Security enthusiasts and professionals are turning their focus towards a new angle on phishing attacks in the identity and access management space.
During the “Offensive Entra ID (Azure AD) and Hybrid AD Security” training, a clever demonstration showcased how a modified EvilGinx phishlet could enable adversary-in-the-middle (AiTM) phishing to directly extract access and refresh tokens.
This method eliminates the need for capturing ESTS cookies and swapping them later, providing a more efficient attack vector for malicious actors.
The OAuth 2.0 authorization code flow is widely used for accessing Microsoft resources such as MS Graph, OneDrive, and other M365 applications.
Typically, this flow involves a backend acquiring resource access through user consent.
While the redirect URIs are not under an attacker’s control, an AiTM attack effectively positions itself as a middleman, controlling communications between the victim and Microsoft’s backend.
The key for attackers lies in intercepting the authorization code returned during this process.
Once obtained, this code can be exchanged at the /oauth2/token endpoint to acquire both an access token and a refresh token.
The unsuspecting victim, meanwhile, is seamlessly redirected to legitimate Microsoft services, such as portal.office.com, remaining oblivious to the breach.
In the demonstrated attack, the Teams client ID, 1fec8e78-bce4-4aaf-ab1b-5451cc387264, was used as part of the authorization request to MS Graph.
This client ID is particularly versatile, granting access to 64 different resources, including Teams, OneDrive, Exchange, and Azure DevOps.
The stolen refresh token can be further exploited to pivot to other clients and resources.
For instance, it is possible to use the “roadtx” tool to access DevOps repositories or Azure services using the victim’s authentication.
A proof-of-concept (PoC) tool to facilitate such attacks has been created, based on Wesley’s earlier publication, “Building an AiTM Attack Tool in Cloudflare Workers.”
This modified worker script intercepts the authorization flow, focusing less on cookies and more on capturing the authorization code directly.
Detecting this novel attack vector requires careful monitoring of anomalies.
One indicator is tracking logins originating from Cloudflare IP ranges, as AiTM tools often utilize Cloudflare Workers.
According to the Zolder report, organizations can analyze sign-in logs for activity associated with the autonomous system number (ASN) 13335. Another telltale sign is unusual user-agent strings.
For example, logins for mobile or desktop applications that oddly exhibit browser-like user agents (such as those containing “Mozilla/”) should raise red flags.
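The two indicators above can be turned into a simple triage pass over exported sign-in records. The following is an added example for illustration, not code from the article, the training, or the Zolder report: it scores each sign-in on the Cloudflare ASN (13335, from the article) and on a native client app (the Teams client ID is from the article) presenting a browser-like "Mozilla/" user agent. The sample records are constructed, and the field names (autonomousSystemNumber, userAgent, clientAppUsed, appId, appDisplayName) are assumed to follow the Entra ID sign-in log schema; check them against your own export before use.

```python
"""Triage Entra ID sign-in records for AiTM token-theft indicators (added example)."""
import json

# Indicator values taken from the article.
CLOUDFLARE_ASN = 13335
TEAMS_CLIENT_ID = "1fec8e78-bce4-4aaf-ab1b-5451cc387264"

# clientAppUsed values that denote a non-browser client; a browser-like
# user agent on these is the anomaly the article describes.
NATIVE_CLIENT_APPS = {"Mobile Apps and Desktop clients"}

# Constructed sample records (one JSON object per line). Field names are assumed
# to mirror the Entra ID sign-in log schema; IPs are documentation ranges.
SAMPLE_SIGNINS = """
{"userPrincipalName":"alice@example.com","ipAddress":"203.0.113.10","autonomousSystemNumber":64496,"appId":"1fec8e78-bce4-4aaf-ab1b-5451cc387264","appDisplayName":"Microsoft Teams","clientAppUsed":"Mobile Apps and Desktop clients","userAgent":"Teams/1.6.00.1234"}
{"userPrincipalName":"bob@example.com","ipAddress":"198.51.100.7","autonomousSystemNumber":13335,"appId":"1fec8e78-bce4-4aaf-ab1b-5451cc387264","appDisplayName":"Microsoft Teams","clientAppUsed":"Mobile Apps and Desktop clients","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/120.0 Safari/537.36"}
{"userPrincipalName":"carol@example.com","ipAddress":"192.0.2.44","autonomousSystemNumber":64500,"appId":"00000000-0000-0000-0000-000000000001","appDisplayName":"Office 365 Portal","clientAppUsed":"Browser","userAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 13_5) Safari/605.1.15"}
{"userPrincipalName":"dave@example.com","ipAddress":"198.51.100.9","autonomousSystemNumber":13335,"appId":"00000000-0000-0000-0000-000000000001","appDisplayName":"Office 365 Portal","clientAppUsed":"Browser","userAgent":"Mozilla/5.0 (X11; Linux x86_64) Firefox/121.0"}
"""


def parse_signins(text):
    """Parse newline-delimited JSON sign-in records, skipping blank lines."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def findings_for(record):
    """Return the list of indicator names that match a single sign-in record."""
    reasons = []
    # Indicator 1: sign-in sourced from Cloudflare's network, where AiTM
    # workers are commonly hosted.
    if record.get("autonomousSystemNumber") == CLOUDFLARE_ASN:
        reasons.append("source ASN 13335 (Cloudflare)")
    # Indicator 2: a mobile/desktop client app whose user agent looks like a
    # browser, which is how a proxied authorization flow can present itself.
    user_agent = record.get("userAgent", "")
    if record.get("clientAppUsed") in NATIVE_CLIENT_APPS and "Mozilla/" in user_agent:
        reasons.append("native client app with browser-like user agent")
    return reasons


def triage(records):
    """Return only the records that hit at least one indicator, most hits first."""
    hits = []
    for record in records:
        reasons = findings_for(record)
        if reasons:
            hits.append({
                "upn": record.get("userPrincipalName"),
                "ip": record.get("ipAddress"),
                "app": record.get("appDisplayName"),
                "reasons": reasons,
            })
    # Stable sort keeps log order among equally-scored hits.
    return sorted(hits, key=lambda hit: -len(hit["reasons"]))


if __name__ == "__main__":
    for hit in triage(parse_signins(SAMPLE_SIGNINS)):
        print(f"{hit['upn']} from {hit['ip']} ({hit['app']}): {'; '.join(hit['reasons'])}")
```

A record that hits both indicators (here the constructed "bob" sign-in: Teams client, Cloudflare ASN, Chrome-style user agent) sorts to the top; a plain browser sign-in from the Cloudflare ASN is still reported, but with a single reason, since Cloudflare-hosted traffic can also have benign explanations and warrants a lower priority.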
Though this method is still in the proof-of-concept stage and lacks production-level maturity, it underscores the evolving sophistication of AiTM phishing techniques.
Organizations must remain proactive in securing their environments against such emerging threats.