Skip to content

idacyber1/devicecode-phishing-analysis

Repository files navigation

Microsoft Device-Code Phishing — Campaign Analysis

A defender-focused writeup of a real-world Microsoft 365 device-code phishing campaign (OAuth 2.0 Device Authorization Grant abuse) — a fake "shared document" that never asks for a password and still takes over an account, straight past MFA.

Disclaimer

This repository is published solely for education, awareness, and defensive security — to help defenders and users recognize and stop this class of attack.

  • Provided "as is," without warranty of any kind. You are solely responsible for how you use this material.
  • All indicators here are defanged (hxxps://, [.]), and no live malware or credential-harvesting code is included. Do not re-fang, reconstruct, or visit the infrastructure except from an isolated, attributable analysis environment.
  • Do not use this material to conduct or facilitate unauthorized access, intrusion, or any unlawful activity. Only act on systems you are authorized to test, and comply with all applicable laws.
  • Victim-identifying details have been redacted. The compromised website referenced was an innocent, hacked third party, not the attacker.
  • This is not legal or professional security advice. Views are the author's own and do not represent any employer or organization.

Contents

  • DeviceCode-Phishing-Awareness-Article.md — the narrative walkthrough: how device-code phishing works, stage by stage, why it defeats MFA, and how to defend. Written for a broad audience.
  • ANALYSIS.md — the technical companion: full attack chain, proof-of-life capture, infrastructure assessment, MITRE ATT&CK mapping, Entra ID hunting, and response checklist.
  • attack-path.svg — attack-path diagram.
  • screenshots/ — annotated captures of the live gate, the decrypted lure, the anti-analysis defenses, and the genuine Microsoft device-login page.

The one rule that breaks the chain

Opening a shared document never requires you to copy a code and type it into a Microsoft sign-in screen. If any page or email hands you a code to "verify your identity" or "continue to Microsoft," stop, close it, and report it. For IT: a Conditional Access Authentication Flows policy that blocks the device-code flow where it isn't needed neutralizes this entire technique class.

License

Licensed under Creative Commons Attribution 4.0 International (CC BY 4.0). You're free to share and adapt with attribution.

About

Defender-focused analysis of a Microsoft 365 device-code phishing campaign (OAuth device-authorization abuse, MFA-bypassing) - defanged IOCs, Entra hunting, no live samples.

Topics

Resources

License

Stars

0 stars

Watchers

0 watching

Forks

Releases

No releases published

Packages

 
 
 

Contributors