Device-code phishing with vishing bypasses MFA in Microsoft Entra

Threat actors are combining the OAuth 2.0 device authorization grant with voice phishing (vishing) to hijack Microsoft Entra accounts. The attacker starts the device-code flow with a legitimate, first-party Microsoft client ID, then calls the victim and talks them through entering the resulting user code at microsoft.com/devicelogin. Because the victim completes the sign-in, including the MFA prompt, in their own browser, the attacker's polling request to the token endpoint returns an access token and a refresh token that already satisfy MFA; the refresh token can then be used to mint further access tokens and reach the victim's SaaS apps and data without prompting the victim again. Campaigns have targeted technology, manufacturing, and financial firms and may involve the ShinyHunters group. Recommended responses include revoking suspicious OAuth consents, auditing sign-in logs for device-code authentications, disabling the device-code flow where it is not needed (Conditional Access has an authentication-flows condition for this), and tightening Conditional Access policies to limit exposure.
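As an added example (not code from the article, from BleepingComputer, or from Microsoft): a Python triage script that scans exported Entra sign-in records for successful device-code authentications and ranks them. The record shape follows the Microsoft Graph signIn resource (`authenticationProtocol`, `appDisplayName`, `ipAddress`, `status.errorCode`, `location.countryOrRegion`); the sample records are constructed, and the scoring rules (sign-in country not seen in the user's other sign-ins, no baseline for the user at all, one source IP completing device-code sign-ins for several users) are my assumptions about what a vishing campaign leaves behind, not something the article states.

```python
"""Triage Microsoft Entra sign-in records for device-code-flow authentications.

Added example, not code from the article. Record shape follows the Microsoft
Graph signIn resource; the sample data and the scoring rules are constructed.
"""
import json
from collections import defaultdict

# Constructed sample export (JSON Lines). Field names mirror the Graph signIn
# resource; every value (users, IPs, times, apps) is made up for this example.
SAMPLE_SIGNINS_JSONL = """
{"id": "s1", "createdDateTime": "2025-03-03T08:12:41Z", "userPrincipalName": "a.lee@example.com", "appDisplayName": "Outlook Web", "ipAddress": "203.0.113.10", "authenticationProtocol": "oAuth2", "status": {"errorCode": 0}, "location": {"countryOrRegion": "US"}}
{"id": "s2", "createdDateTime": "2025-03-03T08:30:05Z", "userPrincipalName": "a.lee@example.com", "appDisplayName": "Microsoft Azure CLI", "ipAddress": "198.51.100.77", "authenticationProtocol": "deviceCode", "status": {"errorCode": 0}, "location": {"countryOrRegion": "NL"}}
{"id": "s3", "createdDateTime": "2025-03-03T08:55:19Z", "userPrincipalName": "b.kim@example.com", "appDisplayName": "Microsoft Teams", "ipAddress": "203.0.113.22", "authenticationProtocol": "oAuth2", "status": {"errorCode": 0}, "location": {"countryOrRegion": "US"}}
{"id": "s4", "createdDateTime": "2025-03-03T09:05:02Z", "userPrincipalName": "b.kim@example.com", "appDisplayName": "Visual Studio", "ipAddress": "203.0.113.22", "authenticationProtocol": "deviceCode", "status": {"errorCode": 0}, "location": {"countryOrRegion": "US"}}
{"id": "s5", "createdDateTime": "2025-03-03T09:20:48Z", "userPrincipalName": "c.ng@example.com", "appDisplayName": "Microsoft Azure CLI", "ipAddress": "198.51.100.77", "authenticationProtocol": "deviceCode", "status": {"errorCode": 50126}, "location": {"countryOrRegion": "NL"}}
{"id": "s6", "createdDateTime": "2025-03-03T09:40:33Z", "userPrincipalName": "d.ray@example.com", "appDisplayName": "Microsoft Azure CLI", "ipAddress": "198.51.100.77", "authenticationProtocol": "deviceCode", "status": {"errorCode": 0}, "location": {"countryOrRegion": "NL"}}
"""


def load_records(jsonl: str) -> list[dict]:
    """Parse a JSON Lines export into a list of sign-in records."""
    return [json.loads(line) for line in jsonl.splitlines() if line.strip()]


def is_success(record: dict) -> bool:
    """Entra reports errorCode 0 for a completed sign-in."""
    return record.get("status", {}).get("errorCode", 0) == 0


def country_of(record: dict):
    return record.get("location", {}).get("countryOrRegion")


def user_baseline(records: list[dict]) -> dict[str, set]:
    """Countries each user signed in from via any protocol other than deviceCode.

    Assumption: the user's ordinary interactive sign-ins are a fair baseline for
    where a device-code sign-in by that user should come from.
    """
    baseline: dict[str, set] = defaultdict(set)
    for r in records:
        if r.get("authenticationProtocol") != "deviceCode" and is_success(r):
            baseline[r["userPrincipalName"]].add(country_of(r))
    return baseline


def triage(records: list[dict]) -> list[dict]:
    """Return one finding per successful device-code sign-in, oldest first.

    Every device-code sign-in is reported (the flow itself is rare enough to be
    worth a look); reasons raise the severity to "high".
    """
    device_code = [
        r for r in records
        if r.get("authenticationProtocol") == "deviceCode" and is_success(r)
    ]
    baseline = user_baseline(records)

    # A vishing operator runs the flow from their own machine, so one source IP
    # completing device-code sign-ins for several users is a strong signal.
    users_per_ip: dict[str, set] = defaultdict(set)
    for r in device_code:
        users_per_ip[r["ipAddress"]].add(r["userPrincipalName"])

    findings = []
    for r in sorted(device_code, key=lambda x: x["createdDateTime"]):
        user = r["userPrincipalName"]
        reasons = []
        if not baseline.get(user):
            reasons.append("no_baseline")
        elif country_of(r) not in baseline[user]:
            reasons.append("new_country")
        if len(users_per_ip[r["ipAddress"]]) > 1:
            reasons.append("shared_source_ip")
        findings.append({
            "id": r["id"],
            "time": r["createdDateTime"],
            "user": user,
            "app": r.get("appDisplayName"),
            "ip": r["ipAddress"],
            "country": country_of(r),
            "reasons": reasons,
            "severity": "high" if reasons else "low",
        })
    return findings


if __name__ == "__main__":
    for f in triage(load_records(SAMPLE_SIGNINS_JSONL)):
        print(f"{f['severity']:5} {f['time']} {f['user']:20} {f['app']:20} "
              f"{f['ip']:15} {f['country']} {','.join(f['reasons']) or '-'}")
```

Point it at an export of sign-in records from the Entra portal or the Graph `auditLogs/signIns` endpoint and read the high-severity rows first. A low-severity hit (a developer signing in to Visual Studio from their usual country) still deserves a glance, because a convincing vishing call can come from the victim's own region, and the script drops failed device-code attempts like `s5` rather than counting them, which a real detection should do separately: a burst of failures from one IP is the operator trying user after user.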
- Hackers target Microsoft Entra accounts in device code vishing attacks (BleepingComputer)
- Uncovering the Sophisticated Phishing Campaign Bypassing M365 MFA (KnowBe4 blog)
- New phishing campaign tricks employees into bypassing Microsoft 365 MFA (Computerworld)
- “Messages Held” phishing emails target Microsoft 365 passwords (MailGuard)
- Ongoing Campaign Targets Microsoft 365 to Steal OAuth Tokens for Persistent Access (gbhackers.com)