Microsoft Entra ID is increasingly targeted through OAuth token abuse and Device Code Phishing, enabling attackers to gain stealthy access to cloud resources without passwords or MFA. Organizations must detect suspicious consent grants and strengthen defenses. (Affected: Microsoft Entra ID, Cloud Services, Microsoft 365)
Key points:
- Microsoft Entra ID tokens are targeted via OAuth application abuse and Device Code Phishing.
- Attackers exploit legitimate Microsoft authentication flows to steal access tokens without needing passwords or MFA.
- OAuth phishing involves rogue apps requesting broad permissions via user consent, handing attackers long-lasting access tokens.
- Device Code Phishing tricks victims into entering a code on Microsoft’s real login page while attackers poll for tokens silently.
- These attacks bypass traditional security checks, making them difficult to detect and block.
- Detection focuses on monitoring suspicious consent grants, unusual redirect URIs, and anomalous sign-in patterns.
- MITRE ATT&CK v17 explicitly includes OAuth token abuse as a growing attack vector.
- Defenses include conditional access policies, blocking device code flows, and enabling Continuous Access Evaluation (CAE).
- Admin consent workflow limits user consent to apps, reducing permission abuse risks.
- User training, advanced logging, and integration with SIEM systems improve threat detection and response.
MITRE Techniques:
- OAuth Token Abuse (T1078.006) – Adversaries exploit OAuth authorization flows to obtain access tokens that provide access to cloud resources without credentials or MFA prompts.
- Phishing for Information (T1566) – Attackers use social engineering (device code phishing, OAuth consent phishing) to trick users into giving application consent or entering authentication codes.
- Application Layer Protocol (T1071) – Use of OAuth 2.0 authorization endpoints and Microsoft’s legitimate login infrastructure to carry out token theft and session hijack.
- Valid Accounts (T1078) – Attackers obtain valid access tokens tied to victims’ accounts, enabling persistent and stealthy access.
- Credential Access via OAuth Applications (T1698) – Registering rogue OAuth apps to request excessive permissions and intercept tokens upon user consent.
Indicators of Compromise:
- The article highlights monitoring logs for suspicious application consent events where unauthorized apps request broad permissions (e.g., Mail.Read, Files.ReadWrite.All).
- Redirect URIs pointing to attacker-controlled domains can indicate OAuth token interception.
- Unusual values in the request_type field like Consent:Set or Cmsi:Cmsi in sign-in logs may signal malicious OAuth or device code flow abuse.
- Examples include client IDs of rogue OAuth apps, phishing URLs crafted to mimic Microsoft login endpoints, and device codes used during device code phishing campaigns.
- Polling activity at Microsoft’s token endpoint concurrent with user entry of device codes is a behavioral IOC indicating token theft in progress.
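As an added example (not code from the Logpoint article or this page), the Python below applies the detection ideas listed above to constructed consent and sign-in records: it scores each event for broad permission requests, redirect URIs outside trusted domains, and the request_type values named here. The JSON field names, trusted domain list and weights are assumptions, not Microsoft's log schema.

```python
import json
from urllib.parse import urlparse

# Constructed sample records loosely modelled on Entra ID audit/sign-in data;
# the field names are assumptions, not Microsoft's schema.
SAMPLE_LOG = """
{"activity": "Consent to application", "user": "alice@contoso.example", "app": "Mail Sync Helper", "permissions": ["Mail.Read", "Files.ReadWrite.All", "offline_access"], "redirect_uri": "https://login.attacker.example/callback", "request_type": "Consent:Set"}
{"activity": "Consent to application", "user": "bob@contoso.example", "app": "Corporate Intranet", "permissions": ["User.Read"], "redirect_uri": "https://intranet.contoso.example/auth", "request_type": "Consent:Set"}
{"activity": "Sign-in activity", "user": "carol@contoso.example", "app": "Microsoft Office", "permissions": [], "redirect_uri": "", "request_type": "Cmsi:Cmsi"}
"""

# Scopes the article calls out as broad, plus offline_access (yields refresh tokens; assumption: treat as high value)
BROAD_SCOPES = {"Mail.Read", "Mail.ReadWrite", "Files.ReadWrite.All", "Directory.ReadWrite.All", "offline_access"}
# Redirect hosts this tenant expects (assumed list); anything else counts as an unusual redirect URI
TRUSTED_REDIRECT_SUFFIXES = ("contoso.example", "microsoftonline.com")
# request_type values the article names as worth a closer look; on their own they are weak signals
UNUSUAL_REQUEST_TYPES = {"Consent:Set", "Cmsi:Cmsi"}


def redirect_is_trusted(uri: str) -> bool:
    """An empty URI (plain sign-in record) is neutral; otherwise the host must be a trusted domain or subdomain."""
    if not uri:
        return True
    host = (urlparse(uri).hostname or "").lower()
    return any(host == s or host.endswith("." + s) for s in TRUSTED_REDIRECT_SUFFIXES)


def score_event(event: dict) -> tuple:
    """Weighted scoring: broad scopes and untrusted redirects are strong signals, request_type is weak."""
    score, reasons = 0, []
    broad = sorted(BROAD_SCOPES & set(event.get("permissions", [])))
    if broad:
        score += 2
        reasons.append("broad permissions: " + ", ".join(broad))
    if not redirect_is_trusted(event.get("redirect_uri", "")):
        score += 3
        reasons.append("redirect URI outside trusted domains: " + event["redirect_uri"])
    if event.get("request_type") in UNUSUAL_REQUEST_TYPES:
        score += 1
        reasons.append("unusual request_type: " + event["request_type"])
    return score, reasons


def find_suspicious(log_text: str, threshold: int = 3) -> list:
    """Parse newline-delimited JSON events and return those scoring at or above the alert threshold."""
    hits = []
    for line in log_text.strip().splitlines():
        event = json.loads(line)
        score, reasons = score_event(event)
        if score >= threshold:
            hits.append({"user": event["user"], "app": event["app"], "score": score, "reasons": reasons})
    return hits
```

With the sample data only the "Mail Sync Helper" consent crosses the threshold; the legitimate intranet consent and the Cmsi:Cmsi sign-in each score 1 from request_type alone, which is why that field is weighted as corroboration rather than an alert by itself.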
Read more: https://www.logpoint.com/en/blog/emerging-threats/how-oauth-and-device-code-flows-get-abused/