Hackers target Microsoft Entra accounts in device code vishing attacks

Source: BleepingComputer

Author: Bill Toulas

URL: https://www.bleepingcomputer.com/news/security/hackers-target-microsoft-entra-accounts-in-device-code-vishing-attacks/

ONE SENTENCE SUMMARY:

Threat actors combine vishing and phishing with Microsoft's OAuth 2.0 device-code flow to obtain access and refresh tokens once the victim completes MFA, then use those tokens to reach Entra-linked SaaS data without further MFA prompts.

MAIN POINTS:

  1. Campaigns target technology, manufacturing, and financial organizations via device-code phishing plus vishing.
  2. Attacks abuse the standard OAuth 2.0 Device Authorization Grant (RFC 8628) rather than deploying malicious OAuth apps.
  3. Legitimate Microsoft OAuth client IDs are leveraged to increase victim trust.
  4. Victims are coached to enter a user code at microsoft.com/devicelogin.
  5. Victims complete a normal login and MFA prompt, unknowingly approving a device-code request the attacker initiated under a legitimate client.
  6. Attackers poll the token endpoint with the device code to receive access and refresh tokens, then use the refresh token to mint further access tokens.
  7. Obtained tokens enable access without re-prompting MFA after initial authorization.
  8. Compromise extends to SSO-connected SaaS like Microsoft 365, Salesforce, Slack, and others.
  9. ShinyHunters is the suspected actor and has reportedly confirmed its involvement, though independent confirmation is lacking.
  10. Defensive guidance includes disabling device code flow, auditing consents, and reviewing sign-in logs.
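The exchange described in points 4 through 7, as an added simulation that is not code from the article or from Microsoft. SimulatedAuthServer is an in-memory stand-in for an authorization server (not Microsoft's endpoint), CLIENT_ID is a hypothetical placeholder for a first-party client ID, and token values are random. Field and grant names follow RFC 8628 and the Microsoft identity platform; the point it makes is that one interactive login plus MFA by the victim yields a refresh token the attacker can keep redeeming with no further user involvement.

```python
# Constructed simulation of the OAuth 2.0 Device Authorization Grant (RFC 8628)
# as abused in device-code vishing. Not Microsoft's implementation; token values
# are random placeholders and CLIENT_ID is hypothetical.
import secrets
import string

DEVICE_CODE_GRANT = "urn:ietf:params:oauth:grant-type:device_code"
CLIENT_ID = "00000000-0000-0000-0000-000000000000"  # hypothetical first-party client ID
SCOPE = "openid offline_access https://graph.microsoft.com/.default"  # offline_access => refresh token


class SimulatedAuthServer:
    """Minimal device-authorization + token endpoint with only the states that matter."""

    def __init__(self, verification_uri="https://microsoft.com/devicelogin"):
        self.verification_uri = verification_uri
        self.pending = {}            # device_code -> request record
        self.refresh_tokens = {}     # refresh_token -> grant record
        self.interactive_logins = 0  # times a human completed login + MFA
        self.access_tokens_issued = 0

    def device_authorization(self, client_id, scope):
        """POST /devicecode: the codes the attacker receives and relays by phone."""
        alphabet = string.ascii_uppercase + string.digits
        user_code = "".join(secrets.choice(alphabet) for _ in range(9))
        device_code = secrets.token_urlsafe(32)
        self.pending[device_code] = {"user_code": user_code, "client_id": client_id,
                                     "scope": scope, "approved_by": None}
        return {"device_code": device_code, "user_code": user_code,
                "verification_uri": self.verification_uri, "expires_in": 900, "interval": 5}

    def user_completes_login(self, user_code, user, mfa_passed):
        """The victim enters the attacker's user_code and satisfies MFA (the vishing step)."""
        if not mfa_passed:
            return False
        for rec in self.pending.values():
            if rec["user_code"] == user_code and rec["approved_by"] is None:
                rec["approved_by"] = user
                self.interactive_logins += 1
                return True
        return False

    def token(self, grant_type, client_id, device_code=None, refresh_token=None):
        """POST /token for the two grants the attacker uses."""
        if grant_type == DEVICE_CODE_GRANT:
            rec = self.pending.get(device_code)
            if rec is None or rec["client_id"] != client_id:
                return {"error": "invalid_grant"}
            if rec["approved_by"] is None:
                return {"error": "authorization_pending"}  # attacker keeps polling
            del self.pending[device_code]                 # device code is single use
            rt = secrets.token_urlsafe(32)
            self.refresh_tokens[rt] = {"user": rec["approved_by"], "client_id": client_id,
                                       "scope": rec["scope"]}
            return self._issue(rt)
        if grant_type == "refresh_token":
            rec = self.refresh_tokens.get(refresh_token)
            if rec is None or rec["client_id"] != client_id:
                return {"error": "invalid_grant"}
            return self._issue(refresh_token)  # no user present, no MFA prompt
        return {"error": "unsupported_grant_type"}

    def _issue(self, refresh_token):
        self.access_tokens_issued += 1
        return {"token_type": "Bearer", "expires_in": 3600,
                "access_token": secrets.token_urlsafe(32), "refresh_token": refresh_token}


def run_attack(server, victim="alice@example.com", renewals=3):
    """Attacker side: request codes, coach the victim, poll, then refresh silently."""
    dev = server.device_authorization(CLIENT_ID, SCOPE)
    # 1. Polling before the victim acts returns authorization_pending.
    first_poll = server.token(DEVICE_CODE_GRANT, CLIENT_ID, device_code=dev["device_code"])
    # 2. Vishing call: victim types dev["user_code"] at dev["verification_uri"] and passes MFA.
    approved = server.user_completes_login(dev["user_code"], victim, mfa_passed=True)
    # 3. The next poll returns the token set; the refresh token is the durable prize.
    tokens = server.token(DEVICE_CODE_GRANT, CLIENT_ID, device_code=dev["device_code"])
    # 4. The same device code cannot be redeemed twice, but it no longer matters.
    replay = server.token(DEVICE_CODE_GRANT, CLIENT_ID, device_code=dev["device_code"])
    # 5. Mint fresh access tokens as often as needed with no further user involvement.
    renewed = [server.token("refresh_token", CLIENT_ID, refresh_token=tokens["refresh_token"])
               for _ in range(renewals)]
    return {
        "first_poll_error": first_poll.get("error"),
        "victim_approved": approved,
        "got_refresh_token": "refresh_token" in tokens,
        "device_code_replay": replay.get("error"),
        "renewals_ok": all("access_token" in r for r in renewed),
        "interactive_logins": server.interactive_logins,
        "access_tokens_issued": server.access_tokens_issued,
    }


if __name__ == "__main__":
    print(run_attack(SimulatedAuthServer()))
```

Note that nothing in the victim's experience differs from a legitimate sign-in: the page is Microsoft's, the client is Microsoft's, and MFA is satisfied normally. The only thing the victim did not generate is the user code, which is why the code is the detection and user-education hook.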

TAKEAWAYS:

  1. Device-code flow turns user-approved MFA into attacker-controlled token issuance.
  2. Using Microsoft-branded OAuth apps and pages reduces typical phishing detection cues.
  3. Refresh tokens are the critical prize; until revoked or expired they enable durable, MFA-free session access.
  4. Monitoring for device-code authentication events can reveal intrusions earlier.
  5. Rarely used features such as device-code login should be disabled unless operationally required, for example with a Conditional Access policy that blocks the device code authentication flow.
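For the log-review guidance in main point 10 and takeaway 4, an added triage pass over Entra ID sign-in records (example code, not from the article or Microsoft). The records are constructed samples carrying a subset of the real Microsoft Graph signIn fields; CORP_NETS and KNOWN_DEVICE_CODE_USERS are hypothetical organisation-specific baselines to replace with your own. It flags every sign-in whose authenticationProtocol is deviceCode and grades it on whether it succeeded, whether the user normally uses device code (CLI admins often do), whether the source address is outside corporate ranges, and whether several users hit the same app via device code within a short window, the burst pattern a phone-driven campaign produces.

```python
# Constructed example: triage of Entra ID sign-in log records for device-code
# authentications. Sample records, CORP_NETS and KNOWN_DEVICE_CODE_USERS are
# made up for illustration.
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (real exports carry many more fields).
SIGNINS = [
    {"createdDateTime": "2026-02-10T09:02:11Z", "userPrincipalName": "alice@example.com",
     "appDisplayName": "Microsoft Office", "authenticationProtocol": "deviceCode",
     "ipAddress": "203.0.113.45", "status": {"errorCode": 0}},
    {"createdDateTime": "2026-02-10T09:03:40Z", "userPrincipalName": "bob@example.com",
     "appDisplayName": "Microsoft Teams", "authenticationProtocol": "oAuth2",
     "ipAddress": "198.51.100.7", "status": {"errorCode": 0}},
    {"createdDateTime": "2026-02-10T09:10:05Z", "userPrincipalName": "carol@example.com",
     "appDisplayName": "Microsoft Azure CLI", "authenticationProtocol": "deviceCode",
     "ipAddress": "198.51.100.22", "status": {"errorCode": 0}},
    {"createdDateTime": "2026-02-10T09:12:59Z", "userPrincipalName": "dave@example.com",
     "appDisplayName": "Microsoft Office", "authenticationProtocol": "deviceCode",
     "ipAddress": "203.0.113.45", "status": {"errorCode": 50126}},  # failed sign-in
]

CORP_NETS = [ipaddress.ip_network("198.51.100.0/24")]  # hypothetical office range
KNOWN_DEVICE_CODE_USERS = {"carol@example.com"}        # hypothetical: admins who use CLIs


def _ts(rec):
    return datetime.fromisoformat(rec["createdDateTime"].replace("Z", "+00:00"))


def is_corporate_ip(ip, corp_nets):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in corp_nets)


def triage_device_code(signins, corp_nets=CORP_NETS, known_users=KNOWN_DEVICE_CODE_USERS,
                       burst_window=timedelta(minutes=15)):
    """Return one scored alert per device-code sign-in, highest score first."""
    events = [s for s in signins if s.get("authenticationProtocol") == "deviceCode"]
    by_app = defaultdict(list)
    for e in events:
        by_app[e.get("appDisplayName")].append(e)

    alerts = []
    for e in events:
        user = e["userPrincipalName"]
        error_code = e.get("status", {}).get("errorCode", 0)
        score, reasons = 0, []
        if error_code == 0:
            score += 2
            reasons.append("device-code sign-in succeeded (tokens issued)")
        else:
            reasons.append(f"device-code sign-in failed (errorCode {error_code})")
        if user not in known_users:
            score += 2
            reasons.append("user has no device-code baseline")
        # Treat the address as enrichment only: which side of the flow the
        # recorded ipAddress reflects depends on the record type.
        if not is_corporate_ip(e["ipAddress"], corp_nets):
            score += 1
            reasons.append(f"ip {e['ipAddress']} outside corporate ranges")
        peers = {o["userPrincipalName"] for o in by_app[e.get("appDisplayName")]
                 if o["userPrincipalName"] != user and abs(_ts(o) - _ts(e)) <= burst_window}
        if peers:
            score += 2
            reasons.append(f"{len(peers)} other user(s) hit {e.get('appDisplayName')} "
                           f"via device code within {burst_window}")
        severity = "high" if score >= 6 else "medium" if score >= 3 else "low"
        alerts.append({"user": user, "time": e["createdDateTime"], "app": e.get("appDisplayName"),
                       "score": score, "severity": severity, "reasons": reasons})

    alerts.sort(key=lambda a: (-a["score"], a["time"]))
    return alerts


if __name__ == "__main__":
    for a in triage_device_code(SIGNINS):
        print(f"{a['severity']:6} {a['user']:20} {a['app']:20} {'; '.join(a['reasons'])}")
```

The same first filter in KQL against the SigninLogs table is `SigninLogs | where AuthenticationProtocol == "deviceCode"`. For any successful hit you do not trust, revoking the user's refresh tokens (Revoke-MgUserSignInSession in Microsoft Graph PowerShell) is the step that actually ends the attacker's access; a password reset alone does not invalidate tokens already issued.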