{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/outlook-web-application/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Azure Active Directory","Exchange","Outlook Web Application"],"_cs_severities":["high"],"_cs_tags":["azuread","devicecode","phishing","accounttakeover","credentialaccess"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eAttackers are increasingly using Device Code Phishing to bypass Multi-Factor Authentication (MFA) and Conditional Access Policies in Azure Active Directory. This technique involves tricking users into entering a device code on a fake Microsoft login page, granting the attacker access to their accounts. This attack leverages the legitimate device code authentication flow, making it harder to detect than traditional phishing attacks. Successful device code phishing can lead to account takeover, data breaches, and unauthorized access to sensitive resources within the Azure AD environment, including Exchange mailboxes and Outlook Web Application (OWA). Defenders need to monitor for unusual device code authentication activity to mitigate the risk of these attacks. The technique abuses the OAuth 2.0 device authorization grant flow, designed for devices without a browser.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker sends a phishing email to the target user. This email contains a link to a fake Microsoft login page.\u003c/li\u003e\n\u003cli\u003eThe user clicks the link and is prompted to enter a code. The attacker initiates a device code authentication flow on a compromised or attacker-controlled device.\u003c/li\u003e\n\u003cli\u003eThe attacker obtains a device code and presents it to the victim through the phishing page.\u003c/li\u003e\n\u003cli\u003eThe user enters the device code on the fake Microsoft login page, unknowingly authorizing the attacker's device.\u003c/li\u003e\n\u003cli\u003eThe attacker's device requests an access token from Azure AD using the device code.\u003c/li\u003e\n\u003cli\u003eAzure AD validates the device code and, if valid, prompts the user (via the legitimate Microsoft authentication flow, but on the attacker's device) to authenticate and grant permissions.\u003c/li\u003e\n\u003cli\u003eThe user authenticates and grants the requested permissions, completing the device code authentication flow on the attacker's device.\u003c/li\u003e\n\u003cli\u003eThe attacker obtains an access token and can now access the user's Azure AD resources, such as Exchange mailboxes and OWA, without needing to bypass MFA on their primary device.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful Azure AD device code phishing attacks can result in account takeovers, data breaches, and unauthorized access to sensitive resources. Attackers can gain access to Exchange mailboxes, Outlook Web Application (OWA), and other Azure AD-protected applications. The impact can range from data exfiltration and business email compromise to lateral movement within the Azure environment. This can lead to significant financial losses, reputational damage, and compliance violations. The number of victims and sectors targeted can vary, but the potential for widespread impact is high, especially in organizations with weak security awareness training.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eAzure AD Device Code Authentication Activity\u003c/code\u003e to detect suspicious device code authentication requests in Azure AD SignInLogs.\u003c/li\u003e\n\u003cli\u003eImplement enhanced security awareness training to educate users about device code phishing attacks and how to identify fake login pages.\u003c/li\u003e\n\u003cli\u003eMonitor Azure AD SignInLogs for unusual authentication patterns, such as device code authentications from unfamiliar locations or devices.\u003c/li\u003e\n\u003cli\u003eConfigure Conditional Access Policies to restrict device code authentication to trusted devices and locations.\u003c/li\u003e\n\u003cli\u003eReview and harden Conditional Access Policies to prevent bypasses via device code authentication, referencing the Microsoft documentation on device code flows: \u003ca href=\"https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-device-code\"\u003ehttps://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-device-code\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003eEnable logging of Azure AD sign-in events and ensure that logs are ingested into a SIEM or security analytics platform for analysis.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-03-azure-ad-device-code-phishing/","summary":"This brief details the detection of Azure AD Device Code Phishing attacks, where attackers bypass MFA and Conditional Access Policies (CAPs) to gain unauthorized access to Azure AD resources by abusing the device code authentication protocol.","title":"Azure AD Device Code Phishing Attack Detection","url":"https://feed.craftedsignal.io/briefs/2024-01-03-azure-ad-device-code-phishing/"}],"language":"en","title":"CraftedSignal Threat Feed - Outlook Web Application","version":"https://jsonfeed.org/version/1.1"}