Vishing and device-code phishing abuse Microsoft’s legitimate login system to hijack enterprise accounts.
Key Takeaways:
Threat actors are actively abusing Microsoft’s OAuth 2.0 Device Authorization flow to compromise Microsoft Entra (formerly Azure AD) accounts without triggering traditional phishing red flags. The attackers leverage social engineering techniques to trick victims into entering attacker-generated device codes on legitimate Microsoft login pages to obtain valid access and refresh tokens.
According to a new report from Bleeping Computer, the campaign combines vishing with device-code phishing. Vishing (voice phishing) is a social-engineering scam in which attackers call victims while impersonating trusted personnel, such as the help desk, and talk them into actions that compromise their accounts. Device-code phishing abuses Microsoft's legitimate OAuth 2.0 device authorization flow: the victim is persuaded to enter an attacker-generated code on Microsoft's real sign-in page, and Microsoft then issues the victim's access and refresh tokens to the client the attacker used to request the code.
The attackers begin by initiating a legitimate OAuth 2.0 Device Authorization request from a client they control, which returns a short user code (the one the victim will type) and a longer device code tied to that session. They then contact the victim, typically by phone while posing as IT support, and persuade them to enter the user code at Microsoft's official device login page. The page and workflow are completely authentic, so the victim believes they are completing a routine security or verification step; they sign in with their own password and satisfy MFA exactly as they normally would. Once that happens, Microsoft issues access and refresh tokens for the victim's account to the client that requested the code, which the attacker has been polling from the moment the call started. The attacker never needs to know the password or defeat MFA, because the victim completes both steps on the attacker's behalf. The code is only valid for a limited time (Microsoft's device codes expire after 15 minutes), which is why the attacker keeps the victim on the phone until it has been entered.
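The exchange described above, as an added example that is not part of the original article or of any attacker tooling. It runs entirely offline: a small stand-in class plays the role of login.microsoftonline.com, and a simulated clock replaces real sleeping, so the two outcomes the article implies (victim enters the code; nobody does and the code expires) can be stepped through. The endpoint URLs, grant type, 900-second code lifetime and 5-second polling interval are what the Microsoft identity platform actually uses; the client ID, the user principal name and the token strings are placeholders.

```python
"""Offline walk-through of the OAuth 2.0 device authorization grant (RFC 8628)
as the Microsoft identity platform exposes it. Nothing here contacts a server:
FakeEntra stands in for login.microsoftonline.com so the exchange can be run and
inspected. The client ID is a placeholder and the tokens are fake strings."""
import secrets
import string

TENANT = "common"
CLIENT_ID = "00000000-0000-0000-0000-000000000000"   # placeholder public client ID
VERIFICATION_URI = "https://microsoft.com/devicelogin"
DEVICE_CODE_URL = f"https://login.microsoftonline.com/{TENANT}/oauth2/v2.0/devicecode"
TOKEN_URL = f"https://login.microsoftonline.com/{TENANT}/oauth2/v2.0/token"
DEVICE_CODE_GRANT = "urn:ietf:params:oauth:grant-type:device_code"
DEVICE_CODE_LIFETIME = 900   # seconds; Entra returns expires_in=900 for the code
POLL_INTERVAL = 5            # seconds; Entra returns interval=5


class FakeEntra:
    """Stand-in for the authorization server, keeping only the state the flow needs."""

    def __init__(self, clock):
        self.clock = clock     # callable returning simulated seconds
        self.sessions = {}     # device_code -> session

    def devicecode(self, client_id, scope):
        # Models: POST DEVICE_CODE_URL with client_id=...&scope=...
        alphabet = string.ascii_uppercase + string.digits
        user_code = "".join(secrets.choice(alphabet) for _ in range(9))
        device_code = secrets.token_urlsafe(48)
        self.sessions[device_code] = {"user_code": user_code, "client_id": client_id,
                                      "scope": scope, "issued": self.clock(), "subject": None}
        return {"user_code": user_code, "device_code": device_code,
                "verification_uri": VERIFICATION_URI, "expires_in": DEVICE_CODE_LIFETIME,
                "interval": POLL_INTERVAL,
                "message": f"To sign in, open {VERIFICATION_URI} and enter the code {user_code}."}

    def victim_enters_code(self, user_code, upn):
        # Models the victim typing the code at VERIFICATION_URI and completing password + MFA.
        for s in self.sessions.values():
            if s["user_code"] == user_code and self.clock() - s["issued"] <= DEVICE_CODE_LIFETIME:
                s["subject"] = upn
                return True
        return False

    def token(self, client_id, device_code):
        # Models: POST TOKEN_URL with grant_type=DEVICE_CODE_GRANT&client_id=...&device_code=...
        s = self.sessions.get(device_code)
        if s is None or s["client_id"] != client_id:
            return 400, {"error": "bad_verification_code"}
        if self.clock() - s["issued"] > DEVICE_CODE_LIFETIME:
            return 400, {"error": "expired_token"}
        if s["subject"] is None:
            return 400, {"error": "authorization_pending"}
        return 200, {"token_type": "Bearer", "scope": s["scope"], "expires_in": 3599,
                     "access_token": f"fake-access-token-for-{s['subject']}",
                     "refresh_token": f"fake-refresh-token-for-{s['subject']}"}


def poll_for_tokens(server, client_id, device_code, interval, sleep):
    """The client that requested the code keeps polling the token endpoint until the
    code is approved, declined or expired. Returns (outcome, response_body)."""
    while True:
        status, body = server.token(client_id, device_code)
        if status == 200:
            return "issued", body
        if body["error"] == "authorization_pending":
            sleep(interval)
            continue
        if body["error"] == "slow_down":    # RFC 8628: back off by 5 s and keep polling
            interval += 5
            sleep(interval)
            continue
        return body["error"], body          # expired_token, authorization_declined, ...


def run_scenario(victim_complies, enters_code_at=120):
    """Run the whole exchange on a simulated clock. With victim_complies=True the
    victim enters the code enters_code_at seconds in; otherwise nobody ever does."""
    clock = [0]
    server = FakeEntra(lambda: clock[0])
    entered = []

    def sleep(seconds):               # advances the fake clock instead of blocking
        clock[0] += seconds
        if victim_complies and clock[0] >= enters_code_at and not entered:
            entered.append(server.victim_enters_code(resp["user_code"], "alice@contoso.example"))

    # offline_access is what makes Entra return a refresh token alongside the access token
    resp = server.devicecode(CLIENT_ID, "openid offline_access https://graph.microsoft.com/.default")
    outcome, body = poll_for_tokens(server, CLIENT_ID, resp["device_code"], resp["interval"], sleep)
    return outcome, body, clock[0]


if __name__ == "__main__":
    print(run_scenario(victim_complies=True))    # ('issued', {... 'refresh_token': ...}, 120)
    print(run_scenario(victim_complies=False))   # ('expired_token', {'error': 'expired_token'}, 905)
```

Two things the simulation makes visible that the prose only states: the tokens never pass through the victim's browser, so there is nothing for the victim to "hand over" other than the nine-character code, and the polling client must already be running when the victim types it. Requesting `offline_access` is what turns a single sign-in into the long-lived refresh token the article describes.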
With these tokens in hand, the attacker gains persistent access: the refresh token can be redeemed for fresh access tokens for as long as it stays valid, covering the Microsoft Entra account and any connected services, such as Microsoft 365 and other Single Sign-On (SSO)-integrated applications. The method is especially dangerous because it needs no lookalike domain, fake login page or credential-harvesting site; every step of the authentication runs through Microsoft's own trusted endpoints.
According to Bleeping Computer, the ShinyHunters extortion gang is suspected to be behind the attacks. The group has previously been linked to vishing attacks on Okta and Microsoft Entra accounts. Because the flow runs on Microsoft's legitimate infrastructure, the attacker needs no hosted phishing site, which removes many of the indicators organizations typically rely on to catch phishing, such as suspicious domains, URLs and certificates.
Targeted industries include technology, manufacturing and finance. Once inside, attackers can access email, cloud services and SSO-integrated applications, including Salesforce, Adobe, Google Workspace, Slack and more.
Administrators can prevent these attacks by restricting or completely blocking the OAuth device code flow unless it is genuinely required, for example by headless or input-constrained devices. Microsoft Entra Conditional Access includes an authentication flows condition that can target the device code flow specifically; security experts recommend a policy that blocks it for all users and applications and excludes only compliant managed devices (and, if necessary, a small group of accounts), so that an attacker's arbitrary client on an unmanaged host is refused tokens even when the victim completes sign-in. Organizations should also train employees that neither Microsoft nor their own IT staff will ask for a device code in an unsolicited call or email. This reduces the likelihood that staff will comply with fraudulent instructions.
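One way to express that Conditional Access policy, as an added example rather than anything from the article or from Microsoft's own samples: the function below builds the Microsoft Graph request body for a policy that blocks the device code flow tenant-wide, exempting compliant devices and an optional exclusion group. The Graph field names (`authenticationFlows.transferMethods`, `deviceFilter`, `grantControls`) are the documented ones, but the body has not been submitted to a tenant here, so treat it as an assumption to be validated in report-only mode first; the group ID is a placeholder.

```python
"""Builds the Microsoft Graph request body for a Conditional Access policy that
blocks the device code flow except on compliant managed devices. Constructed
example, not from the article; the group ID is a placeholder. Create it with
POST https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies and
review the sign-in log impact in report-only mode before switching to enabled."""
import json

GRAPH_POLICIES_URL = "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies"
BREAK_GLASS_GROUP = "11111111-1111-1111-1111-111111111111"   # placeholder group object ID


def device_code_block_policy(exclude_groups=(), allow_compliant_devices=True, report_only=True):
    """Return the policy object. report_only=True uses the report-only state so the
    effect can be observed in sign-in logs without blocking anyone yet."""
    policy = {
        "displayName": "Block device code flow except on compliant devices",
        "state": "enabledForReportingButNotEnforced" if report_only else "enabled",
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeGroups": list(exclude_groups)},
            "applications": {"includeApplications": ["All"]},
            # The authentication flows condition is what targets device code specifically.
            "authenticationFlows": {"transferMethods": "deviceCodeFlow"},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }
    if allow_compliant_devices:
        # Leave the flow available on compliant devices (e.g. for headless admin tooling);
        # an attacker's client on an unmanaged host does not match this exclusion.
        policy["conditions"]["devices"] = {
            "deviceFilter": {"mode": "exclude", "rule": "device.isCompliant -eq True"}
        }
    return policy


def blocks_device_code(policy):
    """Sanity check before enforcing: does this policy actually block device code sign-ins?"""
    cond = policy.get("conditions", {})
    flows = cond.get("authenticationFlows", {}).get("transferMethods", "")
    targets_flow = "deviceCodeFlow" in [m.strip() for m in flows.split(",")]
    blocks = "block" in policy.get("grantControls", {}).get("builtInControls", [])
    return targets_flow and blocks and policy.get("state") == "enabled"


if __name__ == "__main__":
    body = device_code_block_policy([BREAK_GLASS_GROUP], report_only=False)
    print(json.dumps(body, indent=2))   # send as the JSON body of the POST above
```

The checker deliberately returns false for a report-only policy: a policy that is only reporting still lets the attacker's client obtain tokens, which is easy to forget once the policy appears in the portal.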
Additionally, companies should reinforce that even genuine Microsoft pages can be misused in social engineering attacks, and employees must be taught never to enter a device code supplied by an unexpected caller. IT teams should monitor sign-in logs for device code authentications: the Entra sign-in log records the authentication protocol used, so device code sign-ins can be filtered out directly, and any from an unexpected country, a non-compliant device or an unusual application should be treated as a suspected compromise. Because the attacker holds a refresh token, response must include revoking the user's sign-in sessions and resetting the password; access tokens already issued stay valid until they expire (typically around an hour), so activity in that window should be watched as well. Combining policy-based restrictions, user training and vigilant monitoring significantly reduces the risk posed by device code phishing and vishing campaigns.
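The monitoring step, as an added example that is not part of the original article: the function below runs over Entra sign-in records in the Microsoft Graph `signIn` shape (the field that matters is `authenticationProtocol`, which is `deviceCode` for this flow), builds a per-user baseline of countries seen on ordinary sign-ins, and raises an alert for every successful device code sign-in, rated high when it comes from an unfamiliar country or a non-compliant device. The five records are constructed for this example with documentation IP ranges and invented users; the field names are the Graph ones.

```python
"""Flags device code sign-ins in Microsoft Entra sign-in log records (Microsoft Graph
signIn shape). The records below are constructed for this example: field names are
the Graph ones, values are invented. Not code from the article."""
import json
from collections import defaultdict

# Graph query that returns only device code sign-ins (v1.0 auditLogs/signIns endpoint).
GRAPH_FILTER = ("https://graph.microsoft.com/v1.0/auditLogs/signIns"
                "?$filter=authenticationProtocol eq 'deviceCode'")

SAMPLE_SIGNINS = """\
{"createdDateTime":"2025-11-20T08:02:11Z","userPrincipalName":"alice@contoso.example","appDisplayName":"Microsoft Office","ipAddress":"203.0.113.10","location":{"countryOrRegion":"US"},"authenticationProtocol":"none","clientAppUsed":"Browser","deviceDetail":{"isCompliant":true},"status":{"errorCode":0}}
{"createdDateTime":"2025-11-20T09:14:37Z","userPrincipalName":"alice@contoso.example","appDisplayName":"Microsoft Office","ipAddress":"198.51.100.7","location":{"countryOrRegion":"NL"},"authenticationProtocol":"deviceCode","clientAppUsed":"Mobile Apps and Desktop clients","deviceDetail":{"isCompliant":false},"status":{"errorCode":0}}
{"createdDateTime":"2025-11-20T09:30:02Z","userPrincipalName":"bob@contoso.example","appDisplayName":"Microsoft Office","ipAddress":"203.0.113.22","location":{"countryOrRegion":"US"},"authenticationProtocol":"none","clientAppUsed":"Browser","deviceDetail":{"isCompliant":true},"status":{"errorCode":0}}
{"createdDateTime":"2025-11-20T09:41:50Z","userPrincipalName":"bob@contoso.example","appDisplayName":"Microsoft Office","ipAddress":"203.0.113.22","location":{"countryOrRegion":"US"},"authenticationProtocol":"deviceCode","clientAppUsed":"Mobile Apps and Desktop clients","deviceDetail":{"isCompliant":true},"status":{"errorCode":0}}
{"createdDateTime":"2025-11-20T10:05:19Z","userPrincipalName":"carol@contoso.example","appDisplayName":"Microsoft Office","ipAddress":"198.51.100.9","location":{"countryOrRegion":"NL"},"authenticationProtocol":"deviceCode","clientAppUsed":"Mobile Apps and Desktop clients","deviceDetail":{"isCompliant":false},"status":{"errorCode":50126}}
"""


def parse_signins(text):
    """One JSON object per line, as exported from Graph or a SIEM."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def detect_device_code_signins(records):
    """Return one alert per successful device code sign-in. Severity is high when the
    sign-in comes from a country absent from the user's other successful sign-ins or
    from a non-compliant device, medium otherwise (still worth a look: the article's
    point is that the flow is rarely needed). Failed attempts are skipped."""
    baseline = defaultdict(set)   # upn -> countries seen on non-device-code successes
    for r in records:
        if r["authenticationProtocol"] != "deviceCode" and r["status"]["errorCode"] == 0:
            baseline[r["userPrincipalName"]].add(r["location"]["countryOrRegion"])

    alerts = []
    for r in records:
        if r["authenticationProtocol"] != "deviceCode" or r["status"]["errorCode"] != 0:
            continue
        upn = r["userPrincipalName"]
        reasons = []
        if r["location"]["countryOrRegion"] not in baseline[upn]:
            reasons.append("country not seen in user's other sign-ins")
        if not r["deviceDetail"]["isCompliant"]:
            reasons.append("non-compliant device")
        alerts.append({
            "user": upn,
            "time": r["createdDateTime"],
            "ip": r["ipAddress"],
            "app": r["appDisplayName"],
            "severity": "high" if reasons else "medium",
            "reasons": reasons or ["device code sign-in (review even if expected)"],
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_device_code_signins(parse_signins(SAMPLE_SIGNINS)):
        print(json.dumps(alert))
```

On the sample data this produces a high-severity alert for alice (new country, unmanaged device) and a medium one for bob (device code from his usual location on a compliant device), while carol's failed attempt is skipped. In production the baseline should be built from a longer window than the alert window, and the `app` field deserves attention too: a device code sign-in to an application the organization does not use that way is a strong signal on its own.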