New Phishing Attacks Exploiting OAuth

Authorization Flows

August 7, 2021

Jenko Hwong
[email protected]
@jenkohwong
$ az ad signed-in-user show

[
{
"jobTitle": "Researcher",
"department": "Threat Research Labs",
"company": "Netskope, Inc.",
"email": "[email protected]"
"twitter": "@jenkohwong",

"background": "vulnerability scanning, AV/AS, pen-testing/exploits,

L3/4 appliances, threat intel, windows security",
}
]
Phishing Evolution: smtp, fake domain, ssl cert, user/pwd
in the beginning...
Phishing Evolution: apps, fake domain, ssl cert, user/pwd
+mobile

1 phish

smtp, sms, IM, chat...

steal attacker
username
password 2
victim
3 browse, auth

http(s)

fake website
Phishing Evolution: apps, fake domain, ssl cert, user/pwd
+cloud

1 phish

smtp, sms, IM, chat...

steal attacker
username
password 2
victim
3 browse, auth

http(s)

fake website
hosted in
cloud
Phishing Evolution: apps, fake domain, ssl cert, user/pwd
+cloud

1 phish

smtp

steal attacker
username
password 2
victim
3 browse, auth

http(s)

fake website
hosted in
cloud
Phishing Evolution: fake domain, apps, ssl cert, user/pwd
controls
link analysis (domain/URLs/certs)
1 phish sender reputation

smtp, sms, IM, chat...

steal attacker
username
password 2
victim
3 browse, auth
MFA
IP allow policies link analysis (domain/URLs/certs)
http(s) content inspection (creds)

fake website
Phishing Evolution: OAuth 2.0 auth code grant[1]
+cloud app authorization

Azure AD Google Identity

OAuth Tokens
3 access token
Authenticate and Authorize
refresh token Identity Platform 2 Authenticate (MFA)
Authorize permissions (scopes)

Request Authorization
1 Request permissions (scopes)
Redirect user to Identity Platform
Application (authorization service) User
(client, device)
[1] https://datatracker.ietf.org/doc/html/rfc6749#page-24
Phishing Evolution: OAuth 2.0 auth code grant
+cloud app authorization: Payments
Phishing Evolution: OAuth 2.0 auth code grant
+cloud app authorization: Payments
Phishing Evolution: OAuth 2.0 auth code grant
+cloud app authorization: Payments
Phishing Evolution: OAuth 2.0 auth code grant
+cloud app authorization: GCP CLI

$ gcloud auth login [email protected] --launch-browser --force

Your browser has been opened to visit:

https://accounts.google.com/o/oauth2/auth?
response_type=code&client_id=32555940559.apps.googleusercontent.com&redirect_uri=http%3A%2F
%2Flocalhost%3A8085%2F&scope=openid+https%3A%2F%2Ffanyv88.com%3A443%2Fhttps%2Fwww.googleapis.com%2Fauth
%2Fuserinfo.email+https%3A%2F%2Ffanyv88.com%3A443%2Fhttps%2Fwww.googleapis.com%2Fauth%2Fcloud-platform+https%3A%2F
%2Fwww.googleapis.com%2Fauth%2Fappengine.admin+https%3A%2F%2Ffanyv88.com%3A443%2Fhttps%2Fwww.googleapis.com%2Fauth
%2Fcompute+https%3A%2F%2Ffanyv88.com%3A443%2Fhttps%2Fwww.googleapis.com%2Fauth
%2Faccounts.reauth&state=IMWlTK5Vlfab5gl4hKrleOxsylObop&access_type=offline&code_challenge=
gU8ezZryqHCwAPyai2OLKaU-iPvbR62biGjQgGV6IRE&code_challenge_method=S256
Phishing Evolution: OAuth 2.0 auth code grant
+cloud app authorization: GCP CLI
Phishing Evolution: OAuth 2.0 auth code grant
+cloud app authorization: GCP CLI
Phishing Evolution
+cloud app authorization: GCP CLI
Phishing Evolution: OAuth 2.0 auth code grant
+cloud app authorization: GCP CLI

