Thursday, February 20, 2025

Hackers Exploit OAuth 2.0 Code Flow Using AiTM Attack on Microsoft Azure AD


Security enthusiasts and professionals are turning their focus towards a new angle on phishing attacks in the identity and access management space.

During the “Offensive Entra ID (Azure AD) and Hybrid AD Security” training, a clever demonstration showcased how a modified EvilGinx phishlet could enable adversary-in-the-middle (AiTM) phishing to directly extract access and refresh tokens.

This method eliminates the need for capturing ESTS cookies and swapping them later, providing a more efficient attack vector for malicious actors.

Leveraging OAuth 2.0 Authorization Code Flow

The OAuth 2.0 authorization code flow is widely used for accessing Microsoft resources such as MS Graph, OneDrive, and other M365 applications.

Typically, this flow involves a backend acquiring resource access through user consent.

While the redirect URIs are not under an attacker’s control, an AiTM proxy positions itself as a middleman between the victim and Microsoft’s backend, relaying and controlling all traffic in both directions.

The key for attackers lies in intercepting the authorization code returned during this process.

Once obtained, this code can be exchanged at the endpoint /oauth2/token to acquire both an access token and a refresh token.

The unsuspecting victim, meanwhile, is seamlessly redirected to legitimate Microsoft services, such as portal.office.com, remaining oblivious to the breach.

Exploiting the Microsoft Teams Client ID

In the demonstrated attack, the Teams client ID, 1fec8e78-bce4-4aaf-ab1b-5451cc387264, was used as part of the authorization request to MS Graph.

This client ID is particularly versatile, granting access to 64 different resources, including Teams, OneDrive, Exchange, and Azure DevOps.

The stolen refresh token can be further exploited to pivot to other clients and resources.

For instance, it is possible to use the “roadtx” tool to access DevOps repositories or Azure services using the victim’s authentication.

Figure: Using the stolen Teams refresh token to access the victim’s DevOps repositories.

A proof-of-concept (PoC) tool to facilitate such attacks has been created, based on Wesley’s earlier publication, “Building an AiTM Attack Tool in Cloudflare Workers.”

This modified worker script intercepts the authorization flow, focusing less on cookies and more on capturing the authorization code directly.

Detecting this novel attack vector requires careful monitoring of anomalies.

One indicator is tracking logins originating from Cloudflare IP ranges, as AiTM tools often utilize Cloudflare Workers.

According to the Zolder report, organizations can analyze sign-in logs for activity associated with autonomous system number (ASN) 13335, which belongs to Cloudflare. Another telltale sign is unusual user-agent strings.

For example, logins for mobile or desktop applications that oddly exhibit browser-like user agents (such as those containing “Mozilla/”) should raise red flags.
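The two indicators above can be turned into a simple triage over Entra ID sign-in records. This is an added example written for this article, not code from the training, the Zolder report, or the PoC tool; it assumes JSON-per-line sign-in records using the Microsoft Graph signIn field names autonomousSystemNumber, clientAppUsed and userAgent, and the sample records are constructed.

```python
import json

# Cloudflare's autonomous system number, as cited in the Zolder report.
CLOUDFLARE_ASN = 13335

# clientAppUsed values (Entra sign-in log terminology) for native apps that
# should not normally present a browser-like user agent.
NATIVE_CLIENT_TYPES = {"Mobile Apps and Desktop clients"}


def flag_sign_in(event: dict) -> list:
    """Return the indicator names matched by a single sign-in record."""
    reasons = []
    if event.get("autonomousSystemNumber") == CLOUDFLARE_ASN:
        reasons.append("cloudflare_asn")
    user_agent = event.get("userAgent", "")
    if event.get("clientAppUsed") in NATIVE_CLIENT_TYPES and "Mozilla/" in user_agent:
        reasons.append("browser_ua_on_native_client")
    return reasons


def triage(log_lines) -> list:
    """Parse JSON-per-line sign-in records; return (id, reasons) for each hit."""
    hits = []
    for line in log_lines:
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        reasons = flag_sign_in(event)
        if reasons:
            hits.append((event["id"], reasons))
    return hits


# Constructed sample records (not real telemetry). evt-1 matches both
# indicators, evt-2 is a normal browser login, evt-3 is a native-client
# login with a browser-like user agent from a non-Cloudflare ASN.
SAMPLE_LOG = """
{"id": "evt-1", "userPrincipalName": "a@example.com", "autonomousSystemNumber": 13335, "clientAppUsed": "Mobile Apps and Desktop clients", "userAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"}
{"id": "evt-2", "userPrincipalName": "b@example.com", "autonomousSystemNumber": 8075, "clientAppUsed": "Browser", "userAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"}
{"id": "evt-3", "userPrincipalName": "c@example.com", "autonomousSystemNumber": 3320, "clientAppUsed": "Mobile Apps and Desktop clients", "userAgent": "Mozilla/5.0 (Macintosh)"}
"""

if __name__ == "__main__":
    for event_id, reasons in triage(SAMPLE_LOG.splitlines()):
        print(event_id, ", ".join(reasons))
```

Treat hits as leads for review rather than verdicts: some legitimate native clients authenticate through an embedded web view and can carry a browser-like user agent.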

Though this method is still in the proof-of-concept stage and lacks production-level maturity, it underscores the evolving sophistication of AiTM phishing techniques.

Organizations must remain proactive in securing their environments against such emerging threats.


Aman Mishra
Aman Mishra is a security and privacy reporter covering data breaches, cyber crime, malware, and vulnerabilities.
