Device Code Phishing

Dynamic device code phishing is an advanced form of phishing in which attackers abuse the device authorization flow, which is typically used by IoT and other smart devices. By manipulating this flow, attackers trick users into granting them access tokens under the guise of legitimate requests. The method relies on users' unfamiliarity with the authorization process on such devices, which makes it a potent threat.

TokenTactics

Using TokenTactics for device code phishing:

Import-Module .\TokenTactics.psd1
Get-AzureToken -Client MSGraph

Once the user has logged in, the JWT is displayed and saved in the $response variable. To display the access token, use $response.access_token in your PowerShell window. You can also display the refresh token with $response.refresh_token. Hint: You'll want the refresh token so you can keep refreshing to new access tokens! By default, Get-AzureToken results are logged to TokenLog.log.

GraphRunner

Import-Module .\GraphRunner.ps1
Get-GraphTokens

GraphSpy

# Run GraphSpy on http://192.168.0.10
graphspy -i 192.168.0.10 -p 80

Dynamic Device Code Phishing

For more detailed insights on cybersecurity tactics such as dynamic device code phishing, you can explore the comprehensive article by Black Hills Information Security. Their research provides valuable information on the mechanisms and mitigation strategies for such phishing attacks.
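
A defender-side check for the flow described above, added here as an example and not taken from the page or from any of the tools it lists: it flags device-code sign-ins and any later non-interactive sign-ins (such as refresh-token use) by the same user from a different IP. The records are constructed, and the field names are modelled on the Microsoft Graph signIn resource, which is an assumption about your export format.

```python
from datetime import datetime, timedelta

# Constructed sample records. Field names are modelled on the Microsoft Graph
# signIn resource (an assumption; map them to your own export schema).
SAMPLE_SIGNINS = [
    {"createdDateTime": "2024-05-01T09:00:00Z", "userPrincipalName": "alice@example.com",
     "ipAddress": "198.51.100.7", "authenticationProtocol": "deviceCode", "isInteractive": True},
    {"createdDateTime": "2024-05-01T09:20:00Z", "userPrincipalName": "alice@example.com",
     "ipAddress": "203.0.113.50", "authenticationProtocol": "none", "isInteractive": False},
    {"createdDateTime": "2024-05-01T10:00:00Z", "userPrincipalName": "bob@example.com",
     "ipAddress": "198.51.100.9", "authenticationProtocol": "deviceCode", "isInteractive": True},
    {"createdDateTime": "2024-05-01T10:05:00Z", "userPrincipalName": "bob@example.com",
     "ipAddress": "198.51.100.9", "authenticationProtocol": "none", "isInteractive": False},
    {"createdDateTime": "2024-05-01T11:00:00Z", "userPrincipalName": "carol@example.com",
     "ipAddress": "198.51.100.11", "authenticationProtocol": "oAuth2", "isInteractive": True},
]

def _ts(record):
    return datetime.strptime(record["createdDateTime"], "%Y-%m-%dT%H:%M:%SZ")

def find_device_code_followups(signins, window=timedelta(hours=24)):
    """Return one finding per device-code sign-in, listing later non-interactive
    sign-ins by the same user from a different IP inside the window."""
    ordered = sorted(signins, key=_ts)
    findings = []
    for i, rec in enumerate(ordered):
        if rec.get("authenticationProtocol") != "deviceCode":
            continue  # only the device authorization flow is of interest here
        followups = [
            later for later in ordered[i + 1:]
            if later["userPrincipalName"].lower() == rec["userPrincipalName"].lower()
            and not later.get("isInteractive", True)
            and later["ipAddress"] != rec["ipAddress"]
            and _ts(later) - _ts(rec) <= window
        ]
        findings.append({
            "user": rec["userPrincipalName"],
            "device_code_ip": rec["ipAddress"],
            "other_ips": sorted({f["ipAddress"] for f in followups}),
            "suspicious": bool(followups),  # heuristic only, not proof of compromise
        })
    return findings

if __name__ == "__main__":
    for finding in find_device_code_followups(SAMPLE_SIGNINS):
        print(finding)
```

Every device-code sign-in is reported so it can be compared with the users and applications that are expected to use this flow; the `suspicious` flag only marks the ones followed by token activity from another address.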