$ gcloud auth login [email protected] --launch-browser --force

Your browser has been opened to visit:

https://accounts.google.com/o/oauth2/auth?
response_type=code&client_id=32555940559.apps.googleusercontent.com&redirect_uri=http%3A%2F
%2Flocalhost%3A8085%2F&scope=openid+https%3A%2F%2Ffanyv88.com%3A443%2Fhttps%2Fwww.googleapis.com%2Fauth%2Fuserinfo.email+https
%3A%2F%2Fwww.googleapis.com%2Fauth%2Fcloud-platform+https%3A%2F%2Ffanyv88.com%3A443%2Fhttps%2Fwww.googleapis.com%2Fauth
%2Fappengine.admin+https%3A%2F%2Ffanyv88.com%3A443%2Fhttps%2Fwww.googleapis.com%2Fauth%2Fcompute+https%3A%2F
%2Fwww.googleapis.com%2Fauth
%2Faccounts.reauth&state=IMWlTK5Vlfab5gl4hKrleOxsylObop&access_type=offline&code_challenge=gU8ezZry
qHCwAPyai2OLKaU-iPvbR62biGjQgGV6IRE&code_challenge_method=S256

You are now logged in as [[email protected]].

$
Phishing Evolution: fake OAuth login
+cloud app authorization
Phishing Evolution: fake OAuth login, check creds
+cloud app authorization

● Real-time creds validation (APIs)[1]

Azure AD Google Identity

● Based on pass/fail, redirect user to

valid domains (stealth, creds
validation upfront)

[1] https://threatpost.com/office-365-phishing-attack-leverages-real-time-active-directory-validation/159188/
Phishing Evolution: fake OAuth login, check creds
+cloud app authorization

● Real-time creds validation (APIs)[1]

Azure AD Google Identity

● Controls
○ MFA, IP allow policies
○ link analysis (domain/URLs/certs)
○ content inspection (creds)
○ sender reputation

[1] https://threatpost.com/office-365-phishing-attack-leverages-real-time-active-directory-validation/159188/
 Phishing Evolution: OAuth 2.0 auth code grant
+cloud app authorization protocol -- why do we care ?
1. Hijack session tokens, not creds
Oauth tokens 2. REST APIs <=> remote exploit
{ "access_token": "ya29.a0ARrdaM9...",
6
"refresh_token": "1//06S3lSKyEHY…", vs endpoint
"scope": "https://www.googleapis...",
Azure AD Google Identity
"expires_in": 3599,
"token_type": "Bearer"
3 Authenticate and Authorize
GET https://accounts.google.com/o/oauth2/v2/auth?
}
Identity Platform client_id=32555940559.apps.googleusercontent.com&
response_type=code&
scope=https://www.googleapis.com/auth/cloud-platform&
Request oauth tokens 5 access_type=offline&redirect_uri=www.myapp.com:9000
POST https://www.googleapis.com/oauth2/v4/token
client_id=32555940559.apps.googleusercontent....& (authenticate, MFA, consent to scopes)
scope=https://www.googleapis.com/auth/cloud...& 4 Redirect URL with Authorization Code
GET http://www.myapp.com:9000?
client_secret=JqQXA298PB…&
code=AwABAAAAvPM1KaP...
code=AwABAAAAvPM1KaP…&
redirect_uri=www.myapp.com:9000

2 Redirect to Identity Platform

1 Login / Checkout / Install App

Application User
(client, device)
 Phishing Evolution: OAuth 2.0 illicit consent grants
+cloud app authorization protocol
1. Malicious registered application
Oauth tokens 2. Get user consent for wide
{ "access_token": "ya29.a0ARrdaM9...",
6
"refresh_token": "1//06S3lSKyEHY…", scopes / permissions
"scope": "https://www.googleapis...",
Azure AD Google Identity
"expires_in": 3599,
"token_type": "Bearer"
3 Authenticate and Authorize
GET https://accounts.google.com/o/oauth2/v2/auth?
}
Identity Platform client_id=32555940559.apps.googleusercontent.com&
response_type=code&
scope=https://www.googleapis.com/auth/cloud-platform&
Request oauth tokens 5 access_type=offline&redirect_uri=www.myapp.com:9000
POST https://www.googleapis.com/oauth2/v4/token
client_id=32555940559.apps.googleusercontent....& (authenticate, MFA, consent to scopes)
scope=https://www.googleapis.com/auth/cloud...& 4 Redirect URL with Authorization Code
GET http://www.myapp.com:9000?
client_secret=JqQXA298PB…&
code=AwABAAAAvPM1KaP...
code=AwABAAAAvPM1KaP…&
redirect_uri=www.myapp.com:9000

2 Redirect to Identity Platform

1 Login / Checkout / Install App

Application User
(client, device)
Phishing Evolution: OAuth 2.0 illicit consent grants[1]
+cloud app authorization protocol
[2] 1. Malicious registered application
2. Get user consent for wide
scopes / permissions

Controls
1. Prevent users from
registering apps in AD
2. Prevent users from
consenting

