Microsoft Entra Accounts Targeted in Sophisticated Device Code Vishing Attacks
Cybercriminals Exploit OAuth 2.0 Device Authorization Flow to Compromise Microsoft Entra Accounts
Cybercriminals are exploiting a vulnerability in the OAuth 2.0 Device Authorization flow to compromise Microsoft Entra accounts, primarily targeting technology, manufacturing, and financial organizations. This new campaign combines device code phishing and voice phishing (vishing) to trick victims into authenticating, providing attackers with valid authentication tokens that can be used to access the victim’s account without relying on traditional phishing methods.
Legitimate OAuth Client IDs and Device Authorization Flow Used in Attacks
Unlike previous attacks that utilized malicious OAuth applications, these campaigns leverage legitimate Microsoft OAuth client IDs and the device authorization flow to trick victims into authenticating. This technique allows attackers to obtain authentication tokens for the victim’s Microsoft Entra account, which can then be used to gain access to the user’s resources and connected SSO applications, such as Microsoft 365, Salesforce, Google Workspace, and Dropbox.
Device Authorization Grant Flow Vulnerability
The device authorization grant flow was designed to make it easy to connect devices that lack accessible input options, such as IoT devices, printers, and TVs. However, threat actors have begun using vishing social engineering attacks that no longer require attacker-controlled infrastructure, instead leveraging legitimate Microsoft login forms and standard device code authentication workflows to breach corporate accounts.
Conducting a Device-Code Phishing Attack
To conduct a device-code phishing attack, threat actors need the client_id of an existing OAuth app, which can be their own or one of Microsoft’s existing apps. Using open-source tools, the attackers generate a “device_code” and “user_code” that will be shared with the target for the specified OAuth app. The threat actors then contact a targeted employee and attempt to convince them to enter the generated user_code on the Microsoft device authentication page.
Once the targeted person enters the code, they will be prompted to log in with their credentials and complete any MFA verifications, just as they normally would when logging in. After authenticating, Microsoft displays the name of the OAuth application that was authorized, but because threat actors can use legitimate apps, even Microsoft’s own, that name lends the authentication extra legitimacy rather than raising suspicion.
Accessing Microsoft Services and SaaS Applications
Once the OAuth app is connected to an account, threat actors can use the device_code to retrieve the targeted employee’s refresh token, which can then be exchanged for access tokens. Those access tokens allow attackers to access the employee’s Microsoft services without having to complete multi-factor authentication again, since MFA was already completed during the initial login.
The threat actors can now authenticate as the user in Microsoft Entra and access SaaS applications configured with SSO in the victim’s tenant, enabling the theft of corporate data for extortion.
Mitigating Device Code Phishing Attacks
To mitigate these attacks, Microsoft 365 account holders are advised to:
- Block malicious domains and sender addresses
- Audit and revoke suspicious OAuth app consents
- Review Azure AD sign-in logs for device code authentication
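The sign-in log review recommended above is the defender's counterpart to the flow described earlier (device code entered by the user, MFA satisfied once, refresh token issued to the OAuth app). The following triage script is an added example, not code from the article or from Microsoft. The records it parses are constructed for illustration and shaped after the Microsoft Graph `signIn` resource: the field names `authenticationProtocol` (which reports `deviceCode` for this flow), `authenticationRequirement`, `appId`, `ipAddress`, `location` and `status` exist on that resource, while every value, user, app name and client ID below is a made-up placeholder.

```python
"""Triage Microsoft Entra sign-in records for device code authentication.

Added example (not the article's code). Records are constructed and shaped
after the Microsoft Graph `signIn` resource; all values are placeholders.
"""
import json
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample export: ordinary browser sign-ins establish a per-user
# baseline, then two device code sign-ins follow, one from an unfamiliar
# country and one from a familiar one. Client IDs are placeholders.
SAMPLE_SIGNINS = json.dumps([
    {"id": "sample-1", "createdDateTime": "2025-03-03T09:12:41Z",
     "userPrincipalName": "a.user@example.com",
     "appId": "00000000-0000-0000-0000-00000000aaaa",
     "appDisplayName": "Placeholder Web App", "ipAddress": "203.0.113.10",
     "location": {"countryOrRegion": "US"},
     "authenticationProtocol": "oAuth2",
     "authenticationRequirement": "multiFactorAuthentication",
     "status": {"errorCode": 0}},
    {"id": "sample-2", "createdDateTime": "2025-03-03T14:02:09Z",
     "userPrincipalName": "a.user@example.com",
     "appId": "00000000-0000-0000-0000-00000000bbbb",
     "appDisplayName": "Placeholder First-Party App",
     "ipAddress": "198.51.100.77",
     "location": {"countryOrRegion": "DE"},
     "authenticationProtocol": "deviceCode",
     "authenticationRequirement": "multiFactorAuthentication",
     "status": {"errorCode": 0}},
    {"id": "sample-3", "createdDateTime": "2025-03-03T10:30:00Z",
     "userPrincipalName": "b.user@example.com",
     "appId": "00000000-0000-0000-0000-00000000aaaa",
     "appDisplayName": "Placeholder Web App", "ipAddress": "203.0.113.22",
     "location": {"countryOrRegion": "US"},
     "authenticationProtocol": "oAuth2",
     "authenticationRequirement": "singleFactorAuthentication",
     "status": {"errorCode": 0}},
    {"id": "sample-4", "createdDateTime": "2025-03-03T16:45:12Z",
     "userPrincipalName": "b.user@example.com",
     "appId": "00000000-0000-0000-0000-00000000bbbb",
     "appDisplayName": "Placeholder First-Party App",
     "ipAddress": "203.0.113.22",
     "location": {"countryOrRegion": "US"},
     "authenticationProtocol": "deviceCode",
     "authenticationRequirement": "multiFactorAuthentication",
     "status": {"errorCode": 50126},  # constructed failure code for the example
     },
])


@dataclass
class Finding:
    signin_id: str
    user: str
    app_id: str
    reasons: list = field(default_factory=list)


def parse_signins(raw: str) -> list:
    """Parse an exported list of sign-in records (JSON array)."""
    return json.loads(raw)


def baseline_countries(signins: list) -> dict:
    """Countries seen per user in successful sign-ins that did NOT use the device code flow."""
    base = defaultdict(set)
    for s in signins:
        if s.get("authenticationProtocol") == "deviceCode":
            continue
        if s.get("status", {}).get("errorCode") != 0:
            continue
        base[s["userPrincipalName"]].add(s.get("location", {}).get("countryOrRegion"))
    return base


def triage_device_code_signins(signins: list) -> list:
    """Return one Finding per device code sign-in, annotated with why it merits review."""
    base = baseline_countries(signins)
    findings = []
    for s in signins:
        if s.get("authenticationProtocol") != "deviceCode":
            continue
        user = s["userPrincipalName"]
        reasons = ["device code authentication"]
        country = s.get("location", {}).get("countryOrRegion")
        if country not in base.get(user, set()):
            reasons.append(f"country {country} not seen in the user's non-device-code sign-ins")
        succeeded = s.get("status", {}).get("errorCode") == 0
        if succeeded and s.get("authenticationRequirement") == "multiFactorAuthentication":
            # MFA was satisfied at this sign-in; tokens issued to the app will not
            # prompt for MFA again, which is the point the article makes.
            reasons.append("MFA satisfied at sign-in; issued tokens carry that claim")
        findings.append(Finding(s["id"], user, s["appId"], reasons))
    return findings


def apps_to_review(findings: list) -> set:
    """Client IDs whose consents/sessions an analyst should audit and, if needed, revoke."""
    return {f.app_id for f in findings}


if __name__ == "__main__":
    for f in triage_device_code_signins(parse_signins(SAMPLE_SIGNINS)):
        print(f.signin_id, f.user, "; ".join(f.reasons))
    print("apps to review:", apps_to_review(triage_device_code_signins(parse_signins(SAMPLE_SIGNINS))))
```

Every device code sign-in is surfaced, not only the anomalous ones, because the flow is rarely legitimate for ordinary office users; the baseline comparison and the MFA annotation just help order the queue. The client IDs collected by `apps_to_review` feed the second mitigation item (auditing and revoking app consents and refresh tokens for the affected users).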
Device code phishing is not new, with multiple threat actors having used this method to breach accounts in the past. In February 2025, the Microsoft Threat Intelligence Center warned that Russian hackers were targeting Microsoft 365 accounts using device code phishing.
