• Hackers target Microsoft Entra accounts via device code vishing, exploiting the OAuth 2.0 flow.
• Attack uses legitimate OAuth client IDs, bypassing phishing sites and standard login forms.
• Victims are tricked into authenticating, granting attackers valid tokens for account access.
• ShinyHunters extortion gang likely behind attacks, previously linked to Okta and Entra breaches.
• Attack bypasses MFA, requires no attacker infrastructure, relies on social engineering.
• Compromised tokens grant access to Microsoft 365, Salesforce, Google Workspace, and more.
Article Summaries:
- Threat actors are now targeting technology, manufacturing and financial firms with a new campaign that blends device‑code phishing and voice‑phishing (vishing). Instead of deploying malicious OAuth apps, the attackers use legitimate Microsoft OAuth client IDs and the OAuth 2.0 Device Authorization flow to trick employees into entering a short code on microsoft.com/devicelogin. Once the victim authenticates and completes MFA, the attackers receive valid access tokens that grant them entry to the victim’s Microsoft Entra account and connected SSO services such as Microsoft 365, Salesforce, and Google Workspace. A source linked the attacks to the ShinyHunters extortion gang, though Microsoft has not yet confirmed the claim.
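Because the device authorization grant described above completes against Microsoft's own endpoints, the defender's signal is in the tenant's sign-in records rather than in any phishing infrastructure. The script below is an added example, not code from the article or from Microsoft: it scans constructed sign-in records (field names modelled on the Entra sign-in log shape, treated here as assumptions to verify against your own export; app IDs are placeholders) and flags completed device-code sign-ins that use an unexpected app or come from an IP the user has never signed in from.

```python
"""Flag OAuth 2.0 device-code sign-ins in Microsoft Entra sign-in records (added example)."""
from collections import defaultdict

# Apps for which device-code sign-ins are expected in this tenant (placeholder IDs).
ALLOWED_DEVICE_CODE_APPS = {"11111111-1111-1111-1111-111111111111"}

# Constructed sample records; "authenticationProtocol" == "deviceCode" is assumed to
# mark the device authorization grant, "status.errorCode" == 0 a completed sign-in.
SAMPLE_SIGNINS = [
    {"createdDateTime": "2025-01-10T08:55:00Z", "userPrincipalName": "alice@example.com",
     "authenticationProtocol": "oAuth2", "appId": "22222222-2222-2222-2222-222222222222",
     "ipAddress": "198.51.100.10", "status": {"errorCode": 0}},
    {"createdDateTime": "2025-01-10T09:12:00Z", "userPrincipalName": "alice@example.com",
     "authenticationProtocol": "deviceCode", "appId": "22222222-2222-2222-2222-222222222222",
     "ipAddress": "203.0.113.7", "status": {"errorCode": 0}},
    {"createdDateTime": "2025-01-10T09:40:00Z", "userPrincipalName": "bob@example.com",
     "authenticationProtocol": "oAuth2", "appId": "22222222-2222-2222-2222-222222222222",
     "ipAddress": "198.51.100.22", "status": {"errorCode": 0}},
    {"createdDateTime": "2025-01-10T10:00:00Z", "userPrincipalName": "bob@example.com",
     "authenticationProtocol": "deviceCode", "appId": "11111111-1111-1111-1111-111111111111",
     "ipAddress": "198.51.100.22", "status": {"errorCode": 0}},
    {"createdDateTime": "2025-01-10T10:05:00Z", "userPrincipalName": "carol@example.com",
     "authenticationProtocol": "deviceCode", "appId": "22222222-2222-2222-2222-222222222222",
     "ipAddress": "203.0.113.7", "status": {"errorCode": 50126}},
]


def flag_device_code_signins(signins, allowed_apps=ALLOWED_DEVICE_CODE_APPS):
    """Return (user, timestamp, reasons) for each completed device-code sign-in worth review."""
    # Baseline: IPs each user has used for ordinary (non device-code) successful sign-ins.
    usual_ips = defaultdict(set)
    for s in signins:
        if s["authenticationProtocol"] != "deviceCode" and s["status"]["errorCode"] == 0:
            usual_ips[s["userPrincipalName"]].add(s["ipAddress"])
    findings = []
    for s in signins:
        if s["authenticationProtocol"] != "deviceCode" or s["status"]["errorCode"] != 0:
            continue  # only a completed device-code grant yields usable tokens
        reasons = []
        if s["appId"] not in allowed_apps:
            reasons.append("device-code flow used with an app not expected to use it")
        if s["ipAddress"] not in usual_ips[s["userPrincipalName"]]:
            reasons.append("sign-in recorded from an IP the user has never used")
        if reasons:
            findings.append((s["userPrincipalName"], s["createdDateTime"], reasons))
    return findings


if __name__ == "__main__":
    for user, when, reasons in flag_device_code_signins(SAMPLE_SIGNINS):
        print(f"{when} {user}: " + "; ".join(reasons))
```

In the sample data only alice's sign-in is flagged, on both counts; bob's device-code sign-in uses an allowed app from his usual IP, and carol's attempt never completed.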
Sources: