TTPwire Vol. 1 · MITRE ATT&CK Tagged


Huntress

Device Code Phishing in Google Cloud and Azure | Huntress

2025-02-06

ATT&CK techniques detected

23 predictions
T1528 Steal Application Access Token (96%)
"token can be used to call the Graph API and read the user's emails, look at their calendar, read their files, and many other things as specified in the scope of the token: While the family of client IDs is fascinating, it's largely outside the scope of this blog post. But th…"

T1528 Steal Application Access Token (95%)
"token endpoint, which handles request and response for generating authentication tokens. Once the user has fallen victim to the phish, their authentication generates a set of tokens that now live at the OAuth token API endpoint and can be retrieved by providing the correct device…"

T1566.002 Spearphishing Link (90%)
"this attack uses the legitimate authentication flow instead of exploiting some vulnerability or bug. The entire phishing context stays on legitimate Microsoft infrastructure, using legitimate Microsoft APIs, to perform the legitimate (if not hijacked) device code authentication…"

T1528 Steal Application Access Token (86%)
"ID to the Microsoft Authentication Broker (29d9ed98-a469-4536-ade2-f981bc1d605e). The token generated from successfully phishing a victim with these parameters is the most powerful kind of token in the Azure OAuth token schema. This token can be used, among other things…"

T1525 Implant Internal Image (81%)
"…s. As always, a great place to start is the developer documentation. And right away, it becomes clear that we're going to be fighting an uphill battle: the documentation clearly states that not all scopes are supported by the device code flow. But hackers never give up hope,…"

T1111 Multi-Factor Authentication Interception (81%)
". If hackers are good at anything, it's finding niche features like the device code flow and pivoting this one-off authentication method into a vector of initial access. So let's talk about phishing with device codes! Device Code Phishing in Microsoft 365 Phishing by exploi…"

T1528 Steal Application Access Token (77%)
"as the attacker, get to use a legitimate Microsoft URL for your phishing attack. Finally (and most importantly), the attacker controls the specific type of resource and token that's generated due to this attack. In the example above, the attacker creates a device code that is…"

T1525 Implant Internal Image (68%)
"in to their email and other resources, and other incredibly powerful types of access. And in Google, we can use the GDrive file permission scope to *checks notes* “see, edit, create, and delete only the specific Google Drive files you use with this app.” Before we've even s…"

T1528 Steal Application Access Token (65%)
"ecosystem. At worst, it can be used to steal the most powerful kind of token that exists. But recall that the device code authentication flow isn't an Azure-specific mechanism. Rather, Azure implements device code flow as a method of authentication. The device code flow speci…"

T1528 Steal Application Access Token (64%)
"the code. - Victim obliges and goes to the completely legitimate device code login page where they input the device code, their username and password, and their MFA code. And then… nothing happens, at least from the victim's perspective… - …but the attacker has been monitori…"

T1111 Multi-Factor Authentication Interception (61%)
"sent this phish with a convincing pretext, so the victim browses to https://microsoft.com/devicelogin and enters the provided code, duly ignoring the warning about inputting codes from untrusted sources… The page then prompts the victim for a username and password… …and…"

T1528 Steal Application Access Token (52%)
"…where: - The requested URL is Azure's common device code authentication API endpoint. - The client_id parameter is the GUID of the requesting client (pay attention to this; it will be important later). - The resource parameter is the requested resource. In this case, we…"

T1525 Implant Internal Image (50%)
"the code. - Victim obliges and goes to the completely legitimate device code login page where they input the device code, their username and password, and their MFA code. And then… nothing happens, at least from the victim's perspective… - …but the attacker has been monitori…"

T1528 Steal Application Access Token (50%)
"Google Workspace application and configure it to use OAuth 2.0. So if you were hoping for some semblance of anonymity while carrying out the attack, you can throw that out the window. Even if you go through the trouble of building an OAuth app within Google, there are still othe…"

T1111 Multi-Factor Authentication Interception (50%)
"…where: - The requested URL is Azure's common device code authentication API endpoint. - The client_id parameter is the GUID of the requesting client (pay attention to this; it will be important later). - The resource parameter is the requested resource. In this case, we…"

T1528 Steal Application Access Token (48%)
"sent this phish with a convincing pretext, so the victim browses to https://microsoft.com/devicelogin and enters the provided code, duly ignoring the warning about inputting codes from untrusted sources… The page then prompts the victim for a username and password… …and…"

T1528 Steal Application Access Token (48%)
"Device Code Phishing in Google Cloud and Azure | Huntress Come along with me on a journey as we delve into the swirling, echoing madness of identity attacks. Today I present a case study on how different implementations of OAuth 2.0, the core authentication schema used in most i…"

T1525 Implant Internal Image (43%)
"the Azure device code phish attack: Once the victim punches in their credentials, we get an access token and refresh token! But good luck using either to gain initial access given the limited scope. Important note: I've really only scratched the surface of the attack surface…"

T1525 Implant Internal Image (41%)
"that would probably use the device code authentication flow are smart TVs (the documentation even specifies this in the title! “OAuth 2.0 for TV and Limited-Input Device Applications”). It's not hard to imagine that the kinds of accesses a TV would need center on enterta…"

T1525 Implant Internal Image (37%)
"ecosystem. At worst, it can be used to steal the most powerful kind of token that exists. But recall that the device code authentication flow isn't an Azure-specific mechanism. Rather, Azure implements device code flow as a method of authentication. The device code flow speci…"

T1111 Multi-Factor Authentication Interception (34%)
"Device Code Phishing in Google Cloud and Azure | Huntress Come along with me on a journey as we delve into the swirling, echoing madness of identity attacks. Today I present a case study on how different implementations of OAuth 2.0, the core authentication schema used in most i…"

T1525 Implant Internal Image (34%)
"Google Workspace application and configure it to use OAuth 2.0. So if you were hoping for some semblance of anonymity while carrying out the attack, you can throw that out the window. Even if you go through the trouble of building an OAuth app within Google, there are still othe…"

T1528 Steal Application Access Token (30%)
"the Azure device code phish attack: Once the victim punches in their credentials, we get an access token and refresh token! But good luck using either to gain initial access given the limited scope. Important note: I've really only scratched the surface of the attack surface…"

Summary

All OAuth 2.0 implementations are equal. Some are just more equal than others. This blog covers device code phishing and compares OAuth implementations between Google and Azure. Does OAuth implementation impact the efficacy of hacker tradecraft? Find out here!