Device Code Phishing: How to protect yourself in less than 10 minutes!
Device Code phishing is rapidly becoming one of the most effective ways to bypass modern Conditional Access protections in Entra ID. In this article we will show you how to see if your organization is using this authentication flow, and how to block it with ease.
Chief Consultant
As organizations adopt phishing-resistant MFA and successfully shut down AiTM (adversary-in-the-middle) attacks, attackers are shifting to alternative authentication flows that achieve the same goal: obtaining fully legitimate access tokens without stealing credentials.
Atea IRT has for years advised our customers to block Device Code Flow in Entra, because malicious actors use it for phishing. In recent months, however, abuse of this flow has increased. We believe the reason is the rollout of phishing-resistant MFA, which stops AiTM phishing, for the last 3-4 years the most common way of carrying out identity-based attacks in Entra.
Luckily, blocking Device Code flow attacks is super easy and will probably not affect your users at all!
What is device code phishing?
Device code phishing is an attack where the attacker tricks the victim into completing a legitimate sign-in flow on the attacker's behalf. The attacker sends the victim a link and a “device code”, often pretending it is part of a normal login or security process. When the victim enters the code on the trusted Microsoft login page and authenticates, the resulting tokens are issued to the attacker's session, not the victim's. Because this uses the real authentication system, the attacker never needs the password, and the sign-in looks like any other, it bypasses many traditional phishing defenses and works even against accounts protected by phishing-resistant multi-factor authentication.

Example of Device Code phishing.
Most of us use this kind of flow when signing in to streaming services on a TV. Instead of typing a username and password with the remote control, we are asked to go to a URL and complete the login on a phone. This is the same flow the attackers abuse. In an attack, the attacker's device plays the role of the “TV”, and the victim unknowingly signs in on its behalf. The result is that the attacker receives valid access and refresh tokens for the victim's Entra account, and with them full access to Outlook, Teams, OneDrive, SharePoint and whatever other services are connected to Entra.

Sign in to Netflix with Device Code Flow.
Below is a brief walkthrough of how to check whether your organization actually needs the flow, and then how to block it for everyone who does not.
Do you use Device Code Flow?
First, you need to check whether you use Device Code flow in your environment.
- Go to the Entra portal https://entra.microsoft.com
- Go to Users, Sign-in logs.
- Click “Add filters”, choose “Original transfer method”, then “Device code flow”.
- Set “Date” to “Last 1 month” (the portal keeps 30 days of sign-in logs on Entra ID P1/P2, so this is the full history available there).

Any entries that show up are device code sign-ins made in your tenant. Typical legitimate sources are admin scripts that authenticate with a device code (for example Azure CLI with --use-device-code or Connect-MgGraph -UseDeviceCode), headless applications and some meeting-room devices.
Identify the services using the flow for legitimate reasons and, if they are still needed, find a way to exclude those sign-ins from the block. You can exclude by named location (IP addresses), application or user/group.
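The same check, scripted so it can be repeated and exported, as an added example that is not part of the original article. It uses the Microsoft Graph PowerShell SDK (beta reports module) rather than the portal; the `$Days` parameter and the `AuditLog.Read.All` scope are assumptions, and the group-by output is the exclusion list you need before you block the flow.

```powershell
# Added example (not from the original article): list device code flow sign-ins
# from the last N days with the Microsoft Graph PowerShell SDK (beta profile).
# Assumes Microsoft.Graph.Beta.Reports is installed and the caller holds
# AuditLog.Read.All; $Days is an assumed parameter (30 = maximum portal retention).
param([int]$Days = 30)

Connect-MgGraph -Scopes "AuditLog.Read.All", "Directory.Read.All" -NoWelcome

# Filter server-side on the date only; originalTransferMethod is filtered
# client-side so the query does not depend on $filter support for that property.
$since   = (Get-Date).AddDays(-$Days).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ssZ")
$signIns = Get-MgBetaAuditLogSignIn -All -Filter "createdDateTime ge $since" |
    Where-Object { $_.OriginalTransferMethod -eq "deviceCodeFlow" }

if (-not $signIns) {
    Write-Host "No device code flow sign-ins in the last $Days days. Safe to block."
    return
}

# One row per (user, app, source IP): every row is either an exclusion you must
# create before blocking, or something that should stop being done this way.
$signIns |
    Group-Object UserPrincipalName, AppDisplayName, IpAddress |
    ForEach-Object {
        [pscustomobject]@{
            User      = $_.Group[0].UserPrincipalName
            App       = $_.Group[0].AppDisplayName
            AppId     = $_.Group[0].AppId
            IpAddress = $_.Group[0].IpAddress
            Count     = $_.Count
            Succeeded = ($_.Group | Where-Object { $_.Status.ErrorCode -eq 0 }).Count
            LastSeen  = ($_.Group | Sort-Object CreatedDateTime -Descending)[0].CreatedDateTime
        }
    } |
    Sort-Object Count -Descending |
    Format-Table -AutoSize
```

Pipe the result to `Export-Csv` if you want to share it with application owners; a row whose IP is outside your known egress ranges and whose app is not one you recognize deserves a look in the incident response sense, not just the tuning sense.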
Create a policy to block the flow.
- Go to https://entra.microsoft.com
- If you have legitimate uses for Device Code Flow, create the objects to exclude first.
- If a set of users needs this flow, create a group and add those users.
- Remember that these users remain vulnerable to Device Code Flow phishing!
- If you only need Device Code Flow from your office locations, create a named location with your office IP ranges.
- Once the exclusions are ready (if needed), create a new Conditional Access policy.
- Users -> “All users”
- Exclude the group created above (if using).
- Remember to exclude your break glass account!
- Target resources -> “All resources”.
- Network -> “Any network or location”
- Exclude the named location created above (if using).
- Conditions -> “Authentication flows” -> Transfer methods -> “Device code flow”.
- Grant -> “Block access”.

As with every block policy, the portal asks you to exclude the current user to avoid a tenant lock-out. As long as you have a break glass account set up (and tested!) that is excluded from the policy you just created, choose not to exclude yourself. If you do not have a break glass account, be extra safe and exclude the current user (and then go set up a break glass account!). It is also worth enabling the policy in report-only mode first and reviewing the “Report-only” results in the sign-in logs for a few days, so any legitimate device code sign-in you missed shows up before it is blocked.
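The same policy built through the Graph API instead of the portal, as an added example that is not part of the original article. It creates the named location and the Conditional Access policy with the Microsoft Graph PowerShell SDK (beta identity module), refuses to continue if the break glass account does not exist, and starts in report-only mode. The group name, break glass UPN, location name and IP range are assumptions; replace them with your own objects.

```powershell
# Added example (not from the original article): build the "block device code flow"
# Conditional Access policy with the Microsoft Graph PowerShell SDK (beta profile).
# Assumes Microsoft.Graph.Beta.Identity.SignIns, Microsoft.Graph.Users and
# Microsoft.Graph.Groups are installed. All names below are assumptions.
$BreakGlassUpn  = "breakglass@contoso.onmicrosoft.com"  # assumed; must already exist
$AllowedGroup   = "CA-Exclude-DeviceCodeFlow"           # assumed group of users who need the flow
$OfficeLocation = "Office egress"                       # assumed named location name
$OfficeIpRanges = @("203.0.113.0/24")                   # assumed (documentation range)

Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All",
                        "Group.Read.All", "User.Read.All" -NoWelcome

# Resolve the exclusions. Fail closed if the break glass account is missing: a block
# policy with no excluded emergency account is how tenants lock themselves out.
$breakGlass = Get-MgUser -UserId $BreakGlassUpn -ErrorAction Stop
$group      = Get-MgGroup -Filter "displayName eq '$AllowedGroup'" | Select-Object -First 1
if (-not $group) { throw "Group '$AllowedGroup' not found; create it or drop the exclusion." }

# Named location for the office ranges (only needed if the flow is allowed from the office).
$location = Get-MgBetaIdentityConditionalAccessNamedLocation -All |
    Where-Object { $_.DisplayName -eq $OfficeLocation } | Select-Object -First 1
if (-not $location) {
    $location = New-MgBetaIdentityConditionalAccessNamedLocation -BodyParameter @{
        "@odata.type" = "#microsoft.graph.ipNamedLocation"
        displayName   = $OfficeLocation
        isTrusted     = $false
        ipRanges      = @($OfficeIpRanges | ForEach-Object {
            @{ "@odata.type" = "#microsoft.graph.iPv4CidrRange"; cidrAddress = $_ }
        })
    }
}

# Mirrors the portal steps: all users and resources, any network, transfer method
# "device code flow", grant control "block". Report-only first, then switch to "enabled".
$policy = @{
    displayName = "Block device code flow"
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users = @{
            includeUsers  = @("All")
            excludeUsers  = @($breakGlass.Id)
            excludeGroups = @($group.Id)
        }
        applications        = @{ includeApplications = @("All") }
        locations           = @{
            includeLocations = @("All")
            excludeLocations = @($location.Id)
        }
        authenticationFlows = @{ transferMethods = "deviceCodeFlow" }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("block")
    }
}

$created = New-MgBetaIdentityConditionalAccessPolicy -BodyParameter $policy
"Created policy '{0}' ({1}) in state {2}" -f $created.DisplayName, $created.Id, $created.State
```

Once the report-only results show only the sign-ins you expected (or none), flip `state` to `"enabled"` with `Update-MgBetaIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id -State enabled`. If nobody in the tenant needs the flow, drop the group and location exclusions entirely; every exclusion is a set of accounts that can still be phished this way.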
Congratulations! You are now protected against Device Code-phishing!