Microsoft: Criminals Can Access Your Accounts Without a Password
Just when you think your cyber security is airtight, a new threat emerges that changes the game. That’s exactly what’s happening now — and it’s a serious risk for South African businesses.
A sophisticated scam is making the rounds, targeting companies like yours. What makes it so dangerous? Hackers don’t even need your password to get in.
It’s called device code phishing, and Microsoft recently raised the alarm as these attacks are on the rise — and evolving fast.
Unlike traditional phishing scams that rely on fake login pages to steal your password, this method is far more deceptive. Instead of tricking you into giving away your credentials, it tricks you into giving access — using real Microsoft login screens.
Here’s how it typically plays out:
You receive an email that looks perfectly normal — maybe it’s from HR or a colleague — inviting you to join a Microsoft Teams meeting. You click the link and land on a genuine Microsoft login page. Everything looks above board.
You’re prompted to enter a short “device code” that was included in the email. It appears routine, part of the login or meeting process.
But here’s the danger: by entering that code, you’re authorising the attacker to access your Microsoft account — on their own device.
It’s alarmingly effective. Because the login happens on legitimate Microsoft infrastructure, you complete the sign-in yourself, including multi-factor authentication (MFA), and that satisfies the MFA check on the attacker’s behalf. That means even if you’ve set up additional security, it may not stop them.
Once inside, attackers can read emails, download files, and impersonate you to target others in your company. It’s like handing over the keys to your digital office — without ever realising it.
And it gets worse. Since the login is authentic, traditional email security tools may not flag anything unusual. Plus, if attackers manage to grab your session token — a kind of digital key that keeps you logged in — they can stay in your account even if you change your password.
So, how do you protect your business?
- Keep security training ongoing: Awareness is your best defence. When your staff understand these scams, they’re far less likely to fall for them.
- Raise staff awareness: Train your team to be extra cautious with any request that involves entering codes. Ask: Did I request this? Does it make sense?
- Verify suspicious requests: If in doubt, use a separate communication channel — such as your company chat system or a direct phone call — to confirm the request.
- Understand Microsoft login processes: A genuine device code login starts on a device you are using, which shows you the code to type in. Microsoft logins shouldn’t involve being sent a code by someone else. If that happens, it’s a clear warning sign.
- Get your IT team involved: If your organisation doesn’t need device code logins, have your IT provider disable them. You can also implement conditional access rules to limit sign-ins from unknown locations or devices.
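As an added illustration of the “get your IT team involved” step (my own example, not code from this post or from Microsoft): a short Python script that flags every device code sign-in in an exported Entra sign-in log and rates it higher when the sign-in country differs from the user’s usual one. The log records are constructed, and the field names (authenticationProtocol, location.countryOrRegion) are assumed to match the sign-in log export.

```python
import json
from collections import defaultdict

# Constructed sample export (not real log data). Field names follow the Entra
# sign-in log schema, where authenticationProtocol == "deviceCode" marks a
# device code flow sign-in; one JSON record per line.
SAMPLE_LOG = """
{"userPrincipalName": "alice@example.com", "authenticationProtocol": "none", "ipAddress": "203.0.113.10", "location": {"countryOrRegion": "ZA"}, "appDisplayName": "Microsoft Teams", "createdDateTime": "2025-03-03T08:01:00Z"}
{"userPrincipalName": "alice@example.com", "authenticationProtocol": "deviceCode", "ipAddress": "198.51.100.7", "location": {"countryOrRegion": "NL"}, "appDisplayName": "Microsoft Office", "createdDateTime": "2025-03-03T08:14:00Z"}
{"userPrincipalName": "bob@example.com", "authenticationProtocol": "none", "ipAddress": "203.0.113.11", "location": {"countryOrRegion": "ZA"}, "appDisplayName": "Outlook", "createdDateTime": "2025-03-03T09:00:00Z"}
{"userPrincipalName": "bob@example.com", "authenticationProtocol": "deviceCode", "ipAddress": "203.0.113.12", "location": {"countryOrRegion": "ZA"}, "appDisplayName": "Azure CLI", "createdDateTime": "2025-03-03T09:30:00Z"}
{"userPrincipalName": "carol@example.com", "authenticationProtocol": "deviceCode", "ipAddress": "192.0.2.5", "appDisplayName": "Microsoft Office", "createdDateTime": "2025-03-03T10:02:00Z"}
"""

def parse_signins(text):
    """Parse a newline-delimited JSON export into a list of records."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def country_of(record):
    """Country from the record's location block, or 'unknown' if absent."""
    return (record.get("location") or {}).get("countryOrRegion", "unknown")

def baseline_countries(records):
    """Countries each user signed in from using ordinary (non device code) flows."""
    seen = defaultdict(set)
    for r in records:
        if r.get("authenticationProtocol") != "deviceCode":
            seen[r["userPrincipalName"]].add(country_of(r))
    return seen

def flag_device_code_signins(records):
    """One alert per device code sign-in: 'high' if the country is not among the
    user's usual sign-in countries in this export, else 'medium' (users with no
    baseline still get an alert, since most users never use the flow)."""
    baseline = baseline_countries(records)
    alerts = []
    for r in records:
        if r.get("authenticationProtocol") != "deviceCode":
            continue
        user, country = r["userPrincipalName"], country_of(r)
        usual = baseline.get(user, set())
        severity = "high" if usual and country not in usual else "medium"
        alerts.append({"user": user, "time": r.get("createdDateTime"),
                       "ip": r.get("ipAddress"), "country": country,
                       "app": r.get("appDisplayName"), "severity": severity})
    return alerts

if __name__ == "__main__":
    for alert in flag_device_code_signins(parse_signins(SAMPLE_LOG)):
        print(alert)
```

Any alert is worth confirming with the user over a separate channel, and a confirmed attacker sign-in calls for revoking that user’s sessions, since a stolen session token survives a password change, as noted above.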
Want help securing your Microsoft environment?
Chat to us at GZD — we’ll review your setup and help you strengthen your defences.