Full Report
The OAuth 2.0 Device Authorization Grant specification was designed to streamline authentication for Smart TVs, IoT devices, and printers. Today, threat actors are weaponizing it.
Analysis Summary
# Tool/Technique: OAuth 2.0 Device Authorization Grant Phishing (Device Code Phishing)
## Overview
This attack technique weaponizes the OAuth 2.0 Device Authorization Grant flow (RFC 8628), originally designed for devices with limited input capabilities (like Smart TVs or IoT devices). In this scheme, threat actors trick users into entering a malicious "Device Code" on a legitimate Microsoft authentication page. This allows the attacker to bypass Multi-Factor Authentication (MFA) and obtain an access token to the victim's cloud environment without ever possessing the user's password.
## Technical Details
- **Type:** Technique / Social Engineering
- **Platform:** Cloud Services (specifically Azure AD/Microsoft Entra ID, Google, GitHub)
- **Capabilities:** MFA Bypass, Token Theft, Session Hijacking
- **First Seen:** Usage increased significantly around 2021-2022; documented as a rising trend in recent threat reports.
## MITRE ATT&CK Mapping
- **[TA0001 - Initial Access]**
- [T1566.002 - Phishing: Spearphishing Link]
- **[TA0006 - Credential Access]**
- [T1528 - Steal Application Access Token]
- **[TA0005 - Defense Evasion]**
- [T1550.004 - Use Alternate Authentication Material: Web Session Cookie]
## Functionality
### Core Capabilities
- **Legitimate Infrastructure:** The attack utilizes the official Microsoft login site (`microsoft[.]com/devicelogin`), making it difficult for users to identify as a scam.
- **MFA Bypass:** Because the victim performs the authentication on their own trusted device, any MFA requirements are satisfied by the victim, after which the access token is issued to the attacker’s "remote device."
- **Passwordless Entry:** The attacker does not need to know or harvest the victim's password to gain entry to the account.
### Advanced Features
- **Phish-Resistant MFA Circumvention:** Unlike standard phishing, this technique can bypass FIDO2/WebAuthn hardware keys because the victim is interacting with the legitimate service provider, not a proxy site.
- **Automated Token Refresh:** Once the attacker receives the initial token, they can often use refresh tokens to maintain long-term persistence without further user interaction.
## Indicators of Compromise
- **File Hashes:** N/A (Generally fileless/web-based)
- **Network Indicators:**
- `login[.]microsoftonline[.]com` (Legitimate traffic used maliciously)
- `microsoft[.]com/devicelogin` (Legitimate traffic used maliciously)
- `graph[.]microsoft[.]com` (Abused for data exfiltration post-compromise)
- **Behavioral Indicators:**
- **Sign-in Logs:** Successful logins with an "Application ID" associated with powerful CLI tools (e.g., Microsoft Office, Azure Identity, or PnP Management Shell) from unexpected IP addresses.
- **Device Type:** Authentication requests appearing as "Cross-platform" or "Linux" when the organization primarily uses Windows/macOS.
- **Authentication Method:** Logs showing "Device Code Authentication" for users who do not use IoT or non-browser devices.
## Associated Threat Actors
- **LAPSUS$**
- **Midnight Blizzard (APT29 / Nobelium)**
- **Various IABs (Initial Access Brokers)**
## Detection Methods
- **Log Analysis:** Monitor Entra ID (Azure AD) Sign-in logs for `Authentication Method: Device Code`.
- **User Agent Monitoring:** Look for suspicious or incongruous User Agents associated with the Device Code flow.
- **Conditional Access Gaps:** Audit for logins that bypass typical location-based or device-compliance policies using this grant type.
- **Proactive Hunting:** Search for specific Client IDs famously used in these attacks, such as the Microsoft Office (d3196456-30b1-4f93-96b6-724131551D9B) or Azure PowerShell IDs.
## Mitigation Strategies
- **Disable the Flow:** Disable the Device Code Flow globally if your organization does not use IoT devices or Smart TVs that requires it.
- **Conditional Access:** Implement policies that restrict the Device Authorization Grant to specific IP ranges or require compliant/managed devices.
- **User Education:** Train users to never enter codes into the `/devicelogin` page unless they explicitly initiated a login on a secondary device they physically own.
- **Least Privilege:** Limit the scopes and permissions that third-party applications can request.
## Related Tools/Techniques
- **Adversary-in-the-Middle (AiTM):** Phishing that proxies traffic to steal session cookies.
- **Token Theft:** General category of stealing authenticated session material.
- **O365-Stealer:** Frameworks designed to automate the extraction of data from 365 environments.