Hackers have launched a massive campaign against Microsoft 365 and Entra ID (formerly Azure AD) users that combines phishing with ‘vishing,’ or voice-based social engineering.
This ongoing operation bypasses standard security measures by exploiting the Microsoft Device Code flow, a feature typically used to authenticate devices, including smart TVs and printers.
The attack begins with a deceptive phone call or a high-priority email notification. Fraudsters often pose as Microsoft technical support or IT security staff, alerting the victim to a “security breach” or a “blocked login attempt” that requires immediate verification.
During the conversation, the attacker instructs the user to visit the legitimate Microsoft device login page and enter a specific eight-digit code provided by the hacker.
Exploiting human trust
This method is particularly dangerous because it does not rely on a fake website. Instead, it directs users to Microsoft’s official infrastructure, which creates a false sense of security.
Once the victim enters the code, they are essentially granting the attacker’s device authorization to access their account. This allows the hacker to bypass multi-factor authentication (MFA) entirely, as the user has “verified” the session through their own trusted device and credentials.
The targets are corporate employees and high-level executives within organizations that rely on Microsoft Entra ID for identity management. Because the hackers obtain a “primary refresh token,” they can maintain long-term access to the victim’s emails, SharePoint documents and internal chat logs without needing to log in again.
This level of access is often a precursor to business email compromise (BEC) fraud or the deployment of ransomware within a corporate network.
To defend against this campaign, cybersecurity experts emphasize that users should never enter a device code provided to them by an unsolicited caller. Microsoft never uses the device code flow for security verification or identity confirmation over the phone.
Organizations are being urged to implement Conditional Access policies that restrict device code flow to specific, managed devices only. Training staff to recognize that even official-looking login pages can be used for malicious purposes remains the most effective line of defence against this evolving threat.
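Alongside the Conditional Access restriction, defenders can triage exported Entra ID sign-in logs for device code authentications that did not come from a managed, compliant device or arrived from an unexpected country. The following is an added example, not code from the article or from Microsoft; the record layout and the field names `authenticationProtocol`, `deviceDetail` and `location` follow the Microsoft Graph sign-in resource as assumed here, and the sample records are constructed.

```python
"""Triage Entra ID sign-in log records for device code flow sign-ins.

Added example (not from the article). Scans exported sign-in records in
the JSON shape of the Microsoft Graph signIn resource (field names are
an assumption) and flags device code sign-ins that break policy.
"""
import json

# Constructed sample export: three sign-ins, one of them suspicious.
SAMPLE_SIGNINS = json.dumps([
    {"id": "s1", "userPrincipalName": "alice@example.com",
     "authenticationProtocol": "deviceCode",
     "deviceDetail": {"deviceId": "dev-1", "isManaged": True, "isCompliant": True},
     "location": {"countryOrRegion": "GB"}},
    {"id": "s2", "userPrincipalName": "bob@example.com",
     "authenticationProtocol": "deviceCode",
     "deviceDetail": {"deviceId": "", "isManaged": False, "isCompliant": False},
     "location": {"countryOrRegion": "NG"}},
    {"id": "s3", "userPrincipalName": "carol@example.com",
     "authenticationProtocol": "oAuth2",
     "deviceDetail": {"deviceId": "", "isManaged": False, "isCompliant": False},
     "location": {"countryOrRegion": "US"}},
])


def flag_device_code_signins(signins_json, expected_countries):
    """Return (id, upn, reasons) for device code sign-ins that break policy."""
    flagged = []
    for rec in json.loads(signins_json):
        if rec.get("authenticationProtocol") != "deviceCode":
            continue  # other authentication flows are out of scope here
        dev = rec.get("deviceDetail", {})
        loc = rec.get("location", {})
        reasons = []
        # Device code sign-ins should only succeed from managed, compliant devices.
        if not (dev.get("isManaged") and dev.get("isCompliant")):
            reasons.append("unmanaged-or-noncompliant-device")
        # A device the user "verified" from a country they never work in is a red flag.
        if loc.get("countryOrRegion") not in expected_countries:
            reasons.append("unexpected-country")
        if reasons:
            flagged.append((rec["id"], rec["userPrincipalName"], reasons))
    return flagged


if __name__ == "__main__":
    for sid, upn, why in flag_device_code_signins(SAMPLE_SIGNINS, {"GB", "US"}):
        print(f"{sid} {upn}: {', '.join(why)}")
```

Flagged records are the ones to revoke sessions and refresh tokens for, then confirm with the user whether they read a code to a caller.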