Go With the Flow: Abusing OAuth Device Code Flow

LevelBlue’s Global Threat Operations (GTO) identified a phishing campaign that abuses Microsoft’s OAuth 2.0 Device Authorization Grant (Device Code Flow), using a fake Adobe-themed site and compromised redirection infrastructure to obtain access and refresh tokens. The report documents the attack chain, key indicators such as hxxps://adobe.safest.org/ and Mandrill-based redirects, detection KQL queries, and recommendations including blocking Device Code Flow in Conditional Access Policies. #Microsoft #DeviceCodeFlow

Keypoints

  • LevelBlue GTO discovered a novel phishing vector that leverages the OAuth 2.0 Device Code Flow to obtain delegated access tokens and refresh tokens.
  • Phishing emails used Mailchimp/Mandrill links with Base64-encoded payloads to hide final malicious destinations and bypass initial mail security controls.
  • Attack infrastructure included a compromised redirect endpoint on ppsrq[.]org that accepted authenticated parameters of the form Base64Url(HMAC-SHA256(json_payload | secret)).Base64Url(json_payload).
  • The phishing site dynamically requests a device code from Microsoft, displays the user_code to the victim, and polls for authorization status to obtain tokens without exposing direct Microsoft requests to the user.
  • Successful authorization grants persistent delegated access (including refresh tokens) enabling actions via Microsoft Graph such as managing users/groups, Teams messages, Outlook messages, and SharePoint content.
  • Mitigations include blocking Device Code Flow via Conditional Access Policies, monitoring sign-in logs for AuthenticationProtocol == "deviceCode", hunting for device-login URLs, and revoking user sessions on confirmed compromise.
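The sign-in log check in the last bullet, worked through as an added example (not the report's own KQL): it runs the same logic over constructed sign-in records. Field names follow the Microsoft Sentinel SigninLogs schema (AuthenticationProtocol, AppId, UserPrincipalName, IPAddress, ResultType) as an assumption about the export format; the users, IPs, timestamps, the second AppId and the trusted network range are made up. The Azure CLI client ID is the one cited in the report.

```python
import ipaddress
import json

# Azure CLI client ID cited in the report as the app seen in device code requests.
AZURE_CLI_APP_ID = "04b07795-8ddb-461a-bbee-02f9e1bf7b46"

# Constructed sample records (not real telemetry). Field names follow the
# Microsoft Sentinel SigninLogs schema; users, IPs, times and the second AppId
# are made up. ResultType "0" is a successful sign-in; any other value is
# treated as a failure (the code shown here is a made-up non-zero value).
SAMPLE_SIGNIN_LOGS = """\
{"TimeGenerated": "2025-05-01T08:02:11Z", "UserPrincipalName": "alice@example.com", "AuthenticationProtocol": "deviceCode", "AppId": "04b07795-8ddb-461a-bbee-02f9e1bf7b46", "IPAddress": "198.51.100.77", "ResultType": "0"}
{"TimeGenerated": "2025-05-01T08:05:40Z", "UserPrincipalName": "bob@example.com", "AuthenticationProtocol": "authorizationCode", "AppId": "11111111-2222-3333-4444-555555555555", "IPAddress": "10.20.0.15", "ResultType": "0"}
{"TimeGenerated": "2025-05-01T09:17:03Z", "UserPrincipalName": "carol@example.com", "AuthenticationProtocol": "deviceCode", "AppId": "04b07795-8ddb-461a-bbee-02f9e1bf7b46", "IPAddress": "10.20.0.42", "ResultType": "0"}
{"TimeGenerated": "2025-05-01T09:30:55Z", "UserPrincipalName": "alice@example.com", "AuthenticationProtocol": "deviceCode", "AppId": "04b07795-8ddb-461a-bbee-02f9e1bf7b46", "IPAddress": "198.51.100.77", "ResultType": "50199"}
"""

# Hypothetical corporate egress range where admins legitimately run the Azure CLI.
TRUSTED_NETWORKS = ("10.20.0.0/16",)


def parse_signin_logs(text):
    """Parse JSON-lines sign-in records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def is_device_code_signin(record):
    """True when the sign-in used the OAuth 2.0 Device Authorization Grant."""
    return str(record.get("AuthenticationProtocol", "")).lower() == "devicecode"


def triage_device_code_signins(records, trusted_networks=TRUSTED_NETWORKS,
                               watched_app_ids=(AZURE_CLI_APP_ID,)):
    """Return one finding per device-code sign-in, with a severity:

    high   - successful, from outside the trusted networks (the phished-token
             pattern: the code is redeemed somewhere the user is not)
    medium - successful, from a trusted network (likely a real CLI session,
             still worth confirming with the user)
    low    - failed attempt (the code was never authorised, or expired)
    """
    nets = [ipaddress.ip_network(n) for n in trusted_networks]
    findings = []
    for rec in records:
        if not is_device_code_signin(rec):
            continue
        ip = ipaddress.ip_address(rec["IPAddress"])
        from_trusted = any(ip in net for net in nets)
        succeeded = str(rec.get("ResultType", "")) == "0"
        if succeeded and not from_trusted:
            severity = "high"
        elif succeeded:
            severity = "medium"
        else:
            severity = "low"
        findings.append({
            "time": rec.get("TimeGenerated"),
            "user": rec.get("UserPrincipalName"),
            "ip": str(ip),
            "app_id": rec.get("AppId"),
            "watched_app": rec.get("AppId") in watched_app_ids,
            "severity": severity,
        })
    return findings


def users_to_review(findings):
    """UPNs with a high-severity finding: candidates for session revocation and
    a review of recent Graph activity (mail rules, Teams messages, SharePoint)."""
    return sorted({f["user"] for f in findings if f["severity"] == "high"})


if __name__ == "__main__":
    results = triage_device_code_signins(parse_signin_logs(SAMPLE_SIGNIN_LOGS))
    for f in results:
        print(f"{f['severity']:6} {f['time']} {f['user']} from {f['ip']} app={f['app_id']}")
    print("review:", users_to_review(results))
```

The severity split matters because device code sign-ins are not malicious by themselves: the Azure CLI and other first-party tools use the flow legitimately. What distinguishes the campaign is a successful device-code sign-in from a location the user is not at, which is why the example keys on source network rather than on the client ID alone.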

MITRE Techniques

  • [T1566] Phishing – Attackers delivered malicious links via email and a fake Adobe site to trick users into authorizing OAuth device codes (‘suspicious URL, which was detected within an email message’).
  • [T1204] User Execution – The campaign relies on the victim entering the provided device code and completing the authorization flow to enable account compromise (‘Entering the delivered device code and fulfilling the authorization request would eventually compromise the user’s account’).
  • [T1078] Valid Accounts – Obtained access and refresh tokens are used as valid credentials to access tenant resources and perform actions on behalf of the user (‘compromise the user’s account and grant the threat actor access and (most likely) refresh tokens’).
  • [T1583] Acquire Infrastructure – The adversary used or abused third-party infrastructure (Mailchimp/Mandrill) and a compromised redirect endpoint (ppsrq[.]org) to host and deliver phishing content and redirects (‘Mailchimp’s Mandrill (Mandrillapp.com) links … the complete URL is hidden in a Base64-encoded parameter’ and ‘it is suspected that either the secret or the entire server was compromised’).

Indicators of Compromise

  • [URL/Domain] Phishing destination and redirect infrastructure – hxxps://adobe.safest.org/, ppsrq[.]org (redirect endpoint ppsrq[.]org/so/3dPniokM8/c)
  • [Service / OAuth Endpoints] Device authorization endpoints referenced for detection/hunting – microsoft.com/devicelogin, login.microsoftonline.com/common/oauth2/deviceauth
  • [Application Client ID] Client identifier used in device code requests – 04b07795-8ddb-461a-bbee-02f9e1bf7b46 (Microsoft Azure CLI example)
  • [File Name] Lure displayed to victims on phishing page – important_update.pdf

Read more: https://www.levelblue.com/blogs/spiderlabs-blog/go-with-the-flow-abusing-oauth-device-code-flow