.
Understand Your AI Governance Posture
Texas’s Responsible AI Governance Act took effect in January 2026, and while most of its compliance burden falls on larger enterprises, it signals a direction that businesses of all sizes should pay attention to. If your employees are using AI tools, whether that is Microsoft Copilot, ChatGPT, or other platforms, you need a clear policy about what data those tools can access and what they cannot.
The AI security gap is not just about attackers using AI against you. It is also about your own employees unintentionally feeding sensitive business data into AI tools that store and process that data on external servers. A simple AI use policy, reviewed and acknowledged by your team, reduces this risk substantially.
Take the Next Step
If your Microsoft 365 environment has not had a security review in the past 12 months, it almost certainly has configuration gaps that leave you exposed to the attacks being deployed right now. CTTS offers a free strategy session where we walk through your current setup, identify the specific risks in your tenant, and give you a clear, prioritized plan to close them.
Schedule a free strategy session with CTTS at CTTSonline.com.
Frequently Asked Questions
What is device code phishing and why is it dangerous for businesses?
Device code phishing is an attack technique that exploits a legitimate Microsoft authentication flow originally designed for devices that can’t display a full browser, like smart TVs or printers. An attacker sends a target a message containing a device code and asks them to enter it at a Microsoft authentication page. When the target completes the process, the attacker captures their session token, which grants full access to the target’s Microsoft 365 account.
The reason it is so dangerous is that it does not require the victim’s password and typically bypasses standard multi-factor authentication, because the legitimate Microsoft flow itself is what the attacker hijacks. Microsoft documented a sharp increase in these attacks in April 2026, with AI being used to craft highly personalized lures that are difficult to distinguish from legitimate messages.
Does MFA protect my business against these AI-powered phishing attacks?
Standard MFA does not fully protect against device code phishing, which is what makes this attack category particularly concerning. When a user enters a device code at the real Microsoft authentication site, the MFA challenge is completed as part of the legitimate flow, and the attacker captures the resulting session token before any protection can intervene. More advanced protections, such as phishing-resistant MFA methods like FIDO2 security keys or Microsoft Authenticator with number matching, do provide stronger protection.
Conditional Access policies that block device code authentication for standard users are the most direct defense. This is one of the reasons CTTS recommends a Microsoft 365 security configuration review for any business that has not had one in the past year.
How do I know if my Microsoft 365 account has been compromised?
The most reliable way to check for a compromise is through the Microsoft 365 admin center sign-in logs, which record every authentication event including the device, location, IP address, and risk score. Signs of compromise include sign-ins from unusual locations or IP addresses, especially shortly after a legitimate sign-in from a different location, as well as new mail forwarding rules, changes to authentication methods, or unexpected OAuth application permissions added to an account.
If you suspect your account has been compromised, the first steps are to revoke all active sessions, reset the account credentials, review and remove any new forwarding rules or OAuth permissions, and examine sent mail for evidence of unauthorized activity. CTTS can assist businesses in Georgetown, Bastrop, and across Central Texas with both the initial forensic review and the remediation steps that follow a confirmed compromise.
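The sign-in log signal described in the "Monitor Sign-In Logs Proactively" section and in the answer above (a device code sign-in followed minutes later by the same account appearing from a different IP address or country), as an added example that is not part of the original article or of CTTS's tooling. It assumes sign-in records exported from Microsoft Graph as JSON (the field names follow the Graph signIn schema); the sample users, addresses and timestamps are constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample records shaped like Microsoft Graph signIn entries (field names follow
# the Graph schema; users, addresses and times are invented). jdoe completes a device code
# flow from Austin and the account is then used from another country minutes later.
SAMPLE_SIGNINS = [
    {"userPrincipalName": "jdoe@example.com", "createdDateTime": "2026-04-14T14:02:11Z",
     "ipAddress": "203.0.113.10", "location": {"countryOrRegion": "US"},
     "authenticationProtocol": "deviceCode"},
    {"userPrincipalName": "jdoe@example.com", "createdDateTime": "2026-04-14T14:05:40Z",
     "ipAddress": "198.51.100.77", "location": {"countryOrRegion": "NL"},
     "authenticationProtocol": "oAuth2"},
    {"userPrincipalName": "asmith@example.com", "createdDateTime": "2026-04-14T15:00:00Z",
     "ipAddress": "203.0.113.10", "location": {"countryOrRegion": "US"},
     "authenticationProtocol": "deviceCode"},
    {"userPrincipalName": "asmith@example.com", "createdDateTime": "2026-04-14T15:03:00Z",
     "ipAddress": "203.0.113.10", "location": {"countryOrRegion": "US"},
     "authenticationProtocol": "oAuth2"},
]

def _ts(value):
    """Parse the UTC timestamp format used in the sign-in log."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")

def find_device_code_followups(signins, window_minutes=10):
    """Flag each deviceCode sign-in that is followed within window_minutes by a
    sign-in for the same user from a different IP address or country."""
    by_user = {}
    for event in sorted(signins, key=lambda e: _ts(e["createdDateTime"])):
        by_user.setdefault(event["userPrincipalName"], []).append(event)
    alerts = []
    for upn, events in by_user.items():
        for i, event in enumerate(events):
            if event.get("authenticationProtocol") != "deviceCode":
                continue
            started = _ts(event["createdDateTime"])
            for later in events[i + 1:]:
                delta = _ts(later["createdDateTime"]) - started
                if delta > timedelta(minutes=window_minutes):
                    break  # events are time-ordered, so nothing later can qualify
                if (later["ipAddress"] != event["ipAddress"]
                        or later["location"]["countryOrRegion"] != event["location"]["countryOrRegion"]):
                    alerts.append({"user": upn, "device_code_at": event["createdDateTime"],
                                   "followup_ip": later["ipAddress"],
                                   "minutes_after": round(delta.total_seconds() / 60, 1)})
    return alerts

if __name__ == "__main__":
    print(find_device_code_followups(SAMPLE_SIGNINS))
```

Each alert is a starting point for the triage steps listed above (revoke sessions, reset credentials, check forwarding rules and OAuth grants), not a verdict on its own, since a user who legitimately switches networks right after a device code sign-in will also trip it.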
Contact CTTS today for IT support and managed services in Austin, TX. Let us handle your IT so you can focus on growing your business. Visit CTTSonline.com or call us at (512) 388-5559 to get started!
