Device Code Phishing Attacks Surge Dramatically as Kits Proliferate

Device code phishing attacks, which abuse the OAuth 2.0 Device Authorization Grant flow, have increased more than 37-fold this year as multiple phishing kits make the technique accessible to low-skilled cybercriminals. In these attacks, threat actors obtain a device authorization code from a service provider and trick victims into entering it on legitimate login pages, granting attackers access through valid refresh and access tokens. The flow was originally designed for devices with limited input capabilities such as smart TVs and printers.

Push Security researchers documented the growth multiplier climbing from 15 times to 37.5 times within a matter of weeks, and identified at least eleven distinct phishing kits facilitating this attack type. The most prominent kit, EvilTokens, has been described by Sekoia as democratizing device code phishing; competitors include VENOM, SHAREFILE, CLURE, LINKID, AUTHOV, DOCUPOLL, FLOW_TOKEN, PAPRIKA, DCSTATUS, and DOLCE. These kits employ realistic SaaS-themed lures and anti-bot protections, and abuse cloud hosting platforms for delivery.

Attackers use branding from services like DocuSign, Adobe, and Microsoft Teams to deceive victims into completing device code flows. To defend against these attacks, organizations should block the device authorization flow wherever it is not needed, using conditional access policies. Security teams are also advised to monitor sign-in logs for unexpected device code authentication events, unusual source IP addresses, and anomalous sessions. The technique, first documented in 2020, has now been widely adopted by both state-sponsored actors and financially motivated cybercriminals.
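To make the monitoring advice above concrete, here is an added example (not from the article or from any vendor named in it) that scans sign-in records for device code authentications and rates higher those coming from an IP address the user has never used for ordinary sign-ins. The field names follow the general shape of Entra ID sign-in logs but are an assumption, and the log lines are constructed for illustration.

```python
"""Flag OAuth device-code sign-ins that break a user's normal source-IP pattern."""
import json
from collections import defaultdict

# Constructed sample sign-in records. Field names are modelled loosely on
# Entra ID sign-in logs and are an assumption, not taken from the article.
SAMPLE_LOG = """
{"userPrincipalName": "alice@example.com", "authenticationProtocol": "oAuth2", "ipAddress": "203.0.113.10", "appDisplayName": "Microsoft Teams", "status": "success"}
{"userPrincipalName": "alice@example.com", "authenticationProtocol": "oAuth2", "ipAddress": "203.0.113.10", "appDisplayName": "Outlook", "status": "success"}
{"userPrincipalName": "alice@example.com", "authenticationProtocol": "deviceCode", "ipAddress": "198.51.100.77", "appDisplayName": "Microsoft Office", "status": "success"}
{"userPrincipalName": "bob@example.com", "authenticationProtocol": "deviceCode", "ipAddress": "203.0.113.22", "appDisplayName": "Microsoft Azure CLI", "status": "success"}
{"userPrincipalName": "bob@example.com", "authenticationProtocol": "oAuth2", "ipAddress": "203.0.113.22", "appDisplayName": "Outlook", "status": "success"}
"""


def parse_signins(raw):
    """Parse newline-delimited JSON sign-in records, skipping blank lines."""
    return [json.loads(line) for line in raw.strip().splitlines() if line.strip()]


def baseline_ips(events):
    """Per-user set of source IPs seen on sign-ins that did NOT use the device code flow."""
    known = defaultdict(set)
    for e in events:
        if e["authenticationProtocol"] != "deviceCode":
            known[e["userPrincipalName"]].add(e["ipAddress"])
    return known


def flag_device_code_signins(events):
    """Return every successful device-code sign-in, rated 'high' when the
    source IP never appears in that user's non-device-code baseline."""
    known = baseline_ips(events)
    findings = []
    for e in events:
        if e["authenticationProtocol"] != "deviceCode" or e["status"] != "success":
            continue
        user = e["userPrincipalName"]
        novel_ip = e["ipAddress"] not in known[user]
        findings.append({
            "user": user,
            "ip": e["ipAddress"],
            "app": e["appDisplayName"],
            "severity": "high" if novel_ip else "medium",
        })
    return findings


if __name__ == "__main__":
    for finding in flag_device_code_signins(parse_signins(SAMPLE_LOG)):
        print(finding)
```

In the sample, alice's device-code sign-in from 198.51.100.77 is rated high because she only ever signs in from 203.0.113.10, while bob's is rated medium because the IP matches his usual one; a real deployment would build the baseline over weeks of history rather than the same batch.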
