{ "Event": { "analysis": "1", "date": "2026-04-20", "extends_uuid": "", "info": "[Threat Intel] Abusing OAuth Device Code Flow", "protected": false, "publish_timestamp": "1776783238", "published": true, "threat_level_id": "3", "timestamp": "1776783238", "uuid": "79d13d1c-bdc2-4799-9ea3-fc929b4bdee5", "Orgc": { "name": "Rectifyq", "uuid": "cd9bd516-61fa-476b-980f-2f8de03992d4" }, "Tag": [ { "colour": "#ffffff", "local": false, "name": "tlp:clear", "relationship_type": "" }, { "colour": "#004646", "local": false, "name": "type:OSINT", "relationship_type": "" }, { "colour": "#b94b1d", "local": false, "name": "rectifyq:mitre-att&ck=\"none-from-src\"", "relationship_type": "" }, { "colour": "#b94b1d", "local": false, "name": "rectifyq:mitre-att&ck=\"from-OTX\"", "relationship_type": "" }, { "colour": "#f146c3", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Sharepoint - T1213.002\"", "relationship_type": "" }, { "colour": "#ed66f6", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Steal Web Session Cookie - T1539\"", "relationship_type": "" }, { "colour": "#aff0ae", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Permission Groups Discovery - T1069\"", "relationship_type": "" }, { "colour": "#77a4ec", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Email Collection - T1114\"", "relationship_type": "" }, { "colour": "#c202a1", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Spearphishing Link - T1566.002\"", "relationship_type": "" }, { "colour": "#f6f176", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Email Account - T1087.003\"", "relationship_type": "" }, { "colour": "#b25e1b", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Use Alternate Authentication Material - T1550\"", "relationship_type": "" }, { "colour": "#36a9d8", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Account Discovery - T1087\"", "relationship_type": "" }, { "colour": "#08221e", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Steal Application Access Token - T1528\"", "relationship_type": "" }, { "colour": "#3d1dab", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Internal Spearphishing - T1534\"", "relationship_type": "" }, { "colour": "#83203e", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Cloud Account - T1136.003\"", "relationship_type": "" }, { "colour": "#71ecdb", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Account Manipulation - T1098\"", "relationship_type": "" }, { "colour": "#1b95cd", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Phishing - T1566\"", "relationship_type": "" }, { "colour": "#59699c", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Valid Accounts - T1078\"", "relationship_type": "" }, { "colour": "#23cf0e", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Remote Email Collection - T1114.002\"", "relationship_type": "" }, { "colour": "#a42e64", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Data from Information Repositories - T1213\"", "relationship_type": "" }, { "colour": "#f055aa", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Create Account - T1136\"", "relationship_type": "" }, { "colour": "#5300bd", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Application Access Token - T1550.001\"", "relationship_type": "" }, { "colour": "#37c019", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Cloud Accounts - T1078.004\"", "relationship_type": "" }, { "colour": "#49a260", "local": false, "name": "rectifyq:category=\"threat\"", "relationship_type": "" }, { "colour": "#130049", "local": false, "name": "rectifyq:sub-category=\"campaign-analysis\"", "relationship_type": "" }, { "colour": "#ffd12e", "local": false, "name": "rectifyq:target=\"broad-based\"", "relationship_type": "" }, { "colour": "#55acee", "local": false, "name": "rectifyq:MY-relevancy=\"potentially-relevant\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"Tria.ge\"", "relationship_type": "" }, { "colour": "#3800d9", "local": false, "name": "rectifyq:action-taken=\"VT-comment\"", "relationship_type": "" }, { "colour": "#3d00e9", "local": false, "name": "rectifyq:action-taken=\"telegram\"", "relationship_type": "" } ], "Attribute": [ { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1776769215", "to_ids": false, "type": "link", "uuid": "fbd1f5f7-1efe-47fa-a6bc-228d078bd9bd", "value": "https://www.levelblue.com/blogs/spiderlabs-blog/go-with-the-flow-abusing-oauth-device-code-flow", "Tag": [ { "colour": "#6b003a", "local": true, "name": "workflow:todo=\"create-missing-misp-galaxy-cluster\"", "relationship_type": "" } ] }, { "category": "Other", "comment": "Description", "deleted": false, "disable_correlation": false, "timestamp": "1776769215", "to_ids": false, "type": "text", "uuid": "1346985a-42bd-47ef-84e4-01a746710df3", "value": "In early 2026, phishing attacks remain a top threat vector in security operations. This analysis covers a novel attack method exploiting Microsoft's OAuth 2.0 Device Authorization Grant (Device Code Flow) to compromise user accounts. Attackers use phishing emails containing Mailchimp's Mandrill service links to bypass security controls, leading victims to fake Adobe-themed websites. The sites abuse legitimate Microsoft authentication mechanisms to obtain access and refresh tokens, granting persistent delegated access to critical resources like Graph API, Teams, Outlook, and SharePoint. The technique leverages shared client IDs across tenants and family of client IDs (FOCI) for lateral movement. Two variants exist: one using external phishing infrastructure with dynamic code generation, and another relying solely on fake meeting invitations containing pre-generated device codes. The attack is particularly effective as it uses legitimate Microsoft services, making detection challenging." }, { "category": "Other", "comment": "Summary", "deleted": false, "disable_correlation": false, "timestamp": "1776769215", "to_ids": false, "type": "text", "uuid": "1b522a6f-0e6e-4630-965e-347e826bd183", "value": "Name: Abusing OAuth Device Code Flow\nAuthor: AlienVault\nAdversary: \nTags: [\"persistent access\", \"microsoft entra id\", \"device code flow\", \"graph api\", \"oauth\", \"phishing\", \"credential theft\", \"token hijacking\"]\nTgtd countries: []\nMlwr families: []\nAttack_ids: [\"T1213.002\", \"T1539\", \"T1069\", \"T1114\", \"T1566.002\", \"T1087.003\", \"T1550\", \"T1087\", \"T1528\", \"T1534\", \"T1136.003\", \"T1098\", \"T1566\", \"T1078\", \"T1114.002\", \"T1213\", \"T1136\", \"T1550.001\", \"T1078.004\"]\nIndustries: []" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1776776516", "to_ids": true, "type": "url", "uuid": "a7c3e7e0-2b9a-43e8-a715-cf7f35151b6e", "value": "http://adobe.safest.org/", "Tag": [ { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1776776537", "to_ids": true, "type": "url", "uuid": "2501406a-6d9e-4428-8a95-eb025d1c5f26", "value": "http://ppsrq.org/so/3dPniokM8/c", "Tag": [ { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1776776558", "to_ids": true, "type": "hostname", "uuid": "102a2ee4-ed62-4e9f-a624-7080185a5d1e", "value": "adobe.safest.org", "Tag": [ { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] } ] } }