Microsoft warns of a new scam that gains access without your password

Just when you think you’ve got all bases covered with your cyber security, along comes a new threat that makes you rethink things.
Well, this is one of those moments.
Microsoft has warned that there is a new scam targeting businesses.
It’s known as device code phishing, and the scary part is that cyber criminals don’t even need your password.
Microsoft says it is seeing an increase in these attacks and believes more businesses will be targeted as the technique becomes more popular.
You’ve probably heard about phishing scams in the past, where cyber criminals trick people into giving away their login credentials. But this one’s a little bit different.
With this attack, scammers use a much smarter approach. Instead of tricking you into giving them your password, they get you to voluntarily give them full access to your account. And it’s done via authentic Microsoft login pages, making it difficult to spot.
It tends to start with a convincing email. It may look like an email from an internal department or a colleague which requests that you join a Teams meeting. The link provided then directs you to a real Microsoft login page.
So far, everything seems to check out.
You’re then asked to enter a ‘device code’, provided in the initial email, to finish logging in and join the meeting.
Here’s the thing: when you enter the code, you’re not logging yourself in, but logging the scammer into your account.
With this scam, you’re giving the attacker full access to your Microsoft account on their device. And, since it uses proper Microsoft login pages, they can potentially bypass multi-factor authentication (MFA) too.
Even though you have the correct security measures in place, they may still get in.
Once they have access, they can cause significant damage, such as reading through confidential emails and documents, or using your account to trick colleagues and clients.
What makes it so tricky is that it doesn’t look suspicious. It’s not trying to direct you to some phishing page to enter your details. Instead, it uses real Microsoft login pages, so security tools don’t always pick it up.
And, once they’ve captured your session token, they can stay logged in. Even changing the account password won’t necessarily kick them out straight away.
So, how do you protect your business from this new threat?
It all starts with awareness of this new threat. Advise staff to be sceptical about login requests, especially if that request involves entering codes.
The key thing to remember is, Microsoft logins don’t require codes from someone else. If it happens, it’s a red flag.
If you get a device code, ask yourself: did I request this? If you’re unsure, don’t proceed, and follow up directly with the person who sent the email. Phone them or use the internal company messaging service to double check authenticity. If the activity is deemed to be malicious, revert to company policy on cyber threats and report it to the IT team to investigate further.
Your IT team (or IT provider) can also make some changes to further secure against this threat. They can turn off device code logins if not needed in daily operations, and limit logins to specific devices and locations.
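To make the IT team’s side of this concrete, here is an added example (not from the original post or from Microsoft) of how sign-in records can be triaged for the attack flow described above: it pulls out every sign-in that used the device code flow and raises the severity when the sign-in came from an unexpected country or an unmanaged device, which is what a scammer’s own device would look like. The records below are constructed sample data whose field names are modelled on the Microsoft Graph sign-in resource (`authenticationProtocol`, `location`, `deviceDetail`); treat that shape, and the allowed-country list, as assumptions to adapt to your own export.

```python
"""Triage Entra ID sign-in records for device code flow abuse.

Added example, not code from the original post. Field names are an
assumption modelled on the Microsoft Graph signIn resource, where
authenticationProtocol == "deviceCode" marks the device code flow.
"""
from dataclasses import dataclass

ALLOWED_COUNTRIES = {"GB"}  # assumption: where this business normally signs in from

# Constructed sample records; the IP addresses and names are invented.
SAMPLE_SIGNINS = [
    {"userPrincipalName": "alice@example.com", "authenticationProtocol": "none",
     "ipAddress": "198.51.100.7", "location": {"countryOrRegion": "GB"},
     "deviceDetail": {"isManaged": True}, "createdDateTime": "2025-02-14T09:02:11Z"},
    {"userPrincipalName": "alice@example.com", "authenticationProtocol": "deviceCode",
     "ipAddress": "203.0.113.45", "location": {"countryOrRegion": "NL"},
     "deviceDetail": {"isManaged": False}, "createdDateTime": "2025-02-14T09:14:30Z"},
    {"userPrincipalName": "bob@example.com", "authenticationProtocol": "deviceCode",
     "ipAddress": "198.51.100.22", "location": {"countryOrRegion": "GB"},
     "deviceDetail": {"isManaged": True}, "createdDateTime": "2025-02-14T10:01:02Z"},
    {"userPrincipalName": "carol@example.com", "authenticationProtocol": "deviceCode",
     "ipAddress": "192.0.2.99", "location": {"countryOrRegion": "US"},
     "deviceDetail": {"isManaged": False}, "createdDateTime": "2025-02-14T10:05:40Z"},
    {"userPrincipalName": "carol@example.com", "authenticationProtocol": "deviceCode",
     "ipAddress": "192.0.2.99", "location": {"countryOrRegion": "US"},
     "deviceDetail": {"isManaged": False}, "createdDateTime": "2025-02-14T10:06:12Z"},
]


@dataclass
class Finding:
    user: str
    severity: str
    reasons: list
    ip: str
    when: str


def assess(record, allowed_countries=ALLOWED_COUNTRIES):
    """Return a Finding for a device code sign-in, or None for any other protocol."""
    if record.get("authenticationProtocol") != "deviceCode":
        return None
    reasons = ["device code flow used"]
    country = record.get("location", {}).get("countryOrRegion")
    if country not in allowed_countries:
        reasons.append(f"sign-in from unexpected country {country}")
    if not record.get("deviceDetail", {}).get("isManaged", False):
        reasons.append("device is not managed by the organisation")
    # Every device code sign-in deserves a look; an unexpected country or an
    # unmanaged device means the session most likely landed on someone else's machine.
    severity = "high" if len(reasons) > 1 else "review"
    return Finding(record["userPrincipalName"], severity, reasons,
                   record.get("ipAddress", "?"), record.get("createdDateTime", "?"))


def triage(signins, allowed_countries=ALLOWED_COUNTRIES):
    """Return findings (high severity first, then by time) and the users whose
    sessions should be revoked, since a password change alone won't end them."""
    findings = [f for f in (assess(r, allowed_countries) for r in signins) if f]
    findings.sort(key=lambda f: (f.severity != "high", f.when))
    revoke = sorted({f.user for f in findings if f.severity == "high"})
    return findings, revoke


if __name__ == "__main__":
    findings, revoke = triage(SAMPLE_SIGNINS)
    for f in findings:
        print(f"[{f.severity:6}] {f.user} from {f.ip} at {f.when}: " + "; ".join(f.reasons))
    print("Revoke sessions and reset credentials for:", ", ".join(revoke) or "nobody")
```

Run against the sample data, Alice’s and Carol’s device code sign-ins come out as high severity while Bob’s managed, in-country sign-in is only marked for review. The revocation list is the point: because the scammer holds a session token, the response is to revoke the user’s sessions and refresh tokens as well as resetting the password. If the device code flow isn’t needed day to day, blocking it outright in Conditional Access (Entra ID has an authentication flows condition for this) removes the whole class of sign-in from the logs rather than just flagging it.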
And finally, we come back, full circle to training. Awareness of current threats is an ongoing effort and is essential in keeping the organisation secure. People are far less likely to be tricked if they are aware and know what to look for.
If it’s time to rethink your security, get in touch.