Hackers target Microsoft Entra accounts in device code vishing attacks

Microsoft Entra Accounts Getting Fucked By Device Code Vishing: Film At 11

Great. Just absolutely fucking great. Another day, another brilliant “feature” that’s been weaponised by the absolute fucknuggets of the internet. This time, the target is Microsoft Entra accounts—which, for those of you living under a rock, is what Azure AD rebranded itself as when it had a midlife crisis—and the weapon is something called device code flow. Sounds like something you’d get prescribed for constipation, but it’s actually a legitimate OAuth mechanism that Microsoft built for logging in devices that don’t have keyboards. You know, like smart TVs, IoT toasters, and apparently, the brains of your average end-user.

Here’s how these shitgibbons are ruining your week: they send an email or—my personal favourite—an actual phone call. Yes, vishing, because apparently emails were too fucking impersonal. They spin some cock-and-bull story about suspicious sign-in activity or a pending document that urgently needs your attention. Then they tell your dear, sweet, catastrophically stupid user to toddle over to microsoft.com/devicelogin—which is a REAL Microsoft domain, because why would we want to make this easy to block—and punch in a nice, simple, six-digit code. That’s it. That’s the whole fucking attack.

The moment that code gets entered, it’s like the user has personally gift-wrapped their entire digital life and handed it to a Russian cybercriminal with a thank-you note. The attacker gets access tokens, refresh tokens, and probably a complimentary mint. They bypass MFA, sail past conditional access policies, and shit all over that shiny Zero Trust architecture your CISO sold a kidney to afford. All because some mouthbreather in Sales couldn’t tell a scam from a legitimate call, despite the twelve fucking security awareness trainings we made them sit through.

The cherry on this shit sundae? Microsoft has declared this isn’t a vulnerability. No, no, no. It’s “social engineering.” Well, fuck me sideways with a Surface Pro, that’s a relief. It’s not a bug, it’s just that your entire authentication architecture can be defeated by a phone call and a six-digit number. Brilliant. Absolutely brilliant. That’s like saying a bank vault isn’t insecure, it’s just that someone convinced the manager to leave the door open and put out a welcome mat.

The mitigation? Oh, you’ll love this. You can either disable device code flow entirely—which will work perfectly until someone important can’t log into their smart fridge app and you get dragged into a war room chaired by someone who thinks “OAuth” is a fancy wine—or you can enable conditional access policies to block it based on location, device compliance, or the alignment of fucking Jupiter’s moons. You can also monitor sign-in logs, because you definitely have nothing better to do with your time than sift through millions of log entries looking for suspicious device code flows. And of course, user training. Because if there’s one thing that’s proven to fix everything, it’s telling users not to be stupid. That always works. Just like telling developers not to push to production on a Friday.
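Two of those mitigations are worth checking with code rather than by squinting at a portal: whether a Conditional Access policy actually blocks the device code flow (as opposed to sitting in report-only mode), and pulling device code sign-ins out of the sign-in log instead of sifting by hand. The script below is an added example and not part of this post or of any Microsoft tooling. It uses the Microsoft Graph field names (`authenticationProtocol` with the value `deviceCode` on sign-in records, and the `authenticationFlows.transferMethods` condition with `deviceCodeFlow` on Conditional Access policies); the policy objects and sign-in records are constructed sample data, and the "device code sign-in from a country the user never otherwise signs in from" rule is an assumed heuristic, not Microsoft's own detection.

```python
"""Added example: defender-side checks for the Entra device code flow.

  1. policy_blocks_device_code(): does a Conditional Access policy (Microsoft
     Graph conditionalAccessPolicy shape) really enforce a block on device code
     flow?  Report-only policies look right in the portal but enforce nothing.
  2. find_device_code_signins(): scan an exported batch of sign-in records
     (Graph signIn shape) for successful device code authentications and flag
     those coming from a country the user has no other successful sign-in from.

Sample policies and sign-in records are constructed, not real tenant data.
The "new country" rule is a heuristic assumed for this example.
"""
import json
from collections import defaultdict

# Constructed Conditional Access policy objects (abbreviated Graph shape).
BLOCKING_POLICY = {
    "displayName": "Block device code flow",
    "state": "enabled",
    "conditions": {
        "users": {"includeUsers": ["All"]},
        "applications": {"includeApplications": ["All"]},
        "authenticationFlows": {"transferMethods": "deviceCodeFlow"},
    },
    "grantControls": {"operator": "OR", "builtInControls": ["block"]},
}
# Same policy left in report-only mode: a common mistake that enforces nothing.
REPORT_ONLY_POLICY = dict(BLOCKING_POLICY, state="enabledForReportingButNotEnforced")


def policy_blocks_device_code(policy):
    """True only if the policy is enforced, targets device code flow and blocks."""
    if policy.get("state") != "enabled":
        return False  # disabled or report-only policies do not block anything
    methods = (policy.get("conditions", {})
                     .get("authenticationFlows", {})
                     .get("transferMethods", ""))
    if isinstance(methods, str):  # Graph returns a comma-separated string
        methods = [m.strip() for m in methods.split(",") if m.strip()]
    if "deviceCodeFlow" not in methods:
        return False
    return "block" in policy.get("grantControls", {}).get("builtInControls", [])


# Constructed sign-in export: a JSON array of abbreviated Graph signIn records.
SAMPLE_SIGNINS = json.dumps([
    {"id": "s1", "userPrincipalName": "alice@example.com", "authenticationProtocol": "oAuth2",
     "ipAddress": "203.0.113.10", "location": {"countryOrRegion": "GB"}, "status": {"errorCode": 0}},
    {"id": "s2", "userPrincipalName": "bob@example.com", "authenticationProtocol": "deviceCode",
     "ipAddress": "198.51.100.7", "location": {"countryOrRegion": "NL"}, "status": {"errorCode": 0}},
    {"id": "s3", "userPrincipalName": "bob@example.com", "authenticationProtocol": "deviceCode",
     "ipAddress": "198.51.100.7", "location": {"countryOrRegion": "NL"}, "status": {"errorCode": 50126}},
    {"id": "s4", "userPrincipalName": "carol@example.com", "authenticationProtocol": "oAuth2",
     "ipAddress": "203.0.113.22", "location": {"countryOrRegion": "GB"}, "status": {"errorCode": 0}},
    {"id": "s5", "userPrincipalName": "carol@example.com", "authenticationProtocol": "deviceCode",
     "ipAddress": "203.0.113.22", "location": {"countryOrRegion": "GB"}, "status": {"errorCode": 0}},
])


def find_device_code_signins(raw_json):
    """Return successful device code sign-ins as dicts with a 'new_country' flag.

    new_country is True when the user has no other successful, non-device-code
    sign-in from the same country anywhere in the export (assumed heuristic).
    """
    records = json.loads(raw_json)
    baseline = defaultdict(set)  # user -> countries seen via other protocols
    for r in records:
        if r["status"]["errorCode"] == 0 and r["authenticationProtocol"] != "deviceCode":
            baseline[r["userPrincipalName"]].add(r["location"]["countryOrRegion"])
    hits = []
    for r in records:
        if r["authenticationProtocol"] != "deviceCode" or r["status"]["errorCode"] != 0:
            continue  # failed device code attempts are noise for this rule
        country = r["location"]["countryOrRegion"]
        hits.append({
            "id": r["id"],
            "user": r["userPrincipalName"],
            "ip": r["ipAddress"],
            "country": country,
            "new_country": country not in baseline[r["userPrincipalName"]],
        })
    return hits


if __name__ == "__main__":
    print("blocking policy enforced:", policy_blocks_device_code(BLOCKING_POLICY))
    print("report-only policy enforced:", policy_blocks_device_code(REPORT_ONLY_POLICY))
    for hit in find_device_code_signins(SAMPLE_SIGNINS):
        print(hit)
```

Point `find_device_code_signins` at a real export (for example the JSON returned by the Graph sign-in log endpoint) and it will list every successful device code sign-in with the ones from unfamiliar countries flagged for a human to look at; the policy check is the thing to run before you tell the war room that device code flow is "blocked".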

So anyway, I had a user call me yesterday, absolutely frantic because they’d “won a Microsoft security award” and needed to verify their account. I told them to go to the site and