Just when you finally feel your cyber-defences are locked down, a fresh threat appears out of nowhere.
Right now that threat is device-code phishing – a sneaky scam Microsoft has started warning about, and it’s already ensnaring businesses like yours.
Why it’s worse than the usual phishing email
Traditional phishing aims to steal your username and password via a fake site. Device-code phishing takes a smarter route: it convinces you to open the door yourself. Attackers send a convincing email – perhaps posing as HR or a co-worker inviting you to a Teams meeting. The link really does lead to a genuine Microsoft sign-in page, so nothing looks suspicious.
You’re then asked to type a short “device code” supplied in the email. Enter it, and – bam – you’ve just signed the attacker’s device into your Microsoft account. Because you complete a genuine Microsoft sign-in (including any MFA prompt) on the attacker’s behalf, the scam can slip past multi-factor authentication (MFA) without ever needing your password.
What can happen next
Once inside, criminals can:
- Read mail and download files
- Impersonate you to colleagues, suppliers, or customers
- Stay logged in even after you change your password, because the session and refresh tokens they captured remain valid until revoked
Spotting – and stopping – the scam
- Pause before entering any code. Ask yourself: did I request this? Legitimate Microsoft logins never involve someone else emailing you a code to type in.
- Verify out-of-band. If you’re unsure, phone or message the sender through a known channel to confirm.
- Disable device-code auth if you don’t need it. Your IT team can block the device-code flow and enforce rules that only allow sign-ins from trusted devices or locations.
- Keep educating your people. The best defence is an informed team that recognises red flags before clicking.
Need help shoring up your defences? Let’s talk.
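The “disable it and watch for it” advice above, as an added example that is not part of the original post: a small triage script that flags completed device-code sign-ins in Microsoft Entra sign-in records and checks whether a Conditional Access policy actually blocks the flow. The sign-in records and the policy are constructed for this example; the field names follow the Microsoft Graph signIn and conditionalAccessPolicy schemas (authenticationProtocol, location.countryOrRegion, conditions.authenticationFlows.transferMethods), but the values, user names and the “known countries” set are assumptions, not data from the page.

```python
"""Added example (not the original post's code): triage device-code sign-ins
and check that a Conditional Access policy blocks the device-code flow.
All records below are constructed; field names follow the Microsoft Graph
signIn / conditionalAccessPolicy schemas, values are invented."""
from dataclasses import dataclass

# Constructed sample sign-in records, shaped like Graph signIn objects.
SIGN_INS = [
    {"id": "s1", "userPrincipalName": "alice@example.com", "appDisplayName": "Microsoft Teams",
     "authenticationProtocol": "oAuth2", "ipAddress": "203.0.113.10",
     "location": {"countryOrRegion": "GB"}, "status": {"errorCode": 0}},
    {"id": "s2", "userPrincipalName": "alice@example.com", "appDisplayName": "Microsoft Office",
     "authenticationProtocol": "deviceCode", "ipAddress": "203.0.113.11",
     "location": {"countryOrRegion": "GB"}, "status": {"errorCode": 0}},
    {"id": "s3", "userPrincipalName": "bob@example.com", "appDisplayName": "Microsoft Office",
     "authenticationProtocol": "deviceCode", "ipAddress": "198.51.100.7",
     "location": {"countryOrRegion": "NL"}, "status": {"errorCode": 50126}},  # failed attempt
    {"id": "s4", "userPrincipalName": "alice@example.com", "appDisplayName": "Microsoft Office",
     "authenticationProtocol": "deviceCode", "ipAddress": "192.0.2.55",
     "location": {"countryOrRegion": "US"}, "status": {"errorCode": 0}},
]

# Assumption for this example: the organisation normally signs in from GB.
KNOWN_COUNTRIES = {"GB"}


@dataclass
class Finding:
    sign_in_id: str
    user: str
    ip: str
    country: str
    severity: str
    reason: str


def triage_device_code_sign_ins(records, known_countries=KNOWN_COUNTRIES):
    """Return a Finding for every *successful* device-code sign-in.
    Sign-ins from outside the known countries are rated high; the rest are
    medium, because the user still has to confirm they started the flow."""
    findings = []
    for rec in records:
        if rec.get("authenticationProtocol") != "deviceCode":
            continue
        if rec.get("status", {}).get("errorCode", 0) != 0:
            continue  # a failed attempt granted nothing; keep for context only
        country = rec.get("location", {}).get("countryOrRegion", "??")
        if country not in known_countries:
            severity, reason = "high", f"device-code sign-in completed from unusual location {country}"
        else:
            severity, reason = "medium", "device-code sign-in completed; confirm the user initiated it"
        findings.append(Finding(rec["id"], rec["userPrincipalName"], rec.get("ipAddress", "?"),
                                country, severity, reason))
    return findings


# Constructed Conditional Access policy that blocks the device-code flow.
BLOCK_POLICY = {
    "displayName": "Block device code flow (example)",
    "state": "enabled",
    "conditions": {
        "users": {"includeUsers": ["All"]},
        "applications": {"includeApplications": ["All"]},
        "authenticationFlows": {"transferMethods": "deviceCodeFlow"},
    },
    "grantControls": {"operator": "OR", "builtInControls": ["block"]},
}


def policy_blocks_device_code(policy):
    """True only if the policy is enabled (not report-only), targets the
    deviceCodeFlow transfer method, and its grant control is 'block'."""
    if policy.get("state") != "enabled":
        return False
    flows = policy.get("conditions", {}).get("authenticationFlows") or {}
    methods = {m.strip() for m in flows.get("transferMethods", "").split(",") if m.strip()}
    controls = (policy.get("grantControls") or {}).get("builtInControls", [])
    return "deviceCodeFlow" in methods and "block" in controls


if __name__ == "__main__":
    for f in triage_device_code_sign_ins(SIGN_INS):
        print(f"[{f.severity.upper()}] {f.user} from {f.ip} ({f.country}): {f.reason}")
    print("policy blocks device code:", policy_blocks_device_code(BLOCK_POLICY))
```

In practice the records would come from the Graph sign-in logs export or a SIEM; the point is that a device-code sign-in is visible as its own authentication protocol, so it can be alerted on directly, and that a policy left in report-only mode does not actually stop the flow.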