{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/oauth-phishing/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Microsoft Entra ID","Microsoft Authentication Broker","Device Registration Service","Microsoft 365"],"_cs_severities":["high"],"_cs_tags":["entra-id","oauth-phishing","initial-access"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThis threat involves attackers conducting OAuth phishing campaigns targeting Microsoft Entra ID users. The attackers craft legitimate Microsoft login URLs to trick users into authenticating, thereby obtaining authorization codes. These codes are then exchanged for access and refresh tokens, allowing the attackers to gain unauthorized access to the user's resources. The Microsoft Authentication Broker (MAB) is used as the client application, and the Device Registration Service (DRS) is the target resource. The activity is characterized by the same user principal and session ID being observed across multiple IP addresses within a 5-minute window. This activity was observed starting in early 2025. The scope of this threat includes any organization utilizing Microsoft Entra ID and the MAB for device registration.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker crafts a phishing email containing a malicious link that leads to a fake Microsoft login page.\u003c/li\u003e\n\u003cli\u003eThe victim clicks the link and is prompted to enter their credentials, unknowingly providing them to the attacker.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the stolen credentials to initiate an OAuth authorization flow via the Microsoft Authentication Broker (MAB) with the Device Registration Service (DRS) as the target.\u003c/li\u003e\n\u003cli\u003eThe legitimate Microsoft login page redirects the user and returns an authorization code to the attacker-controlled application.\u003c/li\u003e\n\u003cli\u003eThe attacker exchanges the authorization code for access and refresh tokens, gaining unauthorized access to the user's Entra ID resources.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the access token to enumerate devices registered to the user via Microsoft Graph.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the refresh token to maintain persistent access to the user's resources, even after the initial session expires.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages access to DRS to potentially manipulate device registrations and further compromise the environment.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful OAuth phishing can lead to unauthorized access to sensitive data and resources within the targeted organization. An attacker with valid access and refresh tokens can impersonate the user, potentially leading to data exfiltration, privilege escalation, and lateral movement within the network. Organizations utilizing Microsoft Entra ID are susceptible, with observed campaigns targeting Microsoft 365 OAuth workflows as reported by Volexity in April 2025.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable and configure the Microsoft Entra ID Sign-In Logs integration to collect sign-in logs, as the detection rule relies on this data source (rule configuration).\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rule to your SIEM to detect suspicious OAuth flows involving MAB and DRS based on multiple IP addresses (rule: \u0026quot;Entra ID OAuth Flow from Multiple IPs\u0026quot;).\u003c/li\u003e\n\u003cli\u003eReview Conditional Access policies for the Microsoft Authentication Broker (app ID: \u003ccode\u003e29d9ed98-a469-4536-ade2-f981bc1d605e\u003c/code\u003e) to enforce MFA and device trust (reference: note section in rule definition).\u003c/li\u003e\n\u003cli\u003eMonitor network connections for anomalous traffic originating from IPs associated with suspicious OAuth flows (rule: \u0026quot;Entra ID OAuth Flow from Multiple IPs - Network Connection\u0026quot;).\u003c/li\u003e\n\u003cli\u003eBlock access to known phishing domains and URLs used in OAuth phishing campaigns to prevent initial access (IOC: \u003ccode\u003ehttps://www.volexity.com/blog/2025/04/22/phishing-for-codes-russian-threat-actors-target-microsoft-365-oauth-workflows/\u003c/code\u003e).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-05-03T14:30:00Z","date_published":"2024-05-03T14:30:00Z","id":"https://feed.craftedsignal.io/briefs/2024-05-entra-oauth-phishing/","summary":"Detection of OAuth phishing in Microsoft Entra ID through Microsoft Authentication Broker (MAB) and Device Registration Service (DRS) indicated by the same user principal and session ID originating from multiple IP addresses within a short timeframe, indicative of unauthorized token acquisition.","title":"Entra ID OAuth Phishing via Auth Broker to DRS","url":"https://feed.craftedsignal.io/briefs/2024-05-entra-oauth-phishing/"}],"language":"en","title":"CraftedSignal Threat Feed - Oauth-Phishing","version":"https://jsonfeed.org/version/1.1"}