Device Code Phishing

Buckle up: this one’s a little bit wild…and a lot bit bad.

A new scam has been hitting businesses across the US, even those who have been working hard to shore up their cybersecurity defenses. And when this attack works, the bad guys don’t even need to have a compromised or stolen password. The account or system under attack never even asks for one.

We know this sounds just about impossible, but unfortunately it’s a very real threat.

Here’s everything you need to know about device code phishing: what it is, why it works without a password, and what you can do to avoid becoming a victim.

What Is Device Code Phishing?

Device code phishing is a sophisticated form of phishing attack that convinces victims to give up access to their accounts. This time, instead of going after your username and password, the attack tries to convince you to input something called a device code.

Once you do, you've actually given them access to your account, and they can do all the same sorts of damage as a regular phishing attack, and more. Because you've actively granted them permission to use your account, they may get away with even more before they get caught.

How Device Code Phishing Works

Here’s how the scheme usually works. It all starts with an email, usually impersonating someone important. Only instead of asking you to log into your account (big red flag for phishing attacks), the email asks you to do something much less risky-sounding, like jumping onto a Microsoft Teams meeting.

If you click the link, you land on an actual Microsoft login page. Not a fake one, not even a good fake: you’re on a genuine Microsoft login page and nothing looks amiss.

To “join the meeting” (or whatever other action you’re being tricked into trying), you’re asked to enter a device code. Sure enough, you go back to the email that led you here, and there it is: your HR manager or CEO or whoever provided you with a device code to enter.

But if you enter that device code, you’re actually giving the attacker permission to use your account.

Why Does Device Code Phishing Work?

You might be thinking that this sounds a little bonkers. Why would inputting a few digits completely destroy your account security?

Well, it has to do with attackers abusing some of the newer sign-in features Microsoft and other companies have been rolling out in an effort to reduce our reliance on (less secure) passwords. One of these is the device code flow: a device that is trying to log in (like a new computer) shows you a short code, and you confirm that login by entering the code on a separate device where you're already authenticated, like your phone. Entering the code proves you're really the person trying to log into the other device.

Essentially, the bad guys have already started logging in as you, which generates a device code on their end. When you enter their device code, it's like you're saying "yep, Microsoft, that's really me, go ahead and let me in!"
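To make the mechanism concrete, here is a small model of the device code flow (the OAuth 2.0 device authorization grant) written as an added example for this article; it is not Microsoft's code and it is not taken from the original post. The server, client name, code format and 15-minute lifetime are all assumptions chosen for illustration. The point it shows is the one above: the server hands the access token to whoever holds the secret device code, on behalf of whichever signed-in user typed the short user code, and it has no way to tell whether those are the same person.

```python
"""Model of the device code flow: who requests a code vs. who approves it.

Added example; the server, URLs and code formats are constructed for illustration.
"""
import secrets
import time

# Assumption: codes live for 15 minutes, a typical short lifetime for this flow.
USER_CODE_TTL_SECONDS = 15 * 60


class AuthorizationServer:
    def __init__(self, now=time.time):
        self._now = now          # injectable clock so expiry can be tested
        self._pending = {}       # device_code -> pending authorization record

    def device_authorization(self, client_id: str) -> dict:
        """Step 1: the party that wants a token asks for a code pair.

        It receives a secret device_code (kept by the requester) and a short
        user_code meant to be shown to a human. The server does not learn
        anything about *who* is sitting at the requesting device.
        """
        device_code = secrets.token_urlsafe(32)
        user_code = f"{secrets.randbelow(10**4):04d}-{secrets.randbelow(10**4):04d}"
        self._pending[device_code] = {
            "client_id": client_id,
            "user_code": user_code,
            "expires_at": self._now() + USER_CODE_TTL_SECONDS,
            "approved_by": None,
        }
        return {
            "device_code": device_code,
            "user_code": user_code,
            "verification_uri": "https://login.example/device",  # constructed
        }

    def approve(self, user_code: str, authenticated_user: str) -> str:
        """Step 2: a user who is ALREADY signed in on some browser types the user_code.

        The server records who approved it. Note what it does not (and cannot)
        check: whether this user is the same person who performed step 1.
        The only server-side safeguards in this model are the short lifetime
        and the client name it could display on the approval page.
        """
        for rec in self._pending.values():
            if rec["user_code"] == user_code:
                if self._now() > rec["expires_at"]:
                    return "expired_token"
                rec["approved_by"] = authenticated_user
                return f"approved for client {rec['client_id']}"
        return "invalid_user_code"

    def token(self, device_code: str) -> dict:
        """Step 3: whoever holds the device_code polls for the token."""
        rec = self._pending.get(device_code)
        if rec is None:
            return {"error": "invalid_grant"}
        if self._now() > rec["expires_at"]:
            return {"error": "expired_token"}
        if rec["approved_by"] is None:
            return {"error": "authorization_pending"}
        # Token is issued for the *approver's* identity to the *requester's* session.
        return {"access_token": f"token-for-{rec['approved_by']}", "sub": rec["approved_by"]}


def who_gets_the_token(client_id: str, approving_user: str) -> str:
    """Run all three steps and return the identity the issued token belongs to.

    The requester only supplies a client_id; the server never sees a password
    for approving_user in this flow, which is why the attack described above
    works without one.
    """
    server = AuthorizationServer()
    codes = server.device_authorization(client_id)
    server.approve(codes["user_code"], authenticated_user=approving_user)
    response = server.token(codes["device_code"])
    return response.get("sub", response.get("error"))


if __name__ == "__main__":
    print(who_gets_the_token("some-cli-app", "alice@example.com"))
```

Running it prints the approver's identity, because the requester's session is what receives the token. Notice that nothing in `approve` ties the requesting session to the approving user; that gap is what the emailed "meeting code" exploits, and why the protections in the next sections focus on not entering codes you didn't generate and on turning the flow off where it isn't needed.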

Why are these attacks getting through at all? Device code phishing is different from most types of phishing attacks, bypassing several of the tell-tale signs (like fake landing pages, weird links, and forcing users to log in to sites that don't remember their passwords). And because the attack runs through real Microsoft login pages, not fakes, it is harder for cybersecurity software to block.

Best Protection Methods

The best way to stay safe is to use common sense, and maybe even a little bit of suspicion. If you get an email that sounds like one of these, don't act on it. Call the person who supposedly sent it. Manually open Teams (or whatever other app) and look for a meeting request. If things don't check out, assume it's a scam.

You may also want to turn off device codes completely if they aren’t something your business needs (at least until Microsoft finds a way to get in front of these attacks). Not sure how to do this or what the right steps are to stay safe? We can help. Reach out today.
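If turning the flow off isn't an option for everyone, the next best thing is to watch for it. The following is an added example (not from the original post or from Microsoft) of the kind of check an IT team could run over sign-in records: it flags every sign-in that used the device code flow outside a small allowlist of accounts and apps that legitimately need it, and raises the severity when the sign-in comes from a country the user has never used with a normal login. The field names mirror the shape of Microsoft Graph sign-in records (`authenticationProtocol`, `appDisplayName`, `location`), but the records, the allowlist and the app names are constructed for this example.

```python
"""Flag device-code sign-ins outside an allowlist, with a location baseline.

Added example. Record shapes mirror Graph sign-in objects; all values are constructed.
"""
from collections import defaultdict

# Constructed sample sign-ins (not real log data).
SAMPLE_SIGNINS = [
    {"createdDateTime": "2024-05-02T09:12:04Z", "userPrincipalName": "alice@example.com",
     "authenticationProtocol": "oAuth2", "appDisplayName": "Microsoft Teams",
     "ipAddress": "203.0.113.10", "location": {"countryOrRegion": "US"}},
    {"createdDateTime": "2024-05-02T09:40:51Z", "userPrincipalName": "alice@example.com",
     "authenticationProtocol": "deviceCode", "appDisplayName": "Microsoft Office",
     "ipAddress": "198.51.100.7", "location": {"countryOrRegion": "NL"}},
    {"createdDateTime": "2024-05-02T10:03:17Z", "userPrincipalName": "bob@example.com",
     "authenticationProtocol": "oAuth2", "appDisplayName": "Outlook",
     "ipAddress": "203.0.113.22", "location": {"countryOrRegion": "US"}},
    {"createdDateTime": "2024-05-02T10:15:44Z", "userPrincipalName": "bob@example.com",
     "authenticationProtocol": "deviceCode", "appDisplayName": "Microsoft Office",
     "ipAddress": "203.0.113.22", "location": {"countryOrRegion": "US"}},
    {"createdDateTime": "2024-05-02T11:00:00Z", "userPrincipalName": "svc-build@example.com",
     "authenticationProtocol": "deviceCode", "appDisplayName": "build-cli",
     "ipAddress": "203.0.113.40", "location": {"countryOrRegion": "US"}},
]

# Assumed allowlist: (user, app) pairs that are expected to use the device code flow,
# e.g. a service account running a command-line tool on a build server. An empty
# allowlist corresponds to the article's advice of not using the flow at all.
DEVICE_CODE_ALLOWLIST = {("svc-build@example.com", "build-cli")}


def baseline_countries(signins):
    """Countries each user has signed in from using flows other than device code."""
    seen = defaultdict(set)
    for s in signins:
        if s.get("authenticationProtocol") == "deviceCode":
            continue
        country = s.get("location", {}).get("countryOrRegion")
        if country:
            seen[s["userPrincipalName"]].add(country)
    return seen


def detect_device_code_signins(signins, allowlist=DEVICE_CODE_ALLOWLIST):
    """Return one alert per unexpected device-code sign-in, in record order."""
    base = baseline_countries(signins)
    alerts = []
    for s in signins:
        if s.get("authenticationProtocol") != "deviceCode":
            continue
        user = s["userPrincipalName"]
        app = s.get("appDisplayName", "")
        if (user, app) in allowlist:
            continue
        reasons = ["device code flow used outside the allowlist"]
        country = s.get("location", {}).get("countryOrRegion")
        if country and country not in base.get(user, set()):
            reasons.append(f"country {country} never seen in this user's normal sign-ins")
        alerts.append({
            "time": s["createdDateTime"],
            "user": user,
            "app": app,
            "ip": s.get("ipAddress"),
            "severity": "high" if len(reasons) > 1 else "medium",
            "reasons": reasons,
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_device_code_signins(SAMPLE_SIGNINS):
        print(alert["severity"].upper(), alert["user"], alert["app"], "; ".join(alert["reasons"]))
```

On the sample data this produces two alerts: a high-severity one for the device-code sign-in from a country the user has never used, and a medium-severity one for a device-code sign-in that is otherwise ordinary but still unexpected for that user. The build service account is skipped because it is on the allowlist. Even the medium alert is worth a phone call to the user, because a successful device code phish looks like a perfectly normal sign-in in every other respect.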