
Microsoft Entra Accounts Targeted in Vishing Attacks

Summary

– Threat actors are using device code phishing combined with voice phishing (vishing) to compromise Microsoft Entra accounts by abusing the legitimate OAuth 2.0 device authorization flow.
– This attack method tricks victims into authenticating on a legitimate Microsoft login page, providing attackers with valid tokens to access accounts without stealing passwords or MFA codes directly.
– The attacks allow threat actors to access the victim’s single sign-on (SSO) applications and corporate data, with the ShinyHunters extortion gang suspected of being behind the campaigns.
– Security researchers recommend administrators block malicious domains, audit OAuth app consents, review sign-in logs, and consider disabling the device code flow when not required.
– Device code phishing is an established threat, with similar campaigns reported by Microsoft and other security firms warning of attacks targeting Microsoft 365 accounts.

A wave of attacks is targeting organizations across the technology, manufacturing, and financial sectors. These campaigns combine device code phishing with voice phishing, or vishing, to compromise Microsoft Entra accounts by abusing the OAuth 2.0 Device Authorization flow. Unlike older methods that relied on attacker-registered malicious OAuth applications, these attacks use legitimate Microsoft client IDs within the standard device authorization process and trick victims into completing a genuine sign-in. This hands the attackers valid access and refresh tokens for the victim's account without any phishing site that captures passwords or intercepts multi-factor authentication codes.

According to sources, the ShinyHunters extortion group is believed to be behind these new device code vishing attacks, a claim the threat actors themselves have reportedly confirmed. This group has recently been associated with similar vishing campaigns aimed at breaching Okta and Microsoft Entra SSO accounts for data theft. Microsoft has declined to comment on the ongoing incidents.

These attacks represent a shift in social engineering tactics. The vishing technique requires no attacker-controlled infrastructure at all: the victim only ever interacts with Microsoft's own login page and the standard device code authentication workflow. A device code phishing attack abuses the legitimate OAuth 2.0 device authorization grant to obtain authentication tokens for a victim's Microsoft Entra account. With these tokens, attackers can access the user's resources and connected single sign-on applications, including Microsoft 365, Salesforce, Google Workspace, Dropbox, and many other critical business platforms.

The device authorization grant was originally designed to simplify connecting devices with limited input capabilities, such as smart TVs, IoT devices, or printers. Microsoft explains that this flow allows a user to visit a webpage on a separate device, like a phone or computer, to sign in. Once authenticated, the constrained device can obtain the necessary access and refresh tokens. This is the same process used when logging into a streaming service like Netflix on a new TV, where you enter a code from the TV on a separate device.

In an attack scenario, threat actors first obtain the `client_id` of an existing OAuth application, which could be their own or one of Microsoft's legitimate first-party apps. Using open-source tools, they request a `device_code` and `user_code` pair for that specific app from Microsoft's device authorization endpoint. The attackers then contact a targeted employee, often via a vishing call, and socially engineer them into entering the provided `user_code` on the official Microsoft device authentication page at `microsoft.com/devicelogin`.

When the employee enters the code, they are prompted to log in with their credentials and complete any MFA verification, just as they would normally. After successful authentication, Microsoft displays the name of the OAuth application that was authorized. Because attackers can use legitimate apps, including those from Microsoft, this step appears completely trustworthy to the victim. Once the authorization is approved, the attackers redeem the `device_code` at the token endpoint to retrieve the employee's refresh token, which can be exchanged for access tokens. These tokens allow the attackers to access the employee's Microsoft services without needing to pass MFA again, as it was already completed during the initial, tricked login, and the refresh token stays usable until it expires or is revoked, so the access outlives the phone call.
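The exchange described above, as an added example that is not code from the article or from Microsoft: an offline stand-in for the authorization server implements the RFC 8628 device authorization grant, the victim's step is a single method call, and the attacker's side is nothing more than a polling loop. The endpoint names mirror Microsoft's v2.0 `devicecode` and `token` endpoints, but nothing here contacts Microsoft; the `client_id` is a placeholder for the real first-party app ID an attacker would reuse.

```python
"""Local simulation of the OAuth 2.0 device authorization grant (RFC 8628).

Added example, not code from the article or from Microsoft. The authorization
server below is an offline stand-in whose methods mirror Microsoft's v2.0
devicecode and token endpoints; the client_id is a placeholder.
"""
import secrets
import string
import time

DEVICE_CODE_GRANT = "urn:ietf:params:oauth:grant-type:device_code"


class MockAuthServer:
    """Stand-in authorization server (assumed, simplified behaviour)."""

    def __init__(self, expires_in=900):
        self.expires_in = expires_in
        self._pending = {}  # device_code -> pending authorization record

    def device_authorization(self, client_id, scope):
        """Like POST /oauth2/v2.0/devicecode: mint a device_code/user_code pair."""
        alphabet = string.ascii_uppercase + string.digits
        user_code = "".join(secrets.choice(alphabet) for _ in range(9))
        device_code = secrets.token_urlsafe(32)
        self._pending[device_code] = {
            "client_id": client_id, "scope": scope, "user_code": user_code,
            "issued": time.monotonic(), "approved_by": None,
        }
        return {"device_code": device_code, "user_code": user_code,
                "verification_uri": "https://microsoft.com/devicelogin",
                "expires_in": self.expires_in, "interval": 5}

    def user_login(self, user_code, username, mfa_passed):
        """The victim's step at the verification URI: enter the code, sign in, pass MFA."""
        if not mfa_passed:
            return False
        for rec in self._pending.values():
            if rec["user_code"] == user_code and rec["approved_by"] is None:
                rec["approved_by"] = username
                return True
        return False

    def token(self, grant_type, client_id, device_code):
        """Like POST /oauth2/v2.0/token, polled by whoever holds device_code."""
        if grant_type != DEVICE_CODE_GRANT:
            return {"error": "unsupported_grant_type"}
        rec = self._pending.get(device_code)
        if rec is None or rec["client_id"] != client_id:
            return {"error": "bad_verification_code"}
        if time.monotonic() - rec["issued"] > self.expires_in:
            del self._pending[device_code]
            return {"error": "expired_token"}
        if rec["approved_by"] is None:
            return {"error": "authorization_pending"}
        del self._pending[device_code]  # a device_code is redeemable once
        return {"token_type": "Bearer", "scope": rec["scope"],
                "access_token": "at." + secrets.token_urlsafe(16),
                "refresh_token": "rt." + secrets.token_urlsafe(16),
                "subject": rec["approved_by"]}


def attacker_poll(server, client_id, device_code, max_polls):
    """Attacker side: the only thing the attacker runs is this polling loop."""
    for _ in range(max_polls):
        resp = server.token(DEVICE_CODE_GRANT, client_id, device_code)
        if resp.get("error") != "authorization_pending":
            return resp  # tokens, or a terminal error
        # a real client sleeps `interval` seconds here; omitted to keep the demo fast
    return {"error": "gave_up"}


def simulate_attack(victim_completes_login=True):
    """Run the exchange end to end and return what each party saw."""
    server = MockAuthServer()
    client_id = "00000000-0000-0000-0000-000000000000"  # placeholder for a real first-party app ID
    # 1. Attacker asks for codes on behalf of a legitimate client_id.
    codes = server.device_authorization(client_id, "openid profile offline_access")
    # 2. Until the victim acts, polling yields only authorization_pending.
    before = server.token(DEVICE_CODE_GRANT, client_id, codes["device_code"])
    # 3. Vishing call: victim enters user_code at the genuine login page and passes MFA.
    approved = server.user_login(codes["user_code"], "victim@example.com",
                                 mfa_passed=victim_completes_login)
    # 4. Attacker's poller now receives a refresh token; the attacker never touched MFA.
    after = attacker_poll(server, client_id, codes["device_code"], max_polls=3)
    replay = server.token(DEVICE_CODE_GRANT, client_id, codes["device_code"])
    return {"user_code_read_to_victim": codes["user_code"], "before": before,
            "approved": approved, "after": after, "replay": replay}


if __name__ == "__main__":
    result = simulate_attack()
    print("victim was told to enter:", result["user_code_read_to_victim"])
    print("attacker polled before approval:", result["before"])
    print("attacker polled after approval:", result["after"])
```

The point the simulation makes is in step 4: the attacker's request carries nothing the victim typed, only the `device_code` it was given in step 1, and the server answers with a refresh token because the approval record was filled in by the victim's own MFA-backed sign-in.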

With this access, the threat actors can authenticate as the user within Microsoft Entra and access any SaaS applications configured with SSO in the victim’s tenant, paving the way for corporate data theft and extortion. Separately, KnowBe4 Threat Labs identified a related campaign using traditional phishing emails and websites to deliver device code attacks. First observed in December 2025, this campaign employs social engineering lures like fake payment configuration prompts, document-sharing alerts, and voicemail notifications to trick users.

KnowBe4 advises Microsoft 365 administrators to block the identified malicious domains and sender addresses, audit and revoke any suspicious OAuth app consents, and review the Microsoft Entra (formerly Azure AD) sign-in logs for device code authentication events. Administrators are strongly recommended to block the device code flow where it is not required, which the authentication flows condition in Conditional Access can enforce, and to apply robust Conditional Access policies. Because the attacker's access rests on a refresh token, any account found to have been tricked should also have its sign-in sessions revoked (the revokeSignInSessions action in Microsoft Graph) so that the token cannot be exchanged for further access tokens.
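One way to do the sign-in log review the advice above calls for, as an added example that is neither the article's nor Microsoft's code: the script below triages a Microsoft Graph sign-in export (JSON lines) for device code authentications and ranks them by how unusual the context is. The property names it reads (`authenticationProtocol`, `status.errorCode`, `location.countryOrRegion`, `appId`) are real Graph `signIn` properties; the four records, the app IDs and the "expected" sets are constructed for the demo and are assumptions about a particular tenant.

```python
"""Triage a Microsoft Entra sign-in export for device code authentications.

Added example, not from the article or from Microsoft. The records are a
constructed sample shaped like Microsoft Graph signIn objects, one JSON
object per line; field names are real Graph properties, values are made up.
"""
import json

# Constructed sample export: four sign-ins for two users. App IDs are placeholders.
SAMPLE_LOG = """\
{"createdDateTime":"2026-01-12T09:14:03Z","userPrincipalName":"alice@example.com","appDisplayName":"Microsoft Office","appId":"00000000-0000-0000-0000-000000000000","authenticationProtocol":"oAuth2","ipAddress":"203.0.113.10","status":{"errorCode":0},"location":{"countryOrRegion":"US"}}
{"createdDateTime":"2026-01-12T09:31:47Z","userPrincipalName":"alice@example.com","appDisplayName":"Microsoft Office","appId":"00000000-0000-0000-0000-000000000000","authenticationProtocol":"deviceCode","ipAddress":"198.51.100.77","status":{"errorCode":0},"location":{"countryOrRegion":"NL"}}
{"createdDateTime":"2026-01-12T10:02:11Z","userPrincipalName":"bob@example.com","appDisplayName":"Azure CLI","appId":"11111111-1111-1111-1111-111111111111","authenticationProtocol":"deviceCode","ipAddress":"203.0.113.22","status":{"errorCode":0},"location":{"countryOrRegion":"US"}}
{"createdDateTime":"2026-01-12T10:05:58Z","userPrincipalName":"bob@example.com","appDisplayName":"Azure CLI","appId":"11111111-1111-1111-1111-111111111111","authenticationProtocol":"deviceCode","ipAddress":"203.0.113.22","status":{"errorCode":50126},"location":{"countryOrRegion":"US"}}
"""

# Tenant-specific assumptions for the demo: where users normally sign in from,
# and which apps are legitimately used with the device code flow (e.g. CLI tools).
EXPECTED_COUNTRIES = {"US"}
EXPECTED_DEVICE_CODE_APPS = {"11111111-1111-1111-1111-111111111111"}


def parse_signins(text):
    """Parse a JSON-lines export into a list of sign-in dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def find_device_code_signins(records, expected_countries, expected_apps):
    """Return one finding per device code sign-in, with a severity and reasons.

    high:   successful device code sign-in with at least one anomaly
    medium: successful device code sign-in with no anomaly (still worth a look)
    low:    failed attempt (errorCode != 0); useful as an early warning
    """
    findings = []
    for r in records:
        if r.get("authenticationProtocol") != "deviceCode":
            continue
        success = r.get("status", {}).get("errorCode") == 0
        country = r.get("location", {}).get("countryOrRegion")
        reasons = []
        if country not in expected_countries:
            reasons.append(f"sign-in from unexpected country {country}")
        if r.get("appId") not in expected_apps:
            reasons.append(f"app '{r.get('appDisplayName')}' not expected to use device code flow")
        if success and reasons:
            severity = "high"
        elif success:
            severity = "medium"
        else:
            severity = "low"
        findings.append({
            "time": r.get("createdDateTime"),
            "user": r.get("userPrincipalName"),
            "app": r.get("appDisplayName"),
            "ip": r.get("ipAddress"),
            "country": country,
            "success": success,
            "severity": severity,
            "reasons": reasons,
        })
    return findings


def users_to_revoke(findings):
    """Users with a high finding: candidates for revoking sessions and refresh tokens."""
    return sorted({f["user"] for f in findings if f["severity"] == "high"})


if __name__ == "__main__":
    found = find_device_code_signins(parse_signins(SAMPLE_LOG),
                                     EXPECTED_COUNTRIES, EXPECTED_DEVICE_CODE_APPS)
    for f in found:
        print(f"{f['severity']:6} {f['time']} {f['user']} via {f['app']} "
              f"from {f['ip']} ({f['country']}) ok={f['success']} {f['reasons']}")
    print("revoke sessions for:", users_to_revoke(found))
```

For a real tenant, export the sign-ins with `Get-MgAuditLogSignIn` or the Graph `auditLogs/signIns` endpoint and feed the JSON to `parse_signins`; every successful device code sign-in by a user who has no reason to log in a headless device deserves a conversation with that user before the refresh token is used again.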

Device code phishing is not a novel technique; multiple threat actors have used it to breach accounts in the past. In February 2025, the Microsoft Threat Intelligence Center warned that Russian state-sponsored hackers were targeting Microsoft 365 accounts using this method. Later, in December, Proofpoint reported similar attacks utilizing a phishing kit that appears identical to the one analyzed by KnowBe4.

(Source: Bleeping Computer)
