Just when you think your cyber security is sorted – BAM! Something new crops up that puts your business at risk.
This time, it’s a sophisticated phishing attack that doesn’t require your password. That’s right: cyber criminals can gain access to your Microsoft account even if you never share your login credentials.
Microsoft has raised the alarm about a growing threat known as device code phishing – a tactic that’s increasingly being used to target unsuspecting businesses across the UK and beyond.

What Is Device Code Phishing and Why Is It So Dangerous?
Unlike traditional phishing scams that rely on tricking users into entering usernames and passwords on fake websites, device code phishing takes a smarter – and more convincing – approach.
Attackers use genuine Microsoft login pages to trick you into granting them access. That’s what makes this scam so dangerous: everything appears legitimate.
Here’s how it usually works:
- You receive an email that looks like it’s from a colleague, manager, or even HR.
- It might invite you to a Microsoft Teams meeting or prompt you to log in for an urgent task.
- You’re directed to a real Microsoft login page – no red flags there.
- You’re then asked to enter a short “device code” provided in the email.
What you don’t realise is that the code was generated by a sign-in the attacker started on their own device. By entering it, you tell Microsoft to approve that sign-in – so the attacker’s device ends up logged into your Microsoft account.
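To make the sequence above concrete, here is a toy model of the OAuth 2.0 device authorization grant (RFC 8628), which is the mechanism behind “device code” sign-in. It is an added illustration, not Microsoft’s code: the server, the code lifetimes and the “blocked by policy” switch are constructed for the example. The point it shows is that the token is always handed to whichever device requested the code, not to the person who typed it in.

```python
"""Toy model of the OAuth 2.0 device authorization grant (RFC 8628), the flow
behind "device code" sign-in.  Added illustration, not Microsoft's code: the
server, codes and policy switch below are constructed for the example."""
import secrets
import string
from dataclasses import dataclass, field
from typing import Optional


class DeviceFlowError(Exception):
    """Mirrors the error codes RFC 8628 defines for the token endpoint."""


@dataclass
class PendingAuthorization:
    device_code: str            # secret handle held by the device that started the flow
    user_code: str              # short code a human types in on the verification page
    client_name: str            # the device/app that asked for the code
    expires_at: int             # constructed clock value (seconds)
    approved_by: Optional[str] = None


@dataclass
class ToyAuthorizationServer:
    now: int = 0                         # constructed clock, advanced by the caller
    device_flow_allowed: bool = True     # tenant policy: False models "device code flow blocked"
    code_lifetime: int = 900             # 15 minutes, a typical lifetime
    pending: dict = field(default_factory=dict)
    issued: list = field(default_factory=list)

    def request_device_authorization(self, client_name):
        """Step 1: a device asks for a code pair. The user is not involved yet."""
        if not self.device_flow_allowed:
            raise DeviceFlowError("access_denied: device code flow is blocked by policy")
        device_code = secrets.token_urlsafe(32)
        alphabet = string.ascii_uppercase + string.digits
        user_code = "".join(secrets.choice(alphabet) for _ in range(9))
        self.pending[device_code] = PendingAuthorization(
            device_code, user_code, client_name, self.now + self.code_lifetime)
        return device_code, user_code

    def user_enters_code(self, user, user_code):
        """Step 2: a signed-in user types a user_code on the genuine verification page.
        Whoever holds the matching device_code is the party being approved."""
        for auth in self.pending.values():
            if auth.user_code == user_code and self.now < auth.expires_at:
                auth.approved_by = user
                return auth.client_name
        raise DeviceFlowError("invalid or expired user code")

    def poll_token(self, device_code):
        """Step 3: the device polls with its device_code and, once approved, gets the token."""
        auth = self.pending.get(device_code)
        if auth is None:
            raise DeviceFlowError("invalid_grant")
        if self.now >= auth.expires_at:
            del self.pending[device_code]
            raise DeviceFlowError("expired_token")
        if auth.approved_by is None:
            raise DeviceFlowError("authorization_pending")
        del self.pending[device_code]
        token = {"sub": auth.approved_by, "issued_to": auth.client_name}
        self.issued.append((auth.approved_by, auth.client_name))
        return token


def walk_through(block_device_flow=False):
    """Runs the flow where the code was requested by a device the user does not own.
    Returns the name of the device that received the token, or None if policy blocked it."""
    server = ToyAuthorizationServer(device_flow_allowed=not block_device_flow)
    try:
        device_code, user_code = server.request_device_authorization("unknown-laptop")
    except DeviceFlowError:
        return None
    # The user was handed user_code in an email and types it on the real verification page.
    server.user_enters_code("alice@example.com", user_code)
    token = server.poll_token(device_code)
    return token["issued_to"]


if __name__ == "__main__":
    print(walk_through())                        # the token goes to "unknown-laptop"
    print(walk_through(block_device_flow=True))  # None: policy stopped step 1
```

Two details of the model carry over to the real flow: the server never checks that the person approving the code is the same person who requested it, and the only place a tenant can stop the sequence is before step 1, by not allowing the flow at all.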
How Attackers Bypass MFA and Stay Hidden
This phishing method is particularly troubling because it can sidestep multi-factor authentication (MFA). Even if your business has MFA in place (and it should), you complete the MFA prompt yourself as part of what looks like a legitimate sign-in on Microsoft’s official systems – and that approval is attached to the attacker’s session.
Once inside, the attacker can:
- Read and send emails
- Access sensitive files and shared folders
- Impersonate you to deceive colleagues or clients
- Move laterally through your organisation’s systems
Even more worrying: they can often maintain access using the session tokens issued to their device, which means that changing your password won’t immediately log them out – those sessions have to be revoked as well.
Why Traditional Security Tools May Not Spot It
Device code phishing is difficult to detect because it doesn’t involve suspicious links or dodgy websites. Everything seems above board:
- A genuine Microsoft URL
- No request for a password
- No obvious phishing indicators
And because the attack doesn’t involve installing malware or stealing passwords, traditional security software may not flag it.
How to Protect Your Business from Device Code Phishing
Fortunately, there are steps you can take right now to reduce your risk and protect your business.
1. Educate Your Team
Awareness is your first line of defence. Teach your employees to be extra cautious when:
- They’re asked to enter any kind of access code
- They receive unexpected login prompts or meeting invitations
- The request appears time-sensitive or urgent
If something feels off, it probably is. Encourage your team to verify any unusual login requests directly with the sender using a separate communication channel – like a phone call or internal messaging system.
2. Remember: Real Microsoft Logins Don’t Involve Third-Party Codes
A genuine Microsoft sign-in never requires a code that another person has sent you by email. If you’re asked to enter a device code that someone else has supplied, it’s a red flag.
3. Review and Restrict Device Code Authentication
From a technical standpoint, your IT provider or internal IT team should:
- Disable device code authentication if it’s not needed in your daily operations
- Limit logins to trusted devices and locations using conditional access policies
- Monitor sign-in activity for unusual patterns, in particular device code sign-ins from unfamiliar locations or applications
4. Conduct Ongoing Cyber Security Training
Cyber threats evolve constantly. Regular staff training and simulated phishing tests can help build a culture of awareness and reduce the risk of human error.
Need Help Strengthening Your Cyber Security?
Device code phishing is just the latest in a long line of cyber threats facing businesses today – but with the right support, it doesn’t have to put your organisation at risk.
We help businesses across the UK build smarter, stronger defences against modern cyber attacks. From staff training to advanced threat detection, we’ve got you covered.
Ready to tighten up your cyber security? Get in touch with our team today.