Microsoft: Criminals can access your accounts without your password
- Lewis Bleasdale
- Jul 7
- 3 min read

Ever feel like just when you've got your cyber security sorted, something new pops up to complicate things?
That's exactly what's happening now.
A new scam is circulating, and it's catching businesses like yours off guard.
The worst part?
Cyber criminals don't even need your password.
It's alarming...
This scam is known as device code phishing. It abuses a legitimate sign-in method, the OAuth 2.0 device authorization flow, which Microsoft provides so that devices without a proper browser or keyboard (smart TVs, printers, command-line tools) can sign in by showing you a short code to type on another device. Microsoft recently highlighted a surge in these attacks, and we're likely to see more.
This differs from the usual phishing scams you might know about. Typically, phishing involves tricking people into revealing their usernames and passwords on fake websites.
But with device code phishing, scammers have a smarter approach.
Instead of stealing your password, they get you to willingly give them access to your account by using genuine Microsoft login pages, making it appear completely legitimate.
It often starts with a convincing email, perhaps looking like it's from your HR department or a colleague, inviting you to a Microsoft Teams meeting. You click the link, and it takes you to a real Microsoft login screen.
Everything seems normal.
You're asked to enter a short code provided in the email, supposedly needed to join the meeting or complete the login. The page you're on is Microsoft's real device login page, the one that normally asks for a code displayed by a device you yourself are trying to sign in.
Here's the twist: By entering that code, you're not logging yourself in... you're logging them in.
You're unknowingly approving the attacker's sign-in. The code in the email was generated when the attacker started a sign-in on their own device, and by entering it you attach your account to their session. Microsoft then hands the attacker the access and refresh tokens for your account. And because everything happens through Microsoft's real login, multi-factor authentication (MFA) isn't bypassed in the technical sense: you complete the MFA prompt yourself, and that approval counts for the attacker's session.
Yes, even with extra security in place, they still get access, because you satisfied it for them.
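The exchange described above, as an added example that is not part of the original article and not Microsoft's code: a toy model of the device authorization flow showing who holds which secret at each step. The server class, endpoint names, codes and the user "alice@example.com" are all constructed for the illustration; the point it reproduces is that the human only ever sees the short user code, while the tokens are delivered to whoever started the flow.

```python
"""Toy model of the OAuth 2.0 device authorization flow (RFC 8628) as abused
by device code phishing. Added example for this article; it is a simulation,
not Microsoft's code. All names, codes and tokens are constructed."""
import secrets
import time
from dataclasses import dataclass
from typing import Optional


@dataclass
class DeviceAuthRequest:
    client_id: str
    device_code: str              # held only by the client (the attacker's machine)
    user_code: str                # the short code shown to, or emailed to, the human
    expires_at: float
    authorized_by: Optional[str] = None   # set once a user completes sign-in
    mfa_satisfied: bool = False


class ToyAuthorizationServer:
    """Stand-in for the identity provider. Real endpoints and formats differ;
    this only reproduces which party holds which secret at each step."""

    def __init__(self) -> None:
        self._by_device_code: dict = {}
        self._by_user_code: dict = {}

    def start_device_authorization(self, client_id: str, ttl: float = 900) -> dict:
        # Step 1: the CLIENT (attacker) calls the device authorization endpoint
        # and receives both codes. Only the user_code is ever sent to the victim.
        req = DeviceAuthRequest(
            client_id=client_id,
            device_code=secrets.token_urlsafe(32),
            user_code=secrets.token_hex(4).upper(),   # constructed 8-char code
            expires_at=time.time() + ttl,
        )
        self._by_device_code[req.device_code] = req
        self._by_user_code[req.user_code] = req
        return {"device_code": req.device_code, "user_code": req.user_code,
                "verification_uri": "https://toy.example/devicelogin",
                "expires_in": ttl}

    def user_enters_code(self, user_code: str, username: str,
                         password_ok: bool, mfa_ok: bool) -> str:
        # Step 2: the HUMAN visits the genuine verification page, types the code
        # and completes password + MFA. Nothing here tells them whose session it is.
        req = self._by_user_code.get(user_code)
        if req is None or time.time() > req.expires_at:
            return "invalid_or_expired_code"
        if not (password_ok and mfa_ok):
            return "authentication_failed"
        req.authorized_by = username
        req.mfa_satisfied = mfa_ok
        return "authorized"

    def poll_token(self, device_code: str) -> dict:
        # Step 3: the CLIENT polls the token endpoint with its device_code.
        # Once the human has approved, the tokens go to the client, not the human.
        req = self._by_device_code.get(device_code)
        if req is None or time.time() > req.expires_at:
            return {"error": "expired_token"}
        if req.authorized_by is None:
            return {"error": "authorization_pending"}
        return {"access_token": "at-" + secrets.token_hex(8),
                "refresh_token": "rt-" + secrets.token_hex(8),
                "subject": req.authorized_by,
                "mfa_satisfied": req.mfa_satisfied}


def run_phish_scenario() -> dict:
    """Walk through the attack: attacker starts the flow, victim types the code."""
    server = ToyAuthorizationServer()
    attacker = server.start_device_authorization(client_id="teams-lookalike-client")
    # Before the victim does anything the attacker has nothing but a pending request.
    pending = server.poll_token(attacker["device_code"])
    # The victim receives only the user_code (e.g. inside a fake Teams invite),
    # goes to the real login page and completes password and MFA.
    outcome = server.user_enters_code(attacker["user_code"], "alice@example.com",
                                      password_ok=True, mfa_ok=True)
    tokens = server.poll_token(attacker["device_code"])
    return {"before": pending.get("error"), "victim_saw": outcome, "tokens": tokens}


if __name__ == "__main__":
    print(run_phish_scenario())
```

Note that the victim's side of the exchange is identical to a genuine device sign-in; the only difference is that the client that called `start_device_authorization` belongs to the attacker.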
Once they're in, they can cause significant harm. Reading your emails, accessing your files, even using your account to deceive others in your company. It's like handing over the keys to your office without realizing it.
It's dangerous because it doesn't appear suspicious. You're on a real Microsoft site, not a dubious fake. You didn't click a strange link or enter your password into a phishing form. Everything seems legitimate... but it's not.
And since the sign-in goes through Microsoft's legitimate login, traditional security tools don't always detect it: in the logs it looks like a successful sign-in by you, with MFA satisfied. What gives it away is the sign-in method (device code) combined with an unfamiliar device or location, and only tools that look for that combination will notice.
Moreover, once they're in, they can remain in. They don't need to keep logging in: they hold your access and refresh tokens (a kind of digital "pass" that keeps you logged in), and the refresh token can be exchanged for new access tokens for as long as it stays valid. Changing your password helps, but tokens already issued can keep working until they expire or are revoked, so your IT team should also revoke the account's sign-in sessions to shut the attacker out immediately.
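One way to spot these sign-ins in the logs, as an added example that is not part of the original article and not a Microsoft tool: the records below are constructed and only approximate the fields of the Microsoft Graph sign-in log (`authenticationProtocol`, `ipAddress`, `location`, `status`); the users, IPs and countries are invented. The check flags every successful device-code sign-in and raises the severity when the country differs from everything that user has signed in from by ordinary means.

```python
"""Flag device-code sign-ins in Entra-style sign-in logs. Added example for
this article, not Microsoft's code. The records are constructed and only
approximate the Microsoft Graph signIn resource; IPs are documentation ranges."""
import json
from collections import defaultdict
from typing import Dict, List, Set

SAMPLE_LOG = """
{"createdDateTime":"2025-07-01T08:02:11Z","userPrincipalName":"alice@example.com","appDisplayName":"Microsoft Teams","authenticationProtocol":"oAuth2","ipAddress":"203.0.113.10","location":{"countryOrRegion":"GB"},"status":{"errorCode":0}}
{"createdDateTime":"2025-07-02T09:15:40Z","userPrincipalName":"alice@example.com","appDisplayName":"Office 365 Exchange Online","authenticationProtocol":"oAuth2","ipAddress":"203.0.113.10","location":{"countryOrRegion":"GB"},"status":{"errorCode":0}}
{"createdDateTime":"2025-07-02T10:00:00Z","userPrincipalName":"bob@example.com","appDisplayName":"Microsoft Teams","authenticationProtocol":"oAuth2","ipAddress":"203.0.113.22","location":{"countryOrRegion":"GB"},"status":{"errorCode":0}}
{"createdDateTime":"2025-07-03T13:47:05Z","userPrincipalName":"alice@example.com","appDisplayName":"Microsoft Office","authenticationProtocol":"deviceCode","ipAddress":"198.51.100.77","location":{"countryOrRegion":"RU"},"status":{"errorCode":0}}
{"createdDateTime":"2025-07-03T14:01:30Z","userPrincipalName":"bob@example.com","appDisplayName":"Azure CLI","authenticationProtocol":"deviceCode","ipAddress":"203.0.113.22","location":{"countryOrRegion":"GB"},"status":{"errorCode":0}}
{"createdDateTime":"2025-07-03T14:05:00Z","userPrincipalName":"carol@example.com","appDisplayName":"Microsoft Teams","authenticationProtocol":"deviceCode","ipAddress":"198.51.100.78","location":{"countryOrRegion":"RU"},"status":{"errorCode":50126}}
"""


def parse_signins(text: str) -> List[dict]:
    """One JSON object per line, blank lines ignored."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def baseline_countries(records: List[dict]) -> Dict[str, Set[str]]:
    """Countries each user has successfully signed in from WITHOUT device code."""
    base: Dict[str, Set[str]] = defaultdict(set)
    for r in records:
        if r.get("authenticationProtocol") != "deviceCode" and r["status"]["errorCode"] == 0:
            base[r["userPrincipalName"]].add(r["location"]["countryOrRegion"])
    return base


def find_device_code_signins(records: List[dict]) -> List[dict]:
    """Return a finding for every successful device-code sign-in.

    Severity is 'high' when the user has a baseline and the sign-in country is
    not in it; otherwise 'medium'. Failed attempts (non-zero errorCode) are
    skipped here, though a burst of them is worth a separate hunt."""
    base = baseline_countries(records)
    findings = []
    for r in records:
        if r.get("authenticationProtocol") != "deviceCode" or r["status"]["errorCode"] != 0:
            continue
        user = r["userPrincipalName"]
        country = r["location"]["countryOrRegion"]
        reasons = ["device_code_signin"]
        known = base.get(user, set())
        if not known:
            reasons.append("no_prior_baseline")
        elif country not in known:
            reasons.append("country_not_in_baseline")
        findings.append({
            "user": user,
            "time": r["createdDateTime"],
            "ip": r["ipAddress"],
            "country": country,
            "app": r.get("appDisplayName"),
            "severity": "high" if "country_not_in_baseline" in reasons else "medium",
            "reasons": reasons,
        })
    return findings


if __name__ == "__main__":
    for f in find_device_code_signins(parse_signins(SAMPLE_LOG)):
        print(f["severity"].upper(), f["user"], f["country"], f["app"], f["reasons"])
```

In this constructed sample alice's device-code sign-in from a country she has never used comes out high, bob's Azure CLI sign-in from his usual country comes out medium (device code is a normal way to sign in to a CLI), and carol's failed attempt is skipped. The same first filter in Microsoft Sentinel is `SigninLogs | where AuthenticationProtocol == "deviceCode"`; the baseline comparison is what turns that list into something worth paging on.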
The big question: How can you protect your business?
Start by encouraging your team to be extra cautious with login requests, especially those involving entering codes. If you receive a device code from someone, pause and consider: Did I request this? Am I sure it's genuine?
If you're uncertain, don't proceed. Use a different method, like a direct phone call or your company's messaging system, to verify with the person who sent the email.
Remember, in a genuine device code sign-in the code is displayed by the device you are trying to sign in (a TV, a printer, a command-line tool on your own machine), and you type it yourself. A code that arrives by email, chat or phone from someone else is a warning sign, whoever it appears to come from.
From a technical standpoint, your IT team (or IT provider) can also enhance security. If your business doesn't rely on device code sign-in for daily operations (it's mostly needed for headless devices and some command-line tools), it's best to block it entirely with a Conditional Access policy, ideally rolled out in report-only mode first to find anyone who genuinely uses it. They can also add Conditional Access policies that only permit sign-ins from trusted locations or compliant, managed devices, and they should have a response plan that revokes a compromised user's sessions rather than only resetting the password.
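The Conditional Access policy that blocks device code flow, as an added example that is not part of the original article and not Microsoft's own tooling: the policy body below uses the authentication-flows condition of the Microsoft Graph Conditional Access API, and the submission goes to the v1.0 `identity/conditionalAccess/policies` endpoint with an app or admin token that has the `Policy.ReadWrite.ConditionalAccess` permission. The group ID, token handling and the report-only default are assumptions for the illustration; verify the property names against the current Graph documentation for your tenant before enforcing.

```python
"""Build (and optionally submit) a Conditional Access policy that blocks the
device code flow. Added example for this article, not Microsoft's code.
Assumes the Graph v1.0 conditionalAccessPolicy schema with the
authenticationFlows condition; check current docs before relying on it."""
import json
import os
import urllib.request
from typing import Iterable, Optional

GRAPH_URL = "https://graph.microsoft.com/v1.0"


def block_device_code_policy(exclude_group_ids: Iterable[str] = (),
                             enforce: bool = False,
                             display_name: str = "Block device code flow") -> dict:
    """Policy body: all users, all apps, any client, device code flow -> block.

    Starts in report-only mode so the sign-in logs show who would be affected;
    pass enforce=True once headless devices and CLI users have been excluded
    via a group (and keep a break-glass account in that exclusion)."""
    return {
        "displayName": display_name,
        "state": "enabled" if enforce else "enabledForReportingButNotEnforced",
        "conditions": {
            "users": {
                "includeUsers": ["All"],
                "excludeGroups": list(exclude_group_ids),
            },
            "applications": {"includeApplications": ["All"]},
            "clientAppTypes": ["all"],
            # The condition that singles out device code sign-ins.
            "authenticationFlows": {"transferMethods": "deviceCodeFlow"},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }


def apply_policy(policy: dict, access_token: str, base_url: str = GRAPH_URL) -> dict:
    """POST the policy to Graph and return the created object. Network call;
    requires Policy.ReadWrite.ConditionalAccess on the token."""
    body = json.dumps(policy).encode("utf-8")
    req = urllib.request.Request(
        f"{base_url}/identity/conditionalAccess/policies",
        data=body,
        method="POST",
        headers={"Authorization": f"Bearer {access_token}",
                 "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def main(token: Optional[str] = None) -> dict:
    # Hypothetical exclusion group for the few accounts that need device code
    # (e.g. a headless-device service account) plus the break-glass account.
    policy = block_device_code_policy(
        exclude_group_ids=["00000000-0000-0000-0000-000000000001"])  # constructed ID
    if token:
        return apply_policy(policy, token)
    print(json.dumps(policy, indent=2))   # dry run: show what would be submitted
    return policy


if __name__ == "__main__":
    main(os.environ.get("GRAPH_TOKEN"))
```

Run it without `GRAPH_TOKEN` set to print the policy JSON for review; the same body can be pasted into Graph Explorer. Leave the policy in report-only mode for a week, then search the sign-in logs for sign-ins where this policy reported "would block" before switching `enforce=True`.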
Finally, continue educating your team. Effective cyber security relies on awareness. If your team knows what to watch for, they're much less likely to fall for these tactics.
Need help strengthening your security? Get in touch.