Manufacturing, technology, and financial entities are having their Microsoft Entra accounts targeted in intrusions that combine device code phishing with voice-based phishing and exploit the OAuth 2.0 Device Authorization flow, according to BleepingComputer.

Threat actors believed to be the ShinyHunters hacking operation have used legitimate Microsoft OAuth client IDs and the device authorization flow to obtain valid authentication tokens for Microsoft Entra accounts, which could then be leveraged to infiltrate connected single sign-on apps, including Microsoft 365, Dropbox, Google Workspace, Salesforce, and Atlassian, sources close to the matter said.

The development comes after KnowBe4 Threat Labs researchers reported that Microsoft 365 users had been targeted with device code intrusions involving phishing emails and websites as part of a December attack campaign. Attackers had used multiple social engineering lures, including fake voicemail notifications and payment configuration prompts, said researchers, who urged suspicious OAuth app consent revocation, malicious domain blocking, and Azure AD sign-in log reviews to avert potential compromise.
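
One way to carry out the sign-in log review the researchers recommend, as an added example that is not from BleepingComputer, KnowBe4, or Microsoft: it flags successful device-code sign-ins for user and app pairs that never used that flow before a cutoff date. It assumes an export shaped like the Microsoft Graph signIn resource (including its `authenticationProtocol` field); the records, app IDs, addresses, and function names are constructed for illustration.

```python
import json
from datetime import datetime, timezone

# Constructed sample sign-in records (not real data). Field names are assumed
# to match the Microsoft Graph signIn resource; app IDs are placeholders.
SAMPLE = json.loads("""[
 {"createdDateTime":"2025-01-05T08:00:00Z","userPrincipalName":"kiosk@example.com",
  "appId":"APP-ID-A","ipAddress":"198.51.100.7","authenticationProtocol":"deviceCode","status":{"errorCode":0}},
 {"createdDateTime":"2025-02-03T08:05:00Z","userPrincipalName":"kiosk@example.com",
  "appId":"APP-ID-A","ipAddress":"198.51.100.7","authenticationProtocol":"deviceCode","status":{"errorCode":0}},
 {"createdDateTime":"2025-02-03T09:00:00Z","userPrincipalName":"alice@example.com",
  "appId":"APP-ID-C","ipAddress":"198.51.100.20","authenticationProtocol":"oAuth2","status":{"errorCode":0}},
 {"createdDateTime":"2025-02-04T14:30:00Z","userPrincipalName":"Alice@example.com",
  "appId":"APP-ID-B","ipAddress":"203.0.113.50","authenticationProtocol":"deviceCode","status":{"errorCode":0}},
 {"createdDateTime":"2025-02-04T15:00:00Z","userPrincipalName":"bob@example.com",
  "appId":"APP-ID-B","ipAddress":"203.0.113.51","authenticationProtocol":"deviceCode","status":{"errorCode":1}}
]""")

# Assumed review boundary: earlier records form the baseline of expected use.
CUTOFF = datetime(2025, 2, 1, tzinfo=timezone.utc)

def _ts(rec):
    # Timestamps end in "Z"; normalise so fromisoformat accepts them everywhere.
    return datetime.fromisoformat(rec["createdDateTime"].replace("Z", "+00:00"))

def _pair(rec):
    return (rec["userPrincipalName"].lower(), rec["appId"])

def is_device_code_success(rec):
    # errorCode 0 marks a successful sign-in, meaning tokens were issued.
    proto = (rec.get("authenticationProtocol") or "").lower()
    return proto == "devicecode" and rec.get("status", {}).get("errorCode") == 0

def new_device_code_signins(records, cutoff):
    """Successful device-code sign-ins at or after cutoff whose (user, app)
    pair has no successful device-code sign-in before cutoff."""
    hits = sorted((r for r in records if is_device_code_success(r)), key=_ts)
    baseline = {_pair(r) for r in hits if _ts(r) < cutoff}
    return [{"time": r["createdDateTime"], "user": _pair(r)[0],
             "appId": r["appId"], "ip": r.get("ipAddress")}
            for r in hits if _ts(r) >= cutoff and _pair(r) not in baseline]

if __name__ == "__main__":
    for finding in new_device_code_signins(SAMPLE, CUTOFF):
        print(finding)
```

Each finding is a lead for follow-up, such as confirming with the user and revoking sessions and app consent, rather than proof of compromise.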





