Criminals Can Access Your Accounts Without Your Password

There’s a new scam doing the rounds. And it’s catching out businesses just like yours!

Cyber security is a constantly evolving battlefield. Just as you think your systems are airtight, cyber criminals devise clever new ways to sneak in. At this very moment, a new scam called device code phishing is targeting businesses, and it’s catching many organisations off guard. The worst part? Criminals can access your accounts without your password. Scary, isn’t it?

Microsoft has recently flagged a significant wave of these attacks, and there's every reason to believe they’ll continue to rise. Understanding this scam and how to protect your business is crucial — whether you manage your own IT or rely on professional IT support.

What Is Device Code Phishing?

Traditional phishing scams rely on tricking victims into entering their usernames and passwords on fake, deceptive websites. Device code phishing is different and more sophisticated. Instead of stealing your password, scammers invite you to voluntarily grant them access to your account — and they do it using genuine Microsoft login pages, making everything look legitimate.

It usually begins with a convincing email, often masquerading as a message from HR or a colleague inviting you to a Microsoft Teams meeting. When you click the link, you are taken to a real Microsoft login screen, where you are asked to enter a short “device code” — a code supplied in the email you received. You're told this code is necessary to join the meeting or complete the login, so it feels entirely routine and safe.

The catch? When you enter that device code, you aren’t logging yourself in. You’re approving a sign-in that the attacker started on their own device, so it is their session that ends up attached to your Microsoft account. Because the login flow is genuine and you complete it yourself, including any multi-factor authentication (MFA) prompt, MFA does not stop it: criminals can access your accounts without your password and without tripping your additional security layers.
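To make the mechanism concrete, here is an added toy model of the device authorization grant this scam rides on. It is not code from this post or from Microsoft; the issuer, codes and account names are constructed stand-ins, and the `block_device_code_flow` switch stands in for a tenant-level policy that disables the flow (the mitigation discussed later in the post).

```python
"""Toy model of the OAuth 2.0 device authorization grant that device code
phishing abuses.  Added illustration, not code from the post or Microsoft:
the issuer, client and victim below are constructed stand-ins."""
import secrets

class AuthorizationServer:
    """Minimal issuer that pairs a device code with a short user code."""
    def __init__(self, block_device_code_flow=False):
        self.pending = {}  # user_code -> {"device_code", "subject"}
        self.block_device_code_flow = block_device_code_flow

    def device_authorization(self):
        # Step 1: the requesting device (in the scam, the attacker's machine) asks
        # for a code pair.  Legitimately the user_code is shown on that device;
        # in the scam it is put in the lure email instead.
        device_code = secrets.token_hex(16)
        user_code = "-".join(secrets.token_hex(2).upper() for _ in range(2))
        self.pending[user_code] = {"device_code": device_code, "subject": None}
        return {"device_code": device_code, "user_code": user_code,
                "verification_uri": "https://login.example.test/device"}

    def user_enters_code(self, user_code, subject, mfa_passed):
        # Step 2: the victim signs in on the genuine page (password and MFA)
        # and types the emailed code.  That approval binds the victim's
        # identity to whichever device asked for the code.
        rec = self.pending.get(user_code)
        if rec is None or not mfa_passed:
            return False
        rec["subject"] = subject
        return True

    def token(self, device_code):
        # Step 3: the requesting device polls for tokens.  Once approved it
        # receives tokens for the victim's account without ever seeing the
        # password or the MFA prompt.
        if self.block_device_code_flow:
            return {"error": "device_code_flow_blocked"}  # tenant-level block
        for rec in self.pending.values():
            if rec["device_code"] == device_code:
                if rec["subject"] is None:
                    return {"error": "authorization_pending"}
                return {"access_token": f"token-for-{rec['subject']}"}
        return {"error": "invalid_grant"}

def run_scenario(block_flow):
    # Play the lure end to end, with the flow enabled or disabled by policy.
    srv = AuthorizationServer(block_device_code_flow=block_flow)
    grant = srv.device_authorization()
    # The victim receives grant["user_code"] in the lure email and enters it.
    srv.user_enters_code(grant["user_code"], "alice@example.test", True)
    return srv.token(grant["device_code"])
```

Note that nothing in the exchange is forged: the victim really does pass MFA on the real login page, which is why the flow must be restricted or blocked rather than relying on users to spot a fake site.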

Why Is Device Code Phishing Such a Threat?

Once attackers gain access, they have the keys to your digital kingdom. They can:

  • Read emails and sensitive communications
  • Access and steal files
  • Use your account to impersonate you and target others within your organisation

This scam is particularly dangerous because everything looks normal. You are interacting with a real, trusted Microsoft login screen, not a fake imposter site. No suspicious URLs, no fake forms — just an everyday login request that deceives even vigilant users. Traditional security tools may fail to detect this unusual method because the attackers use legitimate Microsoft channels.

Moreover, attackers can maintain persistent access once inside by capturing session tokens — digital passes that keep them logged in behind the scenes. Changing your password won’t necessarily lock them out immediately, giving criminals extended access to your systems.

How Can Businesses Protect Themselves?

1. Educate Your Team About Device Code Phishing

Human error is often the weakest link in cyber security. Make sure your staff know that getting a device code to enter into a login screen is never normal unless they have specifically requested it. Encourage them to question any unexpected login requests. If unsure, don’t proceed — verify the request using a different communication channel such as a phone call or your company’s secure messaging system.

2. Review and Restrict Device Code Login Access

If your business does not require device code authentication for daily operations, consider disabling it altogether. Your IT support team can help configure these settings, reducing the attack surface and eliminating unnecessary vulnerabilities.

3. Implement Access Controls and Conditional Access Policies

Set up security rules that restrict logins to trusted locations or devices. This limits the chances of an attacker logging in from suspicious IP addresses or unfamiliar hardware.

4. Strengthen Multi-Factor Authentication and Monitor Accounts

While MFA alone isn’t foolproof against device code phishing, strong multi-factor processes combined with continuous monitoring for unusual login activity still provide valuable protection.

5. Regularly Train Your Staff in Cyber Security Awareness

Ongoing training keeps your team alert to emerging threats. Understanding scams like device code phishing is vital so your employees recognise the signs and avoid becoming victims.
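The monitoring in step 4 and the trusted-location rule in step 3 can be combined into a simple triage of sign-in records. This is an added example, not code from the post: the log records are constructed, and the field names (`authenticationProtocol`, `location.countryOrRegion`, `status.errorCode`) follow the Entra ID sign-in log shape as I know it and should be treated as an assumption to verify against your own export.

```python
"""Added example, not from the post: triage device code sign-ins in
sign-in log records against the trusted-location rule from step 3.
The records are constructed.  The field names (authenticationProtocol,
location.countryOrRegion, status.errorCode) follow the Entra ID sign-in
log shape as I know it; treat them as an assumption to verify."""
import json

# Constructed sample records, one JSON object per line as an export might give.
SAMPLE_SIGNINS = "\n".join(json.dumps(r) for r in [
    {"createdDateTime": "2025-02-13T08:01:00Z", "userPrincipalName": "alice@example.test",
     "authenticationProtocol": "deviceCode", "ipAddress": "203.0.113.7",
     "location": {"countryOrRegion": "BR"}, "status": {"errorCode": 0}},
    {"createdDateTime": "2025-02-13T08:02:00Z", "userPrincipalName": "bob@example.test",
     "authenticationProtocol": "oAuth2", "ipAddress": "198.51.100.4",
     "location": {"countryOrRegion": "GB"}, "status": {"errorCode": 0}},
    {"createdDateTime": "2025-02-13T08:03:00Z", "userPrincipalName": "carol@example.test",
     "authenticationProtocol": "deviceCode", "ipAddress": "198.51.100.9",
     "location": {"countryOrRegion": "GB"}, "status": {"errorCode": 0}},
    {"createdDateTime": "2025-02-13T08:04:00Z", "userPrincipalName": "dave@example.test",
     "authenticationProtocol": "deviceCode", "ipAddress": "203.0.113.9",
     "location": {"countryOrRegion": "US"}, "status": {"errorCode": 50126}},
])

TRUSTED_COUNTRIES = {"GB"}  # stand-in for the tenant's named/trusted locations

def triage_device_code_signins(log_text, trusted=TRUSTED_COUNTRIES):
    """Return one finding per device code sign-in, most urgent first."""
    rank = {"high": 0, "medium": 1, "low": 2}
    findings = []
    for line in log_text.splitlines():
        rec = json.loads(line)
        if rec.get("authenticationProtocol") != "deviceCode":
            continue  # ordinary interactive/OAuth sign-ins are out of scope here
        succeeded = rec.get("status", {}).get("errorCode") == 0
        country = rec.get("location", {}).get("countryOrRegion")
        if not succeeded:
            severity, action = "low", "watch for a later success from the same user"
        elif country not in trusted:
            # A successful device code sign-in from outside trusted locations is the
            # pattern the post describes; a password reset alone does not end it.
            severity, action = "high", "revoke refresh tokens, then reset credentials"
        else:
            severity, action = "medium", "confirm with the user via another channel"
        findings.append({"user": rec["userPrincipalName"], "ip": rec.get("ipAddress"),
                         "country": country, "severity": severity, "action": action})
    findings.sort(key=lambda f: rank[f["severity"]])
    return findings
```

The ordering of the response matters because of the session-token point made earlier: revoke the sessions first, then change the password, or the attacker's existing tokens keep working.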

Why Professional IT Support Matters

Cyber criminals are increasingly creative, and defending against sophisticated scams requires expertise. An experienced IT Support provider stays abreast of threats like device code phishing, ensuring your organisation has up-to-date defences and policies in place.

They can assist with:

  • Auditing your current security set-up
  • Configuring settings to block risky login methods
  • Educating staff through cyber security workshops
  • Providing rapid response if an attack occurs

Partnering with trusted IT support like IT Support Manchester, IT Support Liverpool, IT Support Chester or IT Support Companies Manchester gives your business a stronger line of defence against today's advanced scams.

Cyber security isn’t just about passwords anymore. The rise of device code phishing is a stark reminder that criminals can access your accounts without your password, using clever tricks that bypass many traditional defences.

The good news is this threat is manageable with awareness, vigilance, and the right technical measures. Start by informing your team about the dangers of unsolicited device codes, review your login policies, and engage expert IT support to harden your defences.

If you want to tighten up your security and protect your business from evolving cyber threats like device code phishing, don’t hesitate to get in touch. Staying ahead is a team effort — with the right knowledge and support, you can keep your organisation secure in an ever-changing digital world.

Contact Blowfish Technology