AI-Powered Phishing Campaign Exploits OAuth Flaw for Account Takeover
Cybersecurity Researchers Discover Sophisticated Phishing Campaign Exploiting OAuth Flow for Account Takeover
Cybersecurity researchers have discovered a sophisticated phishing campaign that leverages the OAuth Device Code Authentication flow to compromise organizational accounts at scale.
The Campaign Uses AI-Assisted Infrastructure and End-to-End Automation
Enabled by artificial intelligence (AI)-assisted infrastructure and end-to-end automation, the campaign sidesteps the device code's standard 15-minute expiration window through automation and dynamic code generation.
The OAuth Device Code Authentication Flow is Exploited
The OAuth Device Code Authentication flow was originally designed for devices that cannot support a standard interactive login. Attackers exploit it because it decouples authentication from the originating session: a user can unknowingly authorize the attacker's session and grant access to the account without ever exposing credentials.
Threat Actors Initiate the Reconnaissance Phase Before Launching the Phishing Attempt
Threat actors initiate the reconnaissance phase 10 to 15 days prior to launching the phishing attempt, verifying whether the targeted account exists and is active within the tenant.
The Attack Process Involves a Multi-Stage Delivery Pipeline
The attack involves a multi-stage delivery pipeline to circumvent gateways and endpoint security.
Sophisticated Techniques are Used to Bypass Security Measures
The attackers employ domain shadowing and brand-impersonating subdomains to bypass reputation-based filters.
The Victim is Redirected to the Official Login Portal
Upon successful exploitation, a “Verify identity” button and a device code are displayed, prompting users to enter their email addresses so that a malicious device code can be generated for them.
The Attacker Obtains a Valid Access Token Associated with the User’s Account
The script automates the authentication process, copying the generated device code and entering it into the official login page. If a session is already active, pasting the code and confirming the request authenticates the attacker’s session in the background.
Following the Breach, the Attacker’s Activity Progresses to Device Registration and Microsoft Graph Reconnaissance
Following the breach, the attacker’s activity progresses to device registration and Microsoft Graph reconnaissance, including filtering compromised users and selecting targets.
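The post-compromise chain described above (device-code sign-in, then device registration, then Microsoft Graph reconnaissance) is what a defender can hunt for in sign-in logs. The following is an added detection example, not code from the article or from the researchers it cites. It parses constructed, newline-delimited sign-in records modelled loosely on Microsoft Entra ID sign-in log fields (the field names `authenticationProtocol`, `resourceDisplayName`, `ipAddress` and `createdDateTime`, the `deviceCode` protocol value and the resource display names are assumptions for this example) and raises a medium finding for any device-code sign-in, escalated to high when the same IP reaches device registration or Graph within an hour.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample records, loosely modelled on Entra ID sign-in log fields.
# Field names and values are assumptions for this example; real exports differ.
SAMPLE_SIGNINS = """
{"userPrincipalName": "alice@example.com", "createdDateTime": "2024-05-01T08:00:00Z", "authenticationProtocol": "oAuth2", "resourceDisplayName": "Office 365 Exchange Online", "ipAddress": "203.0.113.10"}
{"userPrincipalName": "alice@example.com", "createdDateTime": "2024-05-01T09:12:00Z", "authenticationProtocol": "deviceCode", "resourceDisplayName": "Microsoft Graph", "ipAddress": "198.51.100.7"}
{"userPrincipalName": "alice@example.com", "createdDateTime": "2024-05-01T09:15:00Z", "authenticationProtocol": "oAuth2", "resourceDisplayName": "Device Registration Service", "ipAddress": "198.51.100.7"}
{"userPrincipalName": "alice@example.com", "createdDateTime": "2024-05-01T09:20:00Z", "authenticationProtocol": "oAuth2", "resourceDisplayName": "Microsoft Graph", "ipAddress": "198.51.100.7"}
{"userPrincipalName": "bob@example.com", "createdDateTime": "2024-05-01T10:00:00Z", "authenticationProtocol": "oAuth2", "resourceDisplayName": "Office 365 SharePoint Online", "ipAddress": "203.0.113.20"}
{"userPrincipalName": "bob@example.com", "createdDateTime": "2024-05-01T11:30:00Z", "authenticationProtocol": "deviceCode", "resourceDisplayName": "Microsoft Graph", "ipAddress": "203.0.113.20"}
{"userPrincipalName": "carol@example.com", "createdDateTime": "2024-05-01T12:00:00Z", "authenticationProtocol": "oAuth2", "resourceDisplayName": "Office 365 Exchange Online", "ipAddress": "203.0.113.30"}
"""

# How long after a device-code sign-in we look for follow-on activity.
FOLLOW_ON_WINDOW = timedelta(minutes=60)
# Resources whose use right after a device-code sign-in matches the
# post-compromise pattern the article describes (assumed display names).
FOLLOW_ON_RESOURCES = {"Device Registration Service", "Microsoft Graph"}


def parse_signins(text):
    """Parse newline-delimited JSON sign-in records; add a UTC datetime and sort by time."""
    records = []
    for line in text.strip().splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.strptime(rec["createdDateTime"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        records.append(rec)
    return sorted(records, key=lambda r: r["ts"])


def analyze(records):
    """Return one finding per device-code sign-in.

    Severity 'medium': any device-code sign-in (most users never use this flow).
    Severity 'high':   device-code sign-in followed within FOLLOW_ON_WINDOW by
                       sign-ins from the same IP to device registration or Graph.
    Also records whether the source IP was previously unseen for that user.
    """
    findings = []
    for i, rec in enumerate(records):
        if rec["authenticationProtocol"] != "deviceCode":
            continue
        user, ip, ts = rec["userPrincipalName"], rec["ipAddress"], rec["ts"]
        # IPs this user signed in from earlier via other protocols (a rough baseline).
        known_ips = {r["ipAddress"] for r in records[:i]
                     if r["userPrincipalName"] == user and r["authenticationProtocol"] != "deviceCode"}
        # Later sign-ins by the same user from the same IP hitting the follow-on resources.
        follow_on = [r["resourceDisplayName"] for r in records[i + 1:]
                     if r["userPrincipalName"] == user and r["ipAddress"] == ip
                     and r["ts"] - ts <= FOLLOW_ON_WINDOW
                     and r["resourceDisplayName"] in FOLLOW_ON_RESOURCES]
        findings.append({
            "user": user,
            "ip": ip,
            "time": rec["createdDateTime"],
            "new_ip": ip not in known_ips,
            "follow_on": follow_on,
            "severity": "high" if follow_on else "medium",
        })
    return findings


if __name__ == "__main__":
    for f in analyze(parse_signins(SAMPLE_SIGNINS)):
        print(f"[{f['severity'].upper()}] {f['user']} device-code sign-in from {f['ip']} "
              f"(new IP: {f['new_ip']}) follow-on: {f['follow_on'] or 'none'}")
```

On the constructed data, alice's device-code sign-in from a previously unseen IP, followed within minutes by device registration and Graph access, is rated high, while bob's lone device-code sign-in from his usual IP is rated medium for review. Because the campaign regenerates codes to defeat the 15-minute expiry, the device-code sign-in itself is the reliable anchor; the follow-on activity is what distinguishes a successful takeover from a benign use of the flow.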
This Research Highlights the Importance of Vigilance in Protecting Against Advanced Threats
This research highlights the importance of vigilance in protecting against advanced threats and the need for continuous monitoring of authentication processes to prevent unauthorized access to sensitive accounts.