May 18, 2026

Microsoft 365 Device Code Phishing: What Boston SMBs Need to Know in 2026

Phishing is getting smarter in 2026, and one tactic Boston-area businesses should pay attention to is device code phishing. This attack goes after Microsoft 365 identities and can fool users even when MFA is enabled.

For SMBs across Boston and Massachusetts, that matters. A single compromised Microsoft 365 account can expose email, Teams chats, SharePoint files, and internal contacts in a hurry.

## What is device code phishing?

Device code phishing abuses a legitimate Microsoft authentication flow meant for devices with limited input, such as TVs or conference room hardware. Normally, a user sees a short code and enters it on a Microsoft sign-in page from another device.

In a phishing scenario, the attacker starts that process first: they request a device code from Microsoft and then trick the victim into entering it. The user is often taken to a real Microsoft login page, which makes the request feel legitimate.

That is why this tactic is effective: it does not always look like a fake login page or a classic password theft attempt.

## Why this is a bigger deal in 2026

This is not just a niche technique anymore. Microsoft reported on April 6, 2026 that it observed a widespread AI-enabled campaign abusing the device code flow to compromise organizational accounts at scale. Proofpoint reported on May 13, 2026 that it saw several device code phishing variants during a short window in April 2026. Microsoft also noted on April 30, 2026 that device code phishing was showing up as an emerging email threat technique.

In plain English: attackers are testing and scaling this now.

## Why MFA alone is not enough

Device code phishing takes advantage of user trust. The victim may sign in on a legitimate Microsoft page and complete MFA successfully, but they are actually approving access to a session the attacker initiated.

That creates a few problems:

– The login page may be real
– The MFA prompt may be real
– The user may think they did everything right
– The attacker can still gain access to Microsoft 365 data

For a small business running on Outlook, Teams, OneDrive, and SharePoint, that can turn into a business disruption fast.

## Warning signs your team should know

Train employees to slow down when they see:

– Unsolicited requests to enter a Microsoft verification code
– Email or chat messages tied to urgent file shares, voicemail alerts, or meeting issues
– Sign-in prompts that do not match what the user was doing
– Requests to approve a device or app they did not start
– Repeated MFA prompts after a normal login already happened

If the reaction is, “It is a Microsoft page, so it must be safe,” that is exactly the mindset attackers want.

## What Boston SMBs should do now

You do not need a giant enterprise budget to reduce risk, but you do need a tighter identity playbook.

### 1. Update security awareness training
Teach users that a real Microsoft sign-in page can still be part of a phishing attack if the process was attacker-initiated.

### 2. Review Microsoft 365 identity controls
Take a fresh look at Conditional Access, risky sign-in alerts, token monitoring, app consent, and other authentication policies.

### 3. Protect high-value accounts first
Executives, finance, HR, and admins should have stricter monitoring and stronger sign-in controls than standard users.

### 4. Make reporting easy
If staff can report suspicious prompts quickly, your team has a better chance of stopping an incident before it spreads.

### 5. Watch for unusual account behavior
Impossible travel, odd sign-in locations, strange mailbox activity, and unexpected application access should all trigger review.
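Step 5 is easier when device code sign-ins are pulled out of the noise. The script below is an added example, not Boston Managed IT's tooling: it triages constructed records shaped like Microsoft Entra ID sign-in log entries (the Graph `signIn` resource exposes the flow as `authenticationProtocol: "deviceCode"`), raising successful device code sign-ins for high-value accounts or unexpected countries to the top. The account list and expected countries are assumptions to adapt to your tenant.

```python
import json

# Constructed sample records in the shape of Entra ID sign-in log entries.
# Field names follow the Graph signIn resource; values are made up.
SAMPLE_SIGNINS = """
{"userPrincipalName":"cfo@example.com","authenticationProtocol":"deviceCode","location":{"countryOrRegion":"RO"},"status":{"errorCode":0},"appDisplayName":"Microsoft Office"}
{"userPrincipalName":"frontdesk@example.com","authenticationProtocol":"none","location":{"countryOrRegion":"US"},"status":{"errorCode":0},"appDisplayName":"Microsoft Teams"}
{"userPrincipalName":"hr@example.com","authenticationProtocol":"deviceCode","location":{"countryOrRegion":"US"},"status":{"errorCode":0},"appDisplayName":"Microsoft Office"}
{"userPrincipalName":"sales@example.com","authenticationProtocol":"deviceCode","location":{"countryOrRegion":"US"},"status":{"errorCode":0},"appDisplayName":"Microsoft Office"}
{"userPrincipalName":"admin@example.com","authenticationProtocol":"deviceCode","location":{"countryOrRegion":"US"},"status":{"errorCode":50126},"appDisplayName":"Microsoft Office"}
"""

# Assumed per-tenant settings: accounts that get stricter review (step 3)
# and the countries where staff normally sign in from.
HIGH_VALUE = {"cfo@example.com", "hr@example.com", "admin@example.com"}
EXPECTED_COUNTRIES = {"US"}


def triage_device_code_signins(log_text, high_value=HIGH_VALUE,
                               expected=EXPECTED_COUNTRIES):
    """Return one finding per device code sign-in, with a review severity.

    A successful device code sign-in has already passed MFA, so it is the
    event to review; a failed one is still worth a low-severity note.
    """
    findings = []
    for line in log_text.strip().splitlines():
        rec = json.loads(line)
        if rec.get("authenticationProtocol") != "deviceCode":
            continue  # interactive/browser sign-ins are out of scope here
        user = rec["userPrincipalName"]
        country = rec.get("location", {}).get("countryOrRegion", "??")
        succeeded = rec.get("status", {}).get("errorCode") == 0
        if not succeeded:
            severity = "low"
        elif user in high_value or country not in expected:
            severity = "high"
        else:
            severity = "medium"
        findings.append({"user": user, "country": country,
                         "app": rec.get("appDisplayName"),
                         "succeeded": succeeded, "severity": severity})
    return findings


if __name__ == "__main__":
    for f in triage_device_code_signins(SAMPLE_SIGNINS):
        print(f"[{f['severity']:<6}] {f['user']} from {f['country']} "
              f"via {f['app']} succeeded={f['succeeded']}")
```

If nobody in the business uses conference room hardware or similar limited-input devices, every device code sign-in is unexpected and the whole list deserves a look.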

## Why outsourced monitoring helps

Most SMBs do not have someone watching Microsoft 365 identity activity all day. That is where a managed IT partner can help by reviewing policies, monitoring suspicious sign-ins, and responding faster when something looks off.

For Massachusetts businesses, speed matters. The sooner suspicious access is caught, the smaller the mess.

## Final takeaway

Device code phishing is another reminder that modern attacks are targeting user trust as much as technology. If your company uses Microsoft 365, this belongs on your radar now.

Boston Managed IT helps SMBs across Boston and Massachusetts harden Microsoft 365, improve phishing resilience, and respond faster to suspicious sign-in activity. If you want a practical review of your Microsoft 365 security posture, let’s talk.
