Microsoft 365 users targeted in device code phishing attacks

Attackers are targeting Microsoft 365 users with device code authorization phishing, a technique that fools users into approving access tokens, Proofpoint warns.

The method abuses Microsoft’s OAuth 2.0 device authorization grant flow by presenting users with device codes that, when entered, inadvertently grant attackers control of enterprise accounts.

This trend reflects a broader shift away from basic password theft toward abusing modern authentication flows to bypass multi-factor authentication protection.

The campaigns and the tools used by the attackers

The campaigns, perpetrated by both state-aligned and financially motivated threat actors, usually start with an email sent from either an attacker-controlled or a compromised email address.

The lure can be anything that pushes targets to click on a link or scan a QR code.

In two of the campaigns Proofpoint has spotted, the attackers chose to pique the recipient's interest with salary-themed notifications. In another campaign, the initial lure was a benign "conversation starter" email sent from a compromised Zambian government email address to an individual working for a US university.

In all cases, users are instructed to request a "one-time passcode" (in reality a device code generated by the attackers' client) or to copy one that has already been provided to them, enter it at the legitimate Microsoft device authorization page (https://microsoft.com/devicelogin), and sign in to their M365 account.

[Figure] The instructions, shown on an attacker-controlled website whose domain carries the targeted company's branding. (Source: Proofpoint)

Unfortunately, users who are not familiar with this authentication flow may not realize that, by entering the code and signing in, they have allowed the attackers to access and take control of their M365 account: the code they approved belongs to the attackers' client, so the tokens Microsoft issues for it are delivered to the attackers.
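To make the mechanics above concrete, here is an added offline simulation of the OAuth 2.0 device authorization grant (RFC 8628). It is example code written for this page, not Proofpoint's or Microsoft's: the authorization server is an in-memory toy, and the client id, victim account, token strings and 15-minute code lifetime are constructed assumptions. The point it shows is that the user code is not bound to the person who types it in, so the victim's sign-in completes the attacker's pending request, and that the code expires, which is the limitation tools such as Squarephish work around by generating codes on demand.

```python
"""Offline simulation of the OAuth 2.0 device authorization grant (RFC 8628),
showing why a phished user code hands the resulting token to the attacker.
Constructed example: an in-memory toy authorization server, not Microsoft's
endpoints; the client id, user and token values are made up."""
import secrets
import string
import time

USER_CODE_ALPHABET = string.ascii_uppercase + string.digits
CODE_LIFETIME_S = 15 * 60   # assumption: device codes expire after 15 minutes
ATTACKER_CLIENT_ID = "attacker-registered-app"   # placeholder, not a real app id


class DeviceAuthServer:
    """Toy authorization server that keeps device-code state in memory."""

    def __init__(self, now=time.time):
        self.now = now           # injectable clock so expiry can be exercised
        self._pending = {}       # device_code -> authorization record
        self._by_user_code = {}  # user_code -> device_code

    def device_authorization(self, client_id, scope):
        """Step 1, attacker's client: POST /devicecode returns a device_code
        (kept by the client) and a short user_code (shown to the victim)."""
        device_code = secrets.token_urlsafe(32)
        user_code = "".join(secrets.choice(USER_CODE_ALPHABET) for _ in range(9))
        self._pending[device_code] = {
            "client_id": client_id,
            "scope": scope,
            "expires_at": self.now() + CODE_LIFETIME_S,
            "approved_by": None,
        }
        self._by_user_code[user_code] = device_code
        return {
            "device_code": device_code,
            "user_code": user_code,
            "verification_uri": "https://microsoft.com/devicelogin",
            "expires_in": CODE_LIFETIME_S,
            "interval": 5,
        }

    def verify_user_code(self, user_code, signed_in_user):
        """Step 2, victim's browser: the user types the code on the genuine
        verification page and signs in. Nothing here identifies who requested
        the code, so the approval attaches to whatever client is polling."""
        device_code = self._by_user_code.get(user_code)
        rec = self._pending.get(device_code)
        if rec is None or self.now() > rec["expires_at"]:
            return False
        rec["approved_by"] = signed_in_user
        return True

    def token(self, client_id, device_code):
        """Step 3, attacker's client polls POST /token with the device_code."""
        rec = self._pending.get(device_code)
        if rec is None or rec["client_id"] != client_id:
            return {"error": "invalid_grant"}
        if self.now() > rec["expires_at"]:
            del self._pending[device_code]
            return {"error": "expired_token"}
        if rec["approved_by"] is None:
            return {"error": "authorization_pending"}
        del self._pending[device_code]
        return {
            "access_token": "constructed." + secrets.token_hex(8),
            "token_type": "Bearer",
            "scope": rec["scope"],
            "subject": rec["approved_by"],   # the victim, not the attacker
        }


def run_phish(server, victim_upn, client_id=ATTACKER_CLIENT_ID):
    """Walk the attack end to end and return the two poll results: before the
    victim acts (pending) and after (tokens for the victim's account)."""
    dc = server.device_authorization(client_id, "openid offline_access Mail.Read")
    before = server.token(client_id, dc["device_code"])
    # The lure delivers dc["user_code"] to the victim as a "one-time passcode".
    server.verify_user_code(dc["user_code"], victim_upn)
    after = server.token(client_id, dc["device_code"])
    return before, after


if __name__ == "__main__":
    before, after = run_phish(DeviceAuthServer(), "victim@example.com")
    print(before)   # {'error': 'authorization_pending'}
    print(after["subject"], after["scope"])
```

Nothing in the real flow forces the victim to prove they are the party that requested the code, which is why the only reliable defenses are on the tenant side (blocking or scoping the flow) rather than on the sign-in page.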

“While this is not necessarily a novel technique, it is notable to see it used increasingly by multiple threat clusters,” the threat researchers pointed out.

Attackers are using red team tools such as Squarephish and SquarephishV2 to work around the short lifetime of device codes, which expire within minutes of being issued, enabling larger campaigns than were previously possible.

They are also using Graphish, a phishing kit shared for free on hacking forums, which lets them create convincing phishing pages by leveraging Azure App Registrations and reverse proxy setups for adversary-in-the-middle (AiTM) attacks, hosted on attacker-controlled infrastructure.

“The attack requires the actor to own a domain name and register an SSL certificate, to enhance the credibility of the phishing site. By registering an application in Azure and extracting the client ID, the attacker can initiate OAuth-based phishing attempts that prompt users to grant access to their Microsoft accounts,” the researchers explained.

“For targeting enterprise environments, the tool includes guidance on bypassing organizational restrictions by verifying the malicious app with Azure, which increases its success rate against accounts. Similar to Squarephish, the tool is designed to be user-friendly and does not require advanced technical expertise, lowering the barrier for entry and enabling even low-skilled threat actors to conduct sophisticated phishing campaigns.”

Protection against device code phishing attacks

Employees should be taught to recognize this type of attack, but companies can also put other defenses in place.

“The strongest mitigation is to create a Conditional Access policy using the Authentication Flows condition to block device code flow for all users. Conditional Access policies can first be deployed in a report-only mode, or the ‘Policy impact’ viewed over historic sign-in log records, to determine the impact for an environment,” Proofpoint advises.

“If blocking device code flow completely is not feasible, Conditional Access can be used to create an allow-list approach based on accepted use cases. For example, only enabling device code authentication for approved users, operating systems, or IP ranges such as using ‘Named locations’.”

Also, if the organization uses device registration or Intune, it can set up Conditional Access policies requiring that Microsoft 365 sign-ins originate from a compliant or registered device.
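The following added example works through the Proofpoint recommendations above in code; it is not Proofpoint's or Microsoft's own tooling. It drafts a Conditional Access policy body in the Microsoft Graph conditionalAccessPolicy schema (Authentication Flows condition set to device code flow, grant control "block", deployed in report-only state first), with the allow-list variant expressed as excluded groups and named locations, and then replays constructed sign-in records shaped like Graph signIn objects through that policy to see which historic sign-ins it would have blocked. The group and named-location identifiers, the CIDR range and the sign-in records are all constructed for the demonstration; in a real tenant the policy body would be submitted to Graph (for instance with New-MgIdentityConditionalAccessPolicy) and the sign-ins pulled from the sign-in logs.

```python
"""Draft a Conditional Access policy that blocks device code flow and measure
its impact against historic sign-ins before enforcing it.
Added example: the policy body follows the Microsoft Graph
conditionalAccessPolicy schema; the sign-in records, group and named
location data below are constructed for the demonstration."""
import ipaddress

REPORT_ONLY = "enabledForReportingButNotEnforced"   # Graph policy state value


def build_policy(name, exclude_groups=(), exclude_locations=(), state=REPORT_ONLY):
    """Graph conditionalAccessPolicy body: all users, all apps, device code
    flow only, block. Deploy as report-only first, then set state='enabled'."""
    return {
        "displayName": name,
        "state": state,
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeGroups": list(exclude_groups)},
            "applications": {"includeApplications": ["All"]},
            "clientAppTypes": ["all"],
            # The Authentication Flows condition from the Proofpoint advice.
            "authenticationFlows": {"transferMethods": "deviceCodeFlow"},
            "locations": {"includeLocations": ["All"],
                          "excludeLocations": list(exclude_locations)},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }


def policy_impact(policy, sign_ins, group_members, location_ranges):
    """Replay historic sign-ins (Graph signIn objects) through the policy and
    return those it would have blocked. Only sign-ins whose
    authenticationProtocol is 'deviceCode' are in scope; excluded groups and
    named locations (by CIDR) are the allow-list carve-outs."""
    cond = policy["conditions"]
    allow_users = {u.lower() for g in cond["users"]["excludeGroups"]
                   for u in group_members.get(g, ())}
    allow_nets = [ipaddress.ip_network(c) for loc in cond["locations"]["excludeLocations"]
                  for c in location_ranges.get(loc, ())]
    blocked = []
    for s in sign_ins:
        if s.get("authenticationProtocol") != "deviceCode":
            continue
        if s["userPrincipalName"].lower() in allow_users:
            continue
        ip = ipaddress.ip_address(s["ipAddress"])
        if any(ip in net for net in allow_nets):
            continue
        blocked.append(s)
    return blocked


# Constructed identifiers for the allow-list (not real Entra object IDs).
KIOSK_GROUP = "group-devicecode-approved"
CORP_LOCATION = "namedloc-corp-egress"
GROUP_MEMBERS = {KIOSK_GROUP: ["svc-kiosk@example.com"]}
LOCATION_RANGES = {CORP_LOCATION: ["198.51.100.0/24"]}

POLICY = build_policy("Block device code flow",
                      exclude_groups=[KIOSK_GROUP],
                      exclude_locations=[CORP_LOCATION])

# Constructed sign-in records in the shape of Graph signIn resources.
SIGN_INS = [
    {"id": "si-1", "userPrincipalName": "alice@example.com",
     "ipAddress": "203.0.113.7", "authenticationProtocol": "deviceCode"},
    {"id": "si-2", "userPrincipalName": "bob@example.com",
     "ipAddress": "198.51.100.20", "authenticationProtocol": "deviceCode"},
    {"id": "si-3", "userPrincipalName": "svc-kiosk@example.com",
     "ipAddress": "203.0.113.9", "authenticationProtocol": "deviceCode"},
    {"id": "si-4", "userPrincipalName": "alice@example.com",
     "ipAddress": "203.0.113.7", "authenticationProtocol": "none"},
]


if __name__ == "__main__":
    for s in policy_impact(POLICY, SIGN_INS, GROUP_MEMBERS, LOCATION_RANGES):
        print("would block:", s["id"], s["userPrincipalName"], s["ipAddress"])
```

Run against real sign-in logs, the list returned by policy_impact is the set of accounts and sources you need to talk to before switching the policy state from report-only to enabled; if it is empty, there is no reason to keep device code flow enabled at all. The compliant-device approach mentioned above is a separate policy whose grant control is compliantDevice or domainJoinedDevice rather than block.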

“Proofpoint assesses that the abuse of OAuth authentication flows will continue to grow with the adoption of FIDO compliant MFA controls,” the researchers concluded.
