Full Report
With contributions from Cris Tomboc.
Analysis Summary
This summary deconstructs the threat intelligence report regarding the surge in OAuth Device Code Flow phishing campaigns.
# Tool/Technique: OAuth Device Code Phishing
## Overview
Device code phishing is a sophisticated social engineering technique that abuses Microsoft’s legitimate "Device Code" authentication flow. Unlike traditional phishing that steals passwords, this method tricks victims into authorizing a new device (the attacker's) by entering a short code on a legitimate Microsoft login page. This results in the attacker receiving OAuth access and refresh tokens, effectively bypassing Multi-Factor Authentication (MFA) and eliminating the need for credentials.
## Technical Details
- **Type:** Technique / Phishing-as-a-Service (PaaS)
- **Platform:** Microsoft 365 / Azure AD (Entra ID)
- **Capabilities:** Token theft, MFA bypass, persistent access via refresh tokens.
- **First Seen:** Historically documented, but peaked in May 2026 as a commodity service.
## MITRE ATT&CK Mapping
- **[TA0001 - Initial Access]**
- **[T1566.002 - Phishing: Spearphishing Link]**
- **[TA0006 - Credential Access]**
- **[T1528 - Steal Application Access Token]**
- **[TA0003 - Persistence]**
- **[T1136.003 - Create Account: Cloud Account]**
- **[TA0005 - Defense Evasion]**
- **[T1550.001 - Use Alternate Authentication Material: Application Access Token]**
## Functionality
### Core Capabilities
- **Token Acquisition:** Initiates the device code flow to generate a short user code, which the victim is later told to enter at `microsoft.com/devicelogin`.
- **Lure Hosting:** Displays the code on a "Lure Website" to convince the user to input it into the legitimate Microsoft portal.
- **MFA Bypass:** Because the victim completes the MFA prompt on their own trusted device/browser, the resulting token granted to the attacker is already authenticated.
### Advanced Features
- **PaaS Integration:** Distribution via kits like **EvilTokens**, **Kali365**, **Ghost Hub**, and **Cyb3r**.
- **Evasion Chains:** Use of password-protected PDFs, QR codes, and multi-stage redirects through legitimate platforms to avoid email gateways.
- **AiTM Integration:** Adoption by established kits like **Tycoon2FA**.
## Indicators of Compromise
- **URL Patterns:** Links leading to `microsoft.com/devicelogin` following an intermediary redirect.
- **Phishing Kit Names:** EvilTokens, Kali365, Ghost Hub, Cyb3r.
- **Network Indicators:**
- `microsoft[.]com/devicelogin` (Legitimate site abused in the flow)
- `login[.]microsoftonline[.]com` (Legitimate site abused in the flow)
- [Note: Specific malicious C2 domains vary by campaign and should be monitored via URLScan.io strings.]
## Associated Threat Actors
- **Cybercriminals/PaaS Providers:** Operators of EvilTokens and Kali365.
- **Tycoon2FA Operators:** Known for Adversary-in-the-Middle (AiTM) attacks.
## Detection Methods
- **Behavioral Detection:** Monitor Azure AD (Entra ID) sign-in logs for `Authentication Protocol: Device Code`.
- **Anomalies:** Flag sign-ins where the "User Agent" or "Initial Request" originates from a suspicious IP (Attacker) while the "Approval" originates from a known user IP.
- **Log Analysis:** Search for successful OAuth token grants to applications from unusual device names or locations.
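The three detection bullets above, carried through as an added example (this is not code from the report or from any vendor tooling): a small Python detector run over constructed sign-in records. The records borrow a few Entra ID sign-in log field names (`userPrincipalName`, `authenticationProtocol`, `ipAddress`, `status.errorCode`, `correlationId`); the `stage` field and the idea that a token request and its approval share a correlation id are assumptions made here to model the "initial request IP vs. approval IP" anomaly, and a real export will need its own correlation step. Known IPs per user are learned from that user's successful non-device-code sign-ins, which is what lets the detector tell "attacker requested, victim approved" apart from an ordinary device code sign-in.

```python
import json
from collections import defaultdict

DEVICE_CODE = "deviceCode"  # authenticationProtocol value for the device code flow

# Constructed sample records (not real telemetry). The "stage" field is an
# assumption added here: "tokenRequest" is the side that started the flow and
# polls for the token, "approval" is the side where the user entered the code.
SAMPLE_SIGNINS = """
{"userPrincipalName": "alice@example.com", "authenticationProtocol": "oAuth2", "ipAddress": "203.0.113.10", "appDisplayName": "Outlook", "status": {"errorCode": 0}, "correlationId": "c1", "stage": "approval"}
{"userPrincipalName": "alice@example.com", "authenticationProtocol": "deviceCode", "ipAddress": "198.51.100.77", "appDisplayName": "Microsoft Office", "status": {"errorCode": 0}, "correlationId": "c2", "stage": "tokenRequest"}
{"userPrincipalName": "alice@example.com", "authenticationProtocol": "deviceCode", "ipAddress": "203.0.113.10", "appDisplayName": "Microsoft Office", "status": {"errorCode": 0}, "correlationId": "c2", "stage": "approval"}
{"userPrincipalName": "bob@example.com", "authenticationProtocol": "deviceCode", "ipAddress": "192.0.2.5", "appDisplayName": "Microsoft Office", "status": {"errorCode": 0}, "correlationId": "c3", "stage": "tokenRequest"}
{"userPrincipalName": "bob@example.com", "authenticationProtocol": "deviceCode", "ipAddress": "192.0.2.5", "appDisplayName": "Microsoft Office", "status": {"errorCode": 0}, "correlationId": "c3", "stage": "approval"}
{"userPrincipalName": "carol@example.com", "authenticationProtocol": "deviceCode", "ipAddress": "198.51.100.77", "appDisplayName": "Microsoft Office", "status": {"errorCode": 70016}, "correlationId": "c4", "stage": "tokenRequest"}
"""


def parse_signins(text):
    """Parse newline-delimited JSON sign-in records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def succeeded(rec):
    """A sign-in counts as successful only when errorCode is explicitly 0."""
    return rec.get("status", {}).get("errorCode", 1) == 0


def baseline_ips(records):
    """Known IPs per user, learned from successful sign-ins that did NOT use
    the device code flow (so a phished flow cannot poison its own baseline)."""
    known = defaultdict(set)
    for rec in records:
        if succeeded(rec) and rec.get("authenticationProtocol") != DEVICE_CODE:
            known[rec["userPrincipalName"]].add(rec["ipAddress"])
    return known


def detect_device_code_abuse(records, known=None):
    """Return one finding per completed device code flow, rated by how far the
    requesting IP deviates from the user's history."""
    if known is None:
        known = baseline_ips(records)

    # Group the device code records of one flow by correlationId and stage.
    flows = defaultdict(dict)
    for rec in records:
        if rec.get("authenticationProtocol") == DEVICE_CODE:
            flows[rec["correlationId"]][rec["stage"]] = rec

    findings = []
    for cid, stages in flows.items():
        request, approval = stages.get("tokenRequest"), stages.get("approval")
        if request is None or approval is None or not succeeded(approval):
            continue  # incomplete or failed flow: no token was issued
        user = approval["userPrincipalName"]
        user_ips = known.get(user, set())
        req_known = request["ipAddress"] in user_ips
        appr_known = approval["ipAddress"] in user_ips
        if not req_known and appr_known:
            severity = "high"  # the exact phishing pattern: attacker asked, user approved
            reason = "token requested from an IP with no history for this user, approved from a known user IP"
        elif not req_known:
            severity = "medium"
            reason = "device code flow completed from an IP with no sign-in history for this user"
        else:
            severity = "low"
            reason = "device code flow used from a known IP; confirm the flow is expected for this user"
        findings.append({
            "correlationId": cid, "user": user, "severity": severity,
            "requestIp": request["ipAddress"], "approvalIp": approval["ipAddress"],
            "app": approval.get("appDisplayName"), "reason": reason,
        })
    return findings


if __name__ == "__main__":
    for f in detect_device_code_abuse(parse_signins(SAMPLE_SIGNINS)):
        print(f"[{f['severity'].upper()}] {f['user']} via {f['app']}: {f['reason']}")
```

Run as-is it reports Alice's flow as high (request from 198.51.100.77, approval from her usual 203.0.113.10) and Bob's as medium (no history either way); Carol's flow never completed, so nothing was granted and nothing is raised. In a real pipeline the baseline would be built over a longer window than the alert window, and the "low" tier is the place to apply a list of accounts that legitimately use the flow for IoT or headless devices.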
## Mitigation Strategies
- **Conditional Access:** Strictly restrict or disable the Device Code Flow (Policy: "Grant" -> "Block Access" for Device Code Flow) unless specifically required for IoT/headless devices.
- **Trusted Devices:** Require "Compliant Device" or "Hybrid Azure AD Joined" status in Conditional Access policies to prevent unauthorized devices from receiving tokens.
- **User Education:** Train users to never enter a code at `microsoft.com/devicelogin` unless they are manually setting up a smart TV or a printer.
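The Conditional Access control from the first bullet, as an added example that is not part of the report: a Python helper that builds the policy body in the shape of the Microsoft Graph `conditionalAccessPolicy` resource as I understand it (the `conditions.authenticationFlows.transferMethods` condition, the `deviceCodeFlow` value, the `state` values and the other field names are assumptions to verify against current Graph documentation), shows the weak setting (policy present but left in report-only mode) beside the corrected one (enforced, with an exception group for the IoT or headless accounts that genuinely need the flow), and adds a posture check that tells you whether any enabled policy in a list actually blocks the flow tenant-wide. The group id is a placeholder.

```python
import json

DEVICE_CODE_FLOW = "deviceCodeFlow"  # assumed transferMethods value for the device code flow


def build_device_code_block_policy(name, excluded_group_ids=(), state="enabled"):
    """Build a Conditional Access policy that blocks the device code flow for
    all users and all apps, except members of the excluded groups. Structure
    follows the Graph conditionalAccessPolicy resource (assumed)."""
    return {
        "displayName": name,
        "state": state,
        "conditions": {
            "users": {
                "includeUsers": ["All"],
                "excludeGroups": list(excluded_group_ids),
            },
            "applications": {"includeApplications": ["All"]},
            "authenticationFlows": {"transferMethods": DEVICE_CODE_FLOW},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }


def _targets_device_code(policy):
    """True if the policy's authenticationFlows condition names the device code flow.
    transferMethods is treated as a comma-separated flags string (assumed)."""
    methods = (policy.get("conditions", {})
                     .get("authenticationFlows", {})
                     .get("transferMethods") or "")
    return DEVICE_CODE_FLOW in {m.strip() for m in methods.split(",")}


def _blocks_everyone(policy):
    """True if the policy is scoped to all users and all apps and its grant control is block."""
    cond = policy.get("conditions", {})
    all_users = "All" in cond.get("users", {}).get("includeUsers", [])
    all_apps = "All" in cond.get("applications", {}).get("includeApplications", [])
    blocks = "block" in policy.get("grantControls", {}).get("builtInControls", [])
    return all_users and all_apps and blocks


def audit_device_code_posture(policies):
    """Classify policies into those that enforce a tenant-wide device code block
    and those that only observe it in report-only mode; 'covered' is True only
    when at least one enforcing policy exists."""
    enforcing, report_only = [], []
    for p in policies:
        if not (_targets_device_code(p) and _blocks_everyone(p)):
            continue
        if p.get("state") == "enabled":
            enforcing.append(p["displayName"])
        elif p.get("state") == "enabledForReportingButNotEnforced":
            report_only.append(p["displayName"])
    return {"covered": bool(enforcing), "enforcing": enforcing, "report_only": report_only}


# Constructed tenant states: the weak setting (policy exists but is report-only,
# so it changes nothing) beside the corrected one (enforced, with a documented
# exception group whose id is a placeholder).
WEAK_POLICY = build_device_code_block_policy(
    "CA-Block-DeviceCode", state="enabledForReportingButNotEnforced")
STRONG_POLICY = build_device_code_block_policy(
    "CA-Block-DeviceCode",
    excluded_group_ids=["00000000-0000-0000-0000-000000000000"])  # placeholder group id


if __name__ == "__main__":
    print(json.dumps(STRONG_POLICY, indent=2))
    print(audit_device_code_posture([WEAK_POLICY]))
    print(audit_device_code_posture([WEAK_POLICY, STRONG_POLICY]))
```

The audit deliberately refuses to count a policy as coverage when it is report-only, scoped to a subset of users or apps, or missing the block control, because each of those is a way a "device code is blocked" claim turns out to be false when the sign-in logs are checked. Staging the policy as report-only first is still the right rollout order; the point of the check is that report-only must not be where it stays.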
## Related Tools/Techniques
- **Adversary-in-the-Middle (AiTM):** Similar outcome (MFA bypass) but uses proxying instead of the device flow.
- **EvilProxy:** A prominent AiTM kit.
- **Token Theft:** A broader category of attacks targeting session or OAuth tokens.