O365DevicePhish
Microsoft365_devicePhish Abusing Microsoft 365 OAuth Authorization Flow for Phishing Attack
This is a simple proof-of-concept script that allows an attacker to conduct a phishing attack against Microsoft 365 OAuth Authorization Flow. Using this, one can connect to Microsoft's OAuth API endpoints to create user_code and device_code and obtain victim user's access_token upon successfult phishing attack. Then, the token can be used to access various Office365 products via Microsoft Graph API on behalf of the victim user. In addition, this script was created to help a specific situation where a target organization was utilizaing an Email OTP (One-time Passcode) for their MFA option; thus, with a successful phishing attack, one could read a generated Email OTP code from victim user's email inbox to bypass MFA.
Usage
$ python3 devicePhish.py
[INFO] Usage: python3 devicePhish.py
[INFO] Example: python3 devicePhish.py fake-2ce0-4958-a61a-a5055ef62bf8
Example
- Generating
user_codeanddevice_codefrom an Azure App:
- Upon successfull phishing attack, obtaining
access_token&refresh_tokenfor a victim user:
- After an Email OTP is triggered, reading the OTP code from the victim's email inbox:
- After reading the Email OTP code, it deletes the OTP email:
![Trewis [work] Scotch](https://avatars.githubusercontent.com/u/92666826?v=4&s=60)
144 Nov 19, 2022
16 Dec 08, 2022
1 Nov 23, 2021
68 Jan 04, 2023
3 Sep 03, 2022
177 Dec 22, 2022
31 Dec 19, 2022
1 Nov 26, 2021
1 Jan 23, 2022
408 Jan 03, 2023
125 Dec 09, 2022
29 Jul 27, 2021
17 Aug 14, 2022
2 Jan 01, 2022
5 Mar 19, 2022
16 Dec 19, 2022
9 Sep 27, 2022
31 Oct 21, 2022
295 Jan 06, 2023
838 Dec 18, 2022