Threat actors have combined voice phishing and device code phishing to abuse the OAuth 2.0 device authorization flow and compromise Microsoft Entra accounts in recent campaigns that targeted technology, manufacturing and financial organisations. The attacks yield valid authentication tokens that allow access to connected SSO applications.
KEY FACTS
- Incident: Device code phishing paired with vishing
- Technique: Use of legitimate Microsoft OAuth client IDs to generate device and user codes
- Targets: Technology, manufacturing and financial organisations
- Impact: Attackers can obtain refresh tokens and access SSO apps
The device authorization flow is intended for devices with limited input capability, such as TVs and printers. The device displays a short code and asks the user to visit microsoft.com/devicelogin on another device to complete sign-in, which links the device to the user's account.
A technical analysis by KnowBe4 found campaigns that combine social engineering lures with generated device_code and user_code values to trick employees into completing the authentication flow on legitimate Microsoft pages.
When a target enters the provided code and completes multi-factor authentication, the authorised OAuth application can be used to retrieve a refresh token. That token can then be exchanged for access tokens, allowing attackers to authenticate as the user and reach SaaS resources configured with SSO.
Recommended actions include blocking malicious domains and sender addresses, auditing and revoking suspicious OAuth app consents, reviewing Azure AD sign-in logs for device code events, disabling the device code flow when it is not needed and enforcing conditional access policies.
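One way to act on the log-review recommendation above, as an added example that is not from the article or from KnowBe4: a small triage helper that picks device-code authentications out of exported Entra sign-in records and prioritises the ones from unexpected countries or from apps not on an allow list. Field names follow the Microsoft Graph signIn resource (authenticationProtocol, appId, location, status) but are an assumption to verify against your tenant's export; the sample records, users, IPs and app IDs are constructed.

```python
"""Triage Entra sign-in records for OAuth device-code authentications (hypothetical helper)."""

# Constructed sample records mirroring the shape of /auditLogs/signIns entries.
# Users, IPs, timestamps and app IDs are made up; field names are assumed from the Graph schema.
SAMPLE_SIGNINS = [
    {"createdDateTime": "2024-05-02T08:12:00Z", "userPrincipalName": "alice@example.com",
     "appDisplayName": "Sample Productivity App", "appId": "11111111-1111-1111-1111-111111111111",
     "authenticationProtocol": "deviceCode", "ipAddress": "203.0.113.10",
     "location": {"countryOrRegion": "NL"}, "status": {"errorCode": 0}},
    {"createdDateTime": "2024-05-02T08:13:00Z", "userPrincipalName": "alice@example.com",
     "appDisplayName": "Sample Mail Client", "appId": "22222222-2222-2222-2222-222222222222",
     "authenticationProtocol": "oAuth2", "ipAddress": "198.51.100.5",
     "location": {"countryOrRegion": "GB"}, "status": {"errorCode": 0}},
    {"createdDateTime": "2024-05-02T09:40:00Z", "userPrincipalName": "bob@example.com",
     "appDisplayName": "Sample CLI Tool", "appId": "33333333-3333-3333-3333-333333333333",
     "authenticationProtocol": "deviceCode", "ipAddress": "198.51.100.7",
     "location": {"countryOrRegion": "GB"}, "status": {"errorCode": 50126}},  # failed sign-in
]


def device_code_signins(records, successful_only=True):
    """Return sign-ins completed through the device authorization flow.

    A successful device-code sign-in is the event that hands the phished app a refresh
    token, so failures are dropped by default; pass successful_only=False to keep them.
    """
    hits = []
    for r in records:
        if r.get("authenticationProtocol") != "deviceCode":
            continue
        if successful_only and r.get("status", {}).get("errorCode", 0) != 0:
            continue
        hits.append(r)
    return hits


def flag_unexpected(records, expected_countries, allowed_app_ids=frozenset()):
    """Prioritise device-code sign-ins from outside the expected countries or by apps
    that are not on the allow list. Returns (upn, app, ip, reason) tuples."""
    findings = []
    for r in device_code_signins(records):
        reasons = []
        country = r.get("location", {}).get("countryOrRegion")
        if country not in expected_countries:
            reasons.append(f"country {country}")
        if r.get("appId") not in allowed_app_ids:
            reasons.append(f"app {r.get('appDisplayName')}")
        if reasons:
            findings.append((r["userPrincipalName"], r["appDisplayName"],
                             r["ipAddress"], "; ".join(reasons)))
    return findings
```

Every hit should be checked against the user's expected location and the tenant's known device-code apps; a successful device-code sign-in from an unfamiliar app is the record to revoke sessions and app consents on.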
WHY IT MATTERS
The attacks bypass traditional password theft by using legitimate authentication flows and tokens, increasing the risk of undetected access to corporate data and SSO applications. Organisations should review OAuth consents and authentication flows to reduce exposure.