It is being reported hackers are targeting technology, manufacturing, and financial organizations in campaigns that leverage device code phishing with voice phishing (vishing) to abuse the OAuth 2.0 Device Authorization flow and compromise Microsoft Entra accounts.
Unlike previous attacks that utilized malicious OAuth applications to compromise accounts, these campaigns instead leverage legitimate Microsoft OAuth client IDs and the device authorization flow to trick victims into authenticating.
This provides attackers with valid authentication tokens that can be used to access the victim’s account without relying on regular phishing sites that steal passwords or intercept multi-factor authentication codes.
Ensar Seker, CISO at SOCRadar, commented:
“This campaign is significant because it doesn’t break authentication, it abuses it. The OAuth 2.0 Device Authorization flow was designed for usability across limited-input devices, but attackers are now socially engineering users into completing legitimate device login prompts under the guise of IT support or security validation. By leveraging real Microsoft OAuth client IDs instead of malicious apps, adversaries avoid many traditional detection controls. The result is a valid authentication token issued by Microsoft itself, which means no password theft, no MFA bypass exploit, just human manipulation.
“What makes this especially dangerous for enterprises is that many security programs still focus heavily on credential phishing indicators, fake domains, cloned login pages and MFA fatigue. Device code phishing shifts the battlefield into token abuse and session hijacking. Once the attacker has a valid access token tied to Entra ID, they can move laterally into M365, SharePoint, Teams, and potentially pivot toward financial fraud or data exfiltration without triggering obvious alerts.
‘If ShinyHunters is indeed involved, it signals continued evolution from traditional data-theft extortion toward identity-centric compromise models. Identity is the new perimeter, and OAuth abuse is becoming a preferred entry point because it blends into normal authentication telemetry.
“From a defensive standpoint, organizations need to restrict or monitor the Device Authorization flow where not required, enforce Conditional Access policies that bind tokens to compliant devices, reduce token lifetimes, enable sign-in risk policies, and implement stronger session monitoring. Security teams should also train employees that legitimate IT will never ask them to manually enter device codes shared over the phone.
“This is not a vulnerability in Microsoft Entra, it’s a design feature being exploited through social engineering. The real lesson is that modern attacks increasingly weaponize legitimate cloud workflows rather than exploit technical flaws.”
This is a very good time to start looking at your Microsoft Entra setup to make sure that you are not vulnerable. Because now that this is being used by one group of threat actors, it will be used by others soon enough.
Like this:
Like Loading...
Related
This entry was posted on February 19, 2026 at 1:41 pm and is filed under Commentary with tags Microsoft. You can follow any responses to this entry through the RSS 2.0 feed.
You can leave a response, or trackback from your own site.
Hackers Target Microsoft Entra Accounts in Device Code Vishing
It is being reported hackers are targeting technology, manufacturing, and financial organizations in campaigns that leverage device code phishing with voice phishing (vishing) to abuse the OAuth 2.0 Device Authorization flow and compromise Microsoft Entra accounts.
Unlike previous attacks that utilized malicious OAuth applications to compromise accounts, these campaigns instead leverage legitimate Microsoft OAuth client IDs and the device authorization flow to trick victims into authenticating.
This provides attackers with valid authentication tokens that can be used to access the victim’s account without relying on regular phishing sites that steal passwords or intercept multi-factor authentication codes.
Ensar Seker, CISO at SOCRadar, commented:
“This campaign is significant because it doesn’t break authentication, it abuses it. The OAuth 2.0 Device Authorization flow was designed for usability across limited-input devices, but attackers are now socially engineering users into completing legitimate device login prompts under the guise of IT support or security validation. By leveraging real Microsoft OAuth client IDs instead of malicious apps, adversaries avoid many traditional detection controls. The result is a valid authentication token issued by Microsoft itself, which means no password theft, no MFA bypass exploit, just human manipulation.
“What makes this especially dangerous for enterprises is that many security programs still focus heavily on credential phishing indicators, fake domains, cloned login pages and MFA fatigue. Device code phishing shifts the battlefield into token abuse and session hijacking. Once the attacker has a valid access token tied to Entra ID, they can move laterally into M365, SharePoint, Teams, and potentially pivot toward financial fraud or data exfiltration without triggering obvious alerts.
‘If ShinyHunters is indeed involved, it signals continued evolution from traditional data-theft extortion toward identity-centric compromise models. Identity is the new perimeter, and OAuth abuse is becoming a preferred entry point because it blends into normal authentication telemetry.
“From a defensive standpoint, organizations need to restrict or monitor the Device Authorization flow where not required, enforce Conditional Access policies that bind tokens to compliant devices, reduce token lifetimes, enable sign-in risk policies, and implement stronger session monitoring. Security teams should also train employees that legitimate IT will never ask them to manually enter device codes shared over the phone.
“This is not a vulnerability in Microsoft Entra, it’s a design feature being exploited through social engineering. The real lesson is that modern attacks increasingly weaponize legitimate cloud workflows rather than exploit technical flaws.”
This is a very good time to start looking at your Microsoft Entra setup to make sure that you are not vulnerable. Because now that this is being used by one group of threat actors, it will be used by others soon enough.
Share this:
Like this:
Related
This entry was posted on February 19, 2026 at 1:41 pm and is filed under Commentary with tags Microsoft. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.