attacking-oauth-with-device-code-phishing

Pass

Audited by Gen Agent Trust Hub on Jun 22, 2026

Risk Level: SAFEEXTERNAL_DOWNLOADSCOMMAND_EXECUTIONDATA_EXFILTRATION
Full Analysis
  • [EXTERNAL_DOWNLOADS]: The skill instructs the user to download and install security research tools from public repositories and registries.
  • Fetches the TokenTactics PowerShell module from GitHub: https://github.com/rvrsh3ll/TokenTactics.git.
  • Installs the roadtools and roadtools_auth packages from the standard Python Package Index (PyPI).
  • [COMMAND_EXECUTION]: The workflow relies on executing shell commands and scripts to interact with identity providers.
  • Uses curl to send POST requests to Microsoft's OAuth 2.0 device-code and token endpoints.
  • Runs a custom Python script (agent.py) and PowerShell commands (Get-AzureToken, Invoke-RefreshTo...) to automate token polling and exchange.
  • [DATA_EXFILTRATION]: The skill's primary objective is the capture and storage of identity tokens for security testing purposes.
  • Captures access_token and refresh_token data from Entra ID and saves them to local files (tokens.json, tokens_refreshed.json).
  • Demonstrates replaying these tokens to exfiltrate data from Microsoft 365 services such as Outlook via the Graph API.
Audit Metadata
Risk Level
SAFE
Analyzed
Jun 22, 2026, 10:11 PM
Security Audit — agent-trust-hub — attacking-oauth-with-device-code-phishing