A new generation of cyberattacks is moving beyond simple credential theft toward Session and Token Hijacking. By abusing the OAuth 2.0 Device Authorization Grant (RFC 8628), threat actors are bypassing traditional MFA and Phishing protections. This attack doesn't steal your password; it steals your identity's "keys" while you perform a legitimate login on a trusted Microsoft domain.
The Core Vulnerability: Device Code Flow Misuse
The Device Code Flow was designed for input-constrained devices (like Smart TVs or CLI tools) that cannot easily render a browser.
The Protocol Logic
The standard flow follows this path:

Client → Device Authorization Endpoint → User Code → User Auth → Access Token
The Security Gap
The critical flaw lies in the decoupling of the authentication session. The user authenticates independently of the client requesting the token. Because there is no browser session binding the victim to the attacker’s machine, the attacker can initiate the flow and simply wait for the victim to "authorize" it.
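To make that decoupling concrete, the following is an added, constructed in-memory model of an RFC 8628 authorization server (example code written for this page, not part of the original article and not Microsoft's implementation). The `device_authorization`, `user_authorize` and `token` methods, the verification URI, the audit-log shape and all IP addresses are assumptions for illustration. The point it demonstrates: the token endpoint checks only that the `device_code` belongs to the `client_id` that requested it; it has no way to check that the person who typed the `user_code` is the party that requested it, which is exactly why the audit log is the only place a defender can see the two sides of the flow coming from different places.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# Constructed model of an RFC 8628 server. Endpoint names, the verification
# URI and the audit-log layout are assumptions for illustration only.

INTERVAL = 5          # minimum seconds between polls (RFC 8628 default)
CODE_LIFETIME = 900   # seconds a device_code stays valid (expires_in)


@dataclass
class DeviceGrant:
    client_id: str
    scope: str
    user_code: str
    issued_at: float
    last_poll: float = 0.0
    approved_by: Optional[str] = None


class ManualClock:
    """Deterministic clock so the timing rules can be exercised without sleeping."""
    def __init__(self, start: float = 1000.0):
        self.now = start
    def __call__(self) -> float:
        return self.now
    def advance(self, seconds: float) -> None:
        self.now += seconds


class AuthorizationServer:
    def __init__(self, clock: Callable[[], float] = time.time):
        self.clock = clock
        self.grants: Dict[str, DeviceGrant] = {}     # device_code -> grant
        self.by_user_code: Dict[str, str] = {}       # user_code -> device_code
        self.audit: List[Tuple[str, str, str]] = []  # (event, user_code, source_ip)

    def device_authorization(self, client_id: str, scope: str, client_ip: str) -> dict:
        """Step 1: the client (whoever it is) asks for a device_code / user_code pair."""
        device_code = secrets.token_urlsafe(32)
        user_code = "".join(secrets.choice("BCDFGHJKLMNPQRSTVWXZ") for _ in range(8))
        self.grants[device_code] = DeviceGrant(client_id, scope, user_code, self.clock())
        self.by_user_code[user_code] = device_code
        self.audit.append(("device_authorization", user_code, client_ip))
        return {
            "device_code": device_code,
            "user_code": user_code,
            "verification_uri": "https://idp.example/devicelogin",  # assumed URL
            "expires_in": CODE_LIFETIME,
            "interval": INTERVAL,
        }

    def user_authorize(self, user_code: str, authenticated_user: str, user_ip: str) -> bool:
        """Step 2: a signed-in user types the user_code in their own browser session.
        Nothing in the protocol ties that session to the party that requested the code."""
        device_code = self.by_user_code.get(user_code)
        if device_code is None:
            return False
        grant = self.grants[device_code]
        if self.clock() - grant.issued_at > CODE_LIFETIME:
            return False
        grant.approved_by = authenticated_user
        self.audit.append(("user_authorize", user_code, user_ip))
        return True

    def token(self, device_code: str, client_id: str) -> dict:
        """Step 3: the holder of device_code polls until the grant is approved."""
        grant = self.grants.get(device_code)
        if grant is None or grant.client_id != client_id:
            return {"error": "invalid_grant"}
        now = self.clock()
        if now - grant.issued_at > CODE_LIFETIME:
            return {"error": "expired_token"}
        too_fast = now - grant.last_poll < INTERVAL
        grant.last_poll = now
        if too_fast:
            return {"error": "slow_down"}
        if grant.approved_by is None:
            return {"error": "authorization_pending"}
        # Single use: the grant is consumed when the tokens are issued.
        del self.grants[device_code]
        del self.by_user_code[grant.user_code]
        return {
            "token_type": "Bearer",
            "access_token": "at-" + secrets.token_hex(8),
            "refresh_token": "rt-" + secrets.token_hex(8),
            "scope": grant.scope,
            "sub": grant.approved_by,
        }


def approval_ips(server: AuthorizationServer, user_code: str) -> Tuple[Optional[str], Optional[str]]:
    """Return (IP that requested the code, IP that approved it) from the audit log.
    The server issued tokens without ever requiring these two to match."""
    client_ip = user_ip = None
    for event, code, ip in server.audit:
        if code != user_code:
            continue
        if event == "device_authorization":
            client_ip = ip
        elif event == "user_authorize":
            user_ip = ip
    return client_ip, user_ip
```

Besides the decoupling itself, the model follows the RFC's other rules (`authorization_pending` before approval, `slow_down` when polled faster than `interval`, single use of the grant, and expiry after `expires_in`), so it can be used to reason about what a defender would and would not see at each step.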
Technical Attack Chain: Step-by-Step
AI-Enhanced Reconnaissance
Attackers use LLMs to automate reconnaissance. By hitting the GetCredentialType endpoint, they validate targets before ever sending an email.
- Endpoint: https://login.microsoftonline.com/common/GetCredentialType
- Goal: Confirm account existence and identify federated tenants to ensure a high Return on Investment (ROI).
Social Engineering & Evasion
Using AI, attackers generate hyper-personalized, role-based phishing content (e.g., HR onboarding docs for new hires). To bypass URL filters, they host their redirectors on legitimate serverless infrastructure:
- Platforms: Vercel, Cloudflare Pages, AWS Lambda.
- Tactic: Multi-hop redirects and domain cloaking to hide the malicious backend.
The "Just-in-Time" Device Code Injection
Unlike older attacks that used static codes, modern "Phishing-as-a-Service" (PhaaS) like EvilTokens generates codes dynamically.
Trigger: The moment a victim clicks the phishing link, the attacker's backend sends a POST request to /devicecode.
Payload:

```json
{
  "client_id": "ATTACKER_APP_ID",
  "scope": "openid profile offline_access",
  "verification_uri": "https://microsoft.com/devicelogin"
}
```
Delivery: The victim is shown a legitimate Microsoft login page. Since the domain is microsoft.com, traditional "look-alike domain" detectors fail.
The Polling Loop (Token Harvesting)
While the victim logs in, the attacker’s script runs a polling loop to catch the token the moment authentication is complete:
```python
import time
import requests

# token_endpoint, polling_payload and store_tokens are defined elsewhere in the
# script; polling_payload carries the device_code returned by the /devicecode request.
while True:
    response = requests.post(token_endpoint, data=polling_payload)
    body = response.json()
    # The original checked the Response object itself, which never matches;
    # the token is a key in the decoded JSON body.
    if "access_token" in body:
        store_tokens(body)
        break
    time.sleep(3)  # Rapid polling for near-instant hijacking
```
Post-Exploitation: Living off the Graph
Once the access_token and refresh_token are secured, the attacker has full API access via Microsoft Graph.
Persistence: Registering a new managed device to generate a Primary Refresh Token (PRT), allowing long-term access even if the user changes their password.
Exfiltration: Silently creating inbox rules to forward emails containing keywords like "Invoice" or "Payment" to an external attacker-controlled address.
Why Traditional Defenses Fail
The effectiveness of this attack lies in its ability to operate within the boundaries of legitimate authentication traffic. Rather than trying to steal a secret, the attacker tricks the user into performing a valid action on the attacker's behalf.
Multi-Factor Authentication (MFA)
The user completes the MFA challenge themselves on the official Microsoft portal. Because the authentication happens on a real, trusted session, the attacker receives a fully validated token without ever needing to see or bypass the MFA prompt.
Password Monitoring
This method does not actually steal credentials. Since the user enters their password directly into the genuine Microsoft site, "leaked password" databases and local password-sharing protections are never triggered. There is no "stolen password" to detect.
URL Filtering
Most web filters and email gateways are configured to trust microsoft.com implicitly. Because the final destination of the phishing link is a legitimate, high-reputation domain, the attack often bypasses automated security scanners that look for "look-alike" or malicious domains.
Engineering-Level Mitigations
Detection Engineering (KQL)
Security teams should monitor Azure AD Sign-in logs for anomalies in the deviceCode protocol.
```kql
SigninLogs
| where AuthenticationProtocol == "deviceCode"
| where AppId !in (Your_Trusted_App_IDs)
| summarize count() by UserPrincipalName, AppId, IPAddress
```
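As an added example (not from the original post), the same logic as the query above expressed in Python, so it can be run offline against an exported sign-in log. The records, App IDs, user names and addresses are constructed for this example. `summarize_untrusted_device_code` mirrors the query's filter and `summarize` exactly; `users_per_app_and_ip` goes one step beyond it by regrouping the summarized rows by (AppId, IPAddress), which is the pivot an analyst would do next: one untrusted app and one source address collecting several distinct users is the pattern to triage first.

```python
import json
from collections import Counter, defaultdict
from typing import Dict, Iterable, List, Set, Tuple

# Constructed newline-delimited JSON in the shape of the SigninLogs columns used
# by the KQL. Includes a blank line and a malformed line to exercise the parser.
SAMPLE_SIGNIN_LOGS = "\n".join([
    json.dumps({"UserPrincipalName": "alice@example.com", "AuthenticationProtocol": "deviceCode",
                "AppId": "trusted-cli-0001", "IPAddress": "10.0.0.5"}),
    json.dumps({"UserPrincipalName": "alice@example.com", "AuthenticationProtocol": "deviceCode",
                "AppId": "unknown-app-9999", "IPAddress": "203.0.113.10"}),
    "",
    json.dumps({"UserPrincipalName": "bob@example.com", "AuthenticationProtocol": "deviceCode",
                "AppId": "unknown-app-9999", "IPAddress": "203.0.113.10"}),
    json.dumps({"UserPrincipalName": "bob@example.com", "AuthenticationProtocol": "ropc",
                "AppId": "unknown-app-9999", "IPAddress": "203.0.113.10"}),
    "this line is not JSON",
    json.dumps({"UserPrincipalName": "carol@example.com", "AuthenticationProtocol": "deviceCode",
                "AppId": "unknown-app-9999", "IPAddress": "203.0.113.10"}),
])

# Allowlist standing in for Your_Trusted_App_IDs in the query (constructed value).
TRUSTED_APP_IDS = {"trusted-cli-0001"}

Key = Tuple[str, str, str]  # (UserPrincipalName, AppId, IPAddress)


def parse_signin_logs(text: str) -> List[dict]:
    """Parse newline-delimited JSON, skipping blank or malformed lines instead of aborting."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return records


def summarize_untrusted_device_code(records: Iterable[dict], trusted_app_ids: Set[str]) -> Counter:
    """Python equivalent of the KQL: keep deviceCode sign-ins whose AppId is not
    on the allowlist, then count by (UserPrincipalName, AppId, IPAddress)."""
    hits: Counter = Counter()
    for r in records:
        if r.get("AuthenticationProtocol") != "deviceCode":
            continue
        if r.get("AppId") in trusted_app_ids:
            continue
        key: Key = (r.get("UserPrincipalName", ""), r.get("AppId", ""), r.get("IPAddress", ""))
        hits[key] += 1
    return hits


def users_per_app_and_ip(summary: Counter) -> Dict[Tuple[str, str], Set[str]]:
    """Pivot of the summarized rows: which distinct users each untrusted
    (AppId, IPAddress) pair collected."""
    fanout: Dict[Tuple[str, str], Set[str]] = defaultdict(set)
    for (upn, app_id, ip) in summary:
        fanout[(app_id, ip)].add(upn)
    return dict(fanout)


if __name__ == "__main__":
    records = parse_signin_logs(SAMPLE_SIGNIN_LOGS)
    summary = summarize_untrusted_device_code(records, TRUSTED_APP_IDS)
    for (upn, app_id, ip), n in sorted(summary.items()):
        print(f"{upn:20} {app_id:18} {ip:15} count={n}")
    for (app_id, ip), users in users_per_app_and_ip(summary).items():
        print(f"{app_id} from {ip} collected {len(users)} distinct users: {sorted(users)}")
```

The `ropc` record and the trusted-app record drop out of the summary exactly as they would in the query; what the pivot adds is that the three remaining rows collapse to one (AppId, IPAddress) pair touching three users, which is a stronger signal than any single row's count.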
Strategic Hardening
Conditional Access (CA): Restrict Device Code Flow to specific, trusted IP ranges or compliant devices.
Continuous Access Evaluation (CAE): Enable CAE to revoke tokens in real-time if a risk is detected.
Disable the Flow: If your organization does not use CLI tools or smart devices that require this flow, disable it entirely via the Authentication Methods policy in Entra ID.
Conclusion
The shift from Credential Theft to Token Hijacking represents a significant leap in attacker maturity. As AI continues to automate the "human" element of phishing, developers must move toward a Zero Trust architecture where no OAuth flow is considered safe by default. Trust the protocol, but verify the context.