Microsoft: Criminals can access your accounts without your password

Cyber criminals are always looking for new ways to access your accounts. And now they’ve found a way that means they don’t even need your password. Beware this one…


TECH UPDATE

Think Your Cyber Security Is Locked Down? Think Again.

Just when you feel confident about your cyber security setup, a new threat emerges to shake things up.

Right now, a fresh scam is making the rounds—and it’s catching out businesses like yours. The most alarming part? Cyber criminals don’t even need your password to break in.

It’s called device code phishing, and it’s gaining traction fast. Microsoft has already flagged a surge in these attacks, and more are expected.

Unlike traditional phishing—where attackers trick you into entering your credentials on fake websites—this method is far more cunning.


How It Works

Attackers send a convincing email, often posing as someone from HR or a colleague, inviting you to a Microsoft Teams meeting. You click the link and land on a genuine Microsoft login page. Everything looks normal.

Then you’re asked to enter a short “device code” provided in the email. It seems routine.

But here’s the twist: by entering that code, you’re not logging yourself in—you’re logging the attacker into your account. And because you complete the sign-in, MFA prompt included, on Microsoft’s own login page, the attacker gets in even when multi-factor authentication is enabled.

Once inside, attackers can:

  • Read your emails
  • Access sensitive files
  • Impersonate you to deceive others

It’s like handing over your office keys without realising it.


Why It’s So Dangerous

  • You’re on a real Microsoft site—not a dodgy clone.
  • You didn’t enter your password into a suspicious form.
  • Everything looks above board… but it’s not.

Even worse, traditional security tools may not detect this. And if the attacker captures your session token, changing your password won’t necessarily kick them out.
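As an added defensive example (not code from the original post), the script below scans Entra ID sign-in records for sign-ins made via the device code flow and flags those coming from an IP address the user has never otherwise signed in from. Field names follow the Microsoft Graph sign-in record (`userPrincipalName`, `ipAddress`, `authenticationProtocol`); the records themselves are constructed for illustration.

```python
"""Flag device-code sign-ins in Entra ID sign-in log records."""
from collections import defaultdict

# Constructed sample records shaped like Graph sign-in entries
# (only the fields used below). Not real log data.
SAMPLE_SIGNINS = [
    {"userPrincipalName": "alice@example.com", "ipAddress": "203.0.113.10",
     "authenticationProtocol": "none", "createdDateTime": "2025-03-01T08:00:00Z"},
    {"userPrincipalName": "alice@example.com", "ipAddress": "203.0.113.10",
     "authenticationProtocol": "oAuth2", "createdDateTime": "2025-03-01T08:05:00Z"},
    {"userPrincipalName": "bob@example.com", "ipAddress": "198.51.100.7",
     "authenticationProtocol": "none", "createdDateTime": "2025-03-01T09:00:00Z"},
    # Device-code sign-in for alice from an address she has never used.
    {"userPrincipalName": "alice@example.com", "ipAddress": "192.0.2.44",
     "authenticationProtocol": "deviceCode", "createdDateTime": "2025-03-01T09:12:00Z"},
    # Device-code sign-in for bob from his usual address (e.g. a CLI tool).
    {"userPrincipalName": "bob@example.com", "ipAddress": "198.51.100.7",
     "authenticationProtocol": "deviceCode", "createdDateTime": "2025-03-01T09:30:00Z"},
    # Device-code sign-in for a user with no other sign-ins in the window.
    {"userPrincipalName": "carol@example.com", "ipAddress": "192.0.2.45",
     "authenticationProtocol": "deviceCode", "createdDateTime": "2025-03-01T10:00:00Z"},
]


def device_code_signins(records):
    """All sign-ins completed through the device code flow."""
    return [r for r in records if r.get("authenticationProtocol") == "deviceCode"]


def suspicious_device_code_signins(records):
    """Device-code sign-ins from an IP the user has not used for any
    other kind of sign-in in the same record set."""
    known_ips = defaultdict(set)
    for r in records:
        if r.get("authenticationProtocol") != "deviceCode":
            known_ips[r["userPrincipalName"]].add(r["ipAddress"])
    return [r for r in device_code_signins(records)
            if r["ipAddress"] not in known_ips[r["userPrincipalName"]]]


if __name__ == "__main__":
    for r in suspicious_device_code_signins(SAMPLE_SIGNINS):
        print(f"REVIEW: {r['userPrincipalName']} device-code sign-in "
              f"from {r['ipAddress']} at {r['createdDateTime']}")
```

A hit is a prompt to check with the user and, if unexpected, revoke their sessions, since a stolen token survives a password change.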


How to Stay Safe

  • Pause before entering any code: Ask yourself—did I request this? Is it from a trusted source?
  • Verify requests: Use a separate channel (like a phone call or internal messaging) to confirm legitimacy.
  • Know the signs: Real Microsoft logins don’t involve someone else giving you a code to enter.
  • Disable device code login: If your business doesn’t use it, your IT team should consider turning it off.
  • Train your team: Awareness is your best defence. The more your people know, the safer your business will be.

Need help reviewing your security setup or training your team? Let’s talk.