Just when you think your business is finally covered on the cybersecurity front, something new comes along and changes everything.
Right now, that’s exactly what’s happening.
There’s a new scam making the rounds, and unfortunately, it’s already affecting small businesses across the country, including here in Southwest Oklahoma. Even worse, the hackers behind it don’t even need your password to break in.
That’s right. They’re getting into Microsoft accounts without stealing passwords. And sadly, the scam works surprisingly well.
A new kind of phishing scam
This latest trick is called device code phishing, and Microsoft has warned that these attacks are growing fast. Unlike older phishing scams, this one is a bit more clever.
Usually, phishing attacks try to fool someone into typing their password into a fake login page. However, this method uses real Microsoft login screens, which makes it a lot harder to catch.
Here’s how it works: You or someone on your team gets an email that seems completely normal. For example, it might look like a Microsoft Teams invite or a quick message from HR or a coworker. As expected, you click the link, and it takes you to an official Microsoft login screen.
So far, everything seems fine.
Then, the email gives you a short “device code” to enter. You’re told it’s needed to join the meeting or finish logging in. Because it looks official, many people don’t think twice.
But here’s where the problem begins: when you type that code into Microsoft’s page, you aren’t logging yourself in. You are approving a sign-in on the hacker’s device, and Microsoft hands them access to your account.
How hackers get into Microsoft accounts without a password
Because everything happens on Microsoft’s actual login system, nothing looks out of place and the hacker slips past your security. Even if your account has multi-factor authentication (MFA) turned on, they might still get in, because you complete the MFA prompt yourself while approving the code. That’s what makes this so dangerous.
Once they’re in, they can read your emails, snoop through your files, or pretend to be you and trick others at your business. You won’t even know it happened until the damage is done.
Even worse, if they steal your session token (the thing that keeps you logged in), they can stay in your account even after you change your password.
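Because the sign-in looks normal, the one place it does leave a trace is the Microsoft Entra sign-in log, which records which authentication protocol each sign-in used. The script below is an added example (not from the original post or from Wolferdawg IT Consulting) that reads an exported sign-in log and flags successful device-code sign-ins, rating any from an IP address outside your known office or VPN addresses as high priority. The record fields follow the Graph signIn resource (authenticationProtocol, userPrincipalName, ipAddress, appDisplayName, createdDateTime, status.errorCode); the three records embedded in the script are constructed sample data, and the known-good IP list is an assumption you replace with your own.

```powershell
# Added example: flag device-code sign-ins in an exported Entra sign-in log.
# Field names follow the Graph signIn resource; the sample records are constructed.

function Find-DeviceCodeSignIn {
    param(
        [Parameter(Mandatory)] [object[]] $SignIns,
        [string[]] $KnownGoodIps = @()   # assumption: your office / VPN egress IPs
    )
    foreach ($s in $SignIns) {
        # The device code flow shows up as authenticationProtocol = "deviceCode".
        if ($s.authenticationProtocol -ne 'deviceCode') { continue }
        # Only a successful sign-in (errorCode 0) means tokens were actually issued.
        if ($s.status.errorCode -ne 0) { continue }
        # A device-code sign-in from an unknown IP is the pattern this scam produces.
        $severity = if ($KnownGoodIps -contains $s.ipAddress) { 'review' } else { 'high' }
        [pscustomobject]@{
            When     = $s.createdDateTime
            User     = $s.userPrincipalName
            App      = $s.appDisplayName
            IP       = $s.ipAddress
            Severity = $severity
        }
    }
}

# Constructed sample export (three records) so the script runs offline.
$sample = @'
[
  {"createdDateTime":"2025-06-03T14:02:11Z","userPrincipalName":"kim@example.com",
   "appDisplayName":"Microsoft Office","authenticationProtocol":"deviceCode",
   "ipAddress":"203.0.113.45","status":{"errorCode":0}},
  {"createdDateTime":"2025-06-03T14:05:40Z","userPrincipalName":"kim@example.com",
   "appDisplayName":"Microsoft Teams","authenticationProtocol":"oAuth2",
   "ipAddress":"198.51.100.10","status":{"errorCode":0}},
  {"createdDateTime":"2025-06-03T15:10:02Z","userPrincipalName":"lee@example.com",
   "appDisplayName":"Microsoft Azure CLI","authenticationProtocol":"deviceCode",
   "ipAddress":"198.51.100.10","status":{"errorCode":0}}
]
'@ | ConvertFrom-Json

# Expected: kim@example.com from 203.0.113.45 rated "high"; lee@example.com from
# a known-good IP rated "review"; the Teams sign-in is not device code and is skipped.
Find-DeviceCodeSignIn -SignIns $sample -KnownGoodIps @('198.51.100.10') | Format-Table
```

If your logs go to Microsoft Sentinel, the same check is a one-line query over the SigninLogs table filtering on AuthenticationProtocol equal to "deviceCode". When a hit is real, the first response step is to revoke the user’s sign-in sessions (for example with Revoke-MgUserSignInSession from the Microsoft Graph PowerShell SDK) before resetting the password, since that is what invalidates the tokens the hacker is holding.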
What you can do to stay safe
First, remind your team: real Microsoft logins never ask you to enter a code that someone else sent you by email or chat. That’s the red flag.
Second, if anyone receives a message asking them to log in using a code, slow down and double-check. Ask yourself: Did I request this? Do I know the person who sent it? If there’s any doubt, make a quick phone call or message the person directly rather than clicking and logging in.
What your IT provider should do
From a technical side, your IT support team (or provider like us) can help lock this down. If your business doesn’t use device code logins for anything, it’s best to turn off that feature completely.
We can also add extra security rules to only allow logins from trusted devices and locations. That makes it a lot harder for scammers to sneak in, even if someone accidentally clicks the wrong thing.
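Both of those controls are Conditional Access policies in Microsoft Entra. The script below is an added example (not code from the original post or from Wolferdawg IT Consulting) that creates them with the Microsoft Graph PowerShell SDK: one policy blocks the device code flow outright, and one only allows sign-ins from devices your business manages. Both are created in report-only mode so you can see in the sign-in log what they would have blocked before enforcing them. It assumes the SDK is installed, that you sign in as a Conditional Access Administrator, and that $BreakGlassGroupId holds the object ID of your emergency-access group (a placeholder here). The authenticationFlows condition is part of the current Graph policy schema; if an older SDK version rejects it, the beta cmdlet New-MgBetaIdentityConditionalAccessPolicy accepts the same body.

```powershell
# Added example: two report-only Conditional Access policies via the Graph PowerShell SDK.
# Assumptions: SDK installed, Conditional Access Administrator role, break-glass group ID below.

Import-Module Microsoft.Graph.Identity.SignIns
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All'

$BreakGlassGroupId = '<object-id-of-break-glass-group>'   # placeholder, replace with yours

# Policy 1: block the device code flow for everyone. This is the "turn off that
# feature" step. The authenticationFlows condition matches only sign-ins that use
# the device code grant, so normal browser and app logins are not affected.
$blockDeviceCode = @{
    displayName   = 'Block device code flow (report-only)'
    state         = 'enabledForReportingButNotEnforced'
    conditions    = @{
        users               = @{ includeUsers = @('All'); excludeGroups = @($BreakGlassGroupId) }
        applications        = @{ includeApplications = @('All') }
        authenticationFlows = @{ transferMethods = 'deviceCodeFlow' }
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('block') }
}

# Policy 2: only allow sign-ins from managed devices. A phished device code logs
# the hacker's own machine in, which is neither Intune-compliant nor joined to
# your domain, so this rule stops it even if a user has already approved the code.
$requireManagedDevice = @{
    displayName   = 'Require compliant or domain-joined device (report-only)'
    state         = 'enabledForReportingButNotEnforced'
    conditions    = @{
        users        = @{ includeUsers = @('All'); excludeGroups = @($BreakGlassGroupId) }
        applications = @{ includeApplications = @('All') }
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('compliantDevice', 'domainJoinedDevice') }
}

foreach ($policy in @($blockDeviceCode, $requireManagedDevice)) {
    $created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
    Write-Host "Created '$($created.DisplayName)' (id $($created.Id)) in state $($created.State)"
}
```

Run the policies in report-only mode for a week or two, check the sign-in log for anything legitimate they would have blocked, then switch each one on with Update-MgIdentityConditionalAccessPolicy and a body of @{ state = 'enabled' }. To also restrict logins by location, add a locations condition that includes 'All' and excludes 'AllTrusted' to a block policy, after defining your office addresses as trusted named locations in Entra.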
Why local IT security matters more than ever
If you’re a small business in Lawton, Duncan, or anywhere in Southwest Oklahoma, this kind of threat is a big deal. You don’t need a huge IT department to stay protected; you just need the right support.
At Wolferdawg IT Consulting, we make security simple. We help businesses like yours stay one step ahead of new scams like the Microsoft phishing scam 2025.
Need help locking down your Microsoft accounts before someone else gets in? Let’s talk.

Helping you trust your network. Book a call and let’s discuss how we can help you.
Serving Southwest Oklahoma and surrounding areas.