The ShinyHunters extortion gang is running a new campaign that combines voice phishing (vishing) with Microsoft’s OAuth 2.0 device authorization flow to compromise Entra accounts — bypassing MFA entirely. BleepingComputer has the full report.
How It Works
The attack abuses the legitimate device code authentication flow built into Microsoft Entra:
- Attackers request a device code from Microsoft's device authorization endpoint, presenting the client ID of a legitimate, already-consented public client application, so the request looks like an ordinary sign-in from that app.
- They call the target, posing as IT support or Microsoft, and talk them through visiting microsoft.com/devicelogin and entering the code the caller reads out over the phone.
- The victim enters the code and completes a normal login at the genuine Microsoft sign-in page, including MFA.
- The attacker, who has been polling the token endpoint in the background, receives valid access and refresh tokens for the account without ever handling the victim's password or MFA codes.
Because this uses Microsoft's real sign-in page and a standard, documented authorization grant, there is no attacker-controlled page to detect and nothing sits between the victim and Microsoft. The victim sees an ordinary Microsoft login; the only unusual thing is that they typed a code someone read to them over the phone. The code is only valid for a short window, which is why the attacker stays on the line while the victim completes it.
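As an added illustration (not part of the BleepingComputer report or of this post), the following Python simulates the device authorization grant with all three parties in one process: a stand-in authorization server whose endpoint names, error codes and response fields follow Microsoft's real ones, the attacker's client, and the victim. The client ID, the victim's account and the token values are placeholders.

```python
"""Offline simulation of the OAuth 2.0 device authorization grant (RFC 8628) as
used by Microsoft Entra, with the attacker as the client. AuthorizationServer
stands in for login.microsoftonline.com/{tenant}/oauth2/v2.0; endpoint names and
response fields follow the real ones, token values are fake."""
import secrets
import string

CLIENT_ID = "<client id of a legitimate public client app>"   # placeholder, not a real app ID
VICTIM = "victim@example.com"                                  # constructed account


class AuthorizationServer:
    """Minimal stand-in for the Entra v2.0 endpoints involved in the flow."""

    def __init__(self, user_code_ttl=900, interval=5):
        self.pending = {}                    # device_code -> pending authorization record
        self.user_code_ttl = user_code_ttl   # Entra's real codes also expire after 900 s
        self.interval = interval             # minimum seconds between token polls

    def devicecode(self, client_id, scope, now):
        """POST /devicecode: gives the CLIENT a device_code (secret) and a user_code."""
        device_code = secrets.token_urlsafe(32)
        alphabet = string.ascii_uppercase + string.digits
        user_code = "".join(secrets.choice(alphabet) for _ in range(9))
        self.pending[device_code] = {
            "client_id": client_id, "scope": scope, "user_code": user_code,
            "expires_at": now + self.user_code_ttl, "authorized_by": None, "last_poll": None,
        }
        return {"device_code": device_code, "user_code": user_code,
                "verification_uri": "https://microsoft.com/devicelogin",
                "expires_in": self.user_code_ttl, "interval": self.interval}

    def devicelogin(self, user_code, user, mfa_passed, now):
        """What happens at microsoft.com/devicelogin: the USER types the code and
        authenticates in their own browser, including MFA, against the real site."""
        for rec in self.pending.values():
            if rec["user_code"] == user_code and now < rec["expires_at"]:
                if not mfa_passed:
                    return {"error": "interaction_required"}
                rec["authorized_by"] = user
                return {"status": "ok"}
        return {"error": "invalid_user_code"}

    def token(self, client_id, device_code, now):
        """POST /token with grant_type=urn:ietf:params:oauth:grant-type:device_code.
        Polled by the CLIENT, which never sees a password or an MFA response."""
        rec = self.pending.get(device_code)
        if rec is None or rec["client_id"] != client_id:
            return {"error": "invalid_grant"}
        if now >= rec["expires_at"]:
            del self.pending[device_code]
            return {"error": "expired_token"}
        if rec["last_poll"] is not None and now - rec["last_poll"] < self.interval:
            return {"error": "slow_down"}
        rec["last_poll"] = now
        if rec["authorized_by"] is None:
            return {"error": "authorization_pending"}
        del self.pending[device_code]            # one-shot: the code is consumed
        return {"token_type": "Bearer", "scope": rec["scope"], "expires_in": 3600,
                "access_token": "fake-access-" + secrets.token_hex(8),
                "refresh_token": "fake-refresh-" + secrets.token_hex(8),
                "sub": rec["authorized_by"]}


def run_vishing_scenario():
    """Drive the three parties through the flow with explicit timestamps (seconds)."""
    srv = AuthorizationServer()
    t0 = 1_700_000_000
    scope = "openid profile offline_access https://graph.microsoft.com/.default"
    # 1. Attacker's client asks Entra for a code pair.
    dc = srv.devicecode(CLIENT_ID, scope, now=t0)
    # 2. Attacker starts polling; nothing has happened yet.
    first_poll = srv.token(CLIENT_ID, dc["device_code"], now=t0 + 5)
    # 3. On the phone, the attacker reads out dc["user_code"]; the victim enters it
    #    at microsoft.com/devicelogin and completes password + MFA normally.
    login = srv.devicelogin(dc["user_code"], VICTIM, mfa_passed=True, now=t0 + 120)
    # 4. The next poll hands the victim's tokens to the attacker.
    tokens = srv.token(CLIENT_ID, dc["device_code"], now=t0 + 125)
    return {"user_code": dc["user_code"], "first_poll": first_poll,
            "login": login, "tokens": tokens}


if __name__ == "__main__":
    result = run_vishing_scenario()
    print("user code read over the phone:", result["user_code"])
    print("first poll:", result["first_poll"])
    print("tokens issued to the attacker for:", result["tokens"]["sub"])
```

The point to notice is that the token endpoint returns the victim's tokens to whichever client holds the device_code, and the only thing linking the victim's authentication to that client is a user code read out over the phone. Against a real tenant the same sequence is three HTTPS requests to login.microsoftonline.com.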
Why It Matters
Once attackers have the tokens, they can access anything the compromised Entra account can reach: Microsoft 365, SharePoint, and SSO-connected applications such as Salesforce, Slack, and Dropbox. A refresh token keeps that access alive until it is revoked. ShinyHunters has already hit at least 15 companies since January 2026, with over 50 million records confirmed leaked across organizations including universities, financial services firms, and consumer platforms.
This technique is particularly dangerous because it sidesteps MFA rather than breaking it: the victim completes the MFA challenge themselves, at the genuine Microsoft page, and the resulting session belongs to the attacker. Because the authentication is real, even phishing-resistant methods such as FIDO2 security keys are satisfied; the control has to be on whether the device code flow is allowed at all, not on the strength of the second factor.
What to Do
- Restrict device code flow. Conditional Access has an authentication flows condition that covers the device code flow; create a policy that targets it for all users and all cloud apps with the Block grant, excluding only break-glass accounts. Start in report-only mode to find legitimate users (typically CLI tools and headless or input-constrained devices) and scope exceptions for them. Most organizations do not need it anywhere else.
- Train staff on vishing. Employees should know that Microsoft and internal IT will never call asking them to enter a code at microsoft.com/devicelogin or any other sign-in page.
- Monitor sign-in logs. Entra sign-in logs record the authentication protocol used; filter for device code sign-ins and check the location, device state and application, especially sign-ins from unexpected countries or from unmanaged devices. Successful device code sign-ins are also the starting point for deciding whose sessions and refresh tokens to revoke.
- Review Conditional Access policies. Require compliant or managed devices for authentication and block sign-ins from unrecognized platforms.
- Audit connected SSO apps. Know which applications are federated to your Entra accounts and what data a token for a compromised account can reach through them.
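The following Python, added here as an illustration and not drawn from the report, shows two of the checks above run against constructed data: it ranks device code sign-ins found in Entra sign-in records (shaped like the Microsoft Graph signIn resource, whose authentication protocol field carries the value deviceCode) and confirms that an enabled Conditional Access policy blocks the flow for all users and all apps. The expected-country set, account names, IP addresses and policy names are assumptions.

```python
"""Two checks for the list above: rank device-code sign-ins found in Entra
sign-in records, and confirm that a Conditional Access policy really blocks the
flow. Field names follow the Microsoft Graph signIn and conditionalAccessPolicy
resources; every record and policy below is constructed sample data."""

EXPECTED_COUNTRIES = {"US"}   # assumption: where this tenant's staff normally sign in from

# Constructed sign-in records in the shape returned by GET /auditLogs/signIns.
SAMPLE_SIGNINS = [
    {"createdDateTime": "2026-02-10T14:02:11Z", "userPrincipalName": "a.lee@example.com",
     "appDisplayName": "Microsoft Office", "ipAddress": "203.0.113.45",
     "authenticationProtocol": "deviceCode", "location": {"countryOrRegion": "NG"},
     "deviceDetail": {"operatingSystem": "Linux", "isCompliant": False, "isManaged": False},
     "status": {"errorCode": 0}},
    {"createdDateTime": "2026-02-10T09:15:40Z", "userPrincipalName": "r.patel@example.com",
     "appDisplayName": "Microsoft Azure CLI", "ipAddress": "198.51.100.7",
     "authenticationProtocol": "deviceCode", "location": {"countryOrRegion": "US"},
     "deviceDetail": {"operatingSystem": "Windows 11", "isCompliant": True, "isManaged": True},
     "status": {"errorCode": 0}},
    {"createdDateTime": "2026-02-10T09:20:02Z", "userPrincipalName": "a.lee@example.com",
     "appDisplayName": "Microsoft Teams", "ipAddress": "198.51.100.9",
     "authenticationProtocol": "oAuth2", "location": {"countryOrRegion": "US"},
     "deviceDetail": {"operatingSystem": "Windows 11", "isCompliant": True, "isManaged": True},
     "status": {"errorCode": 0}},
]

# Constructed policies in the shape returned by GET /identity/conditionalAccess/policies.
SAMPLE_POLICIES = [
    {"displayName": "Device code flow (report-only)", "state": "enabledForReportingButNotEnforced",
     "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": []},
                    "applications": {"includeApplications": ["All"]},
                    "authenticationFlows": {"transferMethods": "deviceCodeFlow"}},
     "grantControls": {"operator": "OR", "builtInControls": ["block"]}},
    {"displayName": "Block device code flow", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": ["<break-glass object id>"]},
                    "applications": {"includeApplications": ["All"]},
                    "authenticationFlows": {"transferMethods": "deviceCodeFlow,authenticationTransfer"}},
     "grantControls": {"operator": "OR", "builtInControls": ["block"]}},
]


def device_code_findings(signins, expected_countries=EXPECTED_COUNTRIES):
    """One finding per successful device-code sign-in, ranked by how many things look wrong.
    Failed attempts are skipped because no token was issued for them."""
    findings = []
    for s in signins:
        if s.get("authenticationProtocol") != "deviceCode":
            continue
        if (s.get("status") or {}).get("errorCode", 0) != 0:
            continue
        reasons = ["device code flow used"]
        country = (s.get("location") or {}).get("countryOrRegion")
        if country not in expected_countries:
            reasons.append(f"sign-in from {country or 'unknown'}")
        dev = s.get("deviceDetail") or {}
        if not (dev.get("isCompliant") or dev.get("isManaged")):
            reasons.append("device neither compliant nor managed")
        findings.append({"user": s["userPrincipalName"], "time": s["createdDateTime"],
                         "ip": s.get("ipAddress"), "app": s.get("appDisplayName"),
                         "reasons": reasons, "score": len(reasons)})
    return sorted(findings, key=lambda f: -f["score"])


def blocking_policy(policies):
    """Return the first enabled policy that blocks deviceCodeFlow for all users and all
    apps, with its user exclusions (which should be break-glass accounts only), or None."""
    for p in policies:
        cond = p.get("conditions") or {}
        flows = cond.get("authenticationFlows") or {}
        methods = {m.strip() for m in (flows.get("transferMethods") or "").split(",")}
        grant = p.get("grantControls") or {}
        if (p.get("state") == "enabled"
                and "block" in (grant.get("builtInControls") or [])
                and "deviceCodeFlow" in methods
                and (cond.get("users") or {}).get("includeUsers") == ["All"]
                and (cond.get("applications") or {}).get("includeApplications") == ["All"]):
            return {"policy": p["displayName"],
                    "excluded_users": cond["users"].get("excludeUsers") or []}
    return None


if __name__ == "__main__":
    for f in device_code_findings(SAMPLE_SIGNINS):
        print(f["score"], f["user"], f["time"], f["app"], "; ".join(f["reasons"]))
    print("blocking policy:", blocking_policy(SAMPLE_POLICIES))
```

Against a real tenant the two lists would come from the Graph endpoints named in the comments; the report-only policy is deliberately not counted, since report-only mode logs what would have been blocked but still lets the sign-in through.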