
Vishing Meets OAuth: How Attackers Abuse Microsoft Entra’s Device Code Flow

Security Arsenal Team
February 19, 2026

The New Hybrid: When Vishing Meets Legitimate Protocols

In the evolving landscape of social engineering, threat actors are constantly refining their tactics to bypass even the most robust multi-factor authentication (MFA) defenses. Recently, security researchers uncovered a sophisticated campaign targeting technology, manufacturing, and financial sectors. This campaign represents a dangerous hybrid: attackers are combining traditional voice phishing (vishing) with a specialized abuse of the OAuth 2.0 Device Authorization Flow to compromise Microsoft Entra ID (formerly Azure AD) accounts.

Unlike standard phishing campaigns that rely on fake login pages to steal credentials, this attack manipulates a legitimate Microsoft feature designed for internet-of-things (IoT) devices and command-line interfaces. By convincing users to perform a "legitimate" action on a trusted Microsoft domain, attackers bypass traditional phishing filters and user skepticism, walking away with valid session tokens.

Analysis: Weaponizing the Device Authorization Flow

To understand the attack, we must first understand the intended functionality of the OAuth 2.0 Device Authorization Grant Flow (RFC 8628). This flow was designed for devices that have limited input capabilities or lack a browser to facilitate user interaction—such as smart TVs, printers, or CLIs.

The Legitimate Flow:

  1. The device initiates an authentication request to the authorization server.
  2. The server responds with a device code and a user verification URI (e.g., microsoft.com/devicelogin).
  3. The user manually visits the URI on a secondary device (like a phone or laptop) and enters the code.
  4. Once authenticated and MFA is completed, the original device receives a token.

The Attack Vector: Threat actors have automated the "device" side of this equation. They use scripts to request device codes from Microsoft Entra ID. Once they receive the code, they initiate a vishing call to the target, posing as IT support.

They instruct the victim to navigate to the legitimate microsoft.com/devicelogin page—bypassing suspicion because the URL is authentic—and enter the attacker-generated code. Once the victim completes their normal MFA prompts (push notification, authenticator code, etc.), the attacker's script receives the authentication token. This grants the attacker full access to the user's session, effectively hijacking the account without ever needing the user's password or handling a malicious file.

Threat Hunting & Detection

Detecting this attack requires monitoring for anomalies in Device Code flow usage, because each authentication event is a genuine, MFA-satisfied sign-in and looks valid on its own. Below are methods to identify potential abuse in your environment.

1. KQL for Microsoft Sentinel/Defender

Use the following KQL query to hunt for spikes in Device Code authentication, or for successful sign-ins via this method from unexpected locations or contexts.

// SigninLogs records the grant used in AuthenticationProtocol; "deviceCode" is the Device Authorization flow
SigninLogs
| where AuthenticationProtocol == "deviceCode"
| where ResultType == "0" // successful sign-ins only; drop this line to include failed attempts
| extend UserPrincipalName = tolower(UserPrincipalName)
| project TimeGenerated, UserPrincipalName, AppDisplayName, DeviceDetail, Location, ConditionalAccessStatus, AuthenticationRequirement
| summarize Count = count() by UserPrincipalName, AppDisplayName, bin(TimeGenerated, 1h)
| where Count > 5 // Threshold for suspicious activity; tune to your baseline
| order by Count desc

2. PowerShell Hunting Script

This script checks for recent sign-ins utilizing the Device Code flow within your environment and flags them for review.

# Requires the Microsoft Graph PowerShell SDK (Microsoft.Graph.Reports module)
Connect-MgGraph -Scopes "AuditLog.Read.All"

# Look back seven days; Graph expects an unquoted ISO 8601 UTC timestamp in the filter
$Since  = (Get-Date).ToUniversalTime().AddDays(-7).ToString('yyyy-MM-ddTHH:mm:ssZ')
$Filter = "createdDateTime gt $Since"

# The sign-in resource exposes the grant used as AuthenticationProtocol ('deviceCode' for the
# Device Authorization flow); AuthenticationDetails is an array of step records, not a string
$SignIns = Get-MgAuditLogSignIn -Filter $Filter -All |
    Where-Object { $_.AuthenticationProtocol -eq 'deviceCode' }

if ($SignIns) {
    Write-Host "[!] Potential Device Code Attacks Detected:" -ForegroundColor Red
    $SignIns |
        Select-Object CreatedDateTime, UserPrincipalName, AppDisplayName, AppId, IPAddress,
            @{N = 'Location'; E = { "$($_.Location.City), $($_.Location.CountryOrRegion)" } } |
        Format-Table -AutoSize
} else {
    Write-Host "[-] No Device Code sign-ins detected in the last 7 days." -ForegroundColor Green
}

3. Python Fingerprinting

This Python script parses exported sign-in logs (JSON format) and flags entries whose authentication protocol is the Device Code grant.

import json


def detect_device_code_attack(log_file_path):
    """Scan an exported Entra sign-in log (JSON) and print Device Code sign-ins."""
    try:
        with open(log_file_path, 'r', encoding='utf-8') as file:
            logs = json.load(file)
        # Graph exports wrap the entries in {"value": [...]}; portal exports are a bare list
        if isinstance(logs, dict):
            logs = logs.get('value', [])

        print(f"[*] Analyzing {len(logs)} log entries...")

        for entry in logs:
            # Entra records the grant in authenticationProtocol ("deviceCode");
            # other export formats may carry it under a different key, so fall back to those
            raw = (entry.get('authenticationProtocol')
                   or entry.get('authenticationMethod')
                   or entry.get('authenticationDetails', ''))
            auth_method = str(raw).lower()

            if 'devicecode' in auth_method:
                user = entry.get('userPrincipalName', 'Unknown User')
                ip = entry.get('ipAddress', 'Unknown IP')
                print(f"[!] ALERT: Device Code usage detected by User: {user} from IP: {ip}")

    except (OSError, json.JSONDecodeError) as e:
        print(f"[-] Error processing file: {e}")

# Usage: detect_device_code_attack('signin_logs.json')
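As an added example (not code from the original post), the following Python applies the hunting logic of the KQL query in section 1 to the kind of exported JSON section 3 parses: it filters on the authenticationProtocol fingerprint, buckets Device Code sign-ins per user and app per hour against the same threshold, and separately flags any client outside an assumed allowlist of apps with a known business need. The sample entries and the allowlist are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample in the shape of an Entra sign-in export (Graph signIn camelCase keys);
# not real telemetry. alice's Device Code sign-in uses an expected app, bob's six do not.
SAMPLE_LOGS = [
    {"createdDateTime": "2026-02-18T09:05:00Z", "userPrincipalName": "alice@example.com",
     "appDisplayName": "Microsoft Office", "authenticationProtocol": "oAuth2", "ipAddress": "198.51.100.10"},
    {"createdDateTime": "2026-02-18T09:12:00Z", "userPrincipalName": "Alice@example.com",
     "appDisplayName": "Microsoft Azure CLI", "authenticationProtocol": "deviceCode", "ipAddress": "198.51.100.10"},
] + [
    {"createdDateTime": f"2026-02-18T14:{m:02d}:00Z", "userPrincipalName": "bob@example.com",
     "appDisplayName": "Example Client", "authenticationProtocol": "deviceCode", "ipAddress": "203.0.113.7"}
    for m in (3, 9, 17, 24, 31, 40)
]

HOURLY_THRESHOLD = 5                                  # same "Count > 5" cut-off as the KQL query
EXPECTED_DEVICE_CODE_APPS = {"Microsoft Azure CLI"}   # assumed allowlist of apps with a business need


def hour_bucket(timestamp):
    """Truncate an ISO 8601 timestamp to its UTC hour, like bin(TimeGenerated, 1h)."""
    ts = datetime.fromisoformat(timestamp.replace("Z", "+00:00")).astimezone(timezone.utc)
    return ts.strftime("%Y-%m-%dT%H:00Z")


def device_code_signins(logs):
    """Keep only entries whose grant was the Device Authorization flow."""
    return [e for e in logs if str(e.get("authenticationProtocol", "")).lower() == "devicecode"]


def hunt(logs, threshold=HOURLY_THRESHOLD, expected_apps=EXPECTED_DEVICE_CODE_APPS):
    """Return findings: one per Device Code sign-in to an unexpected app, plus hourly spikes."""
    findings, counts = [], defaultdict(int)
    for e in device_code_signins(logs):
        user = e.get("userPrincipalName", "unknown").lower()   # normalise like tolower() in KQL
        app = e.get("appDisplayName", "unknown")
        counts[(user, app, hour_bucket(e["createdDateTime"]))] += 1
        if app not in expected_apps:
            findings.append({"type": "unexpected_app", "user": user, "app": app, "ip": e.get("ipAddress")})
    for (user, app, hour), n in counts.items():
        if n > threshold:
            findings.append({"type": "hourly_spike", "user": user, "app": app, "hour": hour, "count": n})
    return findings


if __name__ == "__main__":
    for finding in hunt(SAMPLE_LOGS):
        print("[!]", finding)
```

Feed `hunt()` the list produced by `json.load()` on a real export (unwrap the `value` key for Graph output) and tune the threshold and allowlist to your own baseline.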

Mitigation Strategies

While the authentication event is technically legitimate, organizations can enforce policies to render this attack vector ineffective:

  1. Conditional Access Policies: The most effective mitigation is a Conditional Access policy that blocks the Device Code flow. Create a policy targeting "All users" and "All apps", set the Authentication flows condition to "Device code flow", and configure the access control to Block. Note: Verify whether your environment has a legitimate business need for this flow (for example, CLI tooling or headless devices) before blocking it entirely, and scope any exceptions to the specific users or apps that require it.
  2. Phishing-Resistant MFA: Deploying FIDO2 security keys or Windows Hello for Business adds a layer of physical possession that makes remote interception significantly harder, though this specific attack bypasses MFA if the user approves it.
  3. User Awareness Campaigns: Educate employees that IT support will never ask them to enter a code on microsoft.com/devicelogin unsolicited. This URL is a specific red flag for this attack vector.

Security Arsenal Plug

As attackers blend social engineering with protocol abuse, static defenses are no longer sufficient. At Security Arsenal, we specialize in simulating these advanced attack vectors to test your organization's resilience. Our Red Teaming operations can replicate vishing and device code attacks to identify gaps in your human and technical defenses.

Additionally, our Managed Security services can monitor your Entra ID logs for the subtle anomalies associated with these OAuth abuses, ensuring you stay ahead of the curve. For a comprehensive review of your identity security posture, consider scheduling a Vulnerability Audit today.
