New Phishing Techniques Targeting Microsoft Entra ID: A Deep Dive into the OAuth 20 Exploit

2025-01-29

In the ever-evolving landscape of cybersecurity, phishing techniques continue to get more sophisticated, making it crucial for organizations to stay ahead. A recent blog post by security researcher Rik van Duijn explored a new method of phishing that targets Microsoft Entra ID, formerly known as Azure Active Directory. Drawing inspiration from a demonstration in the “Offensive Entra ID (Azure AD) and Hybrid AD Security” training by Dirk-jan, Duijn uncovered a new way for attackers to harvest access and refresh tokens during the OAuth 2.0 authorization flow.

This technique bypasses the need for traditional cookie theft and swapping, offering a more direct and efficient approach for cybercriminals. By modifying the EvilGinx phishing tool, attackers can intercept tokens, enabling them to breach Microsoft services such as Microsoft 365, OneDrive, and Teams. In this article, we’ll dive deeper into the method, how it works, and what organizations can do to protect themselves.

Overview of the Phishing Technique

The newly discovered phishing method focuses on targeting the OAuth 2.0 authorization code flow, a widely used protocol by applications that require backend access to Microsoft resources. This authorization flow ensures that backend communications remain secure without exposing user credentials.

In this attack, attackers leverage an AiTM (Adversary-in-the-Middle) phishing technique to intercept the communication between the victim, the client application, and Microsoft’s authentication backend. The attacker then steals the authorization code as it’s returned in the response header, which contains the parameter “nativeclient?code=”.

Once the attacker intercepts the code, they can use it to request access and refresh tokens via the /oauth2/token endpoint. The victim is then redirected to a legitimate Microsoft portal, unaware of the breach.

Expanding the Attack with Stolen Tokens

What makes this technique even more concerning is the potential for further exploitation once the attacker has the stolen tokens. By targeting legitimate client IDs such as Microsoft Teams (which provides permissions to Microsoft Graph, Exchange, OneDrive, and Teams itself), attackers gain access to a vast range of resources. Tools like “roadtx” allow attackers to further pivot their access, infiltrating sensitive areas like DevOps repositories and hijacking Azure PowerShell resources.

While Duijn’s proof-of-concept (PoC) demonstrates how feasible this attack is, the implementation remains a proof of concept and not yet ready for large-scale deployment. Nevertheless, it underscores the need for heightened vigilance in securing OAuth 2.0 flows.

Mitigation Strategies

Organizations can reduce the risk of falling victim to these attacks by implementing robust detection systems. Anomalies in login attempts, such as suspicious IP addresses originating from Cloudflare IP ranges or unusual user-agent strings (for example, a mobile login using a browser-like user agent), can indicate an ongoing attack.

Security teams should prioritize reviewing logs from services such as SigninLogs and AADNonInteractiveUserSignInLogs to identify these potential threats. As phishing tactics targeting OAuth 2.0 flows become more advanced, it is essential for security professionals to bolster authentication methods and keep a close eye on any unusual activity.

What Undercode Says:

The discovery of this new phishing method targeting Microsoft Entra ID raises several important points for organizations to consider in their cybersecurity strategies. While OAuth 2.0 is widely regarded as a secure protocol, this attack shows that even the most established authentication methods are not immune to exploitation.

One of the key takeaways from this new phishing technique is its ability to bypass traditional cookie theft methods, which were once the primary focus of many phishing attacks. By targeting the OAuth 2.0 authorization code flow directly, attackers can streamline the process of acquiring access and refresh tokens. This makes the attack more efficient, which increases the risk of widespread exploitation if left unaddressed.

The fact that attackers can pivot from one stolen token to multiple resources—such as Teams, Microsoft Graph, and Azure PowerShell—shows the far-reaching impact of this exploit. It highlights how an attacker with a single token could potentially infiltrate multiple areas of an organization’s infrastructure, increasing the scope of the damage.

Organizations must now reevaluate their security strategies, focusing not only on protecting against traditional phishing but also enhancing their defenses around OAuth 2.0 flows. This could involve implementing stricter controls around token exchange, monitoring OAuth interactions more closely, and improving anomaly detection capabilities. It is also vital to educate employees about the risks of phishing and the importance of verifying suspicious login attempts, especially in an environment where hybrid cloud infrastructures are increasingly common.

Another point of concern is the use of modified phishing tools, like EvilGinx, which shows how easily common tools can be adapted for new types of attacks. This presents a challenge for defenders who must stay one step ahead of evolving tactics and continuously update their security systems. While current defenses may catch some forms of phishing, the sophistication of these evolving techniques calls for more advanced, proactive security measures.

The role of detection tools in identifying this type of attack cannot be overstated. Monitoring unusual behaviors, such as unexpected logins from Cloudflare IP addresses or unfamiliar user-agent strings, will be critical in identifying phishing campaigns early. As the sophistication of these attacks grows, the need for automated tools that can identify and flag potential threats in real time will become increasingly important.

Ultimately, the rise of OAuth-targeted phishing serves as a reminder that securing authentication mechanisms is more complex than ever. It is no longer enough to rely on simple measures; organizations must embrace a layered approach to security that involves both technical defenses and proactive monitoring. In a world where attackers are constantly adapting, only organizations that stay vigilant and evolve their security posture will be able to defend against these emerging threats.