Device Code Phishing
Was ist Device Code Phishing?
Device Code PhishingAn identity attack that abuses the OAuth 2.0 device authorization grant: the attacker starts a device-code flow and lures the victim into typing the resulting code on a legitimate login page, granting the attacker tokens for the victim's account.
Device code phishing weaponizes the RFC 8628 OAuth 2.0 device authorization grant, the same flow used by smart TVs, IoT devices, and CLI tools (Azure CLI, `az login --use-device-code`). The attacker initiates the flow against the target identity provider (typically Microsoft Entra ID), receiving a short user_code and a verification URL such as `https://microsoft.com/devicelogin`. They then send the victim a convincing message — meeting invite, IT-helpdesk request, support ticket — asking them to 'verify access' by visiting the (entirely legitimate) URL and entering the code. The victim authenticates with their real credentials and MFA, and the IdP issues tokens to the attacker's session, not the victim's device. Microsoft began throttling and warning on this flow in 2023–2024 and made device-code disable-by-default in some contexts in 2024 after Storm-2372 and Midnight Blizzard campaigns. Mitigations include disabling device code in Conditional Access for users who never need it, restricting it to specific managed clients, and educating users that no legitimate IT process requires them to type a code from an unsolicited message.
● Beispiele
- 01
A Storm-2372 operator messages a target on Teams, claims to be from IT, and asks them to verify access by entering a code at microsoft.com/devicelogin — granting the attacker an access token to the victim's mailbox and Teams.
- 02
An Entra ID Conditional Access policy blocks the device-code flow entirely for all users except a specific group of CLI users.
● Häufige Fragen
Was ist Device Code Phishing?
An identity attack that abuses the OAuth 2.0 device authorization grant: the attacker starts a device-code flow and lures the victim into typing the resulting code on a legitimate login page, granting the attacker tokens for the victim's account. Es gehört zur Kategorie Angriffe und Bedrohungen der Cybersicherheit.
Was bedeutet Device Code Phishing?
An identity attack that abuses the OAuth 2.0 device authorization grant: the attacker starts a device-code flow and lures the victim into typing the resulting code on a legitimate login page, granting the attacker tokens for the victim's account.
Wie funktioniert Device Code Phishing?
Device code phishing weaponizes the RFC 8628 OAuth 2.0 device authorization grant, the same flow used by smart TVs, IoT devices, and CLI tools (Azure CLI, `az login --use-device-code`). The attacker initiates the flow against the target identity provider (typically Microsoft Entra ID), receiving a short user_code and a verification URL such as `https://microsoft.com/devicelogin`. They then send the victim a convincing message — meeting invite, IT-helpdesk request, support ticket — asking them to 'verify access' by visiting the (entirely legitimate) URL and entering the code. The victim authenticates with their real credentials and MFA, and the IdP issues tokens to the attacker's session, not the victim's device. Microsoft began throttling and warning on this flow in 2023–2024 and made device-code disable-by-default in some contexts in 2024 after Storm-2372 and Midnight Blizzard campaigns. Mitigations include disabling device code in Conditional Access for users who never need it, restricting it to specific managed clients, and educating users that no legitimate IT process requires them to type a code from an unsolicited message.
Wie schützt man sich gegen Device Code Phishing?
Schutzmaßnahmen gegen Device Code Phishing kombinieren typischerweise technische Kontrollen und operative Praktiken, wie in der Definition oben beschrieben.
Welche anderen Bezeichnungen gibt es für Device Code Phishing?
Übliche alternative Bezeichnungen: Device authorization phishing, Storm-2372 technique.
● Verwandte Begriffe
- attacks№ 917
Phishing
Ein Social-Engineering-Angriff, bei dem sich der Angreifer als vertrauenswürdige Stelle ausgibt, um Opfer zur Preisgabe von Zugangsdaten, Geldüberweisungen oder zur Ausführung von Schadsoftware zu verleiten.
- identity-access№ 839
OAuth 2.0
Offenes Autorisierungs-Framework, mit dem ein Ressourceninhaber einer Drittanwendung beschränkten, scoped Zugriff auf eine API gewähren kann, ohne Zugangsdaten preiszugeben.
- attacks№ 840
OAuth Consent Phishing
An identity attack that abuses the OAuth consent flow: instead of stealing a password, the attacker tricks the victim into granting their malicious app standing permissions (mail.read, files.read.all) on the victim's tenant.
- attacks№ 011
Konto-Uebernahme (ATO)
Angriff, bei dem ein Krimineller unautorisierte Kontrolle ueber ein legitimes Nutzerkonto erlangt, um Geld, Daten zu entwenden oder weiteren Betrug zu begehen.
- attacks№ 1182
Social Engineering
Psychologische Manipulation, mit der Menschen zu Handlungen oder zur Preisgabe vertraulicher Informationen bewegt werden, von denen ein Angreifer profitiert.
- attacks№ 1191
Spear-Phishing
Gezielter Phishing-Angriff, der auf eine bestimmte Person oder Organisation zugeschnitten ist und vorab recherchierte persönliche oder berufliche Details nutzt.