Microsoft: Criminals can access your accounts without your password
June 8, 2022
|
4
min read
Highlights
Cyber criminals are always looking for new ways to access your accounts. And now they’ve found a way that means they don’t even need your password. Beware this one…
Think Your Cyber Security Is Locked Down? Think Again.
Just when you feel confident about your cyber security setup, a new threat emerges to shake things up.
Right now, a fresh scam is making the rounds—and it’s catching out businesses like yours. The most alarming part? Cyber criminals don’t even need your password to break in.
It’s called device code phishing, and it’s gaining traction fast. Microsoft has already flagged a surge in these attacks, and more are expected.
Unlike traditional phishing—where attackers trick you into entering your credentials on fake websites—this method is far more cunning.
How It Works
Attackers send a convincing email, often posing as someone from HR or a colleague, inviting you to a Microsoft Teams meeting. You click the link and land on a genuine Microsoft login page. Everything looks normal.
Then you’re asked to enter a short “device code” provided in the email. It seems routine.
But here’s the twist: by entering that code, you’re not logging yourself in—you’re logging the attacker into your account. And because the login uses legitimate Microsoft infrastructure, it can even bypass multi-factor authentication.
Once inside, attackers can:
- Read your emails
- Access sensitive files
- Impersonate you to deceive others
It’s like handing over your office keys without realising it.
Why It’s So Dangerous
- You’re on a real Microsoft site—not a dodgy clone.
- You didn’t enter your password into a suspicious form.
- Everything looks above board… but it’s not.
Even worse, traditional security tools may not detect this. And if the attacker captures your session token, changing your password won’t necessarily kick them out.
How to Stay Safe
- Pause before entering any code: Ask yourself—did I request this? Is it from a trusted source?
- Verify requests: Use a separate channel (like a phone call or internal messaging) to confirm legitimacy.
- Know the signs: Real Microsoft logins don’t involve someone else giving you a code to enter.
- Disable device code login: If your business doesn’t use it, your IT team should consider turning it off.
- Train your team: Awareness is your best defence. The more your people know, the safer your business will be.
Need help reviewing your security setup or training your team? Let’s talk
Tell us about yourself so we can serve you best.
Got a question?
More articles
.png)
This special edition of our Leading London series brings together the partners behind the rollout of the City of London Corporation’s new unified network, a major upgrade designed to strengthen public services and improve connectivity across the Square Mile and beyond.
The panel included:
- Sam Collins, Assistant Director of Digital and Data, City of London Corporation
- Chelsea Chamberlin, Chief Technology Officer, Roc Technologies
- Scott McKinnon, Chief Security Officer, Palo Alto Networks
- Rhod Morgan, Chief Operations Officer, Vorboss
- Elliot Townsend, Senior Director, Juniper Networks
- Christa Elizabeth Norton, Marketing Director, Roc Technologies
Together, they explored how the new network will improve public services, strengthen cyber resilience and support a more connected, future-ready City.
For many landlords and building managers, the word “wayleave” feels like the responsible route whenever a fibre circuit is being installed on their property. It sounds formal and safe – a neat legal box to tick.
In many cases, however, a wayleave adds unnecessary complexity and delays, frustrates tenants, and can expose landlords to long-term legal risks.
At Vorboss, we’ve connected thousands of office spaces across London without a wayleave, keeping landlords in full control and getting tenants online faster.
What is a wayleave?
A wayleave is a written agreement between a landowner and a telecoms operator. It gives the operator permission to install and keep equipment on private property.
What many people don’t realise is that signing a wayleave also activates “Code rights” under the Electronic Communications Code. These rights go beyond simple permission, they give the operator legal powers to stay on the property indefinitely, access it when needed, and even refuse removal of their equipment in certain situations.
For a typical connection into a commercial building in London, a wayleave can make the fibre installation process slower, more expensive, and limit the landlord’s flexibility long term.
Why a wayleave isn’t required for standard in-building fibre connections
For a standard in-building fibre connection serving a tenant, a wayleave isn’t a legal requirement. Important protections, like building access, fire safety, repairing any damage, and removing equipment, are already covered by the tenant’s lease and usual building rules.
If no wayleave is signed, no Code rights are triggered, meaning the landlord retains full control and the installation exists under a simple, fully revocable licence.
In practice, this gives landlords far more protection and flexibility:
- No legal lock-in – the telecoms operator has no long-term rights to stay or refuse removal.
- Landlords keep full control – equipment can be moved or removed when the building changes.
- Faster fibre installation – no time lost in drafting contracts or solicitor reviews.
- Happier tenants – connections go live quicker; tenants get to move in faster.
By contrast, signing a wayleave and granting Code rights introduces a complex and expensive legal process for any fibre removal or relocation. This can take at least 18 months, plus potential court or tribunal proceedings, making it slower, and far less flexible for the landlord.
.avif)
.avif)
