Full Report
Device code phishing attacks that abuse the OAuth 2.0 Device Authorization Grant flow to hijack accounts have surged more than 37 times this year. [...]
Analysis Summary
# Tool/Technique: OAuth 2.0 Device Code Phishing
## Overview
Device code phishing is an exploitation technique that abuses the **OAuth 2.0 Device Authorization Grant** flow. Originally designed for "input-constrained" devices (like Smart TVs or IoT devices) that lack a keyboard, the flow allows a user to authorize a device by entering a short code on a separate, secondary device (like a smartphone or PC).
In a phishing context, the attacker starts the flow themselves by requesting a device code from the provider, then tricks the victim into entering the resulting user code at the legitimate `microsoft.com/devicelogin` (or equivalent) portal. Once the victim enters the code and authenticates there, the provider hands the access and refresh tokens to the attacker's infrastructure, which has been polling for them, effectively hijacking the account without the reverse-proxy MFA interception typically seen in Adversary-in-the-Middle (AiTM) attacks.
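To make the asymmetry concrete, here is an added example (not code from the original report, and not any vendor's implementation) that simulates the RFC 8628 exchange in memory: a stand-in authorization server, the party that requested the device code, and the person who types the user code. The server, endpoints and scopes are all hypothetical placeholders. The thing to watch is which party the tokens are returned to.

```python
"""Toy simulation of the OAuth 2.0 Device Authorization Grant (RFC 8628).

Added example, not from the original report. Server, client and the
verification_uri are in-memory stand-ins; nothing contacts a real provider.
It shows that tokens are delivered to whoever holds the device_code (the party
that started the flow), not to the person who typed the user_code and passed
authentication (including MFA). That asymmetry is what device code phishing abuses.
"""
import secrets
import time

# RFC 8628 section 6.1 recommends a consonant-only alphabet for user codes.
USER_CODE_ALPHABET = "BCDFGHJKLMNPQRSTVWXZ"


class FakeClock:
    """Controllable clock so the example runs deterministically."""

    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


class DeviceAuthServer:
    """Hypothetical in-memory authorization server."""

    def __init__(self, lifetime=600, interval=5, clock=time.monotonic):
        self.lifetime = lifetime      # expires_in for a device code
        self.interval = interval      # minimum seconds between token polls
        self.clock = clock
        self.pending = {}             # device_code -> pending authorization record

    def device_authorization(self, client_id, scope):
        """Client side: the device authorization request (RFC 8628 section 3.1/3.2)."""
        device_code = secrets.token_urlsafe(32)
        user_code = "-".join(
            "".join(secrets.choice(USER_CODE_ALPHABET) for _ in range(4)) for _ in range(2)
        )
        self.pending[device_code] = {
            "client_id": client_id, "scope": scope, "user_code": user_code,
            "expires_at": self.clock() + self.lifetime,
            "last_poll": None, "approved_by": None,
        }
        return {
            "device_code": device_code, "user_code": user_code,
            "verification_uri": "https://idp.example/device",  # placeholder, not a real endpoint
            "expires_in": self.lifetime, "interval": self.interval,
        }

    def approve(self, user_code, subject):
        """User side: the person who typed user_code authenticated and consented."""
        for rec in self.pending.values():
            if rec["user_code"] == user_code and self.clock() < rec["expires_at"]:
                rec["approved_by"] = subject
                return True
        return False

    def token(self, device_code):
        """Client side: polling the token endpoint with the device_code grant (section 3.4/3.5)."""
        rec = self.pending.get(device_code)
        if rec is None:
            return {"error": "invalid_grant"}
        now = self.clock()
        if now >= rec["expires_at"]:
            del self.pending[device_code]
            return {"error": "expired_token"}
        if rec["last_poll"] is not None and now - rec["last_poll"] < self.interval:
            rec["last_poll"] = now
            return {"error": "slow_down"}
        rec["last_poll"] = now
        if rec["approved_by"] is None:
            return {"error": "authorization_pending"}
        del self.pending[device_code]
        return {
            "access_token": secrets.token_urlsafe(24), "refresh_token": secrets.token_urlsafe(24),
            "token_type": "Bearer", "scope": rec["scope"], "subject": rec["approved_by"],
        }


def demonstrate():
    """Run one exchange; returns the poll errors seen and the final token response."""
    clock = FakeClock()
    srv = DeviceAuthServer(clock=clock)
    # Party A starts the flow and keeps the device_code; only the user_code is shown to anyone else.
    resp = srv.device_authorization(client_id="tv-app", scope="mail.read")
    errors = [srv.token(resp["device_code"])["error"]]   # authorization_pending
    errors.append(srv.token(resp["device_code"])["error"])  # slow_down: polled before interval elapsed
    clock.advance(5)
    # Party B types the user_code at the provider and authenticates there.
    srv.approve(resp["user_code"], subject="alice@example.test")
    final = srv.token(resp["device_code"])   # tokens for alice are issued to Party A
    return errors, final


def expiry_check():
    """A code that is never approved becomes unusable after expires_in seconds."""
    clock = FakeClock()
    srv = DeviceAuthServer(lifetime=600, clock=clock)
    resp = srv.device_authorization("tv-app", "mail.read")
    clock.advance(600)
    return srv.token(resp["device_code"])["error"]


if __name__ == "__main__":
    errs, tokens = demonstrate()
    print(errs, "->", tokens["subject"], "tokens held by the polling party")
    print("unapproved code after lifetime:", expiry_check())
```

The expiry and `slow_down` handling are part of the standard, not a defence: the window in which a victim can be talked into typing the code is bounded only by `expires_in` (ten minutes here, as a typical value), and kits simply request a fresh code when one lapses.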
## Technical Details
- **Type**: Technique / Phishing-as-a-Service (PhaaS)
- **Platform**: Cross-platform (specifically targeting SaaS environments like Microsoft 365, Azure/Entra ID, Google, and Adobe)
- **Capabilities**: Session hijacking, token theft, MFA bypass (by design), persistence via refresh tokens.
- **First Seen**: Documented in 2020; surge in widespread adoption observed in 2024-2026.
## MITRE ATT&CK Mapping
- **[TA0001 - Initial Access]**
  - [T1566.002 - Phishing: Spearphishing Link]
- **[TA0006 - Credential Access]**
  - [T1528 - Steal Application Access Token]
- **[TA0004 - Privilege Escalation]**
  - [T1548.003 - Abuse Authorization Mechanism]
- **[TA0003 - Persistence]**
  - [T1136.003 - Create Account: Cloud Account] (via stolen session)
## Functionality
### Core Capabilities
- **Token Generation**: Generates a valid `user_code` and `device_code` from the target service provider.
- **Lure Presentation**: Displays highly realistic branding (DocuSign, Microsoft 365, Adobe, HR portals) to convince users to enter the code.
- **Session Hijacking**: Automatically captures access and refresh tokens once the victim authorizes the code on a legitimate domain.
- **MFA Bypass**: Because the victim logs into the *legitimate* service provider site to enter the code, they satisfy MFA requirements themselves, which then grants the attacker a valid session.
### Advanced Features
- **Anti-Bot Gating**: Kits like **CLURE** and **LINKID** use Cloudflare challenges or custom anti-bot gates to hide from security scanners.
- **Cloud Hosting Abuse**: Kits are hosted on reputable platforms like GitHub Pages, AWS S3, Microsoft PowerApps, and Cloudflare Workers (`workers[.]dev`) to avoid reputation-based blocking.
- **Automated API Interaction**: Kits use node-based backends or rotating API endpoints to handle the polling of tokens in real-time.
## Indicators of Compromise
### Network Indicators
*Note: Indicators are defanged.*
- **Phishing Platforms**:
  - `workers[.]dev` (Commonly used by AUTHOV, DOCUPOLL, and FLOW_TOKEN)
  - `digitalocean[.]com` (Backend infrastructure for CLURE)
  - `s3[.]amazonaws[.]com` (Hosting for PAPRIKA)
- **Common Phishing Lure Keywords**:
  - `devicelogin`
  - `microsoft-secure-access`
  - `docusign-contract-signature`
  - `citrix-sharefile-transfer`
### Behavioral Indicators
- Logins originating from User Agents associated with "Command Line" or "IoT" devices (e.g., `CURL`, `Python-requests`) from unusual IP addresses.
- Concurrent sessions for a single user from geographically disparate locations (the victim's IP and the attacker's server IP).
- Audit logs showing `Sign-in category: Device code flow`.
## Associated Threat Actors
- **EvilTokens**: The primary PhaaS platform democratizing this technique.
- **State-sponsored Actors**: APTs (e.g., Midnight Blizzard/NOBELIUM) have historically used device code flows for stealthy persistence.
- **Financially Motivated Actors**: Groups utilizing kits such as **VENOM**, **CLURE**, and **LINKID**.
## Specialized Phishing Kits
1. **VENOM**: Closed-source PhaaS; clone of EvilTokens.
2. **SHAREFILE**: Mimics Citrix document transfers.
3. **CLURE**: Uses SharePoint lures and anti-bot gates.
4. **LINKID**: Uses Cloudflare challenges and Teams/Adobe lures.
5. **DOCUPOLL**: Mimics DocuSign workflows via GitHub Pages.
6. **PAPRIKA**: AWS S3-hosted with Office 365 and fake Okta footers.
## Detection Methods
- **Behavioral Detection**: Monitor Microsoft Entra ID (Azure AD) logs for the `IdentityServiceAppId` representing the "Microsoft Office" or "Cross-platform" application requesting device codes.
- **Log Analysis**: Look for `Sign-in activity` where the `Authentication Protocol` is `deviceCode`.
- **Anomalous App Usage**: Flag instances where the "Microsoft Broker" or "Microsoft Command Line" apps are authorized by non-technical users.
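The behavioral indicators and detection methods above translate into a few rules that can run over sign-in events. The following is an added example, not code from the original report or from Microsoft: a small detector over constructed Entra sign-in records. Field names (`userPrincipalName`, `appDisplayName`, `authenticationProtocol`, `userAgent`, `ipAddress`, `location`, `createdDateTime`) are modelled on the Graph `signIn` resource, the events themselves are invented sample data, and the allowlist of users expected to use the device code flow is an assumed defender-maintained list.

```python
"""Added example, not from the original report: device-code sign-in detection
over constructed Entra-style sign-in events. Rules implemented:
  1. device code sign-in with a non-browser user agent (curl, python-requests, ...)
  2. device code sign-in by a user not expected to use the flow
  3. same user seen from two countries within a short window (victim + attacker session)
"""
import json
from datetime import datetime, timedelta

# Constructed sample sign-in log, one JSON object per line (not real data).
SAMPLE_SIGNINS = """
{"id": "s1", "createdDateTime": "2026-03-02T09:00:00Z", "userPrincipalName": "alice@example.test", "appDisplayName": "Microsoft 365", "authenticationProtocol": "oAuth2", "userAgent": "Mozilla/5.0 (Windows NT 10.0) Chrome/122.0", "ipAddress": "203.0.113.10", "location": {"countryOrRegion": "US"}}
{"id": "s2", "createdDateTime": "2026-03-02T09:04:00Z", "userPrincipalName": "alice@example.test", "appDisplayName": "Microsoft Office", "authenticationProtocol": "deviceCode", "userAgent": "python-requests/2.31.0", "ipAddress": "198.51.100.7", "location": {"countryOrRegion": "NL"}}
{"id": "s3", "createdDateTime": "2026-03-02T10:00:00Z", "userPrincipalName": "ops-admin@example.test", "appDisplayName": "Microsoft Azure CLI", "authenticationProtocol": "deviceCode", "userAgent": "AZURECLI/2.60.0", "ipAddress": "203.0.113.22", "location": {"countryOrRegion": "US"}}
{"id": "s4", "createdDateTime": "2026-03-02T11:00:00Z", "userPrincipalName": "bob@example.test", "appDisplayName": "Microsoft 365", "authenticationProtocol": "oAuth2", "userAgent": "Mozilla/5.0 (Macintosh) Safari/605.1", "ipAddress": "203.0.113.31", "location": {"countryOrRegion": "US"}}
"""

# Substrings that mark command-line / scripted clients rather than a browser.
NON_BROWSER_UA_MARKERS = ("curl", "python-requests", "go-http-client", "okhttp", "powershell")
# Assumption: the defender maintains the set of identities that legitimately use the flow.
EXPECTED_DEVICE_CODE_USERS = {"ops-admin@example.test"}
# Two sessions from different countries inside this window are treated as concurrent.
CONCURRENCY_WINDOW = timedelta(minutes=30)


def parse_time(ts):
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def load_signins(text):
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def device_code_alerts(events):
    """Rules 1 and 2: indicators visible on a single device-code sign-in event."""
    alerts = []
    for ev in events:
        if ev.get("authenticationProtocol") != "deviceCode":
            continue
        ua = ev.get("userAgent", "").lower()
        if any(marker in ua for marker in NON_BROWSER_UA_MARKERS):
            alerts.append((ev["id"], "device_code_nonbrowser_user_agent"))
        if ev["userPrincipalName"] not in EXPECTED_DEVICE_CODE_USERS:
            alerts.append((ev["id"], "device_code_unexpected_user"))
    return alerts


def concurrent_geo_alerts(events):
    """Rule 3: the same user signed in from two countries within CONCURRENCY_WINDOW."""
    alerts = []
    by_user = {}
    for ev in sorted(events, key=lambda e: parse_time(e["createdDateTime"])):
        by_user.setdefault(ev["userPrincipalName"], []).append(ev)
    for evs in by_user.values():
        for i, earlier in enumerate(evs):
            for later in evs[i + 1:]:
                gap = parse_time(later["createdDateTime"]) - parse_time(earlier["createdDateTime"])
                if gap > CONCURRENCY_WINDOW:
                    break  # events are sorted, so nothing later can be within the window
                if later["location"]["countryOrRegion"] != earlier["location"]["countryOrRegion"]:
                    alerts.append((later["id"], "concurrent_geo_disparate_sessions"))
    return alerts


def run_detection(text=SAMPLE_SIGNINS):
    """Returns (event id, rule name) pairs for every rule that fired."""
    events = load_signins(text)
    return device_code_alerts(events) + concurrent_geo_alerts(events)


if __name__ == "__main__":
    for event_id, rule in run_detection():
        print(f"{event_id}: {rule}")
```

On the sample data only `s2` fires, on all three rules: a device code sign-in for a user with no business using the flow, from a scripted client, minutes after the same account signed in from a different country through a normal browser. The admin's CLI sign-in (`s3`) is allowlisted and stays quiet, which is the behaviour you want if the allowlist is kept honest.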
## Mitigation Strategies
- **Conditional Access Policies**: Explicitly disable or restrict the "Device Code Flow" using Conditional Access (CA) policies in Entra ID/M365 for users who do not require it.
- **Device Filtering**: Only allow device code flows from "Compliant" or "Hybrid Joined" devices.
- **User Education**: Train users to never enter a 4-8 digit code into a website unless they manually initiated the request from a device they own (e.g., a TV).
- **Restricted Flows**: Limit the Device Authorization Grant to specific IP ranges (e.g., corporate offices).
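The Conditional Access, device-filtering and location mitigations above can be expressed as three policy bodies. What follows is an added example, not from the original report and not Microsoft's own tooling: it builds the policies as Microsoft Graph `conditionalAccessPolicy` request bodies and lints them for the common ways such a policy ends up doing nothing. Field names follow the Graph `conditionalAccessPolicy` resource as I know it (the `authenticationFlows` condition with `transferMethods` set to `deviceCodeFlow`); the group ID and named-location ID are placeholders, and posting the body to `/identity/conditionalAccess/policies` is left to the caller.

```python
"""Added example, not from the original report: Conditional Access policies
for the device code flow as Graph conditionalAccessPolicy bodies, plus a lint.
Group and named-location IDs are placeholders; verify field names against the
current Graph documentation before use.
"""
import json

PLACEHOLDER_EXEMPT_GROUP = "00000000-0000-0000-0000-00000000000a"     # placeholder group id
PLACEHOLDER_OFFICE_LOCATION = "00000000-0000-0000-0000-00000000000b"  # placeholder named location id


def device_code_policy(display_name, users, built_in_controls, locations=None,
                       state="enabledForReportingButNotEnforced"):
    """Build one policy scoped to the device code authentication flow.

    Defaults to report-only so the sign-in log shows who would be affected
    before enforcement is switched on (state="enabled")."""
    conditions = {
        "users": users,
        "applications": {"includeApplications": ["All"]},
        "clientAppTypes": ["all"],
        "authenticationFlows": {"transferMethods": "deviceCodeFlow"},
    }
    if locations:
        conditions["locations"] = locations
    return {
        "displayName": display_name,
        "state": state,
        "conditions": conditions,
        "grantControls": {"operator": "OR", "builtInControls": list(built_in_controls)},
    }


def mitigation_policies(exempt_group=PLACEHOLDER_EXEMPT_GROUP,
                        office_location=PLACEHOLDER_OFFICE_LOCATION):
    """The three policies the mitigation list describes."""
    return [
        # 1. Block the flow for everyone who does not need it (exceptions via one group).
        device_code_policy("CA - Block device code flow",
                           {"includeUsers": ["All"], "excludeGroups": [exempt_group]},
                           ["block"]),
        # 2. Exempt group: allow only from compliant or hybrid-joined devices.
        device_code_policy("CA - Device code flow requires managed device",
                           {"includeGroups": [exempt_group]},
                           ["compliantDevice", "domainJoinedDevice"]),
        # 3. Exempt group: block from any location other than the corporate offices.
        device_code_policy("CA - Device code flow only from office locations",
                           {"includeGroups": [exempt_group]},
                           ["block"],
                           locations={"includeLocations": ["All"],
                                      "excludeLocations": [office_location]}),
    ]


def lint_policy(policy):
    """Flag the usual reasons a device-code policy never actually fires."""
    findings = []
    if policy.get("state") != "enabled":
        findings.append("state is not 'enabled' (report-only policies log but do not block)")
    flows = policy.get("conditions", {}).get("authenticationFlows", {}).get("transferMethods", "")
    if "deviceCodeFlow" not in flows:
        findings.append("authenticationFlows condition does not include deviceCodeFlow")
    users = policy.get("conditions", {}).get("users", {})
    if users.get("includeUsers") == ["All"] and users.get("excludeUsers"):
        findings.append("policy targets All users but carries per-user exclusions; prefer a group")
    if not policy.get("grantControls", {}).get("builtInControls"):
        findings.append("no grant control set; policy has no effect")
    return findings


if __name__ == "__main__":
    for policy in mitigation_policies():
        print(json.dumps(policy, indent=2))
        print("lint:", lint_policy(policy) or "ok")
```

Keep the first policy's exception list to a single group rather than named users: per-user exclusions on an "All users" block are where device-code exemptions quietly accumulate, and the lint treats that as a finding. Run the policies in report-only first and review the device-code sign-ins they would have blocked before flipping `state` to `enabled`.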
## Related Tools/Techniques
- **AiTM (Adversary-in-the-Middle)**: Similar goal of stealing session cookies, but uses a proxy instead of the device code flow.
- **EvilProxy / Tycoon 2FA**: PhaaS kits that typically use AiTM but are increasingly incorporating device code modules.
- **OAuth App Consent Phishing**: Tricking users into granting permissions to a malicious third-party application.