O365DevicePhish
Microsoft365_devicePhish Abusing Microsoft 365 OAuth Authorization Flow for Phishing Attack
This is a simple proof-of-concept script that allows an attacker to conduct a phishing attack against Microsoft 365 OAuth Authorization Flow. Using this, one can connect to Microsoft's OAuth API endpoints to create user_code and device_code and obtain victim user's access_token upon successfult phishing attack. Then, the token can be used to access various Office365 products via Microsoft Graph API on behalf of the victim user. In addition, this script was created to help a specific situation where a target organization was utilizaing an Email OTP (One-time Passcode) for their MFA option; thus, with a successful phishing attack, one could read a generated Email OTP code from victim user's email inbox to bypass MFA.
Usage
$ python3 devicePhish.py
[INFO] Usage: python3 devicePhish.py
[INFO] Example: python3 devicePhish.py fake-2ce0-4958-a61a-a5055ef62bf8
Example
- Generating
user_codeanddevice_codefrom an Azure App:
- Upon successfull phishing attack, obtaining
access_token&refresh_tokenfor a victim user:
- After an Email OTP is triggered, reading the OTP code from the victim's email inbox:
- After reading the Email OTP code, it deletes the OTP email:
![Trewis [work] Scotch](https://avatars.githubusercontent.com/u/92666826?v=4&s=60)
3 Dec 30, 2021
108 Jan 07, 2023
21 Dec 27, 2022
79 Dec 27, 2022
17 Nov 11, 2022
9 Feb 15, 2022
5 Oct 08, 2022
534 Dec 14, 2022
462 Jan 02, 2023
1 Jan 11, 2022
298 Dec 14, 2022
82 Dec 28, 2022
6.7k Jan 05, 2023
8 Feb 27, 2022
3.5k Jan 09, 2023
84 Sep 09, 2022
6 Sep 22, 2022
253 Jan 05, 2023
224 Aug 05, 2022
39 Dec 10, 2022