When it comes to cybersecurity, it often feels like just as you plug one hole, another one opens up.
That’s the reality for many small and medium-sized businesses today. You work hard to protect your systems—installing antivirus software, setting up multi-factor authentication (MFA), and educating your team about suspicious emails—only to find out there’s a new way for criminals to break in.
The latest threat? A growing tactic called Device Code Phishing.
It’s not your typical phishing scam. And it’s worrying for one key reason: attackers don’t need your password to get into your account.
You’ve probably heard of phishing scams before—fraudulent emails or messages that trick people into entering their login details into fake websites. Once you type in your username and password, cybercriminals steal that information and use it to break into your accounts.
But device code phishing works differently. Instead of stealing your credentials directly, attackers use a more subtle and manipulative technique. They trick you into voluntarily giving them access to your account—without you even realizing it.
It’s clever, and unfortunately, it’s becoming more common.
The scam usually begins with a fake email. It might look like it’s from your HR department, a colleague, or even a service like Microsoft Teams. The message often invites you to join a meeting, review a document, or approve something urgently.
When you click the link, it takes you to a real Microsoft login page—not a fake one. This is part of what makes device code phishing so effective. Everything looks normal.
Then you’re asked to enter a short “device code.” The code is included in the email, and you’re told it’s needed to complete your login or access the resource.
But here’s the trick: the code isn’t for you—it’s for them.
By typing it in, you’re authorizing the attacker’s device to log into your account. You’re not logging into your own system—you’re giving the attacker access to your Microsoft account from their machine.
It’s a simple step with serious consequences.
This type of phishing scam is effective because it avoids many of the red flags we’re trained to look for:
There’s no fake website.
You’re not typing your password into a suspicious form.
The login page is real.
The request feels routine.
But the end result is the same: someone else gains access to your account—your emails, your files, your contacts. From there, they can move around your network, look for sensitive data, and even trick others inside your company into giving up more information.
Worse still, many of these attacks can bypass MFA. Because you complete the sign-in, including any MFA prompt, inside a real Microsoft flow, the session issued to the attacker’s device has already satisfied MFA. That means your extra layers of security might not catch it.
Once inside, attackers can:
Read and send emails from your account
Download or delete files
Set up forwarding rules to monitor future messages
Trick co-workers or clients into sharing private information
Impersonate you to launch further scams
They may also capture what’s called a session token—a digital “pass” that keeps them logged in, even if you change your password.
This means removing them isn’t as easy as resetting credentials. Without the right tools, they can stay in your system long after you think you’ve locked them out.
Most cybersecurity tools are designed to detect suspicious logins or block fake websites. But device code phishing uses legitimate Microsoft systems. This makes detection harder because:
The login happens on a real Microsoft domain.
The device code process is meant for real use cases (like secure logins on smart TVs or conference room screens).
The login is “approved” by a human—you, the victim.
That combination makes this method especially dangerous for small and mid-sized businesses that rely on Microsoft services like Outlook, Teams, and OneDrive.
The best defence against device code phishing is awareness and prevention. Here are steps your business can take to reduce risk:
Make sure employees understand what device code phishing is and how it works. Specifically:
Never enter a device code unless you’re 100% sure where it came from.
If an email looks like it came from HR or IT, confirm using another method (like a phone call or a known company messaging app).
Understand that a genuine device code is shown on the screen of the device you are signing in (a TV or meeting room display, for example), never sent to you in an email by someone else. A real Microsoft login page should not be asking you for a code that arrived that way.
Ask your IT team or managed services provider whether your business actually needs the device code login flow. If not, disable it.
Microsoft allows administrators to turn off device code authentication in Azure AD (now Microsoft Entra ID). This reduces the attack surface and prevents this specific type of scam from working.
You can set security policies to block logins from unknown locations or unapproved devices. This way, even if someone manages to trick an employee, their access attempt can be blocked.
Conditional Access rules can also require stronger authentication for certain actions—like downloading files or changing settings.
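One way to express the control described above as an added example (not code from this post or from Robertson Technology Group): a Python helper that builds the Microsoft Graph request body for a Conditional Access policy blocking the device code sign-in flow, starting in report-only mode and refusing to enforce without an emergency-access exclusion. The field names follow my reading of the Graph conditionalAccessPolicy resource and should be checked against current Microsoft documentation; the group ID in the test is a placeholder.

```python
import json
import urllib.request

# Graph v1.0 endpoint for Conditional Access policies (assumed current).
GRAPH_URL = "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies"


def device_code_block_policy(break_glass_group_ids, report_only=True):
    """Build the policy body that blocks the device code flow for all users and apps.

    break_glass_group_ids: groups (emergency-access accounts) excluded from the block.
    report_only: start in report-only state so sign-in logs show what would be blocked
                 before anyone is locked out.
    """
    if not report_only and not break_glass_group_ids:
        # An enforced block with no exclusions can lock administrators out.
        raise ValueError("refusing to enforce without a break-glass exclusion")
    state = "enabledForReportingButNotEnforced" if report_only else "enabled"
    return {
        "displayName": "Block device code authentication flow",
        "state": state,
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeGroups": list(break_glass_group_ids)},
            "applications": {"includeApplications": ["All"]},
            # authenticationFlows targets the device code flow itself, so the block
            # applies no matter which application or device requested the code.
            "authenticationFlows": {"transferMethods": "deviceCodeFlow"},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }


def create_policy(access_token, body):
    """POST the policy to Graph; the token needs Policy.ReadWrite.ConditionalAccess."""
    req = urllib.request.Request(
        GRAPH_URL,
        data=json.dumps(body).encode(),
        headers={"Authorization": f"Bearer {access_token}",
                 "Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)
```

Run it in report-only mode first, review the affected sign-ins, then switch to enforced once the exclusion group is confirmed.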
Traditional antivirus tools aren’t enough anymore. Endpoint Detection and Response (EDR) systems can detect suspicious behaviour after login, like:
Accessing large numbers of files quickly
Logging in from new locations
Forwarding emails automatically
These tools alert your IT provider so they can act before damage is done.
Keep an eye on logins from unfamiliar IP addresses, devices, or countries. Set up alerts for:
Multiple failed login attempts
Password resets
Sign-ins at odd hours
Even if an attacker gets in, quick detection can limit the damage.
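The monitoring steps above, as an added example that is not part of the original post: a small Python triage routine run over constructed sign-in records, flagging device code sign-ins and raising the severity when they also come from an unexpected country or outside business hours. The record fields are assumed to mirror Entra ID sign-in log entries (authenticationProtocol, location, createdDateTime); all values are made up.

```python
from datetime import datetime

# Constructed sample sign-in records (not real log data).
SAMPLE_SIGNINS = [
    {"userPrincipalName": "alice@example.com", "authenticationProtocol": "deviceCode",
     "ipAddress": "203.0.113.7", "location": {"countryOrRegion": "NL"},
     "createdDateTime": "2025-03-04T03:12:00Z", "status": {"errorCode": 0}},
    {"userPrincipalName": "bob@example.com", "authenticationProtocol": "none",
     "ipAddress": "198.51.100.2", "location": {"countryOrRegion": "CA"},
     "createdDateTime": "2025-03-04T14:05:00Z", "status": {"errorCode": 0}},
    {"userPrincipalName": "carol@example.com", "authenticationProtocol": "deviceCode",
     "ipAddress": "198.51.100.9", "location": {"countryOrRegion": "CA"},
     "createdDateTime": "2025-03-04T09:30:00Z", "status": {"errorCode": 0}},
]

EXPECTED_COUNTRIES = {"CA"}      # where the business normally signs in from
BUSINESS_HOURS = range(7, 19)    # 07:00 to 18:59 UTC; adjust to the local timezone


def review_signin(rec):
    """Return the reasons this successful sign-in deserves a look (empty = nothing unusual)."""
    reasons = []
    if rec.get("status", {}).get("errorCode", 0) != 0:
        return reasons  # failed sign-ins belong to the separate failed-login alert
    country = rec.get("location", {}).get("countryOrRegion")
    hour = datetime.fromisoformat(rec["createdDateTime"].replace("Z", "+00:00")).hour
    if rec.get("authenticationProtocol") == "deviceCode":
        reasons.append("device code sign-in")
    if country not in EXPECTED_COUNTRIES:
        reasons.append(f"unexpected country {country}")
    if hour not in BUSINESS_HOURS:
        reasons.append(f"outside business hours ({hour:02d}:00 UTC)")
    return reasons


def triage(records):
    """Return one alert per flagged sign-in; a device code sign-in with any other
    oddity (new country, odd hour) is rated high, a lone oddity medium."""
    alerts = []
    for rec in records:
        reasons = review_signin(rec)
        if not reasons:
            continue
        high = "device code sign-in" in reasons and len(reasons) > 1
        alerts.append({"user": rec["userPrincipalName"], "ip": rec["ipAddress"],
                       "severity": "high" if high else "medium", "reasons": reasons})
    return alerts
```

A high-severity alert is the cue to revoke the user’s sessions and tokens, not just reset the password, since the attacker’s session survives a password change.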
Beyond tools and settings, the most important protection is having a team that’s aware of the risks.
Cybersecurity is not a one-time job. It’s an ongoing effort. Everyone in your business—from the front desk to the finance team—needs to understand that cyber threats are real, evolving, and often disguised as everyday tasks.
Make training part of your regular routine. Offer refresher courses. Use examples from real phishing scams. And encourage employees to speak up if something feels off—even if they’re not sure.
A well-trained team is your strongest line of defence.
You might think cybercriminals only go after big companies. But that’s not the case.
Small and medium businesses are often targeted because:
They use many of the same tools (like Microsoft 365) as large businesses
They may not have dedicated security staff
They rely heavily on email and cloud services
They often assume they’re “too small to be noticed”
This false sense of security can leave gaps in protection—gaps that attackers are more than happy to exploit.
And with new threats like device code phishing emerging, it’s more important than ever to be proactive.
Device code phishing is a reminder that not all scams involve sketchy websites or obvious mistakes. Some of them look completely normal—until it’s too late.
But by staying informed, training your team, and working with a reliable IT partner, you can stay a step ahead.
Cybercriminals are always innovating. So should your cybersecurity strategy.
At Robertson Technology Group, we specialize in managed technology security and support solutions designed for small to medium businesses across Canada. Based in Victoria, BC, we work directly with your business to create a technology plan that suits your unique needs—without forcing you to adapt to a one-size-fits-all system.
Our approach is highly personalized. We get to know your operations so we can deliver fast, relevant, and secure support every step of the way. With our adaptive technology stack and a strong focus on innovation—including AI-powered risk analysis—you get forward-thinking protection tailored to your business.
Whether you’re trying to prevent the latest phishing scam or need help managing devices across multiple locations, we’re here to take the burden off your team so you can focus on growing your business.