Device-code phishing with vishing redefines MFA in Microsoft Entra
Threat actors are abusing the OAuth 2.0 device authorization flow combined with voice phishing to hijack Microsoft Entra accounts. By using legitimate Microsoft OAuth client IDs, they trick victims into authenticating on microsoft.com/devicelogin, after which they can grab refresh tokens and issue access tokens, effectively bypassing MFA and accessing the victim's SaaS apps and data. Campaigns have targeted technology, manufacturing, and financial firms and may involve the ShinyHunters group. Security responses include revoking suspicious OAuth consents, auditing device-code sign-in events, disabling device-code flow when not needed, and enforcing conditional access policies to limit exposure.