This project provides POC code to explore [OAuth 2.0](https://datatracker.ietf.org/doc/html/rfc6749)
authorization flows and how they can be abused in phishing attacks.
Specifically, we demonstrate a phishing attack using the device authorization grant
against Microsoft and intend to add additional flows as we go. The implementation
is written in generic PowerShell and can be run on any supported platform. Most cmdlet
calls are simple REST API calls and should be translatable to any language.
1. Install PowerShell 7.x.
2. Set up a Microsoft environment (for the victim only).
   - NOTES:
     - Victim environment setup: the attacker does not need a Microsoft account or environment, only the victim does.
     - DO NOT run this in a production environment.
     - Existing account: an existing Azure + Office 365 account can be used, in which case just check that Azure and O365 access works for the existing accounts in steps 3 and 5.
     - New account: these instructions are only needed if you want to create a new set of accounts to serve as the victim accounts.
     - Admin privileges: you need administrator privileges to manage user accounts within Azure and Office 365.
     - Trial accounts: this is the easiest way to create new accounts to test this POC (creating an O365 account should create the Azure account):
       - https://www.microsoft.com/en-us/microsoft-365/try
       - https://azure.microsoft.com/en-us/free/
     - The initial administrator account can then be the example victim account. Otherwise, follow the steps below to create a separate victim account in an existing Azure AD and Office 365 environment.
3. AD setup: within Azure AD, log in as an AD administrator and create the victim account.
   - portal.azure.com > Azure Active Directory > Users
   - Ensure a subscription exists and that some example resources exist that the user can access.
4. Check AD: ensure the victim has read access to an Azure subscription and its resources.
   - Log into portal.azure.com as the victim and search on Subscriptions; you should see at least one.
   - Search on All Resources and make sure at least one resource exists.
   - Create some additional resources if you wish.
5. Office 365 setup: within Office 365, log in as the administrator and check that an Office 365 license is associated with the victim.
   - login.onmicrosoft.com > Admin icon > Users > Active Users
6. Check Office 365: ensure Office 365 Outlook email works for the victim.
   - login.onmicrosoft.com as the victim account > Outlook icon
7. Configure demo_cfg.json:
   - Set the victim user's email address in the "to" property.
   - Set the SMTP settings if you want the demo code to send the phishing email.
   - Keep the other config settings as they are (page=true, interactive=true, verbose=1, etc.).
8. Run:
   - command-line: `Powershell.exe|pwsh demo_msft.ps1 -config demo_cfg.json`
   - Step #0: user and device codes are generated.
   - Step #1: phishing email is sent (to the user/victim set in demo_cfg.json).
   - Step #2: loops, waiting for the user/victim to authenticate/authorize.
     - In a browser, log in as the user/victim to login.microsoft.com, check Outlook, follow the phishing email link, and authenticate.
   - Step #3: retrieves the user's OAuth access tokens.
   - Step #4: uses the access token to list users in Azure AD.
   - Step #5: retrieves the user's email.
   - Step #6: moves laterally and uses the refresh token to get a new access token for Azure.
   - Step #7: lists the resources within the Azure subscriptions that the user/victim has access to.

Files (`device_code/pwsh/`):
- `demo_msft.ps1` - main PowerShell file. Usage: `powershell|pwsh -h`
- `demo_cfg.json` - required config file
- `demo_email.txt` - email template if sending the phishing email
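The run steps above are the attacker's side of the device authorization grant; the defender's side, as an added example that is not part of this project, is a Python triage script that flags device code sign-ins in exported Entra ID (Azure AD) sign-in records. It assumes the Microsoft Graph `signIn` field names (`authenticationProtocol` with value `deviceCode`, `ipAddress`, `userPrincipalName`, `appDisplayName`, `createdDateTime`), uses constructed sample records rather than real log output, and applies a severity heuristic that is this example's own, not a Microsoft rule.

```python
from collections import defaultdict

# Constructed sample sign-in records shaped like the Microsoft Graph `signIn` resource.
# The third record is what a phished device code looks like in this example: the user's
# usual sessions come from 203.0.113.10, but the device-code token is issued to 198.51.100.77.
SAMPLE_SIGNINS = [
    {"createdDateTime": "2024-05-01T08:02:11Z", "userPrincipalName": "victim@contoso.example",
     "appDisplayName": "Office 365 Exchange Online", "authenticationProtocol": "oAuth2",
     "ipAddress": "203.0.113.10"},
    {"createdDateTime": "2024-05-01T09:15:40Z", "userPrincipalName": "victim@contoso.example",
     "appDisplayName": "Azure Portal", "authenticationProtocol": "oAuth2",
     "ipAddress": "203.0.113.10"},
    {"createdDateTime": "2024-05-01T09:31:05Z", "userPrincipalName": "victim@contoso.example",
     "appDisplayName": "Microsoft Office", "authenticationProtocol": "deviceCode",
     "ipAddress": "198.51.100.77"},
    {"createdDateTime": "2024-05-01T10:00:00Z", "userPrincipalName": "dev@contoso.example",
     "appDisplayName": "Microsoft Azure CLI", "authenticationProtocol": "deviceCode",
     "ipAddress": "203.0.113.22"},
    {"createdDateTime": "2024-05-01T10:05:00Z", "userPrincipalName": "dev@contoso.example",
     "appDisplayName": "Azure Portal", "authenticationProtocol": "oAuth2",
     "ipAddress": "203.0.113.22"},
]

def find_device_code_signins(signins):
    """One finding per device-code sign-in, oldest first.

    Severity is this example's own heuristic, not a Microsoft rule: "high" when the
    device-code sign-in comes from an IP the same user never used for any other sign-in
    in the data set (in a phishing scenario the token is redeemed by the attacker's
    polling client, not the victim's own device); "medium" otherwise.
    """
    baseline = defaultdict(set)  # user -> IPs seen on their non-device-code sign-ins
    for s in signins:
        if s["authenticationProtocol"] != "deviceCode":
            baseline[s["userPrincipalName"]].add(s["ipAddress"])
    findings = []
    for s in sorted(signins, key=lambda r: r["createdDateTime"]):
        if s["authenticationProtocol"] != "deviceCode":
            continue
        new_ip = s["ipAddress"] not in baseline[s["userPrincipalName"]]
        findings.append({"time": s["createdDateTime"], "user": s["userPrincipalName"],
                         "app": s["appDisplayName"], "ip": s["ipAddress"],
                         "severity": "high" if new_ip else "medium"})
    return findings

if __name__ == "__main__":
    for f in find_device_code_signins(SAMPLE_SIGNINS):
        print(f"[{f['severity']}] {f['time']} {f['user']} via {f['app']} from {f['ip']}")
```

Legitimate device code use (for example Azure CLI on a headless machine) produces the same protocol value, which is why the baseline is kept per user and the output is a triage queue rather than a verdict. Where users do not need the flow at all, Entra ID Conditional Access can block it outright through its authentication flows condition.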
## Evolving Phishing Attacks

- A Big Catch: Cloud Phishing from Google App Engine and Azure App Service
- Microsoft Seizes Malicious Domains Used in Mass Office 365 Attacks
- Phishing Attack Hijacks Office 365 Accounts Using OAuth Apps
- Office 365 Phishing Attack Leverages Real-Time Active Directory Validation
- [Demonstration - Illicit Consent Grant Attack in Azure AD](https://securecloud.blog/2018/10/02/demonstration-illicit-consent-grant-attack-in-azure-ad-office-365/)
- Detection and Mitigation of Illicit Consent Grant Attacks in Azure AD
- HelSec Azure AD write-up: Phishing on Steroids with Azure AD Consent Extractor
- Pawn Storm Abuses OAuth In Social Engineering Attack
## OAuth Device Code Flow

## Additional OAuth Research Areas