Microsoft Entra Accounts Targeted in New Vishing Campaign via Device Code


Sophisticated Phishing Campaign Targets Microsoft Entra Accounts

A phishing campaign targeting Microsoft Entra accounts has been identified that combines device code phishing with voice-based phishing (vishing).

Exploiting OAuth 2.0 Device Authorization Flow

The attack, attributed to the ShinyHunters hacking group, abuses the OAuth 2.0 Device Authorization Grant (RFC 8628) to obtain valid tokens for Microsoft Entra accounts. In that flow the attacker's client requests a device code and a short user code from the identity provider, the victim is persuaded to enter the user code on Microsoft's genuine device login page and complete sign-in there (including MFA), and the tokens are then issued to the attacker's polling client, which never handles the password.

According to sources familiar with the matter, the threat actors use client IDs belonging to legitimate Microsoft applications when starting the flow, which is what makes the resulting prompt convincing enough to trick victims into granting access to their accounts. The device code flow is designed for public clients, so a client ID is all that is needed: there is no client secret, and a first-party Microsoft application ID makes both the prompt and the resulting sign-in log entry look like ordinary use of a Microsoft product.
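To make the exchange above concrete, here is an added example (not code from the original article or from any tool the campaign used): an in-process simulation of the device authorization grant with both sides' messages. The mock server stands in for Microsoft Entra ID's /devicecode and /token endpoints, nothing touches the network, and the client ID, victim name and token strings are placeholders. It shows why the victim's single action on the genuine login page is the only check the attacker has to defeat.

```python
"""Added example (not code from the original article): an in-process
simulation of the OAuth 2.0 Device Authorization Grant (RFC 8628) as
abused by device code phishing. The mock server below stands in for
Microsoft Entra ID's /devicecode and /token endpoints; nothing touches
the network, and the client ID, user name and tokens are placeholders."""
import secrets
import string
import time
from dataclasses import dataclass
from typing import Optional

# The real endpoints (documented by Microsoft); listed for reference only, never contacted here.
DEVICECODE_ENDPOINT = "https://login.microsoftonline.com/common/oauth2/v2.0/devicecode"
TOKEN_ENDPOINT = "https://login.microsoftonline.com/common/oauth2/v2.0/token"
DEVICE_CODE_GRANT = "urn:ietf:params:oauth:grant-type:device_code"


@dataclass
class Pending:
    client_id: str
    scope: str
    user_code: str
    expires_at: float
    interval: int = 5
    last_poll: float = 0.0
    approved_by: Optional[str] = None


class MockAuthorizationServer:
    """Stand-in for the identity provider's two device-flow endpoints."""

    def __init__(self, clock=time.time, code_lifetime=900):
        self.clock = clock
        self.code_lifetime = code_lifetime
        self.by_device_code = {}
        self.by_user_code = {}

    def devicecode(self, client_id, scope):
        """POST /devicecode. A public client sends only its client_id; no secret exists."""
        device_code = secrets.token_urlsafe(32)
        user_code = "".join(secrets.choice(string.ascii_uppercase + string.digits) for _ in range(9))
        self.by_device_code[device_code] = Pending(client_id, scope, user_code, self.clock() + self.code_lifetime)
        self.by_user_code[user_code] = device_code
        return {"device_code": device_code, "user_code": user_code,
                "verification_uri": "https://microsoft.com/devicelogin",
                "expires_in": self.code_lifetime, "interval": 5}

    def user_enters_code(self, user_code, user):
        """The victim's step: authenticate (password and MFA) on the genuine login page, then type the code."""
        device_code = self.by_user_code.get(user_code)
        pending = self.by_device_code.get(device_code)
        if pending is None or self.clock() > pending.expires_at:
            return False
        pending.approved_by = user
        return True

    def token(self, client_id, device_code):
        """POST /token with grant_type=device_code, called repeatedly by whoever holds device_code."""
        pending = self.by_device_code.get(device_code)
        if pending is None or pending.client_id != client_id:
            return {"error": "invalid_grant"}
        now = self.clock()
        if now > pending.expires_at:
            return {"error": "expired_token"}
        if now - pending.last_poll < pending.interval:
            pending.last_poll = now
            pending.interval += 5          # RFC 8628: a slow_down adds 5 s to the polling interval
            return {"error": "slow_down"}
        pending.last_poll = now
        if pending.approved_by is None:
            return {"error": "authorization_pending"}
        # The tokens go to the polling client, not to the browser where the user typed the code.
        del self.by_device_code[device_code]
        del self.by_user_code[pending.user_code]
        return {"token_type": "Bearer", "scope": pending.scope, "expires_in": 3600,
                "access_token": f"placeholder-access-token-for-{pending.approved_by}",
                "refresh_token": f"placeholder-refresh-token-for-{pending.approved_by}"}


class FakeClock:
    """Deterministic clock so the simulation advances time instead of sleeping."""
    def __init__(self, start=1_000_000.0):
        self.now = start
    def __call__(self):
        return self.now
    def advance(self, seconds):
        self.now += seconds


def simulate_phish(victim_acts=True, victim_delay=10):
    """Run one device code phish end to end; returns what each side saw."""
    clock = FakeClock()
    server = MockAuthorizationServer(clock=clock)
    client_id = "00000000-0000-0000-0000-000000000000"   # placeholder; in the campaign this is a real Microsoft app ID
    start = server.devicecode(client_id, "openid profile offline_access")
    polls = []
    # The attacker starts polling while the lure (voicemail notice, payment prompt) is still in transit.
    for _ in range(2):
        clock.advance(start["interval"])
        polls.append(server.token(client_id, start["device_code"]).get("error", "ok"))
    clock.advance(victim_delay)
    entered = victim_acts and server.user_enters_code(start["user_code"], "victim@example.com")
    clock.advance(start["interval"])
    final = server.token(client_id, start["device_code"])
    polls.append(final.get("error", "ok"))
    return {"user_code": start["user_code"], "victim_entered_code": entered, "polls": polls, "final": final}


if __name__ == "__main__":
    print(simulate_phish())
```

Run with the defaults and the polling client receives a refresh token as soon as the victim has typed the code; run with `victim_acts=False` and it only ever sees `authorization_pending`; run with `victim_delay=1000` and the code has expired before the victim acts. The server also enforces the RFC 8628 `slow_down` back-off, which real polling clients must honour.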

Access to Connected Applications

With a valid Entra token in hand, the attackers can then reach applications federated through the tenant's single sign-on, including Microsoft 365, Dropbox, Google Workspace, Salesforce, and Atlassian.

Social Engineering Tactics

The campaign is notable for its use of social engineering tactics, including fake voicemail notifications and payment configuration prompts.

These lures are designed to convince victims to divulge sensitive information or, in this campaign, to enter the attacker's device code on Microsoft's sign-in page.

Not an Isolated Incident

This latest campaign is not an isolated incident. In December, researchers at KnowBe4 Threat Labs reported a similar device code phishing campaign targeting Microsoft 365 users.

In that incident, attackers used phishing emails and websites, rather than phone calls, to trick victims into granting access to their accounts.

Mitigating the Risk of Compromise

To mitigate the risk of compromise, security experts recommend revoking suspicious OAuth app consents, blocking malicious domains, and reviewing Microsoft Entra ID (formerly Azure AD) sign-in logs. Two caveats apply to device code phishing specifically: the victim signs in on Microsoft's own domain, so domain blocking stops only the lure, not the authentication; and when the attacker uses a first-party Microsoft client ID there may be no consent grant to revoke, so the response is to revoke the affected users' refresh tokens and sessions. A Conditional Access policy that blocks the device code flow (the authentication flows condition) removes the technique entirely for the users and clients that do not need it.

Organizations are also advised to educate their employees on the risks of phishing and the importance of verifying the authenticity of requests for sensitive information.
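The log review recommended above, as an added example that is not part of the original article: a triage pass over sign-in records that picks out successful device code authentications deviating from each user's baseline. Field names follow the Microsoft Graph signIn resource (authenticationProtocol, ipAddress, location.countryOrRegion, status.errorCode); the records, user names and application names are constructed for this example, and the IP addresses are documentation ranges. The `rec`, `triage_device_code_signins` and `users_to_revoke` helpers are this example's own.

```python
"""Added example, not code from the original article: a triage pass over
sign-in records for device code authentications. Field names follow the
Microsoft Graph signIn resource (authenticationProtocol, ipAddress,
location.countryOrRegion, status.errorCode); the records are constructed
for this example and use documentation IP ranges."""
from collections import defaultdict


def rec(time, user, app, proto, ip, country, error=0):
    """Build one constructed sign-in record in Graph signIn shape."""
    return {"createdDateTime": time, "userPrincipalName": user, "appDisplayName": app,
            "authenticationProtocol": proto, "ipAddress": ip,
            "location": {"countryOrRegion": country}, "status": {"errorCode": error}}


SAMPLE_SIGNINS = [
    # Ordinary browser sign-ins that establish each user's baseline.
    rec("2025-02-10T08:01:00Z", "alice@example.com", "Office 365 SharePoint Online", "authorizationCode", "203.0.113.10", "US"),
    rec("2025-02-10T08:05:00Z", "bob@example.com", "Microsoft Teams", "authorizationCode", "203.0.113.20", "US"),
    rec("2025-02-10T08:09:00Z", "carol@example.com", "Microsoft Teams", "authorizationCode", "203.0.113.30", "US"),
    # Carol uses a command-line tool legitimately from her usual network: a benign device code sign-in.
    rec("2025-02-10T09:00:00Z", "carol@example.com", "Microsoft Azure CLI", "deviceCode", "203.0.113.30", "US"),
    # Two victims' device codes redeemed from one unfamiliar address shortly after a "voicemail" lure.
    rec("2025-02-10T10:12:00Z", "alice@example.com", "Microsoft Office", "deviceCode", "198.51.100.7", "NL"),
    rec("2025-02-10T10:20:00Z", "bob@example.com", "Microsoft Office", "deviceCode", "198.51.100.7", "NL"),
    # A failed redemption (nonzero errorCode): no token was issued, so it is left out of triage.
    rec("2025-02-10T10:25:00Z", "dave@example.com", "Microsoft Office", "deviceCode", "198.51.100.7", "NL", error=50126),
]


def succeeded(s):
    return s["status"]["errorCode"] == 0


def build_baselines(signins):
    """Countries and IPs each user has signed in from through flows other than device code."""
    ips, countries = defaultdict(set), defaultdict(set)
    for s in signins:
        if succeeded(s) and s["authenticationProtocol"] != "deviceCode":
            ips[s["userPrincipalName"]].add(s["ipAddress"])
            countries[s["userPrincipalName"]].add(s["location"]["countryOrRegion"])
    return ips, countries


def triage_device_code_signins(signins):
    """Return the successful device code sign-ins that deviate from the user's baseline."""
    ips, countries = build_baselines(signins)
    redeemed = [s for s in signins if succeeded(s) and s["authenticationProtocol"] == "deviceCode"]
    # The successful sign-in is logged against the client that redeemed the code (the attacker's
    # polling host), so one address redeeming codes for several users is a strong signal.
    users_per_ip = defaultdict(set)
    for s in redeemed:
        users_per_ip[s["ipAddress"]].add(s["userPrincipalName"])
    findings = []
    for s in redeemed:
        user, ip, country = s["userPrincipalName"], s["ipAddress"], s["location"]["countryOrRegion"]
        reasons = []
        if country not in countries[user]:
            reasons.append("country outside user's baseline")
        if ip not in ips[user]:
            reasons.append("ip outside user's baseline")
        if len(users_per_ip[ip]) > 1:
            reasons.append("ip redeemed device codes for multiple users")
        if reasons:
            findings.append({"time": s["createdDateTime"], "user": user, "app": s["appDisplayName"],
                             "ip": ip, "country": country, "reasons": reasons})
    return findings


def users_to_revoke(findings):
    """Users whose refresh tokens and sessions should be revoked after confirmation."""
    return sorted({f["user"] for f in findings})


if __name__ == "__main__":
    for f in triage_device_code_signins(SAMPLE_SIGNINS):
        print(f)
    print("revoke:", users_to_revoke(triage_device_code_signins(SAMPLE_SIGNINS)))
```

On the constructed data the pass flags alice and bob (unfamiliar country, unfamiliar IP, and one IP redeeming codes for two users) and leaves carol's Azure CLI sign-in alone, which is the distinction a tenant that still permits the device code flow needs to make. The same three checks translate directly into a query over the SigninLogs table once the field names are mapped.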

Security Concerns

The use of the device authorization flow in this campaign is a reminder that every authentication flow a tenant allows is attack surface. The flow exists for input-constrained devices and command-line tools, and a tenant that leaves it enabled for every user and every client is exposing all of them to this kind of social engineering.

The use of legitimate Microsoft client IDs deserves a precise reading. The client ID of a public client is not a secret by design, so the concern is not that these IDs were exposed; it is that such an ID lets the attacker's polling client present itself as a trusted Microsoft product, which is exactly what makes the prompt believable and the resulting sign-in hard to distinguish from legitimate use.

The ShinyHunters Hacking Group

The ShinyHunters hacking group has been linked to several high-profile attacks in the past, and this latest campaign demonstrates their continued sophistication and ability to adapt to new security measures.

As the threat landscape continues to evolve, organizations must remain vigilant and proactive in their efforts to prevent and detect phishing attacks.


