Inside an AI-enabled device code phishing campaign

MITRE Techniques

• [T1566 ] Phishing – Use of deceptive, role-targeted emails and lures to direct users to threat actor-controlled pages (‘The threat actor distributes deceptive emails to the intended victims, utilizing a wide array of themes like invoices, RFPs, or shared files.’).
• [T1566.002 ] Spearphishing Link – Embedded direct URLs and multi-stage redirect chains through compromised legitimate domains and serverless platforms to deliver the phishing flow (‘the threat actor does not link directly to the final phishing site. Instead, they use a series of redirects through compromised legitimate domains and high-reputation “Serverless” platforms.’).
• [T1583 ] Acquire Infrastructure – Use of legitimate PaaS and serverless platforms (Railway.com, Vercel, Cloudflare Workers, AWS Lambda) to host short-lived infrastructure and avoid detection (‘Threat actors used automation platforms like Railway.com to spin up thousands of unique, short-lived polling nodes.’).
• [T1059 ] Command and Scripting Interpreter – Use of client-side and backend scripts (JavaScript/Node.js) to generate device codes, poll status, and perform clipboard hijacking (‘When a user clicks the malicious link, they are directed to a web page running a background automation script.’).
• [T1204 ] User Execution – Victim interaction required (clicking links, pasting device codes) to complete the device code authentication handoff (‘When a user clicks the malicious link, they are directed to a web page… the code is then displayed on the user’s screen along with a button that redirects them to the official microsoft.com/devicelogin portal.’).
• [T1036 ] Masquerading – Domain shadowing and brand-impersonating subdomains to bypass reputation filters (‘domain shadowing and brand-impersonating subdomains to bypass reputation filters. Several domains were designed to impersonate technical or administrative services (e.g., graph-microsoft[.]com, portal-azure[.]com, office365-login[.]com)’).
• [T1078 ] Valid Accounts – Acquisition and use of valid access and refresh tokens via the device code flow to access accounts without credentials (‘The threat actor’s server now possesses a live Access Token for the targeted user’s account, bypassing MFA by design, due to the use of the alternative Device Code flow.’).
• [T1087 ] Account Discovery – Microsoft Graph reconnaissance to map organizational structure and permissions after token acquisition (‘Using Microsoft Graph reconnaissance, the threat actor programmatically mapped internal organizational structures and identify sensitive permissions the moment a token was secured.’).
• [T1114 ] Email Collection – Exfiltration of email data and creation of malicious inbox rules to persist and forward high-value communications (’email exfiltration and account persistence through Inbox rules created using Microsoft Office Application.’).
• [T1098 ] Account Manipulation – Post-compromise actions such as registering devices to generate Primary Refresh Tokens and creating inbox rules to maintain long-term access (‘within 10 minutes of the breach, threat actor’s registered new devices to generate a Primary Refresh Token (PRT) for long-term persistence… creating malicious inbox rules’).