In the ever-evolving landscape of cybersecurity, the Australian Signals Directorate (ASD) has recently sounded the alarm on a cunning and increasingly prevalent threat: device code phishing. This sophisticated technique, which has been in the wild since at least 2020, is now being employed by both state-sponsored actors and criminal enterprises, leveraging the very tools designed to protect us. What makes this particularly fascinating is the way in which these attacks are being packaged and distributed, with a growing market of phishing-as-a-service (PhaaS) offerings making it easier for malicious actors to launch large-scale campaigns. From the perspective of a cybersecurity analyst, this raises a deeper question: how can we better prepare for and mitigate these evolving threats?
The Rise of Device Code Phishing
Device code phishing is a clever tactic that exploits Microsoft's device authorisation process. By tricking users into entering an attacker-provided code on Microsoft's legitimate login page, attackers can obtain authentication tokens and gain access to the victim's Microsoft 365 account. What makes this technique particularly insidious is its ability to bypass traditional security measures, such as URL verification: the user really is on a trusted Microsoft portal, and only the code they type in is attacker-supplied.
In my opinion, the rise of device code phishing is a testament to the creativity and resourcefulness of modern cybercriminals. What many people don't realize is that these attacks are not just the work of lone hackers but are often part of larger, well-coordinated campaigns. The use of AI-generated code and prompts, for example, suggests a level of automation and sophistication that is both impressive and concerning.
The Role of PhaaS Offerings
The availability of PhaaS offerings has played a significant role in the proliferation of device code phishing. Services like EvilTokens and Tycoon provide malicious actors with the tools they need to launch sophisticated attacks, often with minimal technical expertise. What makes this particularly troubling is the ease with which these services can be monetized, with affiliates able to pay for tooling to manage multiple compromised accounts.
From my perspective, the rise of PhaaS offerings highlights a critical gap in our current cybersecurity infrastructure. While we have made significant progress in detecting and mitigating traditional phishing attacks, we have yet to fully address the challenges posed by these more sophisticated and automated threats. This raises a deeper question: how can we better regulate and monitor these services to prevent them from being exploited for malicious purposes?
The Human Factor
One thing that immediately stands out is the importance of human factors in these attacks. The use of blank email bodies paired with PDF attachments, for example, suggests a level of automation and poor operational discipline that can be exploited by defenders. Similarly, the pivoting of threat actors previously associated with AiTM phishing to device code phishing highlights the need for ongoing vigilance and adaptation in our cybersecurity strategies.
Personally, I think that user awareness training should be updated to address device code phishing. Traditional guidance focused on checking URLs may not help when users are directed to enter codes on a trusted Microsoft portal. Instead, we need to educate users about the signs of device code phishing, such as the use of QR codes and dynamic device codes, and provide them with the tools and resources they need to identify and report suspicious activity.
Mitigating the Threat
For defenders, mitigating the threat of device code phishing requires a multi-layered approach. Proofpoint recommends blocking device code flow where possible through Conditional Access policies, using allow lists by use case, and requiring sign-ins to originate from compliant or joined devices. Additionally, user awareness training should be updated to address device code phishing, and defenders should be prepared to adapt their strategies as new threats emerge.
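The policy logic recommended above, as an added example that is not part of the original post: it evaluates sign-in records against the posture the paragraph describes (block the device code flow unless the account has an allow-listed use case and the sign-in comes from a compliant or joined device). Field names follow the Entra ID sign-in log schema; the allow list and the sign-in records themselves are constructed sample data.

```python
# Added example, not code from the original post. Field names
# (authenticationProtocol, deviceDetail.isCompliant, deviceDetail.trustType)
# follow the Entra ID sign-in log schema; records and allow list are constructed.

# Assumed allow list: only these accounts have a legitimate device-code use
# case (for example, signing in on input-constrained meeting-room devices).
DEVICE_CODE_ALLOWED = {"av-room@example.com"}

# Joined trust types; "Azure AD registered" is a personal (BYOD) device, not joined.
JOINED = {"Azure AD joined", "Hybrid Azure AD joined"}

# Constructed sample sign-in records.
SAMPLE_SIGNINS = [
    {"userPrincipalName": "alice@example.com", "authenticationProtocol": "deviceCode",
     "deviceDetail": {"isCompliant": False, "trustType": ""}},
    {"userPrincipalName": "av-room@example.com", "authenticationProtocol": "deviceCode",
     "deviceDetail": {"isCompliant": True, "trustType": "Azure AD joined"}},
    {"userPrincipalName": "av-room@example.com", "authenticationProtocol": "deviceCode",
     "deviceDetail": {"isCompliant": False, "trustType": "Azure AD registered"}},
    {"userPrincipalName": "bob@example.com", "authenticationProtocol": "oAuth2",
     "deviceDetail": {"isCompliant": True, "trustType": "Hybrid Azure AD joined"}},
]


def evaluate(signin: dict) -> str:
    """Return 'allow' or a block reason for one sign-in record."""
    if signin.get("authenticationProtocol") != "deviceCode":
        return "allow"  # not a device code sign-in; other policies apply
    user = signin["userPrincipalName"].lower()
    if user not in DEVICE_CODE_ALLOWED:
        return "block: device code flow not permitted for this user"
    dev = signin.get("deviceDetail", {})
    # Require a compliant OR joined device, as the recommendation states.
    if not (dev.get("isCompliant") or dev.get("trustType") in JOINED):
        return "block: device code flow from unmanaged device"
    return "allow"


def triage(signins: list[dict]) -> list[tuple[str, str]]:
    """Return (user, verdict) for every device code sign-in in the batch."""
    return [(s["userPrincipalName"], evaluate(s))
            for s in signins if s.get("authenticationProtocol") == "deviceCode"]


if __name__ == "__main__":
    for user, verdict in triage(SAMPLE_SIGNINS):
        print(f"{user}: {verdict}")
```

Run against exported sign-in logs, the same function doubles as a retrospective check: any device code sign-in that evaluates to a block reason is one the policy would have stopped, or one worth investigating if it succeeded before the policy was in place.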
In my opinion, the key to success in this area lies in collaboration and innovation. We need to work together to develop new tools and techniques for detecting and mitigating device code phishing, and we need to be prepared to adapt our strategies as the threat landscape continues to evolve. Only through a combination of technical expertise, human factors, and collaborative efforts can we hope to stay one step ahead of these cunning and insidious threats.