A couple of weeks ago, I explored Device Code Phishing with a friend, and we decided to make a video about it. It's a new format of video and topic, as I rarely cover the cloud, so we'd appreciate it if you let us know what you think about it.
Links:
- https://www.microsoft.com/en-us/security/blog/2025/02/13/storm-2372-conducts-device-code-phishing-campaign/
- https://www.volexity.com/blog/2025/02/13/multiple-russian-threat-actors-targeting-microsoft-device-code-authentication/
- https://www.inversecos.com/2022/12/how-to-detect-malicious-oauth-device.html
- https://0xboku.com/2021/07/12/ArtOfDeviceCodePhish.html
- https://aadinternals.com/post/phishing/#new-phishing-technique-device-code-authentication
- https://techcommunity.microsoft.com/blog/microsoft-entra-blog/new-microsoft-managed-policies-to-raise-your-identity-security-posture/4286758
00:00 - Showing the Storm-2372 Article
03:27 - Talking about phishing attacks starting out of band
04:40 - Bringing my friend on (oodie), slides talking about some good blog posts about this attack
06:40 - Talking about the history of the attack, when it began
07:23 - Some talk about the OAuth device authorization grant
08:30 - Microsoft is on top of this
10:20 - Showing that the Azure CLI and Az PowerShell can perform device code logins, so these aren't hacking tools
11:00 - Talking about how Device Code Logins work from a protocol level
12:50 - Performing the attack, using TokenTactics to start the device login process and create the phishing email
14:38 - Showing the attack from the victim perspective, so you can see how easy it is to fall for this phishing attack
15:55 - Back to the attacker, using the Token with AADInternals to get information about the organization like dumping users
17:45 - Converting the token to an Outlook one, then searching the mailbox from command line
19:20 - Converting the token to something we can use with the online portal, so we can use the web browser to interact with Office 365
22:00 - Looking at the Sign-in logs and filtering by Device Code Authentications
24:10 - Showing the CMSI (Check My Sign-In) event in Sentinel, which is another indicator
25:35 - Querying emails in Sentinel; you can see the metadata about emails, including all links within the email
26:55 - Creating a policy to block device code login