Microsoft Device Code Phishing Attacks Target Organizations

Threat actors are targeting technology, manufacturing, and financial organizations using device code phishing and voice phishing (vishing) attacks to compromise Microsoft Entra accounts. Unlike previous attacks that used malicious OAuth applications, these campaigns leverage legitimate Microsoft OAuth client IDs and the device authorization flow to trick victims into authenticating.

This allows attackers to access victims' accounts without relying on regular phishing sites that steal passwords or intercept multi-factor authentication codes. ShinyHunters, a known extortion gang, is believed to be behind these attacks, which are similar to previous campaigns used to breach Okta and Microsoft Entra SSO accounts.

Device code social engineering attacks have been detected using legitimate Microsoft login forms and standard device code authentication workflows to breach corporate accounts. These attacks can gain access to user resources and connected SSO applications like Microsoft 365, Salesforce, Google Workspace, Dropbox, Adobe, SAP, Slack, Zendesk, Atlassian, and many others.

Microsoft has warned about these attacks in the past, but new campaigns have been detected using traditional phishing emails and websites to deliver device code attacks. KnowBe4 recommends blocking malicious domains and sender addresses, auditing and revoking suspicious OAuth app consents, and reviewing Azure AD sign-in logs for device code authentication events.

To prevent these attacks, administrators can turn off the device code flow option when not required and enforce conditional access policies.
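As an added example (not code from the article, KnowBe4 or Microsoft), the log review recommended above can be scripted: the check below runs over constructed Entra sign-in records in the Microsoft Graph signIn shape, keeps only successful device-code authentications, flags those issued for apps outside a tenant-specific allow-list, and groups them by source IP as a hunting pivot. The `authenticationProtocol` and `status.errorCode` fields are real Graph fields; the allow-list, users, apps and addresses are assumptions.

```python
from collections import defaultdict

# Constructed sample of Entra ID sign-in log records in the Microsoft Graph
# signIn shape, trimmed to the fields this check uses (values are made up).
SAMPLE_SIGNINS = [
    {"id": "s1", "userPrincipalName": "alice@example.com", "appDisplayName": "Azure CLI",
     "authenticationProtocol": "deviceCode", "ipAddress": "203.0.113.10", "status": {"errorCode": 0}},
    {"id": "s2", "userPrincipalName": "bob@example.com", "appDisplayName": "Microsoft Office",
     "authenticationProtocol": "oAuth2", "ipAddress": "198.51.100.5", "status": {"errorCode": 0}},
    {"id": "s3", "userPrincipalName": "alice@example.com", "appDisplayName": "Microsoft Office",
     "authenticationProtocol": "deviceCode", "ipAddress": "203.0.113.77", "status": {"errorCode": 0}},
    {"id": "s4", "userPrincipalName": "carol@example.com", "appDisplayName": "Microsoft Office",
     "authenticationProtocol": "deviceCode", "ipAddress": "203.0.113.77", "status": {"errorCode": 0}},
    {"id": "s5", "userPrincipalName": "dave@example.com", "appDisplayName": "Microsoft Office",
     "authenticationProtocol": "deviceCode", "ipAddress": "203.0.113.77", "status": {"errorCode": 50126}},
]

# Apps for which device-code sign-ins are expected in this hypothetical tenant
# (e.g. CLI tooling on headless hosts). Build this allow-list from your own baseline.
EXPECTED_DEVICE_CODE_APPS = {"Azure CLI"}


def find_device_code_signins(signins, expected_apps=EXPECTED_DEVICE_CODE_APPS):
    """Return successful device-code sign-ins, each with the reasons it is notable."""
    findings = []
    for s in signins:
        if s.get("authenticationProtocol") != "deviceCode":
            continue
        if s.get("status", {}).get("errorCode", 0) != 0:
            continue  # failed attempt: context for the investigation, not a live session
        reasons = []
        if s.get("appDisplayName") not in expected_apps:
            reasons.append("device code completed for an app outside the expected list")
        findings.append({"id": s["id"], "user": s["userPrincipalName"],
                         "app": s.get("appDisplayName"), "ip": s.get("ipAddress"),
                         "reasons": reasons})
    return findings


def cluster_by_source_ip(findings):
    """Group the unexpected device-code sign-ins by source IP. The same address
    turning up across several users' device-code sign-ins is a hunting pivot
    for a campaign rather than isolated admin use of the flow."""
    by_ip = defaultdict(set)
    for f in findings:
        if f["reasons"]:
            by_ip[f["ip"]].add(f["user"])
    return {ip: sorted(users) for ip, users in by_ip.items()}
```

In a live tenant the records would come from the `auditLogs/signIns` Graph endpoint or a SIEM export of the same data; the two functions apply unchanged.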

Source: https://www.bleepingcomputer.com/news/security/hackers-target-microsoft-entra-accounts-in-device-code-vishing-attacks