Analysis Summary
# Tool/Technique: Device Code Phishing
## Overview
Device code phishing is a sophisticated social engineering technique that abuses the legitimate "Device Code Flow" (OAuth 2.0) designed for devices with limited input capabilities (e.g., smart TVs, IoT devices). Attackers trick users into authenticating a malicious application on their behalf by entering a legitimate-looking code into a real Microsoft authentication portal, allowing the threat actor to bypass Multi-Factor Authentication (MFA) and gain account access via a token.
## Technical Details
- **Type:** Technique / Phishing Frameworks
- **Platform:** Microsoft 365 (M365), Azure AD / Entra ID
- **Capabilities:** MFA bypass, token theft, persistent account access without needing the user's password directly.
- **First Seen:** Actively tracked in large-scale campaigns as of September/October 2024.
## MITRE ATT&CK Mapping
- **[TA0001 - Initial Access]**
  - [T1566.002 - Phishing: Spearphishing Link]
- **[TA0006 - Credential Access]**
  - [T1528 - Steal Application Access Token]
- **[TA0005 - Defense Evasion]**
  - [T1550.001 - Use Alternate Authentication Material: Application Access Token]
## Functionality
### Core Capabilities
- **Social Engineering:** Uses hyperlinked text or QR codes to direct users to a landing page.
- **Protocol Abuse:** Leverages the `https[:]//microsoft[.]com/devicelogin` workflow to generate a code that the user "authorizes" for the attacker.
- **Legitimate Infrastructure:** Because the final authentication happens on a real Microsoft domain, traditional link-scanning and domain-reputation tools may fail to flag the final step.
### Advanced Features
- **SquarePhish2 / Graphish:** Specialized phishing kits that automate the generation of device codes and the presentation of phishing pages to the victim.
- **AitM Capabilities:** The Graphish kit uses reverse proxy setups to facilitate Adversary-in-the-Middle (AitM) attacks.
- **Azure App Registration:** Attackers leverage malicious or compromised Azure app registrations to appear legitimate during the consent process.
## Indicators of Compromise
*Note: Specific file hashes and registry keys are often absent in cloud-based phishing; focus is on behavioral and network triggers.*
- **File Names:** `SquarePhish2`, `Graphish` (referenced kits).
- **Network Indicators:**
  - `microsoft[.]com/devicelogin` (legitimate site, but suspicious when high volume originates from unmanaged devices).
  - Phishing domains used by TA2723 (not explicitly listed in the brief, but typically masquerade as IT support).
- **Behavioral Indicators:**
  - Unexpected "Sign in to [Application Name]" prompts for unknown Azure applications.
  - Creation of new OAuth tokens from unusual geographic locations.
  - Device code flow initiated from a workstation/browser rather than a CLI or IoT device.
## Associated Threat Actors
- **UNK_AcademicFlare:** A Russia-aligned group targeting governments and military organizations.
- **TA2723:** A criminal actor selling device code phishing tools on underground forums.
- **Storm-2372:** A group identified by Microsoft as using this specific technique.
## Detection Methods
- **Behavioral Detection:** Monitor Azure AD / Entra ID sign-in logs for `Authentication Protocol: Device Code`. Flag instances where this protocol is used by standard user accounts instead of known service accounts.
- **Log Analysis:** Look for "Add OAuth2PermissionGrant" events in M365 Audit logs associated with suspicious or third-party applications.
- **Conditional Access Monitoring:** Review logs for successful logins that bypass MFA via token injection following a device code exchange.
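The three detection methods above can be expressed as a small correlation rule. The following is an added example, not code from the original brief: it runs over constructed sign-in and audit records shaped like an Entra ID log export (field names such as `authenticationProtocol`, `location.countryOrRegion` and `activityDisplayName` are assumptions to verify against your tenant's actual export), flags device-code sign-ins by accounts outside a known allowlist, raises severity when the location is outside the user's baseline, and correlates an `Add OAuth2PermissionGrant` audit event that follows within a short window.

```python
"""Flag device-code sign-ins that match the behavioural indicators above.

Added example (not from the original page). Record shapes mimic an Entra ID
sign-in / audit log export; field names are assumptions, verify against your
own export. All records below are constructed, not real telemetry.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Accounts for which device-code sign-ins are expected (constructed allowlist),
# e.g. an automation account using the Azure CLI on a headless jump host.
KNOWN_DEVICE_CODE_USERS = {"svc-azcli@corp.example"}

# Countries each user normally signs in from (constructed baseline).
USER_BASELINE_COUNTRY = {
    "alice@corp.example": {"GB"},
    "svc-azcli@corp.example": {"GB"},
}

# Constructed sign-in records, shaped like an Entra ID sign-in log export.
SIGN_INS = [
    {"createdDateTime": "2024-10-02T09:00:00Z", "userPrincipalName": "svc-azcli@corp.example",
     "authenticationProtocol": "deviceCode", "appDisplayName": "Microsoft Azure CLI",
     "location": {"countryOrRegion": "GB"}, "status": {"errorCode": 0}},
    {"createdDateTime": "2024-10-02T10:15:00Z", "userPrincipalName": "alice@corp.example",
     "authenticationProtocol": "deviceCode", "appDisplayName": "Microsoft Office",
     "location": {"countryOrRegion": "RU"}, "status": {"errorCode": 0}},
    {"createdDateTime": "2024-10-02T10:20:00Z", "userPrincipalName": "alice@corp.example",
     "authenticationProtocol": "none", "appDisplayName": "Outlook Web",
     "location": {"countryOrRegion": "GB"}, "status": {"errorCode": 0}},
]

# Constructed audit records (Entra ID audit log shape).
AUDIT_EVENTS = [
    {"activityDateTime": "2024-10-02T10:17:00Z",
     "activityDisplayName": "Add OAuth2PermissionGrant",
     "initiatedBy": {"user": {"userPrincipalName": "alice@corp.example"}},
     "targetResources": [{"displayName": "Contoso Support Helper"}]},
]


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def detect_device_code_abuse(sign_ins, audit_events, known_users, baseline,
                             window=timedelta(minutes=30)):
    """Return one alert dict per suspicious successful device-code sign-in."""
    alerts = []
    # Index consent grants by the user who performed them.
    grants_by_user = defaultdict(list)
    for ev in audit_events:
        if ev.get("activityDisplayName") == "Add OAuth2PermissionGrant":
            upn = ev["initiatedBy"].get("user", {}).get("userPrincipalName")
            grants_by_user[upn].append(ev)

    for si in sign_ins:
        if si.get("authenticationProtocol") != "deviceCode" or si["status"]["errorCode"] != 0:
            continue  # only successful device-code sign-ins matter here
        upn = si["userPrincipalName"]
        if upn in known_users:
            continue  # expected use (CLI on a headless host, IoT enrolment, ...)
        reasons = ["device-code sign-in by a standard user account"]
        country = si["location"]["countryOrRegion"]
        if country not in baseline.get(upn, set()):
            reasons.append(f"sign-in from unusual location {country}")
        t = _ts(si["createdDateTime"])
        for ev in grants_by_user.get(upn, []):
            delta = (_ts(ev["activityDateTime"]) - t).total_seconds()
            if 0 <= delta <= window.total_seconds():
                app = ev["targetResources"][0]["displayName"]
                reasons.append(f"OAuth2 permission grant to '{app}' within {window} of sign-in")
        severity = "high" if len(reasons) >= 3 else "medium" if len(reasons) == 2 else "low"
        alerts.append({"user": upn, "app": si["appDisplayName"],
                       "severity": severity, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for a in detect_device_code_abuse(SIGN_INS, AUDIT_EVENTS,
                                      KNOWN_DEVICE_CODE_USERS, USER_BASELINE_COUNTRY):
        print(a["severity"].upper(), a["user"], a["app"], "|", "; ".join(a["reasons"]))
```

On the constructed data the service account's CLI sign-in is suppressed by the allowlist, while the standard user's device-code sign-in from an unusual country, followed two minutes later by a consent grant to an unknown application, produces a single high-severity alert. The allowlist is the tuning knob: every account on it is one that a phishing campaign could still target, so keep it short and review it.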
## Mitigation Strategies
- **Policy Enforcement:** Disable the Device Code Flow globally in Entra ID if it is not required for your business operations.
- **Conditional Access:** Implement strict Conditional Access policies that require "Managed Devices" or "Compliant Devices" for sensitive resources.
- **User Education:** Train users never to enter a 6-to-8 character "Device Code" into a website unless they themselves initiated a sign-in on a device they physically control (such as a TV or printer) and the code is the one that device displayed.
- **Application Governance:** Restrict the ability of users to consent to third-party applications.
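Disabling the device code flow is done through a Conditional Access policy whose authentication-flows condition targets the device code flow with a "block" grant. A common failure is a policy that exists but is still in report-only mode, or that carries a group exclusion left over from a pilot. The following is an added example, not from the original brief or from Microsoft: it audits exported policy objects for a tenant-wide block. The field names follow the Microsoft Graph `conditionalAccessPolicy` schema as I recall it (`state`, `conditions.authenticationFlows.transferMethods`, `conditions.users`, `conditions.applications`, `grantControls.builtInControls`); treat them as an assumption and verify against the current Graph documentation. The weak and corrected policies at the bottom are constructed samples.

```python
"""Audit exported Conditional Access policies for a tenant-wide block on the
device code flow (the 'Policy Enforcement' mitigation above).

Added example, not from the original page. Field names follow the Microsoft
Graph conditionalAccessPolicy schema as recalled; treat them as an assumption
and verify against current Graph docs. Both policies below are constructed.
"""


def _transfer_methods(policy):
    """Parse the comma-separated transferMethods flag string into a set."""
    flows = policy.get("conditions", {}).get("authenticationFlows") or {}
    raw = flows.get("transferMethods") or ""
    return {m.strip() for m in raw.split(",") if m.strip()}


def policy_findings(policy):
    """Return the reasons why this policy does NOT fully block the device code
    flow for every user and app; an empty list means it does."""
    reasons = []
    cond = policy.get("conditions", {})
    if "deviceCodeFlow" not in _transfer_methods(policy):
        reasons.append("does not target the device code flow")
    if policy.get("state") != "enabled":
        reasons.append(f"state is '{policy.get('state')}', so it is not enforced")
    users = cond.get("users", {})
    if users.get("includeUsers") != ["All"]:
        reasons.append("does not include all users")
    if users.get("excludeUsers") or users.get("excludeGroups"):
        reasons.append("has user/group exclusions (every excluded account remains exposed)")
    apps = cond.get("applications", {})
    if apps.get("includeApplications") != ["All"]:
        reasons.append("does not cover all cloud apps")
    controls = (policy.get("grantControls") or {}).get("builtInControls") or []
    if "block" not in controls:
        reasons.append(f"grant control is {controls or 'none'}, not 'block'")
    return reasons


def audit_device_code_policies(policies):
    """Return (tenant_blocks_device_code, report_lines) for a list of policies."""
    blocked = False
    report = []
    for p in policies:
        name = p.get("displayName", "<unnamed>")
        if "deviceCodeFlow" not in _transfer_methods(p):
            continue  # unrelated policy, skip it
        reasons = policy_findings(p)
        if not reasons:
            blocked = True
            report.append(f"OK   '{name}': blocks device code flow for all users and apps")
        else:
            report.append(f"WEAK '{name}': " + "; ".join(reasons))
    if not blocked:
        report.append("GAP  no enabled policy blocks the device code flow tenant-wide")
    return blocked, report


# Constructed sample: report-only, with a leftover pilot exclusion group.
WEAK_POLICY = {
    "displayName": "Block device code flow (pilot)",
    "state": "enabledForReportingButNotEnforced",
    "conditions": {
        "users": {"includeUsers": ["All"], "excludeUsers": [],
                  "excludeGroups": ["<pilot-exclusion-group-id placeholder>"]},
        "applications": {"includeApplications": ["All"]},
        "authenticationFlows": {"transferMethods": "deviceCodeFlow"},
    },
    "grantControls": {"operator": "OR", "builtInControls": ["block"]},
}

# Constructed sample: the corrected, enforced, exclusion-free policy.
STRONG_POLICY = {
    "displayName": "Block device code flow",
    "state": "enabled",
    "conditions": {
        "users": {"includeUsers": ["All"], "excludeUsers": [], "excludeGroups": []},
        "applications": {"includeApplications": ["All"]},
        "authenticationFlows": {"transferMethods": "deviceCodeFlow"},
    },
    "grantControls": {"operator": "OR", "builtInControls": ["block"]},
}

if __name__ == "__main__":
    for policies in ([WEAK_POLICY], [WEAK_POLICY, STRONG_POLICY]):
        ok, lines = audit_device_code_policies(policies)
        print("tenant blocks device code flow:", ok)
        for line in lines:
            print(" ", line)
```

Feed it the JSON returned by the Graph `identity/conditionalAccess/policies` listing (or an export of it) and it reports the gap until an enabled, exclusion-free, all-apps block policy is present. If a legitimate device-code use case exists (for example a headless CLI host), scope that exception to a dedicated account rather than a broad group, and pair it with the sign-in monitoring described under Detection Methods.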
## Related Tools/Techniques
- **OAuth Consent Phishing:** Similar technique where users authorize a malicious app via a standard OAuth window.
- **Adversary-in-the-Middle (AitM):** Often used in conjunction with these kits to capture session cookies.
- **EvilProxy / Mamba2:** Alternative frameworks for capturing M365 sessions.