New Phishing Technique Steals Account Tokens Through Legitimate Microsoft Login Page
Attackers are exploiting a new phishing technique to get access to your account from a legitimate Microsoft login page, according to Kaspersky.
Historically, phishing worked by tricking people into visiting fake websites that resembled the real one and had a URL that was close enough that you might not spot it easily, like www.goog1e.com.
However, a new strategy is emerging to allow phishing via real login pages, specifically the Microsoft Identity Platform.
They exploit a protocol called Device Authorization Grant. You might have used it before without realizing; it's what allows you to log in to your accounts on smart TVs, IoT hardware, printers, and other devices that don't support a full keyboard to type your login credentials with.
The protocol works by generating a one-time code that you must type in on a separate device like a smartphone in order to grant access to your device.
The process starts by opening an app on your device, at which point it detects that no one is logged in and sends a POST request to Microsoft containing the unique identifier for the app and the requested permissions.
Microsoft responds with a secret code that is displayed to you and a link for you to visit on your phone or computer.
You can usually scan a QR code to visit the link or manually type it out, at which point you'll enter the code displayed on your TV for example.
The server then issues an access token to log you in, along with a refresh token to allow it to refresh its account access once the access token expires without any user interaction.
Unfortunately this refresh token allows attackers to maintain access to your account for extended periods of time.
The phishing campaign started with a malicious PDF sent via an email posing as a legal notice from a law firm. Opening the PDF would present you with several documents which would require you to click a link to open them.
The link takes you to a real Microsoft address, but the parameters redirect to a phishing resource. You get redirected from the Microsoft address to a fake law firm page, and then a final page where you're instructed to input a one-time code, which is copied to your clipboard automatically.
You're then redirected to Microsoft's actual authentication page where you're prompted to input the code, the same way you would for a smart TV.
As soon as the authentication is complete, the attackers are able to read and send emails from the victim's address, exfiltrate files from OneDrive, and access Teams conversations.
Phishing attacks like these set a scary precedent and make the advice to "always check the URL" obsolete. The best way to defend yourself is to never paste a code if you didn't initiate the process yourself, especially not a code from random emails.
Community Discussion