Microsoft: Criminals can access your accounts without your password • Blisstech Solutions

Have you ever felt like just when you’ve nailed your cybersecurity – BAM! – something new comes along to throw a spanner in the works?

That’s exactly what’s happening right now.

There’s a new scam doing the rounds. And it’s catching out businesses just like yours.

The worst part?

Cyber criminals don’t even need your password.

Scary…

It’s called device code phishing. It’s a clever trick that’s becoming more and more popular. Microsoft recently flagged a wave of these attacks, and we’re likely to see many more.

This one’s different to the usual phishing scams you’ve probably heard about. Normally, phishing is all about tricking people into giving away their usernames and passwords on fake websites.

But with device code phishing, scammers play a smarter game.

Instead of stealing your password, they get you to voluntarily give them access to your account. And they do it using real Microsoft login pages, so it looks totally legit.

It usually starts with a convincing email. Maybe it looks like it’s from your HR person, or a colleague, inviting you to a Microsoft Teams meeting. You click the link, and it takes you to a real Microsoft login screen.

Nothing seems out of place.

You’re asked to enter a code. Just a short one, called a “device code.” This code is supplied in the email, and you’re told it’s needed to join the meeting or finish logging in.

Here’s the catch: By entering that code, you’re not logging yourself in… you’re logging them in.

You’re unknowingly giving the attacker access to your Microsoft account on their device. And because the login goes through the proper channels, it can even bypass multi-factor authentication (MFA).

Yep, even if you’ve got extra security in place, they might still get in.

Once they’re in, they can do a lot of damage. Reading your emails, accessing your files, even using your account to trick others in your company. It’s like handing over the keys to your office and you don’t even realise it.

It’s dangerous because it doesn’t look suspicious. You’re on a real Microsoft site, not some suspicious fake. You didn’t click a weird link or enter your password into a phishing form. Everything looks above board… except it’s not.

And because attackers are using legitimate Microsoft login flows, traditional security tools don’t always catch it.

Plus, once they’re in, they can stay in. They don’t need to keep logging in if they’ve captured your session token (that’s a sort of digital “pass” that keeps you logged in behind the scenes). So even changing your password won’t necessarily kick them out right away.

A big question then: How can you protect your business?

Start by getting your team to be extra cautious with login requests. Especially ones that involve entering codes. If you get a device code from someone, stop and think: Did I request this? Do I know for sure this is real?

If you’re not sure, don’t go through with it. Use a separate method, like a direct phone call or your company’s messaging system, to double-check with the person who sent the email.

Remember, real Microsoft logins don’t involve someone else giving you a code to enter. If that ever happens, it’s a red flag.

From a technical side, your IT team (or IT provider) can also tighten things up. If your business doesn’t need device code login as part of its daily operations, it’s safest to turn it off altogether. They can also put in place extra security rules that only allow logins from trusted locations or devices and add security monitoring that will alert them to suspicious logins.

And finally, keep training your people. Good cybersecurity is about awareness. If your team knows what to look out for, they’re much less likely to fall for these kinds of tricks.

Can we help you tighten up your security? Get in touch.

More Content

A woman on a laptop with a shield and lock on the screen

7 ways to secure small business IT

It is hard enough running a business without having to worry about how to ensure your computer systems and data are secure from bad guys.  To help you out, we have put together a list of the top 7 things that you should do to secure your small business IT systems. 1....
The two big threats of doing business on public Wi-Fi

The two big threats of doing business on public Wi-Fi

Public Wi-Fi can be a lifesaver when you must send an urgent email while out of the office. But did you know it can also put your business data at risk? These are the two big threats you and your team need to be aware of…

A woman looking at her phone while working from home

Homeworking is bad for IT security

A new homeworking security report from CyberArk has surveyed 3000 remote office workers and IT professionals. It finds that increased homeworking, resulting from the 2020 pandemic, could be bad news for a company’s IT security posture. It has uncovered several...

AI is making phishing scams more dangerous

AI chatbots have taken the world by storm lately. But for all the fun they offer, criminals have been finding ways to use AI for more sinister purposes.

A laptop and tablet taking a backup

Two simple steps to protect your business data

Data is the lifeblood of most modern businesses.  From important proposals and presentations to a simple one-line email that is proof of something happening that you might need months later.  However, many small businesses are not taking the necessary steps and...

Cloud Telephony vs. VoIP – which is best for your business?

If your employees—or worse, your customers—have started to complain about your phone systems, it’s time to look at a new solution—something that works well for everyone, whether that’s making life easier for your team or giving your customers a smoother experience....

Stop! And think, before you act on that email

Don’t fall victim to cyber criminals. We explain what a BEC attack is and how to protect your business.

How to reopen a closed browser tab thumbnail

Tech Tip: How to quickly reopen a closed browser tab

Welcome to a new Tuesday tech tip video, and it's a really quick, but useful one This video shows how to quickly reopen a closed browser tab in Google Chrome or Edge. The video demonstrates a keyboard shortcut (Ctrl+Shift+T) to restore the last closed tab. I will also...

90% of cyber attacks start with a simple email. Why?

All it takes is one email... Did you know it can just take one email to bring your entire business to its knees? Why? Because a surprising 90% of cyber attacks begin with an email. And if you and your whole team are reliant on email every day, your chances of falling...

3 things you should do now to protect your business email

It's a fact, most cyber attacks start with an email.  In fact, a frightening 91% of attacks begin with someone clicking on something they shouldn't in an email they received. Here are three things you can do now to protect your business and make it harder for...
Share This
Contact
Love Lane
Cleobury Mortimer
Shropshire DY14 8PE

01299 382 321
[email protected]
Copyright © 2024 Blisstech Solution Ltd
Registered No: 08125391 VAT No : 307 5490 05