ShinyHunters Linked to Device Code Vishing Attacks Targeting Microsoft Entra Accounts via OAuth 2.0 Abuse

A new wave of attacks is combining voice phishing (vishing) with OAuth 2.0 device authorization abuse to compromise Microsoft Entra accounts at technology, manufacturing, and financial organizations — bypassing traditional phishing infrastructure entirely.

Sources told BleepingComputer they believe the ShinyHunters extortion gang is behind the campaigns, which the threat actors subsequently confirmed. ShinyHunters was recently linked to separate vishing attacks targeting Okta and Microsoft Entra SSO accounts for corporate data theft.

Microsoft declined to comment on the attacks.

How Device Code Phishing Works

Unlike conventional phishing that relies on fake login pages or MFA interception, this technique abuses the legitimate OAuth 2.0 Device Authorization Grant flow — a feature designed for input-constrained devices like smart TVs, IoT devices, and printers that authenticate by having users enter a short code on a separate device.

The attack flow:

  1. Attacker generates a device code using an existing OAuth app's client ID — either their own or a legitimate Microsoft application
  2. Contacts the target via phone call (vishing), convincing them to visit microsoft.com/devicelogin
  3. Victim enters the user code on Microsoft's legitimate device authentication page
  4. Victim authenticates normally — entering credentials and completing MFA as they would for any standard login
  5. Attacker receives a refresh token tied to the victim's authenticated session, exchangeable for access tokens without requiring further MFA

Because the entire authentication happens on Microsoft's real login infrastructure with legitimate OAuth app names displayed, the process appears entirely trustworthy to the victim.
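To make the five steps concrete, here is an offline simulation of the OAuth 2.0 Device Authorization Grant (RFC 8628) with a mock authorization server. This is an added example, not code from the article and not Microsoft's implementation: the `AuthServer` class stands in for an identity provider such as Entra ID, and its endpoint names, field names and the `allow_device_code_flow` switch are simplifications assumed for illustration (in Entra the equivalent control is a Conditional Access policy on the device code authentication flow). It shows why the flow is attractive for this abuse (the server never learns whether the party polling for tokens is the user's own device) and where the policy control takes effect (before any token is bound to the session).

```python
"""Offline simulation of the OAuth 2.0 Device Authorization Grant (RFC 8628).

Added example, not code from the article and not Microsoft's implementation.
'AuthServer' stands in for an identity provider such as Entra ID; endpoint
names, field names and the 'allow_device_code_flow' policy switch are
assumptions chosen for illustration.
"""
import secrets
import time
from dataclasses import dataclass
from typing import Optional


@dataclass
class DeviceGrant:
    client_id: str
    user_code: str      # short code the user types on the device login page
    device_code: str    # long secret held only by the polling client
    scope: str
    expires_at: float
    approved_by: Optional[str] = None


class AuthServer:
    def __init__(self, allow_device_code_flow: bool = True):
        self.allow_device_code_flow = allow_device_code_flow
        self._by_device_code: dict = {}
        self._by_user_code: dict = {}

    def device_authorization(self, client_id: str, scope: str, lifetime: int = 900) -> dict:
        """Step 1: any party that knows a client_id can request a code pair.
        Nothing in this step proves who the requester is."""
        grant = DeviceGrant(
            client_id=client_id,
            user_code=f"{secrets.randbelow(10**9):09d}",
            device_code=secrets.token_urlsafe(32),
            scope=scope,
            expires_at=time.time() + lifetime,
        )
        self._by_device_code[grant.device_code] = grant
        self._by_user_code[grant.user_code] = grant
        return {"user_code": grant.user_code, "device_code": grant.device_code,
                "verification_uri": "https://idp.example/devicelogin", "expires_in": lifetime}

    def user_login(self, user_code: str, username: str, password_ok: bool, mfa_ok: bool) -> str:
        """Steps 3-4: the user types the code in their own browser and signs in with
        password and MFA. The server cannot tell whether the client polling below is
        the user's own device or someone who read the code out over the phone."""
        grant = self._by_user_code.get(user_code)
        if grant is None or time.time() > grant.expires_at:
            return "invalid_or_expired_code"
        if not self.allow_device_code_flow:
            return "blocked_by_policy"   # the mitigation: deny before any token is bound
        if not (password_ok and mfa_ok):
            return "authentication_failed"
        grant.approved_by = username
        return "approved"

    def token(self, device_code: str) -> dict:
        """Step 5: the polling client redeems device_code. The refresh token is issued
        on the strength of the interactive login; there is no second MFA prompt."""
        grant = self._by_device_code.get(device_code)
        if grant is None or time.time() > grant.expires_at:
            return {"error": "expired_token"}
        if grant.approved_by is None:
            return {"error": "authorization_pending"}
        return {"token_type": "Bearer", "subject": grant.approved_by, "scope": grant.scope,
                "access_token": secrets.token_urlsafe(16), "refresh_token": secrets.token_urlsafe(16)}


def run_scenario(policy_blocks_flow: bool) -> dict:
    """Walk the five steps from the article and report what each side sees."""
    idp = AuthServer(allow_device_code_flow=not policy_blocks_flow)
    codes = idp.device_authorization(client_id="public-client-app", scope="Mail.Read offline_access")
    pending = idp.token(codes["device_code"])   # polling before the user has approved
    login = idp.user_login(codes["user_code"], "alice@example.test", password_ok=True, mfa_ok=True)
    final = idp.token(codes["device_code"])
    return {"pending": pending, "login": login, "token": final}


if __name__ == "__main__":
    for blocked in (False, True):
        print("policy blocks device code flow:", blocked, "->", run_scenario(blocked))
```

Running it with the policy switch off reproduces the article's outcome: the poller gets a refresh token for `alice@example.test` without ever seeing her password or MFA code. With the switch on, the login is refused at the approval step and the poller never leaves `authorization_pending`, which is the effect the "disable device code flow" recommendation aims for.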

Why This Bypasses MFA

The critical difference from traditional credential theft: the attacker never needs the victim's password or MFA codes. Once the victim completes authentication against the device code, the attacker receives tokens that grant persistent access. MFA was already satisfied during the initial login and is not required again when the tokens are used.

With those tokens, attackers can authenticate as the victim across any SaaS application configured with SSO in the organization's Entra tenant — including Microsoft 365, Salesforce, Google Workspace, Dropbox, Slack, SAP, Atlassian, and others.

Parallel Email-Based Campaign Discovered

KnowBe4 Threat Labs independently identified a related campaign active since December 2025 that delivers device code attacks through traditional phishing emails rather than phone calls. The lures include fake payment configuration prompts, document-sharing alerts, and bogus voicemail notifications that direct victims to device code authentication pages.

ShinyHunters' Evolving Playbook

This marks another escalation in ShinyHunters' tactics. The group has shifted from traditional data theft operations toward sophisticated identity-based attacks that leverage legitimate authentication flows rather than exploiting vulnerabilities. By abusing OAuth's device authorization grant, they eliminate the need for attacker-controlled infrastructure — no fake domains, no credential harvesting pages, no proxy servers to intercept MFA.

Defender Recommendations

  • Disable device code flow in Entra ID when not required — this is the most effective mitigation
  • Enforce conditional access policies that restrict device code authentication to managed devices or trusted networks
  • Audit Azure AD sign-in logs for device code authentication events — look for DeviceCodeFlow entries from unexpected locations
  • Review and revoke suspicious OAuth app consents across the tenant
  • Train employees on vishing — emphasize that legitimate IT support will never ask users to enter codes at microsoft.com/devicelogin over the phone
  • Monitor for token abuse — flag access patterns where tokens are used from IPs or locations that differ from the original authentication
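Two of the recommendations above (auditing sign-in logs for device code authentication, and flagging tokens used from a location that differs from the original authentication) can be turned into simple triage rules over a sign-in log export. The following is an added example, not the article's code and not a Microsoft tool. The records are constructed JSON lines shaped like the Entra sign-in log; the field names used (`createdDateTime`, `userPrincipalName`, `authenticationProtocol`, `isInteractive`, `ipAddress`, `location.countryOrRegion`, `appDisplayName`, `sessionId`) follow Microsoft's documented sign-in schema as far as I know, but map them against your own export rather than assuming an exact match.

```python
"""Triage device code sign-ins and follow-on token use in a sign-in log export.

Added example, not the article's code and not a Microsoft tool. Records are
constructed JSON lines resembling the Entra sign-in log; field names are an
assumption to be checked against your own export.
"""
import json
from collections import defaultdict

# Constructed sample. Alice signs in interactively via device code from the
# office, then a non-interactive token use for the same session arrives from
# another country. Carol's device code sign-in itself comes from outside the
# expected region. Bob is an ordinary interactive sign-in.
SAMPLE_LOG = """\
{"createdDateTime":"2026-01-12T09:01:10Z","userPrincipalName":"alice@example.test","authenticationProtocol":"deviceCode","isInteractive":true,"ipAddress":"203.0.113.10","location":{"countryOrRegion":"US"},"appDisplayName":"Microsoft Office","sessionId":"s-1"}
{"createdDateTime":"2026-01-12T09:03:40Z","userPrincipalName":"alice@example.test","authenticationProtocol":"none","isInteractive":false,"ipAddress":"198.51.100.7","location":{"countryOrRegion":"NL"},"appDisplayName":"Microsoft Office","sessionId":"s-1"}
{"createdDateTime":"2026-01-12T09:05:00Z","userPrincipalName":"bob@example.test","authenticationProtocol":"none","isInteractive":true,"ipAddress":"203.0.113.11","location":{"countryOrRegion":"US"},"appDisplayName":"Office 365 SharePoint Online","sessionId":"s-2"}
{"createdDateTime":"2026-01-12T11:20:00Z","userPrincipalName":"carol@example.test","authenticationProtocol":"deviceCode","isInteractive":true,"ipAddress":"192.0.2.44","location":{"countryOrRegion":"DE"},"appDisplayName":"Printer Portal","sessionId":"s-3"}
{"createdDateTime":"2026-01-12T11:25:00Z","userPrincipalName":"carol@example.test","authenticationProtocol":"none","isInteractive":false,"ipAddress":"192.0.2.44","location":{"countryOrRegion":"DE"},"appDisplayName":"Printer Portal","sessionId":"s-3"}
"""


def parse_signins(jsonl: str) -> list:
    """Parse a JSON-lines export into dicts, skipping blank lines."""
    return [json.loads(line) for line in jsonl.splitlines() if line.strip()]


def _country(event: dict):
    return (event.get("location") or {}).get("countryOrRegion")


def device_code_signins(events: list, expected_countries) -> list:
    """Audit rule: list every device code authentication. Those from outside the
    expected regions are rated high; the rest still deserve a review, because a
    device code sign-in from an office IP is exactly what a vished user produces."""
    findings = []
    for e in events:
        if e.get("authenticationProtocol") != "deviceCode":
            continue
        country = _country(e)
        findings.append({
            "rule": "device_code_signin",
            "user": e["userPrincipalName"],
            "app": e.get("appDisplayName"),
            "ip": e.get("ipAddress"),
            "country": country,
            "severity": "review" if country in expected_countries else "high",
        })
    return findings


def token_reuse_anomalies(events: list) -> list:
    """Token-abuse rule: within one session, compare the interactive sign-in's
    IP and country with every later non-interactive token use; any mismatch is
    a finding, and it is tagged when the session began with a device code."""
    by_session = defaultdict(list)
    for e in events:
        if e.get("sessionId"):
            by_session[e["sessionId"]].append(e)
    findings = []
    for sid, evs in by_session.items():
        evs.sort(key=lambda ev: ev["createdDateTime"])
        origin = next((ev for ev in evs if ev.get("isInteractive")), None)
        if origin is None:
            continue
        for later in evs:
            if later.get("isInteractive") or later["createdDateTime"] < origin["createdDateTime"]:
                continue
            same_ip = later.get("ipAddress") == origin.get("ipAddress")
            same_country = _country(later) == _country(origin)
            if not (same_ip and same_country):
                findings.append({
                    "rule": "token_used_from_new_location",
                    "user": origin["userPrincipalName"],
                    "session": sid,
                    "origin": (origin.get("ipAddress"), _country(origin)),
                    "later": (later.get("ipAddress"), _country(later)),
                    "via_device_code": origin.get("authenticationProtocol") == "deviceCode",
                })
    return findings


if __name__ == "__main__":
    evs = parse_signins(SAMPLE_LOG)
    for f in device_code_signins(evs, expected_countries={"US"}) + token_reuse_anomalies(evs):
        print(json.dumps(f))
```

On the constructed sample the first rule lists Alice (review) and Carol (high), and the second rule flags Alice's session because the token minted by her device code login is later used from a Dutch IP. Both rules are deliberately narrow; in a real tenant you would key the expected regions per user or group and let the session correlation run over a window long enough to cover refresh token lifetimes.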

By Zero Day Wire