[Image: a computer, captioned "Criminals don't need passwords"]

Criminals Can Now Access Your Account Without Your Password

July 11, 2025 | 2 min read

Just when you think you’ve done everything right with cybersecurity—multi-factor authentication? Check. Strong passwords? Check.—a new threat pops up that makes you question everything.

Here’s what we’re seeing now:

🔓 Cybercriminals can get into your Microsoft account…
without ever knowing your password.

It’s called device code phishing, and Microsoft is sounding the alarm because these attacks are growing fast.

And yes, it’s affecting small firms—accounting, legal, medical—businesses like yours that rely on Microsoft tools every day.

What is Device Code Phishing?

Unlike traditional phishing that tries to trick you into typing your login info into a fake site, this scam uses real Microsoft login pages. That’s what makes it so convincing—and dangerous.

Here’s how it works:

  1. You get an email that looks legit. Maybe from “HR” or a colleague.

  2. It invites you to something familiar—like a Microsoft Teams meeting.

  3. The link takes you to a real Microsoft login screen.

  4. You're asked to enter a short “device code.”

Seems harmless, right?

But that code? It’s not for you.

✅ By entering it, you’re logging the criminal into your account on their device.
And because it’s a real Microsoft sign-in, you satisfy any MFA prompt yourself along the way, which is why it can bypass MFA in some cases.

That means:

  • They don’t need your password.

  • They can read your emails, access your files, and impersonate you.

  • They can stick around, even if you change your password, because what they hold is a signed-in session, not your password.

It’s like unknowingly handing someone your office key—and they never left a trace.

Why This Matters to SMBs

This isn’t just a big-business problem. Small and midsize firms are prime targets because:

  • You use cloud tools like Microsoft 365 every day

  • You handle sensitive client data

  • You may not have a full-time IT security team watching every login

And attackers know it.

What You Can Do

Here’s what we recommend to every client:

🚫 Don’t enter a “device code” unless you requested it.

If someone sends you a code to type in, stop right there.
Even if the login page looks 100% real, it’s not how Microsoft usually works.

📞 Confirm through another method.

Call, text, or Teams message the sender. If they really sent it, they’ll confirm.
If not, you just dodged a major breach.

🛡 Disable device code authentication if you don’t need it.

Your IT provider (like us) can turn this feature off completely if your business doesn’t rely on it. That’s one less door for attackers to walk through.
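Before turning the flow off, it helps to know whether anyone in the business legitimately uses it, and afterwards to confirm nobody still is. The script below is an added example, not code from the original post or from BigWater Technologies: it reads sign-in records in the shape of the Microsoft Entra sign-in log (the Microsoft Graph `signIn` resource, where `authenticationProtocol` is `deviceCode` for this flow; the field names are assumed from that resource) and flags every device code sign-in, rating it HIGH when it comes from a country the user has never signed in from by any other method. The sample records are constructed.

```python
import json
from collections import defaultdict

# Constructed sample sign-in records (not real data). Field names follow the
# Microsoft Graph signIn resource as assumed here; check them against your export.
SAMPLE_SIGNINS = json.loads("""[
 {"userPrincipalName":"alice@example.com","appDisplayName":"Microsoft Teams",
  "authenticationProtocol":"oAuth2","ipAddress":"203.0.113.10","location":{"countryOrRegion":"US"}},
 {"userPrincipalName":"alice@example.com","appDisplayName":"Microsoft Office",
  "authenticationProtocol":"deviceCode","ipAddress":"198.51.100.7","location":{"countryOrRegion":"NL"}},
 {"userPrincipalName":"bob@example.com","appDisplayName":"Azure CLI",
  "authenticationProtocol":"deviceCode","ipAddress":"203.0.113.22","location":{"countryOrRegion":"US"}},
 {"userPrincipalName":"bob@example.com","appDisplayName":"Outlook",
  "authenticationProtocol":"oAuth2","ipAddress":"203.0.113.22","location":{"countryOrRegion":"US"}}
]""")


def country_of(record):
    return record.get("location", {}).get("countryOrRegion")


def device_code_signins(records):
    """Only the sign-ins that completed through the device code flow."""
    return [r for r in records if r.get("authenticationProtocol") == "deviceCode"]


def baseline_countries(records):
    """Countries each user normally signs in from via any other flow."""
    seen = defaultdict(set)
    for r in records:
        if r.get("authenticationProtocol") != "deviceCode":
            seen[r["userPrincipalName"]].add(country_of(r))
    return seen


def triage(records):
    """Flag every device code sign-in; HIGH when its country never appears in the
    user's ordinary sign-ins (the user may have typed the code, the session went elsewhere)."""
    baseline = baseline_countries(records)
    findings = []
    for r in device_code_signins(records):
        upn = r["userPrincipalName"]
        severity = "HIGH" if country_of(r) not in baseline.get(upn, set()) else "REVIEW"
        findings.append({"user": upn, "app": r.get("appDisplayName"), "ip": r.get("ipAddress"),
                         "country": country_of(r), "severity": severity})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_SIGNINS):
        print(f"{f['severity']:6} {f['user']} via {f['app']} from {f['ip']} ({f['country']})")
```

A REVIEW finding still deserves a quick check with the user: if nobody in the business can name a tool that needs the device code flow, that is the signal to switch it off.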

📚 Keep training your team.

The more your people understand what these scams look like, the better your defense.


Your team is your first line of defense—and we’re here to back them up with smart tools, real-time monitoring, and strategies that match how your business actually works.

🔐 Need help tightening up your Microsoft 365 security?
Let’s talk. No jargon. No pressure. Just a smarter way to protect your business.

#Microsoft365 #BigWaterTech #KeepITSimple

John Lowery is the CEO of BigWater Technologies, where he leads with a passion for innovation and excellence in delivering advanced IT solutions. With over two decades of experience in the tech industry, John specializes in strategic planning, operational efficiency, and driving customer success.
