OAuth’s Device Code Flow Abused in Phishing Attacks

In business email compromise (BEC) scams, threat actors can bypass multi-factor authentication (MFA) by abusing OAuth applications. These “illicit consent” attacks typically involve the threat actors using phishing to convince a victim to grant sensitive permissions (e.g., the ability to read and write email) to an attacker-controlled Azure application. One variation on this attack leverages the OAuth interactive device authorization protocol to imitate legitimate (and possibly verified) OAuth applications during the user consent experience. This approach does not require the threat actor to register a malicious OAuth application, making it challenging for defenders to detect and audit.


Abusing OAuth2.0 Device Authorization


Reports of high-profile BEC incidents and takedowns of threat actors conducting sophisticated phishing campaigns that used COVID-19 (also known as coronavirus) themes highlight the need to detect and prevent OAuth-based threats. In parallel with other research teams, Secureworks® researchers identified a novel phishing technique that abuses the OAuth 2.0 Device Authorization Grant protocol (RFC 8628) to obtain illicit consent.


The OAuth 2.0 Device Authorization Grant allows a user to authenticate an application to an OAuth provider from a different device. This authentication flow was created to facilitate authorization of a dev ..
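Because the technique needs no attacker-registered application, the most reliable audit signal is the authentication flow itself. The following is an added example (not code from the Secureworks article) of a small hunt over constructed Entra ID sign-in records that flags every device-code sign-in and ranks those whose country does not match the user's other sign-ins; the field names (`authenticationProtocol`, `appDisplayName`, `location.countryOrRegion`) and the `deviceCode` value are assumed to match the Microsoft Graph `signIn` schema and should be checked against a real export.

```python
import json
from collections import defaultdict

# Constructed sample sign-in records (not real log data). Field names follow the Microsoft
# Graph signIn resource as assumed here; confirm them against your tenant's own export.
SAMPLE_SIGNINS = "\n".join(json.dumps(r) for r in [
    {"createdDateTime": "2024-05-01T08:02:11Z", "userPrincipalName": "alice@example.com",
     "appDisplayName": "Microsoft Office", "authenticationProtocol": "oAuth2",
     "ipAddress": "203.0.113.10", "location": {"countryOrRegion": "US"}},
    {"createdDateTime": "2024-05-01T08:03:40Z", "userPrincipalName": "alice@example.com",
     "appDisplayName": "Microsoft Office", "authenticationProtocol": "deviceCode",
     "ipAddress": "198.51.100.7", "location": {"countryOrRegion": "NL"}},
    {"createdDateTime": "2024-05-01T09:15:02Z", "userPrincipalName": "bob@example.com",
     "appDisplayName": "Azure CLI", "authenticationProtocol": "deviceCode",
     "ipAddress": "203.0.113.22", "location": {"countryOrRegion": "US"}},
])

def parse_signins(text: str) -> list:
    """Parse newline-delimited JSON records, skipping blank or malformed lines."""
    records = []
    for line in filter(None, (raw.strip() for raw in text.splitlines())):
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # one damaged export line should not abort the whole hunt
    return records

def _country(r: dict):
    return (r.get("location") or {}).get("countryOrRegion")

def find_device_code_signins(records: list) -> list:
    """Flag every device-code sign-in; rank it 'high' when its country is absent from
    the same user's non-device-code sign-ins in the batch, else 'review'. The grant is
    meant for input-constrained devices, so a mail client completing it is unusual."""
    baseline = defaultdict(set)
    for r in records:
        if r.get("authenticationProtocol") != "deviceCode":
            baseline[r.get("userPrincipalName")].add(_country(r))
    findings = []
    for r in records:
        if r.get("authenticationProtocol") != "deviceCode":
            continue
        user, country = r.get("userPrincipalName"), _country(r)
        known = baseline.get(user, set())
        findings.append({"time": r.get("createdDateTime"), "user": user,
                         "app": r.get("appDisplayName"), "ip": r.get("ipAddress"),
                         "country": country,
                         "risk": "high" if known and country not in known else "review"})
    return findings
```

A device-code sign-in with no baseline for the user (bob above) still lands in the review queue, since the absence of history is not evidence that the flow was expected.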
