Readme.md
+8-8 Lines changed: 8 additions & 8 deletions
@@ -1,13 +1,18 @@
1
1
# DeviceCodePhishing
2
2
3
3
## TL;DR;
4
+
EDIT 19.09.2025: Microsoft fixed it for normal Entra tenants, but still possible for federated Entra tenants.
5
+
4
6
This is a novel technique that leverages the well-known Device Code phishing approach.
5
7
It dynamically initiates the flow as soon as the victim opens the phishing link and instantly redirects them to the authentication page.
6
8
A headless browser automates this by directly entering the generated Device Code into the webpage behind the scenes.
7
9
This defeats the 10-minute token validity limitation and eliminates the need for the victim to manually perform these steps, elevating the efficiency of the attack to a new level.
8
10
What makes Device Code phishing especially dangerous is that no authentication method, not even FIDO, is able to protect against this type of attack.
9
11
Additionally, the victim interacts with the original website they expect, making it impossible to detect the attack based on a suspicious URL.
10
12
13
+
## Edit: Does not work on normal Entra tenants anymore, but ...
14
+
Federated Entra tenats are still affected by that technique. The application now executes a preflight check if the specified domain belongs to a tenant, that is federated. If yes execution continues and the user is redirected immediatly to the federated sign-in page.
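Review bot: The new "## Edit" paragraph has several typos and a run-on: "tenats" should be "tenants", "immediatly" should be "immediately", and "If yes execution continues and the user is redirected" needs a comma after "If yes". The same paragraph also leaves the failure path undocumented: it describes the preflight check only for the case where the domain is federated, so a reader cannot tell what the tool does when the check fails (whether it aborts, reports an error, or falls back to the old flow); one sentence stating that behaviour would make the README match the new code path. Finally, the "EDIT 19.09.2025" line added under TL;DR and the new "## Edit" section repeat the same statement, and the unchanged TL;DR sentence "no authentication method, not even FIDO, is able to protect against this type of attack" now reads as unqualified even though the page itself says the technique no longer works for normal Entra tenants; consider keeping the dated note in one place and qualifying that sentence (for example by adding "for federated tenants") so defenders reading only the TL;DR get the current scope.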
@@ -34,7 +39,7 @@ For more details, check out the blog post: [Phishing despite FIDO, leveraging a
34
39
1. The attacker sends a URL to the victim
35
40
2. The victim opens that URL
36
41
3. When the URL is opened, a headless browser is started, performing the following automated steps:
37
-
- Starts the Device Code Flow with `<tenant>` and `<clientId>`
42
+
- Starts the Device Code Flow with `<tenantDomain>` and `<clientId>`
38
43
- Opens the device-code webpage and enters the corresponding user-code
39
44
- The device-code webpage forwards to the URL for interactive authentication (By clicking on "Can't access your account" and immediately navigating back by clicking the cancel button, see [here](https://github.com/denniskniep/DeviceCodePhishing/blob/main/pkg/entra/devicecode.go#L101))
40
45
- Returns the URL for interactive authentication as a redirect to the victim
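Review bot: Step 3 is updated to `<tenantDomain>` but the list of automated steps still omits the preflight check that the new "## Edit" section says now runs first (the check whether the domain belongs to a federated tenant, and the immediate redirect to the federated sign-in page); adding that as the first sub-bullet of step 3 would keep the step list consistent with the described behaviour. The sub-bullet "The device-code webpage forwards to the URL for interactive authentication ..." also points at a line-anchored link (`devicecode.go#L101`); since this commit accompanies a code change in that flow, that anchor is likely to drift, so a permalink to a specific commit, or a link without the line fragment, would be more robust.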
@@ -52,14 +57,9 @@ go install github.com/denniskniep/DeviceCodePhishing@v1.1.0
52
57
```
53
58
54
59
## Start the phishing server
55
-
56
-
By default, it runs with tenant set to `common` and with the AuthenticationBroker ClientId `29d9ed98-a469-4536-ade2-f981bc1d605e`
57
-
```shell
58
-
DeviceCodePhishing server
59
-
```
60
-
Use the args if one want to define a specific tenant, a different clientId or a custom userAgent
60
+
Specify the TenantDomain with `--domain`. By default, it runs with the AuthenticationBroker ClientId `29d9ed98-a469-4536-ade2-f981bc1d605e`. Use the args if one want to define a different clientId or a custom userAgent
61
61
```shell
62
-
DeviceCodePhishing server --tenant <tenantId> --client-id <clientId> --user-agent <userAgent>
62
+
DeviceCodePhishing server --domain <tenantDomain> --client-id <clientId> --user-agent <userAgent>
63
63
```
64
64
For further help on syntax or how to use arguments execute:
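Review bot: The rewritten "Start the phishing server" section no longer documents the default: the removed lines stated that the server runs with tenant `common` and showed `DeviceCodePhishing server` with no arguments, while the new text says "Specify the TenantDomain with `--domain`" without saying whether `--domain` is now mandatory or what happens when it is omitted. State explicitly whether the flag is required. The carried-over sentence "Use the args if one want to define ..." should read "if one wants", and "TenantDomain" is better written as "tenant domain" in prose, matching the `<tenantDomain>` placeholder used in the example. Also note the hunk header: the install instruction still pins `go install github.com/denniskniep/DeviceCodePhishing@v1.1.0`, but this change removes `--tenant` and documents `--domain`; check that the pinned version actually accepts `--domain`, otherwise a reader following the README verbatim will install a binary whose flags do not match the documented command.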