Hackers target Microsoft Entra accounts in device code vishing attacks
Attackers combine device code phishing with voice phishing (vishing) to target organizations in the technology, manufacturing, and financial sectors. They abuse the OAuth 2.0 device authorization flow to obtain valid authentication tokens, bypass multi-factor authentication, and access victims' accounts and single sign-on applications.
2026-2-19 12:45:19 Author: www.bleepingcomputer.com


Threat actors are targeting technology, manufacturing, and financial organizations in campaigns that combine device code phishing and voice phishing (vishing) to abuse the OAuth 2.0 Device Authorization flow and compromise Microsoft Entra accounts.

Unlike previous attacks that utilized malicious OAuth applications to compromise accounts, these campaigns instead leverage legitimate Microsoft OAuth client IDs and the device authorization flow to trick victims into authenticating.

This provides attackers with valid authentication tokens that can be used to access the victim's account without relying on regular phishing sites that steal passwords or intercept multi-factor authentication codes.


A source told BleepingComputer they believed the ShinyHunters extortion gang was behind the new device code vishing attacks, which the threat actors later confirmed. BleepingComputer has not been able to confirm this independently.

ShinyHunters was recently linked to vishing attacks used to breach Okta and Microsoft Entra SSO accounts for data theft attacks.

BleepingComputer contacted Microsoft about these attacks but was told it had nothing to share at this time.

Device code social engineering attacks

BleepingComputer has learned from multiple sources that threat actors have begun using vishing social engineering attacks that no longer require attacker-controlled infrastructure, instead leveraging legitimate Microsoft login forms and standard device code authentication workflows to breach corporate accounts.

A device code phishing attack is when the legitimate OAuth 2.0 device authorization grant flow is abused to obtain authentication tokens for the victim's Microsoft Entra account.

This can then be used to gain access to the user's resources and connected SSO applications, like Microsoft 365, Salesforce, Google Workspace, Dropbox, Adobe, SAP, Slack, Zendesk, Atlassian, and many others.

This grant flow was designed to make it easy to connect devices that lack accessible input options, such as IoT devices, printers, streaming devices, and TVs.

"The Microsoft identity platform supports the device authorization grant, which allows users to sign in to input-constrained devices such as a smart TV, IoT device, or a printer," explains Microsoft.

"To enable this flow, the device has the user visit a webpage in a browser on another device to sign in. Once the user signs in, the device is able to get access tokens and refresh tokens as needed."

This authentication flow is similar to what you see when logging into a streaming service, such as Netflix or Apple TV, where the streaming device displays a short code and instructs you to visit a website on your phone or computer to complete sign-in.

After you enter the code and authenticate, the device is automatically linked to your account without ever handling your password directly.

To conduct a device-code phishing attack, threat actors need the client_id of an existing OAuth app, which can be their own or one of Microsoft's existing apps.

Using open-source tools, the attackers generate a "device_code" and "user_code" that will be shared with the target for the specified OAuth app. 

The threat actors then contact a targeted employee and attempt to convince them to enter the generated user_code on the Microsoft device authentication page, microsoft.com/devicelogin.

Microsoft's device authentication form

When the targeted person enters the code, they will be prompted to log in with their credentials and complete any MFA verifications, just as they normally would when logging in. After authenticating, Microsoft displays the name of the OAuth application that was authorized.

However, because threat actors can use legitimate apps, even those from Microsoft, this can lend more legitimacy and trust to the authentication process.

Microsoft Authentication Broker OAuth app now connected to an account

Once the OAuth app is connected to an account, threat actors can use the device_code to retrieve the targeted employee's refresh token, which can then be exchanged for access tokens.

Those access tokens allow attackers to access the employee's Microsoft services without having to complete multi-factor authentication again, since MFA was already completed during the initial login.

The threat actors can now authenticate as the user in Microsoft Entra and access SaaS applications configured with SSO (single sign-on) in the victim's tenant, enabling the theft of corporate data for extortion.

KnowBe4 Threat Labs also discovered a recent campaign that uses traditional phishing emails and websites to deliver device code attacks.

The company first spotted the campaign in December 2025 and said it relies heavily on social engineering lures such as fake payment configuration prompts, document-sharing alerts, and bogus voicemail notifications.

Malicious pages used in the campaign
Source: KnowBe4

KnowBe4 recommends that Microsoft 365 account holders block the malicious domains and sender addresses, audit and revoke suspicious OAuth app consents, and review Azure AD sign-in logs for device code authentication events.

Administrators are also recommended to turn off the device code flow option when not required and to enforce conditional access policies.
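The sign-in log review recommended above, as an added example that is not from the article, KnowBe4 or Microsoft: a Python script that sweeps constructed Entra sign-in records shaped like Microsoft Graph signIn objects (the authenticationProtocol property and its deviceCode value exist in that schema; the records, user names and app IDs are made up) and lists every device code authentication, marking whether the source IP also appears in that user's ordinary sign-ins.

```python
import json

# Constructed sample records shaped like Microsoft Graph `signIn` objects. The
# property names follow the Graph schema; every value (users, IPs, app IDs) is
# invented for this example.
SAMPLE_SIGNIN_LOG = """
{"createdDateTime": "2026-02-18T09:12:03Z", "userPrincipalName": "alice@example.com", "appId": "00000000-0000-0000-0000-000000000001", "appDisplayName": "Example Broker App", "authenticationProtocol": "deviceCode", "ipAddress": "203.0.113.10", "status": {"errorCode": 0}}
{"createdDateTime": "2026-02-18T09:15:44Z", "userPrincipalName": "alice@example.com", "appId": "00000000-0000-0000-0000-000000000002", "appDisplayName": "Example Mail App", "authenticationProtocol": "oAuth2", "ipAddress": "198.51.100.7", "status": {"errorCode": 0}}
{"createdDateTime": "2026-02-18T10:02:11Z", "userPrincipalName": "bob@example.com", "appId": "00000000-0000-0000-0000-000000000001", "appDisplayName": "Example Broker App", "authenticationProtocol": "deviceCode", "ipAddress": "198.51.100.20", "status": {"errorCode": 0}}
{"createdDateTime": "2026-02-18T10:40:29Z", "userPrincipalName": "bob@example.com", "appId": "00000000-0000-0000-0000-000000000002", "appDisplayName": "Example Mail App", "authenticationProtocol": "oAuth2", "ipAddress": "198.51.100.20", "status": {"errorCode": 0}}
{"createdDateTime": "2026-02-18T11:30:00Z", "userPrincipalName": "carol@example.com", "appId": "00000000-0000-0000-0000-000000000002", "appDisplayName": "Example Mail App", "authenticationProtocol": "oAuth2", "ipAddress": "198.51.100.21", "status": {"errorCode": 0}}
"""

DEVICE_CODE = "deviceCode"  # authenticationProtocol value for the device authorization grant


def parse_signins(log_text):
    """Parse newline-delimited JSON sign-in records, skipping blank lines."""
    return [json.loads(line) for line in log_text.splitlines() if line.strip()]


def find_device_code_signins(log_text):
    """Return one finding per sign-in that used the device code flow.

    Each finding records whether the source IP also shows up in that user's
    non-device-code sign-ins. A device code redeemed from an address the user
    never signs in from otherwise is the case worth reviewing first: the
    user_code was typed on the victim's machine, but the tokens are polled
    from wherever the code was generated.
    """
    records = parse_signins(log_text)
    usual_ips = {}
    for r in records:
        if r.get("authenticationProtocol") != DEVICE_CODE:
            usual_ips.setdefault(r["userPrincipalName"], set()).add(r["ipAddress"])
    findings = []
    for r in records:
        if r.get("authenticationProtocol") != DEVICE_CODE:
            continue
        user, ip = r["userPrincipalName"], r["ipAddress"]
        findings.append({
            "time": r["createdDateTime"],
            "user": user,
            "app": r.get("appDisplayName") or r.get("appId"),
            "ip": ip,
            "succeeded": r.get("status", {}).get("errorCode", 0) == 0,
            "ip_seen_elsewhere": ip in usual_ips.get(user, set()),
        })
    return findings


if __name__ == "__main__":
    for f in find_device_code_signins(SAMPLE_SIGNIN_LOG):
        tag = "info" if f["ip_seen_elsewhere"] else "REVIEW"
        print(f"[{tag}] {f['time']} {f['user']} via {f['app']} from {f['ip']} success={f['succeeded']}")
```

Real data can be pulled with the Graph sign-in log query filtered on `authenticationProtocol eq 'deviceCode'`; the IP heuristic is a triage aid, not proof, since a user who legitimately set up an input-constrained device will also appear here.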

Device code phishing is not new, with multiple threat actors having used this method to breach accounts in the past.

In February 2025, the Microsoft Threat Intelligence Center warned that Russian hackers were targeting Microsoft 365 accounts using device code phishing.

In December, Proofpoint reported similar attacks that used a phishing kit resembling the one seen by KnowBe4 to breach Microsoft accounts.



Source: https://www.bleepingcomputer.com/news/security/hackers-target-microsoft-entra-accounts-in-device-code-vishing-attacks/