🚨 Beyond Credential Theft: The New Phishing Technique That Exploits OAuth Device Authorization
KnowBe4 ThreatLabs has identified a sophisticated phishing campaign exploiting Microsoft's OAuth device code authentication. Attackers use Google Cloud Storage to host HTML redirectors that trick victims into entering attacker-controlled device codes on legitimate Microsoft portals, bypassing traditional phishing defenses.
Attack flow:
Attacker initiates the OAuth flow once victim’s email is entered
The victim is redirected to a second domain containing a real Microsoft device login link (microsoft[.]com/devicelogin) and the attacker's shared device code.
Victim enters the code on the legitimate Microsoft site
Victim authenticates with real credentials
Attacker's application gets the OAuth token in real-time
Attacker now has access to the victim's Microsoft account
🔍 KEY OBSERVATIONS
• Displays content in victim's regional language • OAuth Hijack • Uses real Microsoft endpoints for device code requests.
🛡️ IOCs to monitor and block:
Sender:
noreply-application-integration@google[.]com
Subject Patterns:
• Voice Mail (### seconds).
• ###### Confirmation: Distribution Notice Payment Processed
• #### Shared document: "Q4 Profit related Salary Bonus Distributions Form — Year 25"
Domains:
• logon[.]sharefileselfservices[.]cloud
• sso-services[.]com
• newcrowdcapital[.]com
URLs:
storage[.]cloud[.]google[.]com/httqwebserverq145i4x6bbx17cpb2rnw/check[.]html
h_ps://storage[.]cloud[.]google[.]com/httqaccesspoliciesservicesg9u7s54p56x7vubee5dd/check[.]html
h_ps://storage[.]cloud[.]google[.]com/httqwebservices673ghe67ghe67bh56wfdtr254trfeyu7834yu67673gh563/captcha[.]html
h_ps://storage[.]cloud[.]google[.]com/httqwebserver764gs53f543fe8u87egh653gfe56g4784/captcha[.]html
#Phishing #OAuth #ThreatIntel #M365 #CyberSecurity
Since October, we've not only seen an uptick in Akira #ransomware attacks, but also a new trend of Akira actors stealing data without deploying ransomware for extortion.
Check out my latest article for more info on Akira's latest tactics ⤵️
https://t.co/P1whty1LBY
📰New blog is out discussing new Adload C2, the resurfacing of UpdateAgent, and more MacOS #Malware discovered by our threat hunters @BlakeCahen and @iAmTippett in the 🍏Education Sector of IronDome
Check it out ⤵️
https://t.co/DYhqDvpt6m
#CollectiveDefense
Excited to present my first article with @SophosXOps!
In this blog, we introduce a new initial access #malware campaign called Nitrogen that uses malvertising & impersonates popular software to compromise enterprise networks & drop #CobaltStrike
https://t.co/t9xOjh5yEo
Can you quickly tell which of the URLs below is legitimate and which one is a malicious phish that drops evil.exe?
I walk through a few of the dangers of Google's new .zip TLD in my blog post here:
https://t.co/wciJ6ixhYS
Appreciate all the likes/retweets I've seen already!
From our #IronRadar collections, let’s take a look at some of the domains recently mentioned by @Unit42 in their #RoyalRansomware post https://t.co/p02cdJYoiF such as kasperslkyupdate[.]com and kasperskyupdates[.]com
This is stolen from the vx-underground GitHub malware collection. They moved some categories around - but this is it verbatim.
You're welcome for the malware source code, nerds. That is years of hard work on our end collecting them and curating them.
Pivoting off of one of the IPs in the TAG report, #IronNetTR found 6 other suspected HYPERSCRAPE servers associated with Iranian #APT35:
136.243.108[.]9
136.243.108[.]10
136.243.108[.]11
136.243.108[.]12
136.243.108[.]13
195.201.46[.]42
Super excited to share our findings from the #BlackHat NOC! Everything from the standard crapware we always expect but also Kimsuky malware domains 😱
You can find our report here: https://t.co/LQVKdSoEwm