Home » Technology » Microsoft » Difficult to detect: Phishing campaign uses Microsoft infrastructure

Difficult to detect: Phishing campaign uses Microsoft infrastructure

Security researchers have analyzed a phishing campaign in which attackers exploit Microsoft’s Device Authorization Grant to gain access to user accounts. Attention alone doesn’t help much here.

Real Microsoft URLs in use

The method is particularly treacherous because the actual code is entered on a legitimate Microsoft site, thereby partially bypassing classic indications of phishing attacks. The Device Code Flow, a component of the OAuth 2.0 standard, is affected. The process was developed for devices with limited input options, such as smart TVs, printers or IoT systems.

Instead of entering a user name and password directly on the device, users authenticate themselves via a separate device and confirm a one-time generated code. After Declarations from the security company Kaspersky, researchers observed a campaign between April and May that began with deceptively realistic emails. These posed as communications from a law firm and contained password-protected PDF documents. Within the files, recipients were asked to access supposedly provided documents through a service called “LawConnect.”

The further attack path uses a combination of legitimate Microsoft URLs and redirect mechanisms. Although the link displayed initially pointed to an official Microsoft login page, the victims were redirected to a website controlled by the attackers. After several CAPTCHA queries, you will receive a device code and instructions to enter it on a real Microsoft page.

Technically speaking, those affected are authorizing an application that was previously registered by the attackers. Since the Device Code is already associated with this application, after successful confirmation it receives a valid access token for the victim’s account. The perpetrators can then access emails, profile data or other cloud resources, depending on the permissions granted.

Pay attention to parameters

Kaspersky recommends that users always critically examine device code requests. If you do not log in on an external device, the corresponding authorization should not be confirmed. The researchers also warn against so-called open redirects on trustworthy domains. Parameters such as “redirect_uri”, “return_url” or “next” can be used to redirect users to malicious destinations unnoticed.

Companies should consider whether Device Code Flow is even necessary in their environment. If not, Kaspersky recommends deactivating it via conditional access policies in Microsoft Entra ID. In addition, the experts recommend monitoring DeviceCodeSignIn events, strict enforcement of compliance requirements for end devices, and alerts for logins from unusual regions or other conspicuous sign-in patterns.

Leave a Reply