<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Oauth-Phishing - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/oauth-phishing/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Fri, 03 May 2024 14:30:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/oauth-phishing/feed.xml" rel="self" type="application/rss+xml"/><item><title>Entra ID OAuth Phishing via Auth Broker to DRS</title><link>https://feed.craftedsignal.io/briefs/2024-05-entra-oauth-phishing/</link><pubDate>Fri, 03 May 2024 14:30:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-05-entra-oauth-phishing/</guid><description>Detection of OAuth phishing in Microsoft Entra ID through Microsoft Authentication Broker (MAB) and Device Registration Service (DRS) indicated by the same user principal and session ID originating from multiple IP addresses within a short timeframe, indicative of unauthorized token acquisition.</description><content:encoded><![CDATA[<p>This threat involves attackers conducting OAuth phishing campaigns targeting Microsoft Entra ID users. The attackers craft legitimate Microsoft login URLs to trick users into authenticating, thereby obtaining authorization codes. These codes are then exchanged for access and refresh tokens, allowing the attackers to gain unauthorized access to the user's resources. The Microsoft Authentication Broker (MAB) is used as the client application, and the Device Registration Service (DRS) is the target resource. The activity is characterized by the same user principal and session ID being observed across multiple IP addresses within a 5-minute window. This activity was observed starting in early 2025. The scope of this threat includes any organization utilizing Microsoft Entra ID and the MAB for device registration.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>The attacker crafts a phishing email containing a malicious link that leads to a fake Microsoft login page.</li>
<li>The victim clicks the link and is prompted to enter their credentials, unknowingly providing them to the attacker.</li>
<li>The attacker uses the stolen credentials to initiate an OAuth authorization flow via the Microsoft Authentication Broker (MAB) with the Device Registration Service (DRS) as the target.</li>
<li>The legitimate Microsoft login page redirects the user and returns an authorization code to the attacker-controlled application.</li>
<li>The attacker exchanges the authorization code for access and refresh tokens, gaining unauthorized access to the user's Entra ID resources.</li>
<li>The attacker uses the access token to enumerate devices registered to the user via Microsoft Graph.</li>
<li>The attacker uses the refresh token to maintain persistent access to the user's resources, even after the initial session expires.</li>
<li>The attacker leverages access to DRS to potentially manipulate device registrations and further compromise the environment.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful OAuth phishing can lead to unauthorized access to sensitive data and resources within the targeted organization. An attacker with valid access and refresh tokens can impersonate the user, potentially leading to data exfiltration, privilege escalation, and lateral movement within the network. Organizations utilizing Microsoft Entra ID are susceptible, with observed campaigns targeting Microsoft 365 OAuth workflows as reported by Volexity in April 2025.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Enable and configure the Microsoft Entra ID Sign-In Logs integration to collect sign-in logs, as the detection rule relies on this data source (rule configuration).</li>
<li>Deploy the provided Sigma rule to your SIEM to detect suspicious OAuth flows involving MAB and DRS based on multiple IP addresses (rule: &quot;Entra ID OAuth Flow from Multiple IPs&quot;).</li>
<li>Review Conditional Access policies for the Microsoft Authentication Broker (app ID: <code>29d9ed98-a469-4536-ade2-f981bc1d605e</code>) to enforce MFA and device trust (reference: note section in rule definition).</li>
<li>Monitor network connections for anomalous traffic originating from IPs associated with suspicious OAuth flows (rule: &quot;Entra ID OAuth Flow from Multiple IPs - Network Connection&quot;).</li>
<li>Block access to known phishing domains and URLs used in OAuth phishing campaigns to prevent initial access (IOC: <code>https://www.volexity.com/blog/2025/04/22/phishing-for-codes-russian-threat-actors-target-microsoft-365-oauth-workflows/</code>).</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>entra-id</category><category>oauth-phishing</category><category>initial-access</category></item></channel></rss>