Criminals can access your accounts without your password

Just when you think your cyber security is solid, something new comes along to disrupt your defences. The latest threat catching businesses off guard is a particularly sly scam called device code phishing. Unlike traditional phishing attacks that try to steal your login credentials via fake websites, this technique is far more subtle and, worryingly, harder to detect. Microsoft has raised the alarm on a surge of these attacks, and it’s clear they are becoming more widespread.

Rather than attempting to steal your password, criminals now trick people into approving access for them, using genuine Microsoft login pages. A common tactic is a convincing email that appears to come from someone inside your company, such as HR or a colleague, often with an invitation to a Teams meeting. The link leads to Microsoft's real device login page, so nothing looks wrong, and you are asked to enter a short "device code" that the email says you need to join the meeting. What the email does not say is that the attacker generated that code by starting a sign-in of their own, on their own machine, and is waiting for someone to approve it.

The catch is this: by signing in and entering the code, you are not logging yourself in, you are approving the attacker's pending sign-in. This does not break multi-factor authentication so much as sidestep it: you complete the password and MFA prompts yourself, on Microsoft's genuine site, and the resulting access is handed to whoever started the flow. Once inside your account, the attacker can read sensitive emails and files and impersonate you to target others in your organisation. Because every step used legitimate Microsoft systems, many security tools see nothing unusual. And because the attacker is issued their own access and refresh tokens, rather than capturing yours, they may stay signed in even after you change your password unless the account's sessions are revoked.
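As an added example (not code from the original post, and not Microsoft's implementation), here is a toy, offline simulation of the OAuth 2.0 device authorization grant that this attack abuses. The identity provider, the client name "teams-lookalike", the user "alice@example.com" and the verification URL are all invented for the example, and the rule that a password change leaves issued tokens alone is an assumption made to illustrate the last point above; the three steps themselves follow the standard flow (RFC 8628) that the real endpoints implement.

```python
"""Toy walk-through of the OAuth 2.0 device authorization grant (RFC 8628).

Added example, not code from the original post or from Microsoft. The identity
provider, client and users are simulated in memory so this runs offline. It
shows the mechanic the post describes: tokens go to whoever STARTED the flow,
not to the person who typed the code, and the victim's own password and MFA
are what approve the request.
"""
import secrets
import time


class ToyIdentityProvider:
    """Stand-in for an IdP's device-authorization, verification and token endpoints."""

    def __init__(self):
        self.pending = {}          # device_code -> pending sign-in request
        self.by_user_code = {}     # user_code   -> device_code
        self.refresh_tokens = {}   # refresh_token -> user who approved it
        self.passwords = {}        # user -> password (only used by change_password)

    def device_authorization(self, client_id):
        """Step 1: the client (here, the attacker's script) starts a sign-in.
        It keeps the secret device_code and sends the short user_code to the victim."""
        device_code = secrets.token_urlsafe(32)
        user_code = f"{secrets.token_hex(2).upper()}-{secrets.token_hex(2).upper()}"
        self.pending[device_code] = {
            "client_id": client_id, "user_code": user_code,
            "approved_by": None, "expires": time.time() + 900,
        }
        self.by_user_code[user_code] = device_code
        return {"device_code": device_code, "user_code": user_code,
                "verification_uri": "https://idp.example/devicelogin", "interval": 5}

    def user_enters_code(self, user_code, user, mfa_satisfied):
        """Step 2: a human signs in on the IdP's GENUINE verification page and
        types the code. The IdP binds the pending request to that user. Nothing
        here is fake, which is why checking the URL does not catch the attack."""
        device_code = self.by_user_code.get(user_code)
        if device_code is None:
            return "invalid_code"
        if not mfa_satisfied:
            return "mfa_required"        # MFA is enforced, but on the victim
        self.pending[device_code]["approved_by"] = user
        return "approved"

    def poll_token(self, device_code, client_id):
        """Step 3: the client polls the token endpoint with its device_code."""
        req = self.pending.get(device_code)
        if req is None or req["client_id"] != client_id:
            return {"error": "invalid_grant"}
        if time.time() > req["expires"]:
            return {"error": "expired_token"}
        if req["approved_by"] is None:
            return {"error": "authorization_pending"}
        refresh_token = secrets.token_urlsafe(32)
        self.refresh_tokens[refresh_token] = req["approved_by"]
        return {"access_token": secrets.token_urlsafe(16),
                "refresh_token": refresh_token, "subject": req["approved_by"]}

    def refresh(self, refresh_token):
        """Redeem a refresh token for a new access token, if it is still valid."""
        user = self.refresh_tokens.get(refresh_token)
        if user is None:
            return None
        return {"access_token": secrets.token_urlsafe(16), "subject": user}

    def change_password(self, user, new_password):
        """Rotating the password does not, in this model, touch tokens already
        issued (an assumption for illustration; real IdP behaviour varies)."""
        self.passwords[user] = new_password

    def revoke_sessions(self, user):
        """The response that actually ends the attacker's access."""
        self.refresh_tokens = {t: u for t, u in self.refresh_tokens.items() if u != user}


def run_phish_scenario(victim="alice@example.com"):
    """Play out the attack the post describes and report who holds the tokens."""
    idp = ToyIdentityProvider()
    attacker = idp.device_authorization(client_id="teams-lookalike")
    before = idp.poll_token(attacker["device_code"], "teams-lookalike")["error"]
    # ... the attacker emails attacker["user_code"] plus the real verification_uri ...
    outcome = idp.user_enters_code(attacker["user_code"], victim, mfa_satisfied=True)
    tokens = idp.poll_token(attacker["device_code"], "teams-lookalike")
    idp.change_password(victim, "new-and-strong")
    after_pw_change = idp.refresh(tokens["refresh_token"]) is not None
    idp.revoke_sessions(victim)
    after_revoke = idp.refresh(tokens["refresh_token"]) is not None
    return {"before_victim_acts": before, "victim_result": outcome,
            "token_subject": tokens["subject"],
            "attacker_still_in_after_password_change": after_pw_change,
            "attacker_still_in_after_revoke": after_revoke}


if __name__ == "__main__":
    for key, value in run_phish_scenario().items():
        print(f"{key}: {value}")
```

Running it shows the attacker's first poll returning `authorization_pending`, the victim's approval succeeding with MFA satisfied, the token being issued with the victim as its subject, and the attacker's refresh token surviving the password change but not the session revocation.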

To protect your business, treat any request to enter a code as a red flag. A genuine device code is one you asked for yourself, on a device that cannot show a normal login screen (a meeting room display or a command-line tool, for example); nobody needs to send you one to join a Teams meeting, and a Microsoft login should never involve typing a code that someone else gave you. If such a request arrives, stop and check with the sender through a separate channel such as a phone call or internal chat. On the technical side, if your organisation does not use device code sign-in regularly, block it: in Microsoft Entra this is a Conditional Access policy that uses the "Authentication flows" condition to block the device code flow. Your IT team can also restrict sign-ins to trusted named locations, review the sign-in logs for authentications that used the device code protocol, and, if an account is suspected of compromise, revoke its sessions rather than relying on a password reset alone. And finally, regular staff training is essential; awareness is your strongest defence against these attacks.
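To show what the log review looks like in practice, here is an added example (not from the original post) that hunts a small batch of sign-in records for device code authentications outside trusted locations and for one source address approving sign-ins for several users. The records are constructed to resemble Microsoft Entra ID sign-in log entries as exposed by the Graph signIn resource (field names authenticationProtocol, ipAddress, userPrincipalName, appDisplayName and status.errorCode); every value, every user name and the trusted office range are invented for the example.

```python
"""Hunt sign-in logs for device-code authentications outside trusted locations.

Added example, not from the original post. The records below are constructed
to look like Entra ID sign-in entries (Graph signIn field names); the values,
users and the "trusted" office range are all invented for the example.
"""
import ipaddress
from collections import Counter

# Assumed corporate egress range (TEST-NET-3, documentation address space).
TRUSTED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]

# Constructed sample records.
SIGN_INS = [
    {"createdDateTime": "2025-03-03T08:55:10Z", "userPrincipalName": "alice@example.com",
     "authenticationProtocol": "oAuth2", "ipAddress": "203.0.113.17",
     "appDisplayName": "Microsoft Teams", "status": {"errorCode": 0}},
    {"createdDateTime": "2025-03-03T09:12:44Z", "userPrincipalName": "alice@example.com",
     "authenticationProtocol": "deviceCode", "ipAddress": "198.51.100.23",
     "appDisplayName": "Microsoft Office", "status": {"errorCode": 0}},
    {"createdDateTime": "2025-03-03T09:30:01Z", "userPrincipalName": "devops@example.com",
     "authenticationProtocol": "deviceCode", "ipAddress": "203.0.113.40",
     "appDisplayName": "Microsoft Azure CLI", "status": {"errorCode": 0}},
    {"createdDateTime": "2025-03-03T10:02:19Z", "userPrincipalName": "bob@example.com",
     "authenticationProtocol": "deviceCode", "ipAddress": "198.51.100.23",
     "appDisplayName": "Microsoft Office", "status": {"errorCode": 50126}},  # failed sign-in
    {"createdDateTime": "2025-03-03T10:05:33Z", "userPrincipalName": "bob@example.com",
     "authenticationProtocol": "deviceCode", "ipAddress": "198.51.100.23",
     "appDisplayName": "Microsoft Office", "status": {"errorCode": 0}},
]


def is_trusted(ip_text, trusted=TRUSTED_NETWORKS):
    """True when the source IP falls inside one of the trusted networks."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return any(ip in net for net in trusted)


def device_code_baseline(records):
    """Which accounts use the device code flow at all, and how often.
    An account that has never used it before is the interesting one."""
    return Counter(r["userPrincipalName"] for r in records
                   if r["authenticationProtocol"] == "deviceCode")


def suspicious_device_code_signins(records, trusted=TRUSTED_NETWORKS):
    """Successful device-code sign-ins from outside trusted locations."""
    return [r for r in records
            if r["authenticationProtocol"] == "deviceCode"
            and r["status"].get("errorCode") == 0
            and not is_trusted(r["ipAddress"], trusted)]


def shared_source_ips(records, trusted=TRUSTED_NETWORKS):
    """One address behind device-code sign-ins for several users points at a
    single phishing operator rather than many personal devices."""
    users_by_ip = {}
    for r in suspicious_device_code_signins(records, trusted):
        users_by_ip.setdefault(r["ipAddress"], set()).add(r["userPrincipalName"])
    return {ip: sorted(users) for ip, users in users_by_ip.items() if len(users) > 1}


if __name__ == "__main__":
    print("device code users:", dict(device_code_baseline(SIGN_INS)))
    for hit in suspicious_device_code_signins(SIGN_INS):
        print(f"{hit['createdDateTime']} {hit['userPrincipalName']} via device code "
              f"from {hit['ipAddress']} ({hit['appDisplayName']})")
    print("shared source IPs:", shared_source_ips(SIGN_INS))
```

On the sample data the devops account's device code sign-in from the office range is left alone (that is what a legitimate CLI login looks like), while the two successful sign-ins from the same outside address for two different users are flagged together. Against real logs, feed the records straight from your sign-in log export and replace the trusted range with your Conditional Access named locations.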

To Find Out More Book Your Appointment Here

If you'd like to know more or want to book a no-obligation 10-minute call with our Managing Director and cybersecurity expert, Mark Cronin, click the link below: