Recent findings by cybersecurity researchers reveal a persistent phishing campaign run by Russian operatives against Microsoft 365 accounts. The researchers describe a technique dubbed “device code phishing,” which abuses a legitimate authentication flow defined by the OAuth standard.
Device code phishing abuses the “device code flow,” a protocol designed for devices that lack a usable web browser, such as smart TVs and printers. It lets users authorize such a device without typing a username and password on the device itself, which is often impractical on such hardware.
In this flow, the device displays a short alphanumeric code together with a URL for the account's sign-in page. The user opens that URL on a more capable device and enters the code; the device that displayed the code then receives an authentication token that logs it into the user's account.
The authorization mechanism therefore runs over two separate channels: one from the device seeking access and one from the user's web browser, so the user never has to enter credentials on the device.
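The two channels described above, modelled as an added example that is not part of the original article: a toy authorization server in the shape of the OAuth 2.0 device authorization grant (RFC 8628). The class, the client name, the user name and the verification URL are constructed placeholders. The point it makes is that the token is returned on the channel of whoever requested the code, bound to whichever user entered that code.

```python
import secrets
import time

# Constructed toy authorization server modelling the device authorization grant.
# Channel 1 is the requesting client (the "device"); channel 2 is the user's browser.
class DeviceAuthServer:
    def __init__(self, lifetime_s=900):
        self.lifetime_s = lifetime_s   # user codes expire (the expires_in value)
        self.pending = {}              # device_code -> pending authorization record

    def device_authorization(self, client_id, scope):
        """Channel 1: the requesting client asks for a device_code/user_code pair."""
        device_code = secrets.token_urlsafe(32)
        user_code = "-".join(secrets.token_hex(2).upper() for _ in range(2))
        self.pending[device_code] = {
            "client_id": client_id, "scope": scope, "user_code": user_code,
            "expires_at": time.time() + self.lifetime_s, "approved_by": None,
        }
        return {"device_code": device_code, "user_code": user_code,
                "verification_uri": "https://idp.example/device",  # placeholder
                "expires_in": self.lifetime_s, "interval": 5}

    def user_approves(self, user, user_code):
        """Channel 2: a signed-in user types the code at verification_uri."""
        for rec in self.pending.values():
            if rec["user_code"] == user_code and time.time() < rec["expires_at"]:
                rec["approved_by"] = user
                return True
        return False                   # unknown or expired code: nothing happens

    def token(self, device_code):
        """Channel 1 again: the original requester polls until a user approved."""
        rec = self.pending.get(device_code)
        if rec is None:
            return {"error": "invalid_grant"}
        if time.time() >= rec["expires_at"]:
            del self.pending[device_code]
            return {"error": "expired_token"}
        if rec["approved_by"] is None:
            return {"error": "authorization_pending"}
        del self.pending[device_code]  # a device_code is single use
        # The token carries the approving user's identity but is handed to
        # the client that started the flow, whoever that client was.
        return {"access_token": f"tok-for-{rec['approved_by']}",
                "issued_to_client": rec["client_id"], "scope": rec["scope"]}
```

The code lifetime is the only time bound on the exchange, which is why defenders treat the expiry window and the identity of the requesting client as the controls that matter.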
A concerted effort
Security advisories from Volexity and Microsoft indicate that Russian state-sponsored groups have actively exploited this authentication flow since at least August of the previous year. The threat actors typically impersonate high-ranking officials to draw targeted individuals into conversation on messaging platforms such as Signal, WhatsApp, or Microsoft Teams.
Among the organizations and individuals impersonated in these communications are various governmental and corporate entities, which raises significant concerns about the security posture of the affected sectors.
Source
arstechnica.com