
"Victims think the message is legitimate, because the login page is legitimate, so enter the code. But unknown to the victim, it's actually the code for a device controlled by the threat actor. What the victim has done is issued an OAuth token granting the hacker's device access to their Microsoft account. From there, the hacker has access to everything the account allows the employee to use."
"It works because certain sites, including Microsoft 365, use the OAuth 2.0 Device Authorization Grant process to allow the adding of devices to an account. It's similar to the way a homeowner adds a smart TV to Netflix. KnowBe4 calls it a novel attack, although Johannes Ullrich, dean of research at the SANS Institute, called it 'old new.' According to Trend Micro, a threat actor dubbed Pawn Storm has been leveraging OAuth in phishing campaigns since as far back as 2015."
A device-code phishing campaign abuses OAuth device registration to bypass multifactor authentication protections. The campaign targets North American businesses and professionals via emails containing lures and a 'Secure Authorization' code that leads to a real Microsoft Office 365 login page. When recipients enter the code, they complete the device authorization for a device the attacker controls, and OAuth access and refresh tokens are issued to that device. The attacker gains persistent access to Microsoft accounts and associated services such as Outlook, Teams, and OneDrive without relying on credential theft. The attack exploits the OAuth 2.0 Device Authorization Grant flow and echoes prior OAuth-based phishing techniques.
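Because the device-code flow issues tokens to whichever device requested the code, the sign-in itself is the event a defender can see. The following detection logic is an added example, not code from the Computerworld article or from Microsoft; it assumes sign-in records shaped like Microsoft Entra sign-in logs, where the `authenticationProtocol` field reads `deviceCode` for the Device Authorization Grant, and the sample records are constructed. It surfaces every device-code sign-in and raises the severity when the sign-in comes from a location the user has never used in an earlier ordinary sign-in, which is the shape of the campaign described above (a real login page, but tokens landing on an attacker-controlled device elsewhere).

```python
"""Flag OAuth device-code sign-ins that fall outside a user's location baseline.

Added example; not from the original article. Record layout is an assumption
modelled on Entra sign-in logs (userPrincipalName, authenticationProtocol,
ipAddress, location, createdDateTime). All sample data below is constructed.
"""
import json
from collections import defaultdict

# Constructed sample sign-in events as JSON lines (not real log data).
SAMPLE_SIGNINS = """\
{"userPrincipalName": "alice@example.com", "authenticationProtocol": "none", "ipAddress": "203.0.113.10", "location": "CA", "createdDateTime": "2025-02-10T09:01:00Z"}
{"userPrincipalName": "alice@example.com", "authenticationProtocol": "none", "ipAddress": "203.0.113.10", "location": "CA", "createdDateTime": "2025-02-11T08:55:00Z"}
{"userPrincipalName": "alice@example.com", "authenticationProtocol": "deviceCode", "ipAddress": "198.51.100.7", "location": "NL", "createdDateTime": "2025-02-12T14:20:00Z"}
{"userPrincipalName": "bob@example.com", "authenticationProtocol": "none", "ipAddress": "203.0.113.22", "location": "CA", "createdDateTime": "2025-02-09T10:00:00Z"}
{"userPrincipalName": "bob@example.com", "authenticationProtocol": "deviceCode", "ipAddress": "203.0.113.22", "location": "CA", "createdDateTime": "2025-02-12T10:00:00Z"}
{"userPrincipalName": "carol@example.com", "authenticationProtocol": "deviceCode", "ipAddress": "192.0.2.44", "location": "US", "createdDateTime": "2025-02-12T16:05:00Z"}
"""

# Value the assumed log schema uses for the RFC 8628 Device Authorization Grant.
DEVICE_CODE = "deviceCode"


def parse_signins(text):
    """Parse JSON-lines sign-in records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def flag_device_code_signins(events):
    """Return one finding per device-code sign-in, in chronological order.

    Severity is 'high' when the device-code sign-in comes from a location the
    user has not used in any earlier non-device-code sign-in (or when there is
    no earlier baseline at all) and 'medium' otherwise. Every device-code
    sign-in is surfaced: the flow is rare for ordinary interactive users and is
    exactly the flow the phishing lure relies on.
    """
    findings = []
    baseline = defaultdict(set)  # user -> locations seen in earlier ordinary sign-ins
    for ev in sorted(events, key=lambda e: e["createdDateTime"]):
        user = ev["userPrincipalName"]
        if ev.get("authenticationProtocol") != DEVICE_CODE:
            baseline[user].add(ev["location"])
            continue
        seen = baseline[user]
        if not seen:
            severity, reason = "high", "device code sign-in with no prior baseline"
        elif ev["location"] not in seen:
            severity = "high"
            reason = f"device code sign-in from {ev['location']}, baseline {sorted(seen)}"
        else:
            severity, reason = "medium", "device code sign-in within location baseline"
        findings.append({
            "user": user,
            "ip": ev["ipAddress"],
            "time": ev["createdDateTime"],
            "severity": severity,
            "reason": reason,
        })
    return findings


if __name__ == "__main__":
    for f in flag_device_code_signins(parse_signins(SAMPLE_SIGNINS)):
        print(f"[{f['severity'].upper()}] {f['user']} {f['ip']} {f['time']}: {f['reason']}")
```

Alerting on the sign-in is the detection half; the mitigation half is policy. Microsoft Entra Conditional Access has an authentication flows condition that can block the device code flow for users who have no legitimate need for it, and tokens already issued to an unrecognised device can be cut off by revoking the user's refresh tokens and removing the device registration. The location baseline here is deliberately simple; in production you would bound it to a lookback window and fold in the device and application identifiers the real log carries.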
Read at Computerworld