
Microsoft Warning: Hackers Can Get Into Your Account Without Your Password

Just when you think your cybersecurity is solid—bam!—something new shows up to cause problems.


Right now, there’s a new scam going around, and it’s tricking a lot of businesses like yours.


The scariest part? Hackers don’t even need your password.


This scam is called device code phishing. It’s sneaky, and it's becoming more common. Microsoft recently warned people about it, and we’ll likely see even more of it soon.


This scam is different from the usual ones where you're tricked into typing your password into a fake website.


Instead, hackers get you to give them access to your account yourself. And they do it through real Microsoft login pages, so it all looks normal.


It usually starts with an email that looks like it’s from your HR department or a coworker. The email says something like “Join this Microsoft Teams meeting.” You click the link and land on a real Microsoft sign-in screen.


Nothing seems wrong.


Then you’re asked to type in a short “device code.” The email gives you the code and says it’s needed to join the meeting or finish logging in.


Here’s the trick: By entering that code, you’re not logging yourself in—you’re logging them in.


That gives the hacker full access to your Microsoft account on their device. And since the login goes through real Microsoft systems, and you complete any verification prompt yourself, it can even get around protections like multi-factor authentication (MFA).


Once they’re in, they can read your emails, steal your files, or pretend to be you and trick other people at your company.


It’s dangerous because everything looks normal. You’re on a real Microsoft page, you didn’t click a shady link, and you didn’t give away your password. But you still gave them access.


And here’s the kicker: even changing your password might not kick them out. If they grab something called a “session token” (which keeps you logged in), they can stay in your account.


So how do you stay safe?

  1. Be careful with login requests, especially ones asking you to enter a code. Ask yourself—did I ask for this? Do I trust who sent it?

  2. If you’re unsure, stop. Contact the person another way (like by phone or a chat app) to confirm it’s real.

  3. Remember: A sign-in code should only ever come from a device or app you are setting up yourself. Real Microsoft logins won’t ask you to enter a code someone else gave you. That’s a red flag.

  4. Ask your IT team to turn off device code logins if you don’t need them.

  5. Keep training your team so everyone knows what to watch out for.
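
For an IT team acting on step 4, it helps to know who is actually using device code logins before turning them off. The script below is an added example, not code from Microsoft or from this article: it reads sign-in records, lists the accounts using device code sign-in, and flags any that came from a country the account has not otherwise signed in from. The sample records are constructed, and the field names (such as `authenticationProtocol` with the value `deviceCode`) are assumed to match a Microsoft Entra sign-in log export, so check them against your own data.

```python
import json
from collections import defaultdict

# Constructed sample records (not real logs). Field names are an assumption
# modelled on a Microsoft Entra sign-in log export; errorCode 0 means success.
SAMPLE_LOG = """[
 {"createdDateTime": "2025-03-03T08:02:11Z", "userPrincipalName": "amy@example.com", "authenticationProtocol": "none", "ipAddress": "198.51.100.7", "location": {"countryOrRegion": "US"}, "status": {"errorCode": 0}},
 {"createdDateTime": "2025-03-03T14:40:02Z", "userPrincipalName": "amy@example.com", "authenticationProtocol": "deviceCode", "ipAddress": "203.0.113.50", "location": {"countryOrRegion": "NL"}, "status": {"errorCode": 0}},
 {"createdDateTime": "2025-03-03T09:15:30Z", "userPrincipalName": "bob@example.com", "authenticationProtocol": "none", "ipAddress": "198.51.100.9", "location": {"countryOrRegion": "US"}, "status": {"errorCode": 0}},
 {"createdDateTime": "2025-03-03T09:20:44Z", "userPrincipalName": "bob@example.com", "authenticationProtocol": "deviceCode", "ipAddress": "198.51.100.9", "location": {"countryOrRegion": "US"}, "status": {"errorCode": 0}},
 {"createdDateTime": "2025-03-03T16:01:00Z", "userPrincipalName": "cara@example.com", "authenticationProtocol": "deviceCode", "ipAddress": "203.0.113.77", "location": {"countryOrRegion": "NL"}, "status": {"errorCode": 1}}
]"""

def audit_device_code(records):
    """Return (accounts using device code sign-in, sign-ins worth reviewing)."""
    # Only successful sign-ins matter: a failed attempt granted no access.
    ok = [r for r in records if r.get("status", {}).get("errorCode") == 0]
    baseline = defaultdict(set)  # account -> countries seen on ordinary sign-ins
    for r in ok:
        if r.get("authenticationProtocol") != "deviceCode":
            baseline[r["userPrincipalName"]].add(r["location"]["countryOrRegion"])
    users, alerts = set(), []
    for r in sorted(ok, key=lambda rec: rec["createdDateTime"]):
        if r.get("authenticationProtocol") != "deviceCode":
            continue
        user = r["userPrincipalName"]
        country = r["location"]["countryOrRegion"]
        users.add(user)
        # A device code sign-in from somewhere the account never signs in
        # from (or an account with no baseline at all) deserves a closer look.
        if country not in baseline[user]:
            alerts.append((r["createdDateTime"], user, r["ipAddress"], country))
    return sorted(users), alerts

if __name__ == "__main__":
    users, alerts = audit_device_code(json.loads(SAMPLE_LOG))
    print("Accounts using device code sign-in:", users)
    for when, user, ip, country in alerts:
        print(f"REVIEW {when} {user} device code sign-in from {ip} ({country})")
```

If the first list comes back empty over a few weeks of logs, nobody depends on device code logins and IT can turn them off without disrupting anyone.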


Want help locking down your security? Let us know—we’re here to help.

 
 
 

Wyant Technologies

1129 Woodmere Ave, Unit K1
Traverse City, MI 49686

231-946-5969

help@gowyant.com

© 2023 Wyant Inc.

Cybersecurity Services for Michigan

IT Services for Michigan

Computer Support and Service

Compliancy Group HIPAA Certified badge
  • Facebook
  • LinkedIn
  • Youtube
bottom of page