EXECUTIVE SUMMARY
Device code phishing is an increasingly popular tactic used by cyber actors to compromise enterprise email accounts and steal sensitive information. The technique abuses a legitimate authentication flow, the OAuth 2.0 device authorization grant: the victim signs in on the identity provider's real login page, and the resulting tokens are issued to whoever started the flow. Because no fake login page or stolen password is involved, many modern security controls never trigger, which makes the threat hard to mitigate. Threat actors use a range of tooling, including phishing-as-a-service (PhaaS) offerings such as EvilTokens, to create and distribute device code phishing campaigns. These campaigns often rely on "account takeover jumping," in which an attacker compromises an initial email account and uses it to send phishing links to that account's contacts. The surge in device code phishing coincides with the public release of criminal toolkits and PhaaS offerings, which have lowered the barrier to entry for cyber actors.
Device code phishing attacks deliver a URL in various ways: embedded behind a button, as hyperlinked text, or inside a QR code. When the user visits the URL, it starts an attack sequence built on the legitimate Microsoft device authorization process. The main change in the current device code landscape, and the reason the technique has grown in popularity, is on-demand code generation. Device codes are short-lived (Microsoft's expire after 15 minutes), so older campaigns had to embed a code in the message and hope the recipient acted before it expired. With on-demand generation the code is requested only when the link is clicked, so the recipient can open the email at any time and still kick off the attack chain, which makes the tactic far more reliable and convenient for cyber actors. Device code phishing is a significant threat to organizations, as a successful attack can lead to full account takeover, theft of sensitive information, fraud, and business email compromise.
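The following is an added example, not code from the report or from any of the kits it describes. It is a constructed, offline mock of the OAuth 2.0 device authorization grant (RFC 8628) with a controllable clock, written to show the point above: the party that starts the flow holds the secret device_code and receives the token once the user consents at the real verification page, and because codes expire, a code generated when a message is sent fails if the recipient opens it late, whereas a code generated at click time does not. The verification URI, client id, and 900-second lifetime are assumed values.

```python
"""Mock of the OAuth 2.0 device authorization grant (RFC 8628).

Constructed, offline example with a toy authorization server and a fake
clock; not Microsoft's implementation. It shows why device codes expire
and why requesting the code at click time ("on demand") matters.
"""
import secrets
import string
from dataclasses import dataclass


class FakeClock:
    """Controllable clock so the example can simulate a recipient opening a
    message minutes or hours after it was sent."""

    def __init__(self) -> None:
        self.now = 0.0

    def advance(self, seconds: float) -> None:
        self.now += seconds


@dataclass
class DeviceCodeRecord:
    device_code: str   # secret; returned only to the party that started the flow
    user_code: str     # short code the user types at the verification URI
    issued_at: float
    expires_in: int
    approved: bool = False


class MockAuthorizationServer:
    """Minimal RFC 8628 server: device authorization endpoint, the user's
    approval at the verification URI, and the polled token endpoint."""

    # Assumed lifetime; Microsoft's device codes expire after 15 minutes (900 s).
    def __init__(self, clock: FakeClock, code_lifetime: int = 900) -> None:
        self.clock = clock
        self.code_lifetime = code_lifetime
        self._codes: dict = {}

    def device_authorization(self, client_id: str) -> dict:
        """POST /devicecode: issue a fresh device_code / user_code pair."""
        alphabet = string.ascii_uppercase + string.digits
        rec = DeviceCodeRecord(
            device_code=secrets.token_hex(16),
            user_code="".join(secrets.choice(alphabet) for _ in range(9)),
            issued_at=self.clock.now,
            expires_in=self.code_lifetime,
        )
        self._codes[rec.device_code] = rec
        return {
            "device_code": rec.device_code,
            "user_code": rec.user_code,
            "verification_uri": "https://idp.example/device",  # hypothetical
            "expires_in": rec.expires_in,
            "interval": 5,
        }

    def _expired(self, rec: DeviceCodeRecord) -> bool:
        return self.clock.now - rec.issued_at >= rec.expires_in

    def user_approves(self, user_code: str) -> str:
        """The user's browser at verification_uri: they enter the user_code and
        sign in normally. Nothing shown to them reveals who started the flow."""
        for rec in self._codes.values():
            if rec.user_code == user_code:
                if self._expired(rec):
                    return "expired_token"
                rec.approved = True
                return "approved"
        return "invalid_code"

    def token(self, device_code: str) -> dict:
        """POST /token with grant_type=device_code, polled by the initiator."""
        rec = self._codes.get(device_code)
        if rec is None:
            return {"error": "invalid_grant"}
        if self._expired(rec):
            return {"error": "expired_token"}
        if not rec.approved:
            return {"error": "authorization_pending"}
        return {"access_token": secrets.token_urlsafe(24), "token_type": "Bearer"}


def pre_generated_scenario(delay_seconds: float) -> str:
    """Older pattern: the code is requested when the message is sent and the
    user_code is embedded in it; the recipient enters it delay_seconds later."""
    clock = FakeClock()
    idp = MockAuthorizationServer(clock)
    grant = idp.device_authorization("assumed-client-id")
    clock.advance(delay_seconds)                       # recipient opens the message
    outcome = idp.user_approves(grant["user_code"])
    if outcome != "approved":
        return outcome                                 # e.g. "expired_token"
    return "token_issued" if "access_token" in idp.token(grant["device_code"]) else "no_token"


def on_demand_scenario(delay_seconds: float) -> str:
    """Current pattern: the message carries only a link; the code is requested
    when the recipient clicks, so the delay before opening does not matter."""
    clock = FakeClock()
    idp = MockAuthorizationServer(clock)
    clock.advance(delay_seconds)                       # recipient opens the message
    grant = idp.device_authorization("assumed-client-id")  # generated at click time
    outcome = idp.user_approves(grant["user_code"])
    if outcome != "approved":
        return outcome
    return "token_issued" if "access_token" in idp.token(grant["device_code"]) else "no_token"


if __name__ == "__main__":
    print("pre-generated code, opened after 1 h:", pre_generated_scenario(3600))
    print("on-demand code, opened after 1 h:   ", on_demand_scenario(3600))
```

The two scenario functions differ only in when device_authorization is called. Run with a one-hour delay, the pre-generated code returns expired_token while the on-demand code still yields a token, which is the whole reason the kits moved to generating the code at click time.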
The technique is not limited to English speakers and has been observed in multiple languages targeting organizations globally. While AI has lowered the barrier to entry and accelerated kit development, it has also introduced exploitable weaknesses through OpSec failures and poor implementation. The good news is that the defense against device code phishing is the same regardless of the kit used or the delivery method. Organizations can mitigate this threat by creating a Conditional Access policy that uses the Authentication Flows condition to block device code flow for all users; deploying the policy in report-only mode first will surface any legitimate use of the flow (for example, sign-ins from headless devices or command-line tools) before it is enforced. Enhancing user awareness of device code phishing is also essential: traditional phishing awareness emphasizes checking URLs for legitimacy, which does not help here, because the victim really is on the identity provider's genuine login page.
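As an added example, not code from the report or from Microsoft, the block below builds the Conditional Access policy described above and checks it for the ways such a policy commonly fails to enforce anything. The JSON shape follows my understanding of the Microsoft Graph conditionalAccessPolicy resource (the Authentication Flows condition is conditions.authenticationFlows.transferMethods, a flags value that can name deviceCodeFlow and authenticationTransfer); confirm the field names against the current Graph reference before posting it. The policy display name and the sample excluded-user id are assumptions.

```python
"""Conditional Access policy that blocks device code flow for all users,
plus a check for the ways such a policy commonly fails to bite.

Constructed example, not Microsoft's code. The JSON shape follows my
understanding of the Microsoft Graph conditionalAccessPolicy resource
(conditions.authenticationFlows.transferMethods); verify against the
current Graph reference before use.
"""
import json
from typing import List, Optional


def device_code_block_policy(excluded_users: Optional[List[str]] = None,
                             state: str = "enabled") -> dict:
    """Return the policy body for POST /identity/conditionalAccess/policies."""
    return {
        "displayName": "Block device code flow",      # assumed name
        # "enabled" | "disabled" | "enabledForReportingButNotEnforced"
        "state": state,
        "conditions": {
            "users": {
                "includeUsers": ["All"],
                "excludeUsers": list(excluded_users or []),
                "excludeGroups": [],
                "excludeRoles": [],
            },
            "applications": {"includeApplications": ["All"]},
            "clientAppTypes": ["all"],
            # Flags value; "deviceCodeFlow,authenticationTransfer" covers both.
            "authenticationFlows": {"transferMethods": "deviceCodeFlow"},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }


def policy_gaps(policy: dict) -> List[str]:
    """List reasons why a policy would NOT block device code flow for everyone.
    An empty list means the policy enforces the control described in the text."""
    gaps: List[str] = []
    cond = policy.get("conditions", {})

    if policy.get("state") != "enabled":
        gaps.append(f"state is {policy.get('state')!r}: report-only or disabled "
                    "policies block nothing")

    methods = cond.get("authenticationFlows", {}).get("transferMethods", "")
    if "deviceCodeFlow" not in [m.strip() for m in methods.split(",")]:
        gaps.append("authenticationFlows does not target deviceCodeFlow")

    users = cond.get("users", {})
    if "All" not in users.get("includeUsers", []):
        gaps.append("includeUsers is not All")
    # Exclusions (e.g. break-glass accounts) are a deliberate choice; surface
    # them so they are reviewed rather than silently widening the gap.
    for key in ("excludeUsers", "excludeGroups", "excludeRoles"):
        if users.get(key):
            gaps.append(f"{key} excluded from the block: {users[key]}")

    if "All" not in cond.get("applications", {}).get("includeApplications", []):
        gaps.append("includeApplications is not All")
    if "block" not in policy.get("grantControls", {}).get("builtInControls", []):
        gaps.append("grant control is not block")
    return gaps


if __name__ == "__main__":
    good = device_code_block_policy()
    weak = device_code_block_policy(
        excluded_users=["00000000-0000-0000-0000-000000000000"],  # assumed id
        state="enabledForReportingButNotEnforced",
    )
    print(json.dumps(good, indent=2))
    print("good policy gaps:", policy_gaps(good))
    print("weak policy gaps:", policy_gaps(weak))
```

The check is deliberately strict about exclusions: a single excluded group is enough to leave the most-targeted mailbox unprotected, so any exclusion should be an explicit, reviewed decision (a break-glass account is the usual legitimate case). A policy left in report-only mode after the initial assessment is flagged for the same reason: it produces sign-in log entries but blocks nothing.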
THREAT PROFILE:
| Tactic | Technique ID | Technique | Sub-technique |
|---|---|---|---|
| Resource Development | T1588.002 | Obtain Capabilities | Tool |
| Initial Access | T1566.002 | Phishing | Spearphishing Link |
| Initial Access | T1566.001 | Phishing | Spearphishing Attachment |
| Credential Access | T1528 | Steal Application Access Token | — |
| Initial Access | T1078.001 | Valid Accounts | Default Accounts |
| Credential Access | T1212 | Exploitation for Credential Access | — |
| Impact | T1486 | Data Encrypted for Impact | — |
REFERENCES:
The following reports contain further technical details:
https://cybersecuritynews.com/hackers-abuse-oauth-device-authorization-flow/
https://www.proofpoint.com/us/blog/threat-insight/device-code-phishing-evolution-identity-takeover