Criminals can access your Microsoft accounts without your password


by Tony Sollars, Jul 2, 2025 | All Posts, Microsoft


A New Scam Targeting Businesses

Have you ever felt like you’ve finally secured your cybersecurity, only to have a new threat emerge?

That’s the situation many businesses face today.

A new scam is circulating, and it’s affecting businesses like yours.

The concerning part?

Cybercriminals don’t even need your password to succeed.

This scam, known as device code phishing, is a clever trick gaining popularity. Microsoft has recently identified a surge in these attacks, and more are expected.

What Is Device Code Phishing?

How the Scam Works

This scam differs from typical phishing attempts. Usually, phishing involves tricking people into revealing their usernames and passwords on fake websites.

However, with device code phishing, scammers use a more sophisticated approach.

Instead of stealing your password, they manipulate you into granting them access to your account. They achieve this using legitimate Microsoft login pages, making it appear authentic.

The scam usually begins with a convincing email, possibly appearing to be from your HR department or a colleague, inviting you to a Microsoft Teams meeting. Clicking the link directs you to a genuine Microsoft login screen.

Everything seems normal.

You’re prompted to enter a short code, referred to as a “device code.” This code is provided in the email, with instructions that it’s required to join the meeting or complete the login process.

Here’s the deception: Entering that code doesn’t log you in; it logs the attacker in.

Unknowingly, you’re granting the attacker access to your Microsoft account on their device. Because the login itself is legitimate, any multi-factor authentication (MFA) prompt is completed by you on the real Microsoft page, so the attacker’s session satisfies MFA without them ever being challenged.

Even with enhanced security measures, they might still gain access.

Why It’s So Dangerous

Once inside, they can cause significant damage, including reading emails, accessing files, and using your account to deceive others within your company. It’s like unknowingly handing over the keys to your office.

This scam is dangerous because it appears legitimate. You’re on a real Microsoft site, not a suspicious fake. You haven’t clicked a suspicious link or entered your password into a phishing form. Everything seems legitimate, but it’s not.

Because attackers use genuine Microsoft login procedures, traditional security tools may not always detect it.

Furthermore, once inside, they can maintain access. They don’t need to continuously log in if they’ve captured your session token, a digital “pass” that keeps you logged in. Consequently, changing your password may not immediately remove them; the tokens they hold stay valid until they are revoked.

How to Protect Your Business

Train Your Team to Recognize Red Flags

Begin by instructing your team to be extra cautious with login requests, especially those involving code entry. If you receive a device code from someone, pause and consider: Did I request this? Am I certain this is legitimate?

If you’re uncertain, don’t proceed. Verify the request using a separate method, such as a direct phone call or your company’s messaging system, to confirm with the sender.

Remember, in a genuine device code login the code is displayed on your own screen by the device you are signing in; it is never sent to you by another person. If someone else provides you with a code to enter, it’s a warning sign.

Implement Strong Technical Controls

From a technical standpoint, your IT team (or IT provider) can strengthen security measures. If your business doesn’t require device code login for daily operations, disabling it is the safest option. They can also implement additional security rules that restrict logins to trusted locations or devices.
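To show what the scenario above looks like from the defender’s side, here is an added example (not code from the original post) that triages sign-in records for device code logins and raises the severity when the sign-in also comes from an untrusted location or an unmanaged device, which is how the attacker’s device appears in the scam described. The records and the field names are constructed, modelled loosely on Microsoft Entra sign-in log fields, and the trusted-country list is an assumption.

```python
"""Triage constructed sign-in records for device code flow logins."""

# Constructed sample records, modelled loosely on Microsoft Entra sign-in
# log fields. These are not real log lines, and the exact field names
# are an assumption for the purposes of this example.
SAMPLE_SIGN_INS = [
    {"user": "alice@example.com", "authenticationProtocol": "deviceCode",
     "country": "NL", "deviceCompliant": False, "app": "Microsoft Office"},
    {"user": "bob@example.com", "authenticationProtocol": "oAuth2",
     "country": "US", "deviceCompliant": True, "app": "Microsoft Teams"},
    {"user": "carol@example.com", "authenticationProtocol": "deviceCode",
     "country": "US", "deviceCompliant": True, "app": "Azure CLI"},
]

# Assumption: the locations this business normally signs in from.
TRUSTED_COUNTRIES = {"US"}


def classify(record, trusted_countries=TRUSTED_COUNTRIES):
    """Return (severity, reasons) for one sign-in record.

    "none"   - an ordinary sign-in, nothing to do.
    "review" - device code flow from a trusted location on a managed device
               (legitimate admin tooling can look like this).
    "high"   - device code flow that also comes from an untrusted location
               or an unmanaged device: the attacker's device in the scam.
    """
    if record.get("authenticationProtocol") != "deviceCode":
        return "none", []
    reasons = ["device code flow used"]
    if record.get("country") not in trusted_countries:
        reasons.append(f"untrusted location {record.get('country')}")
    if not record.get("deviceCompliant", False):
        reasons.append("device not compliant or unmanaged")
    severity = "high" if len(reasons) > 1 else "review"
    return severity, reasons


def triage(records, trusted_countries=TRUSTED_COUNTRIES):
    """Return the records that deserve a human look, with severity and reasons."""
    hits = []
    for record in records:
        severity, reasons = classify(record, trusted_countries)
        if severity != "none":
            hits.append({"user": record["user"], "severity": severity,
                         "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in triage(SAMPLE_SIGN_INS):
        print(hit["severity"].upper(), hit["user"], "; ".join(hit["reasons"]))
```

A "review" hit is the reason to decide whether the business needs the device code flow at all; if it does not, blocking it outright removes the whole category of alert.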

Keep Cybersecurity Awareness Ongoing

Finally, continue training your employees. Effective cybersecurity relies on awareness. If your team is aware of potential threats, they’re less likely to fall victim to these scams.

Need Help Securing Your Microsoft Accounts?

Would you like assistance in strengthening your security? Get in Touch

Tony Sollars
