Full Report
Think passkeys make you phishing-proof? Think again. Attackers are using downgrade attacks, device-code phishing, and OAuth tricks to sneak past modern MFA. See how Push Security shuts them down. [...]
Analysis Summary
# Tool/Technique: Attacker-in-the-Middle (AitM) Phishing Kits / Downgrade Attacks
## Overview
This refers to the use of reverse-proxy phishing kits, specifically those capable of Attacker-in-the-Middle (AitM) functionality, to intercept user sessions and bypass multi-factor authentication (MFA), particularly targeting passwordless FIDO2-based authenticators (passkeys) by forcing a downgrade to less secure methods.
## Technical Details
- Type: Tool / Technique
- Platform: Web/SaaS Applications (Targeting authentication flows)
- Capabilities: Session interception and modification, MFA prompt manipulation.
- First Seen: Ongoing evolution; AitM kits are the standard choice for modern phishing, with downgrade capabilities being an adaptation against passkeys.
## MITRE ATT&CK Mapping
The primary mechanism described here maps to methods used in credential harvesting and session interception:
- **TA0001 - Initial Access**
  - T1566 - Phishing
    - T1566.001 - Spearphishing Attachment (less direct, but related to initial delivery)
    - T1566.002 - Spearphishing Link (most relevant for AitM kits)
- **T1557 - Man-in-the-Middle** (implied by the core function of the AitM proxy)
  - T1557.001 - Man-in-the-Middle (Network Sniffing) (approximation of the proxy relay)
## Functionality
### Core Capabilities
- **Session Interception:** The phishing website acts as a proxy, relaying messages between the user and the legitimate website after the user enters credentials.
- **MFA Downgrade:** Modifying the legitimate service's MFA prompt presented to the user to disable or hide the option for phishing-resistant methods (like passkeys) and force the selection of a weaker backup method (e.g., authenticator codes).
- **Authentication Relay:** Successfully completing the login process by relaying the necessary authentication information (including the weakened MFA response) back to the real site.
### Advanced Features
- **Bypassing Passkeys:** Exploiting the presence of less secure backup MFA methods registered on an account to achieve full compromise, even when phishing-resistant MFA is configured.
- **SSO Manipulation:** Selecting backup username/password options when an account defaults to Single Sign-On (SSO).
- **Tool Examples:** Evilginx is cited as a commodity kit capable of executing these downgrades with custom phishlets.
## Indicators of Compromise
(Not explicitly provided for the general technique, but related to the tools used)
- File Hashes: [N/A for the technique itself]
- File Names: [Phishlets/configuration files tailored for specific services (e.g., Microsoft accounts)]
- Registry Keys: [N/A]
- Network Indicators: [Traffic flowing through a known malicious AitM proxy domain before reaching the legitimate service]
- Behavioral Indicators: Abnormal session initiation sequences where MFA prompts are modified or skipped entirely in favor of secondary methods.
## Associated Threat Actors
- General cybercriminals leveraging commodity phishing kits.
- Actors using tools like Evilginx.
## Detection Methods
- Signature-based detection: Detecting known AitM infrastructure domains or signature patterns in proxy responses.
- Behavioral detection: Monitoring for unexpected sequences in the MFA challenges presented to users, in particular instances where a user authenticates with a non-passkey method immediately after a passkey-enabled login attempt.
- YARA rules: [N/A for the network technique]
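The behavioral detection described above can be expressed as a simple rule over sign-in telemetry: a user who has a passkey registered should not be completing logins with a weaker factor, and a weak-factor success seconds after a passkey prompt is the downgrade pattern the report describes. The following is an added example (not code from the Push Security report or its tooling); the event fields, the `REGISTERED` method inventory and the sample sign-ins are constructed assumptions standing in for an IdP sign-in log and an authentication-method export.

```python
"""Flag sign-ins where a passkey-capable user authenticated with a weaker method."""
from datetime import datetime, timedelta

# Method labels are assumptions; map your IdP's own names onto these two sets.
PHISHING_RESISTANT = {"fido2", "passkey", "windows_hello"}
WEAK = {"totp", "sms", "push", "password"}

# Constructed sample sign-in events (oldest first). Alice's 13:02 passkey
# prompt is interrupted and a TOTP login succeeds 35 s later from the same IP.
SIGN_INS = [
    {"ts": "2024-05-01T09:00:00Z", "user": "alice", "method": "fido2", "result": "success", "ip": "203.0.113.5"},
    {"ts": "2024-05-01T13:02:10Z", "user": "alice", "method": "fido2", "result": "interrupted", "ip": "198.51.100.7"},
    {"ts": "2024-05-01T13:02:45Z", "user": "alice", "method": "totp", "result": "success", "ip": "198.51.100.7"},
    {"ts": "2024-05-01T14:00:00Z", "user": "bob", "method": "totp", "result": "success", "ip": "203.0.113.9"},
]

# Constructed inventory of registered authentication methods per user.
REGISTERED = {"alice": {"fido2", "totp"}, "bob": {"totp"}}


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def find_downgrades(events, registered, window=timedelta(minutes=10)):
    """Return a list of (user, ts, method, reason) findings.

    A finding is raised whenever a user with a phishing-resistant method
    registered completes a login with a weak one; the reason is strengthened
    when a passkey attempt (any outcome) preceded it within `window`.
    """
    findings = []
    last_strong = {}  # user -> time of most recent passkey attempt
    for e in sorted(events, key=lambda e: e["ts"]):
        ts = parse_ts(e["ts"])
        if e["method"] in PHISHING_RESISTANT:
            last_strong[e["user"]] = ts
            continue
        if e["result"] != "success" or e["method"] not in WEAK:
            continue
        user = e["user"]
        has_passkey = bool(registered.get(user, set()) & PHISHING_RESISTANT)
        if not has_passkey:
            continue  # no passkey registered: a weak method is this user's normal path
        reason = "passkey registered but weaker method used"
        prev = last_strong.get(user)
        if prev is not None and ts - prev <= window:
            gap = int((ts - prev).total_seconds())
            reason += f"; follows passkey attempt {gap}s earlier"
        findings.append((user, e["ts"], e["method"], reason))
    return findings


if __name__ == "__main__":
    for f in find_downgrades(SIGN_INS, REGISTERED):
        print(*f, sep=" | ")
```

The rule deliberately fires on every weak-method success for a passkey-registered user, not only on the tight passkey-then-TOTP sequence: the mitigation section's point is that any remaining weak backup method is the attack surface, so each use of one is worth a ticket.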
## Mitigation Strategies
- **Passkey Enforcement:** Configuring services to strictly require passkeys and remove *all* backup, less secure MFA methods (SMS, OTP apps).
- **Conditional Access Policies:** Implementing stringent policies that block or challenge logins originating from untrusted sources or that fail specific security checks, while keeping in mind the limitations of the built-in Conditional Access templates that the source report notes.
- **Identity Auditing:** Regularly auditing application and identity sprawl to ensure all services adhere to strong MFA standards.
## Related Tools/Techniques
- Reverse-proxy phishing kits (e.g., Evilginx, Muraena, Modlishka)
- Device Code Phishing
- Consent Phishing
---
# Tool/Technique: Device Code Phishing
## Overview
A technique leveraging alternative authentication flows, often used for devices lacking full web browser capabilities, by tricking a victim into entering a unique device code provided by the attacker into a legitimate authorization webpage.
## Technical Details
- Type: Technique
- Platform: Cross-device authentication flows (e.g., connecting a console or smart device to a service like M365).
- Capabilities: Bypassing typical browser-based phishing defenses by legitimizing the authentication context via a user action on a trusted URL.
- First Seen: Observed in recent campaigns against M365 accounts, notably by Russia-sponsored actors.
## MITRE ATT&CK Mapping
- **TA0001 - Initial Access**
  - T1566 - Phishing
    - T1566.002 - Spearphishing Link (used to deliver the initial device code instruction)
- **T1555 - Credentials from Data Stores** (if this leads to credential harvesting, though the main focus is token/session compromise)
## Functionality
### Core Capabilities
- **Code Generation/Supply:** The adversary generates or obtains a unique device code.
- **Instruction:** The victim is tricked into visiting a legitimate authentication endpoint on a separate device.
- **Authorization:** The victim enters the adversary-supplied code, authorizing the attacker's device or session token.
### Advanced Features
- **Legitimate URL Utilization:** The attack gains credibility because the final authorization step occurs on the *real* domain, reducing suspicion compared to a fraudulent webpage.
- **App Impersonation:** Verified applications can sometimes be impersonated within this flow.
## Indicators of Compromise
- File Hashes: [N/A]
- File Names: [N/A]
- Registry Keys: [N/A]
- Network Indicators: [N/A]
- Behavioral Indicators: User activity showing a successful login tied to an unrecognized or new device following input of a supplied device code.
## Associated Threat Actors
- Russia-sponsored threat actors (observed in M365 targeting).
## Detection Methods
- Behavioral detection: Monitoring authentication logs for session creation immediately following the use of a device code enrollment flow, especially if the IP or device context is unusual.
- Monitoring for anomalous use of device authorization endpoints.
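The two detection points above (a device-code flow used by an unexpected client, and a token issued in a context that does not match the user who approved the code) can be checked by pairing the interactive approval event with the token-issuance event for the same code. This is an added example, not code from the Push Security report; the event types, field names and the client allowlist are constructed assumptions, and a real IdP log will carry equivalent information under its own schema (typically a protocol or grant-type field on the sign-in and token records).

```python
"""Correlate device-code approvals with the tokens they produce and flag mismatches."""
from collections import defaultdict

# Constructed allowlist of clients that legitimately use the device-code flow
# (e.g. a meeting-room display with no keyboard).
ALLOWED_DEVICE_CLIENTS = {"corp-meeting-room-display"}

# Constructed events: the user approves the code in a browser (interactive),
# then the polling client is issued a token for the same code.
EVENTS = [
    {"ts": "2024-05-02T10:00:00Z", "type": "device_code_authorized", "user": "carol",
     "ip": "203.0.113.20", "client_id": "corp-meeting-room-display", "code_id": "dc-1"},
    {"ts": "2024-05-02T10:00:04Z", "type": "token_issued", "user": "carol",
     "ip": "203.0.113.20", "client_id": "corp-meeting-room-display", "code_id": "dc-1"},
    {"ts": "2024-05-02T11:15:00Z", "type": "device_code_authorized", "user": "dave",
     "ip": "203.0.113.31", "client_id": "unlisted-client-app", "code_id": "dc-2"},
    {"ts": "2024-05-02T11:15:09Z", "type": "token_issued", "user": "dave",
     "ip": "198.51.100.40", "client_id": "unlisted-client-app", "code_id": "dc-2"},
]


def review_device_code_flows(events, allowed_clients=ALLOWED_DEVICE_CLIENTS):
    """Return {code_id: [reasons]} for device-code flows that deserve review."""
    by_code = defaultdict(dict)
    for e in events:
        by_code[e["code_id"]][e["type"]] = e

    findings = {}
    for code_id, pair in by_code.items():
        auth = pair.get("device_code_authorized")
        tok = pair.get("token_issued")
        reasons = []
        client = (tok or auth)["client_id"]
        if client not in allowed_clients:
            reasons.append(f"client {client!r} not approved for the device-code flow")
        # Heuristic: the approving browser and the polling device normally sit
        # behind the same egress. A split is worth a look, not proof on its own.
        if auth and tok and auth["ip"] != tok["ip"]:
            reasons.append(f"token issued to {tok['ip']} but code approved from {auth['ip']}")
        if tok and not auth:
            reasons.append("token issued with no matching interactive approval event")
        if reasons:
            findings[code_id] = reasons
    return findings


if __name__ == "__main__":
    for code, reasons in review_device_code_flows(EVENTS).items():
        print(code, "->", "; ".join(reasons))
```

In practice the allowlist check is the durable one and maps directly onto the Conditional Access restriction in the mitigation section; the IP comparison is an enrichment that raises priority rather than a standalone alert, since a phone on mobile data approving a code for a device on office Wi-Fi will split the same way.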
## Mitigation Strategies
- **Restrict Device Flows:** Implement Conditional Access policies to restrict or tightly control which applications/devices can utilize device code flows, especially for high-value accounts.
- **User Education:** Training users to be skeptical of instructions requiring them to visit a legitimate site to input a code provided outside of that official process.
## Related Tools/Techniques
- OAuth 2.0 abuse flows.
---
# Tool/Technique: Consent Phishing (OAuth Abuse)
## Overview
A long-standing technique that abuses the OAuth (Open Authorization) protocol by tricking users into granting malicious third-party applications broad permissions to access sensitive data or perform actions on their behalf within SaaS environments like Microsoft Azure or Google Workspace.
## Technical Details
- Type: Technique
- Platform: SaaS applications utilizing OAuth 2.0/API permissions (e.g., Microsoft 365, Google Workspace, GitHub, Jira).
- Capabilities: Gaining persistent access tokens that bypass traditional MFA and survive password changes.
- First Seen: One of the first techniques added to the SaaS attacks matrix; currently seeing a recent uptick.
## MITRE ATT&CK Mapping
- **TA0001 - Initial Access**
  - T1566 - Phishing
    - T1566.002 - Spearphishing Link (used to present the malicious consent screen)
- **T1513 - OAuth Active Directory** (conceptual mapping based on abuse of identity services)
## Functionality
### Core Capabilities
- **Malicious App Registration:** Adversaries register an application that requests excessive or malicious permissions.
- **Consent Elicitation:** Phishing the user to click a link and authorize the application's requested permissions.
- **Persistent Access:** Once authorized, the attacker receives an access token, maintaining a backdoor.
### Advanced Features
- **SaaS Sprawl Exploitation:** Targeting niche SaaS APIs (like those for GitHub or Jira) that may have less stringent central oversight than primary identity providers.
- **Bypassing MFA:** The token obtained from consent authorization typically bypasses subsequent attempts at MFA enforcement for that specific resource access.
## Indicators of Compromise
- File Hashes: [N/A]
- File Names: [N/A]
- Registry Keys: [N/A]
- Network Indicators: [N/A]
- Behavioral Indicators: New, unknown, or excessively permissioned OAuth applications being registered or accessing resources within the tenant.
## Associated Threat Actors
- Various actors targeting identity and SaaS tenants.
## Detection Methods
- Signature-based detection: Monitoring for known malicious application names or identifiers if associated with prior attacks.
- Behavioral detection: Auditing the permissions requested by newly authorized applications.
- **Vulnerability Management:** Proactively identifying "ghost logins," identity sprawl, and unauthorized OAuth integrations.
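Auditing the permissions of newly consented applications, as the behavioral detection above describes, comes down to scoring each grant on the scopes it asks for, whether it can persist, and who approved it. The following is an added example (not code from the Push Security report); the grant records are constructed, the scope strings are Microsoft Graph delegated-permission names chosen because the report names Microsoft 365 as a common target, and the risk tiers and scores are this example's own assumptions rather than any vendor's classification.

```python
"""Rank OAuth consent grants for review by scope risk, persistence and consent type."""

# Scopes that read or write user data at mailbox or tenant scale (assumed tier).
HIGH_RISK_SCOPES = {
    "Mail.ReadWrite", "Mail.Send", "Files.ReadWrite.All",
    "Directory.ReadWrite.All", "Sites.ReadWrite.All", "Contacts.ReadWrite",
}
# offline_access yields a refresh token, so access survives a password reset.
PERSISTENCE_SCOPE = "offline_access"

# Constructed consent grants, shaped like a tenant audit export.
GRANTS = [
    {"app_id": "app-0001", "name": "Calendar Sync", "publisher_verified": True,
     "consent_type": "admin", "scopes": ["Calendars.Read", "User.Read"]},
    {"app_id": "app-0002", "name": "Mail Helper Pro", "publisher_verified": False,
     "consent_type": "user", "scopes": ["Mail.ReadWrite", "Mail.Send", "offline_access", "User.Read"]},
    {"app_id": "app-0003", "name": "Docs Viewer", "publisher_verified": True,
     "consent_type": "user", "scopes": ["Files.Read", "offline_access"]},
]


def score_grant(grant):
    """Return (score, reasons); a higher score means review sooner."""
    scopes = set(grant["scopes"])
    score, reasons = 0, []
    risky = sorted(scopes & HIGH_RISK_SCOPES)
    if risky:
        score += 3 * len(risky)
        reasons.append("high-risk scopes: " + ", ".join(risky))
    if PERSISTENCE_SCOPE in scopes:
        score += 2
        reasons.append("offline_access grants a refresh token (survives password reset)")
    if not grant["publisher_verified"]:
        score += 2
        reasons.append("publisher not verified")
    if grant["consent_type"] == "user" and risky:
        score += 2
        reasons.append("user (not admin) consented to high-risk scopes")
    return score, reasons


def prioritise(grants, threshold=4):
    """Grants scoring at or above `threshold`, highest score first."""
    out = []
    for g in grants:
        s, reasons = score_grant(g)
        if s >= threshold:
            out.append({"app_id": g["app_id"], "name": g["name"], "score": s, "reasons": reasons})
    return sorted(out, key=lambda r: -r["score"])


if __name__ == "__main__":
    for row in prioritise(GRANTS):
        print(row["app_id"], row["name"], row["score"])
        for r in row["reasons"]:
            print("   -", r)
```

Run against a real export, the same scoring makes the OAuth governance step concrete: grants above the threshold go to an approval queue, and the "user consented to high-risk scopes" reason is the case that a policy requiring admin consent for those scopes would have prevented outright.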
## Mitigation Strategies
- **OAuth Governance:** Establishing strict governance and auditing over OAuth application registrations.
- **Least Privilege Principle:** Limiting the permissions requested by third-party applications.
- **MFA/Conditional Access Review:** Ensuring Conditional Access policies are configured to audit or prevent access granted via newly consented applications if they pose a risk.
## Related Tools/Techniques
- Adversary-controlled application registration.