Microsoft Warns: Hackers Can Access Accounts Without a Password
Michael Tunstall
July 5, 2025
Just when you think your cyber security is solid, a new threat emerges—and this one’s particularly sneaky.
Microsoft is warning businesses about a growing attack technique that doesn't rely on stealing your password. Instead, it tricks a member of your team into approving the attacker's sign-in without realising it, and it is already catching many people off guard.
This tactic is known as device code phishing, and it’s proving highly effective.
What is device code phishing?
Unlike traditional phishing scams, which aim to steal your username and password via fake login pages, device code phishing takes a more subtle and dangerous approach.
The attack usually starts with a legitimate-looking email, perhaps a Teams meeting invite or a request from a colleague. The link takes you to a genuine Microsoft sign-in page (the real device-login page), so nothing about the URL or the page looks suspicious.
You are then asked to enter a short "device code", which is supplied in the same email, to continue.
Here is the trick: the attacker has already started a device-code sign-in on their own machine, and that is where the code came from. When you sign in on the genuine page and enter the code, you are not logging yourself in; you are approving the sign-in the attacker started, and Microsoft issues the access and refresh tokens to the attacker's client.
Because every step uses Microsoft's real sign-in flow, it looks entirely legitimate. Worse, multi-factor authentication (MFA) does not stop it: you complete MFA yourself, on the real page, so the resulting tokens are issued as fully authenticated. MFA is not bypassed so much as satisfied on the attacker's behalf.
Why it’s so dangerous
Once the attacker has access to your account, they can:
Read and send emails as you
Access files in OneDrive or SharePoint
Target colleagues with internal phishing attempts
Escalate access or plant malware
To make matters worse, the attacker walks away with an access token and a refresh token, not a password. Changing the password on its own does not end the intrusion: access tokens already issued stay valid until they expire (typically around an hour), so the account should also have its sign-in sessions and refresh tokens revoked explicitly (in Entra ID, the revokeSignInSessions action or the equivalent admin portal control) and any unfamiliar sign-ins or devices reviewed.
Because this type of phishing involves no fake website and no password typed anywhere but the genuine Microsoft page, it slips past URL filtering and credential-harvesting detection. It is subtle, convincing, and hard to spot.
What can your business do?
The good news is there are clear steps you can take to protect your team:
Raise awareness: Train employees to be cautious whenever they are asked to enter a device code, especially when the code arrives by email or chat. Legitimate device-code sign-ins are started by the user themselves, on a device they are holding, so a code that someone else sent is a red flag.
Confirm via a second channel: Encourage staff to verify unusual requests by phone or a trusted messaging platform before acting on them.
Disable unused login methods: If your business has no need for device code sign-in (it exists mainly for devices without a browser, such as smart TVs, printers and command-line tools), your IT provider can block it. In Microsoft Entra ID this is done with a Conditional Access policy using the authentication flows condition to block the device code flow, optionally excluding the few accounts or apps that genuinely need it.
Implement Conditional Access: Restrict sign-ins to trusted locations, IP addresses, or compliant managed devices, so that tokens requested from an attacker's machine are refused even if a user approves the code.
Monitor and keep training ongoing: Review sign-in logs for device-code sign-ins, particularly from unexpected locations or to apps that have no business using that flow, and make cyber awareness training a regular part of your security strategy.
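The steps above end with monitoring; here is what that check looks like in practice. This is an added example, not Microsoft's tooling or the author's. The sign-in records are constructed: their field names (userPrincipalName, appDisplayName, ipAddress, authenticationProtocol, status.errorCode) follow the Microsoft Graph signIn resource, but every value, the trusted IP range and the list of apps allowed to use device code are made up. The logic flags successful device-code sign-ins that come from outside the trusted range or go to an app that is not sanctioned for that flow, and lists the users whose sessions should be revoked.

```python
"""Flag device-code sign-ins that match the phishing pattern described above.

Added example, not Microsoft's or the article author's tooling. Records,
IP ranges and app names below are constructed; field names follow the
Microsoft Graph signIn resource.
"""
import ipaddress
import json

# Constructed sample export (JSON lines). Only alice and dave should be flagged:
# bob uses device code from the office range with a sanctioned CLI, carol is a
# failed password sign-in, and alice's first record is an ordinary OAuth2 sign-in.
SAMPLE_SIGNINS = """
{"createdDateTime": "2025-07-01T09:02:11Z", "userPrincipalName": "alice@contoso.example", "appDisplayName": "Microsoft Office", "ipAddress": "203.0.113.10", "authenticationProtocol": "oAuth2", "status": {"errorCode": 0}}
{"createdDateTime": "2025-07-01T09:05:40Z", "userPrincipalName": "alice@contoso.example", "appDisplayName": "Microsoft Office", "ipAddress": "198.51.100.77", "authenticationProtocol": "deviceCode", "status": {"errorCode": 0}}
{"createdDateTime": "2025-07-01T10:15:02Z", "userPrincipalName": "bob@contoso.example", "appDisplayName": "Azure CLI", "ipAddress": "203.0.113.22", "authenticationProtocol": "deviceCode", "status": {"errorCode": 0}}
{"createdDateTime": "2025-07-01T10:20:59Z", "userPrincipalName": "carol@contoso.example", "appDisplayName": "Microsoft Teams", "ipAddress": "203.0.113.31", "authenticationProtocol": "oAuth2", "status": {"errorCode": 50126}}
{"createdDateTime": "2025-07-01T11:48:13Z", "userPrincipalName": "dave@contoso.example", "appDisplayName": "Microsoft Office", "ipAddress": "192.0.2.200", "authenticationProtocol": "deviceCode", "status": {"errorCode": 0}}
{"createdDateTime": "2025-07-01T11:50:00Z", "userPrincipalName": "erin@contoso.example", "appDisplayName": "Azure CLI", "ipAddress": "not-an-ip", "authenticationProtocol": "deviceCode", "status": {"errorCode": 0}}
"""

# Constructed "office" range and the apps for which device-code sign-in is sanctioned (assumptions).
TRUSTED_RANGES = [ipaddress.ip_network("203.0.113.0/24")]
DEVICE_CODE_ALLOWED_APPS = {"Azure CLI"}


def parse_signins(jsonl: str) -> list[dict]:
    """Parse a JSON-lines export into a list of sign-in records."""
    return [json.loads(line) for line in jsonl.strip().splitlines() if line.strip()]


def is_trusted_ip(ip: str) -> bool:
    """True only if the address parses and falls inside a trusted range; garbage is untrusted."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in TRUSTED_RANGES)


def find_suspicious_device_code_signins(records: list[dict]) -> list[dict]:
    """Return successful device-code sign-ins from an untrusted IP or to an unsanctioned app."""
    alerts = []
    for r in records:
        if r.get("authenticationProtocol") != "deviceCode":
            continue
        if r.get("status", {}).get("errorCode", 1) != 0:
            continue                       # failed attempt: no tokens were issued
        reasons = []
        if not is_trusted_ip(r.get("ipAddress", "")):
            reasons.append("untrusted_ip")
        if r.get("appDisplayName") not in DEVICE_CODE_ALLOWED_APPS:
            reasons.append("unsanctioned_app")
        if reasons:
            alerts.append({"time": r.get("createdDateTime"), "user": r.get("userPrincipalName"),
                           "ip": r.get("ipAddress"), "app": r.get("appDisplayName"),
                           "reasons": reasons})
    return alerts


def users_to_revoke(alerts: list[dict]) -> list[str]:
    """Distinct users whose sign-in sessions and refresh tokens should be revoked."""
    return sorted({a["user"] for a in alerts})


if __name__ == "__main__":
    found = find_suspicious_device_code_signins(parse_signins(SAMPLE_SIGNINS))
    for a in found:
        print(f"{a['time']} {a['user']} from {a['ip']} to {a['app']}: {', '.join(a['reasons'])}")
    print("revoke sessions for:", users_to_revoke(found))
```

In a real tenant the same first filter is a one-liner against the Entra ID sign-in logs (the AuthenticationProtocol column equals "deviceCode"); the allow-lists for addresses and apps are what turn that raw list into something an analyst can act on, and the revocation list feeds the revokeSignInSessions step mentioned earlier.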
Stay ahead of the threat
Cyber attacks are evolving, and so should your defences. Even trusted tools like Microsoft 365 can be exploited if the right safeguards aren’t in place.
Want to review your Microsoft 365 security setup or implement stronger protections? We’re here to help.
Get in touch to book a security review or talk through your options.