Hackers target Microsoft Entra accounts in device code vishing attacks

Published on: February 22, 2026


Overview

Threat actors are actively targeting organizations using device code phishing combined with vishing (voice phishing) to exploit the OAuth 2.0 Device Authorization flow and compromise Microsoft Entra accounts. These attacks differ from traditional phishing because attackers leverage legitimate Microsoft OAuth client IDs and direct victims to official Microsoft login pages, enabling unauthorized access without needing passwords or intercepting MFA codes. 

Attackers generate a device_code and user_code for a legitimate OAuth application, then socially engineer the victim—via calls or phishing emails—to enter the code at microsoft.com/devicelogin. After the user completes authentication and MFA, attackers obtain refresh tokens, granting long-term access to Microsoft 365 and SSO-connected applications.

Recent reports indicate groups like ShinyHunters may be involved, though this is not independently confirmed. Similar device-code phishing activity has previously been linked to Storm-2372, a Russia-aligned threat actor.

Who It Impacts

These campaigns primarily target:

  • Technology organizations
  • Manufacturing companies
  • Financial sector entities

The attack method is effective across all employee levels, but adversaries frequently target employees with high-value access, including those with privileged roles or access to sensitive business systems. Attackers use trusted Microsoft infrastructure, making the attack convincing even to trained users. 

How It Impacts

Once attackers obtain the authorized refresh tokens, they can:

  • Gain full access to Microsoft Entra ID user accounts
  • Access Microsoft 365 services such as Outlook, Teams, OneDrive, and SharePoint
  • Access connected SSO applications including Salesforce, Google Workspace, Dropbox, Adobe, SAP, Slack, Atlassian, Zendesk, and more 
  • Maintain persistent access without needing passwords or repeating MFA challenges because authentication was already validated by the victim 
  • Steal sensitive corporate data for extortion, BEC (Business Email Compromise), or lateral movement inside the organization

Because the victim willingly enters the provided code on a real Microsoft page, attackers bypass traditional detection mechanisms and exploit the trust model of OAuth-based authentication.

Targeted Products

The following platforms and identity workflows are directly affected:

  • Microsoft Entra ID (Azure AD)
  • Microsoft 365 Services (Exchange Online, Teams, SharePoint, OneDrive)
  • OAuth 2.0 Device Authorization Flow
  • SSO-Integrated SaaS Applications, including:
    • Salesforce
    • Google Workspace
    • Dropbox
    • Adobe
    • SAP
    • Slack
    • Zendesk
    • Atlassian

Recommendations

Immediate Actions

  • Educate all employees: Instruct users never to enter device codes provided through calls or unsolicited emails. Treat such requests as malicious.
  • Implement Conditional Access Policies: Restrict device code authentication to managed and compliant devices only.
  • Disable Device Code Flow (if not required): Administrators can turn off or limit device code authentication to prevent misuse.
  • Audit OAuth Consents: Review, revoke, and block suspicious OAuth apps and refresh tokens.
  • Monitor Entra ID Logs: Look for unusual device code sign-ins, abnormal OAuth token grants, or MFA approvals without corresponding user activity.
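The log-monitoring recommendation above is the one most teams can act on today. The script below is an added example for this advisory, not code from the original page or from Microsoft: it triages an exported batch of sign-in records for successful device code sign-ins and scores each one by context (unmanaged or non-compliant device, country never seen for that user in a non-device-code sign-in). It assumes the records are shaped like the Microsoft Graph signIn resource (authenticationProtocol, deviceDetail, location, status fields); the sample records embedded in it are constructed, not real telemetry, and the scoring thresholds are an assumption to be tuned locally.

```python
"""
Triage exported Microsoft Entra sign-in records for device code flow abuse.

Added example for this advisory, not code from the original page. It assumes
records shaped like the Microsoft Graph signIn resource (fields such as
authenticationProtocol, deviceDetail, location, status); the sample records
below are constructed, not real telemetry.
"""
import json
from collections import defaultdict

# Constructed sample export (not real data): two users, one ordinary sign-in
# each, plus one device code sign-in each with very different context.
SAMPLE_SIGNINS = json.dumps([
    {"id": "sample-1", "createdDateTime": "2026-02-20T09:12:00Z",
     "userPrincipalName": "alice@example.com", "appDisplayName": "Microsoft Office",
     "authenticationProtocol": "oAuth2", "ipAddress": "203.0.113.10",
     "location": {"countryOrRegion": "US"},
     "deviceDetail": {"isManaged": True, "isCompliant": True},
     "status": {"errorCode": 0}},
    {"id": "sample-2", "createdDateTime": "2026-02-21T14:03:00Z",
     "userPrincipalName": "alice@example.com", "appDisplayName": "Microsoft Office",
     "authenticationProtocol": "deviceCode", "ipAddress": "198.51.100.7",
     "location": {"countryOrRegion": "NL"},
     "deviceDetail": {"isManaged": False, "isCompliant": False},
     "status": {"errorCode": 0}},
    {"id": "sample-3", "createdDateTime": "2026-02-19T08:00:00Z",
     "userPrincipalName": "bob@example.com", "appDisplayName": "Microsoft Teams",
     "authenticationProtocol": "oAuth2", "ipAddress": "203.0.113.55",
     "location": {"countryOrRegion": "US"},
     "deviceDetail": {"isManaged": True, "isCompliant": True},
     "status": {"errorCode": 0}},
    {"id": "sample-4", "createdDateTime": "2026-02-21T16:40:00Z",
     "userPrincipalName": "bob@example.com", "appDisplayName": "Azure CLI",
     "authenticationProtocol": "deviceCode", "ipAddress": "203.0.113.55",
     "location": {"countryOrRegion": "US"},
     "deviceDetail": {"isManaged": True, "isCompliant": True},
     "status": {"errorCode": 0}},
])


def country_baseline(signins):
    """Countries each user has signed in from via flows other than device code."""
    baseline = defaultdict(set)
    for s in signins:
        if s.get("authenticationProtocol") != "deviceCode":
            baseline[s["userPrincipalName"]].add(
                s.get("location", {}).get("countryOrRegion"))
    return baseline


def triage_device_code_signins(signins_json):
    """Score successful device code sign-ins by how far they stray from normal.

    Score (assumed thresholds, tune locally): 1 for any successful device code
    sign-in, +2 when the device is neither managed nor compliant, +1 when the
    country is new for that user. Score >= 3 is "high", otherwise "low".
    """
    signins = json.loads(signins_json)
    baseline = country_baseline(signins)
    findings = []
    for s in signins:
        if s.get("authenticationProtocol") != "deviceCode":
            continue
        if s.get("status", {}).get("errorCode", 0) != 0:
            continue  # failed attempts are a separate signal; only successes are scored
        user = s["userPrincipalName"]
        device = s.get("deviceDetail", {})
        country = s.get("location", {}).get("countryOrRegion")
        score, reasons = 1, ["device code flow used"]
        if not device.get("isManaged") and not device.get("isCompliant"):
            score += 2
            reasons.append("device neither managed nor compliant")
        if country not in baseline.get(user, set()):
            score += 1
            reasons.append(f"no prior sign-in from {country}")
        findings.append({
            "id": s["id"], "user": user, "app": s.get("appDisplayName"),
            "ip": s.get("ipAddress"), "time": s.get("createdDateTime"),
            "score": score, "severity": "high" if score >= 3 else "low",
            "reasons": reasons,
        })
    return sorted(findings, key=lambda f: f["score"], reverse=True)


if __name__ == "__main__":
    for f in triage_device_code_signins(SAMPLE_SIGNINS):
        print(f"[{f['severity']}] {f['user']} via {f['app']} from {f['ip']}: "
              f"{', '.join(f['reasons'])}")
```

Run against a real export, a "high" finding is a prompt to call the user back through the helpdesk's own verified channel and, if the sign-in is unexplained, to revoke that user's refresh tokens; the "low" finding for a managed device in a known country still deserves a look if the organization has no legitimate use for the device code flow at all.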

Enhanced Security Measures

  • Enforce admin consent for new OAuth applications
  • Reduce token lifetimes where applicable
  • Deploy identity protection and anomaly detection tools
  • Conduct vishing-focused security awareness training for staff
  • Review helpdesk procedures for identity verification and callback validation
