The problem: device-code vishing is back — but your response can’t be “panic disable everything”
Over the last few weeks, multiple reports have highlighted a rise in OAuth device code phishing/vishing targeting Microsoft Entra ID accounts, where users complete a “legit” login on Microsoft pages and attackers walk away with tokens (often making MFA feel irrelevant in the moment). (bleepingcomputer.com)
The operational pain: the right response usually spans identity + ITSM + comms + approvals, and it’s easy for teams to either:
- Overreact (tenant-wide lockouts, broken frontline workflows)
- Underreact (no deterministic containment, no proof of what was done)
This is a great fit for Autom Mate as an orchestration layer: deterministic execution, approvals, auditability, and exception handling acr is designed for governed, auditable automation with strong error handling and monitoring.
Proposed pattern (Category 13): “Containment hyperflow” for device-code vishing
This topic is about implementation patterns for a governed response, not just identity theory.
End-to-end workflow (trigger → validation → approvals → deterministic execution → logging → exception handling/rollback)
1) Trigger
- Trigger A (event-based): Security tool / SIEM / ITDR posts a webhook when it detects suspicious **device code - Uses: REST/HTTP/Webhook trigger (documented event-based triggers).
- Trigger B (human-reported): Service desk agent flags “possible vishing” in ITSM →.
- Uses: ITSM webhook + Autom Mate trigger.
2) Validation (make it hard for AI to overreach)
- Enrich the alert with:
- user identity, sign-in context, IP/geo, device, app/client_id (from your log source)
- ticket context (who reported, what was said, call-back verification status)
- Apply deterministic rules:
- “High confidence” if device-code sign-in + new geo + impossible travel + user confirms they were called
- “Medium confidence” if only one signal
3) Approvals (human-in-the-loop)
- Create an approval step for SecOps on-call (and optionally Identity team) before any disruptive action.
- Approval payload includes:
- evidence summary
- proposed actions (scoped)
- blast-radius estimate
(Autom Mate is built around governed execution with audit logs and acce exactly what you want here.)
4) Deterministic execution (two-phase containment)
Phase 1: “Stop the bleeding” (fast, reversible)
- Disable the user session / revoke tokens (where your identity platform supports it)
- Block device code flow for the user/group temporarily (if your policy model supports scoped controls)
- Force password reset only if your investigation indicates credential exposure (don’t assume)
Phase 2: “Clean up persistence” (slower, higher confidence)
- Enumerate newly-consented apps / risky OAuth grants and revoke as needed
- Check for newly-registered MFA methods / devices and remove suspicious ones
- Open/Update an ITSM incident with a checklist and evidence
Integrations note:
- Use Autom Mate libraries where available (e.g., ITSM + comms integrations are explicitly part otioning).
- For identity actions not covered by a library, use REST/HTTP actions against Microsoft Graph / Entra endpoints (only where your team has documented API permissions and runbooks).
5) Logging & auditability
- Write a structured “flight recorder” log per run:
- trigger payload hash
- validation decision + rule hits
- approver identity + timestamp
- every action executed + API response
- Store run artifacts and link them back into the ITSM ticket.
Autom Mate supports monitoring/log visibility and audit logs as core platform capa Exception handling + rollback
- If any step fails (API throttling, permission error, partial revocation):
- automatically branch into an error-handling path
- notify SecOps in Teams/Slack
- create a “manual intervention required” task in ITSM
- rollback reversible steps (e.g., re-enable a temporarily blocked policy) when safe
Autom Mate has explicit error handling/exception management patterns (log, alert, retry).
Two Mini example 1: “User reported a vishing call”
- Trigger: ITSM ticket tagged
vishing-device-code - Validation: user confirms they read a device code to caller
- Approval: SecOps approves Phase 1 only
- Execution: revoke sessions + open incident + push user instructions via Teams
- Outcome: contained without tenant-wide policy changes
Mini example 2: “SIEM sees device-code sign-in from new geo”
- Trigger: SIEM webhook with sign-in anomaly
- Validation: impossible travel + unfamiliar device
- Approval: Identity team approves Phase 1 + Phase 2
- Execution: revoke tokens + review/revoke suspicious OAuth grants + document actions in ITSM
- Outcome: deterministic containment + auditable evidence trail
Why this belongs in Platform (13)
This isn’t a single “use case template” as much as a repeatable orchestration pattern:
- two-phase actions (reversible → irreversible)
- approvals that prevent AI/automation overreach
- evidence-first logging for post-incident proof
Discussion questions
- Do you run device-code containment as a single hyperflow, or split it into “contain” and “eradicate” flows with separate approvals?
- What’s your minimum evidence threshold before you revoke grants / disable flows org-wide?