[1] https://www.bleepingcomputer.com/news/security/phishing-attack-hijacks-office-365-accounts-using-oauth-apps/
[2] https://docs.microsoft.com/en-us/azure/active-directory/develop/application-consent-experience
Phishing Evolution: OAuth 2.0 device code authorization[1]
what's the purpose? to provide easier authentication/authorization on limited input devices e.g. smart
TVs

[1] https://datatracker.ietf.org/doc/html/rfc8628
“I think there's an RFC for that.”
which, when implemented, looks something like this on your TV
with the real sign-in on a computer or mobile phone
Unusability is the father of insecurity
 Phishing Evolution: OAuth 2.0 device code authorization[1]
+cloud app authorization protocol

2 Azure AD Google Identity

Get user/device codes
Identity Platform

Retrieve 5 4 Authenticate and Authorize

oauth tokens 1. Goes to www.google.com/device
client_id 2. Enters: ZLGG-LOSP
device_code 3. Authenticates, including MFA

3 Instruct user to login

on computer/smartphone
"1. Go to www.google.com/device
2. Enter user code: ZLGG-LOSP"

1 Login

Device User
(client, app) [1] https://datatracker.ietf.org/doc/html/rfc8628
Demo: OAuth 2.0 device code authorization

● Dr. Nestori Syynimaa: https://o365blog.com/post/phishing/

● Usability => insecurity

● A different auth flow => opportunity
● Implementation quirks
 Phishing Evolution: OAuth 2.0 device code authorization
+cloud app authorization protocol
Get user/device codes
POST
https://login.microsoftonline.com/comm
2
on/oauth2/devicecode?api-version=1.0
client_id=d3590ed6-52b3-4102-aeff-
aad2292ab01c&
resource=https://outlook.office365.com
Azure AD Google Identity
Poll for
oauth tokens Identity Platform
client_id

User/device codes
3 device_code 7 5 Authenticate and Authorize
1. Goes to www.google.com/device
{ "device_code": "AH-1NgM6boio...",
"verification_url":
6 Oauth tokens 2. Enters: ZLGG-LOSP
{ "access_token": "ya29.a0ARrdaM9...", 3. Authenticates, including MFA
"https://www.google.com/device", "refresh_token": "1//06S3lSKyEHY…",
"user_code": "ZLGG-LQSP", }
"expires_in": 1800,
"interval": 5 4 User code, verification URL
} manual instructions:
"1. Go to www.google.com/device
2. Enter: ZLGG-LOSP"

1 Login

Device User
(client, app)
 Phishing Evolution: OAuth 2.0 device code authorization
+cloud app authorization protocol microsoft phish
Get user/device codes
POST
https://login.microsoftonline.com/comm
2
on/oauth2/devicecode?api-version=1.0
client_id=d3590ed6-52b3-4102-aeff-
aad2292ab01c&
resource=https://outlook.office365.com
Azure AD Google Identity
Poll for
oauth tokens Identity Platform
client_id

User/device codes
3 device_code 7 5 Authenticate and Authorize
1. Goes to www.google.com/device
{ "device_code": "AH-1NgM6boio...",
"verification_url":
6 Oauth tokens 2. Enters: ZLGG-LOSP
{ "access_token": "ya29.a0ARrdaM9...", 3. Authenticates, including MFA
"https://www.google.com/device", "refresh_token": "1//06S3lSKyEHY…",
"user_code": "ZLGG-LQSP", }
"expires_in": 1800,
"interval": 5 4 Phish
} "Here's your promotional product code:
1. Go to www.google.com/device
2. Enter: ZLGG-LOSP"

Device
XX 1 Login

User
(client, app)
Phishing Evolution: OAuth 2.0 device code authorization
+cloud app authorization protocol microsoft phish

Azure AD Google Identity

Access Token
{ "scope": "user_impersonation",
"resource": "https://management.azure.com", 9 Identity Platform
"access_token": "eyJ0eXAiOiJKV1QiLCJhbG...",
"refresh_token": "0.AUYAAknJ93kbWUyXs2…",
8
} Use refresh token to get new access token
for Azure
{ "refresh_token": "1//06S3lSKyEHY…",
"scope": "openid",
"grant_type": "refresh_token"
"resource": "https://management.azure.com",
"client_id": "d3590ed6-52b3-4102-aeff-aad2292ab01c",
}

Device
(client, app)
 Phishing Evolution: OAuth 2.0 device code authorization
+cloud app authorization protocol microsoft phish
Get user/device codes
POST
https://login.microsoftonline.com/comm
2 1. No server infrastructure
on/oauth2/devicecode?api-version=1.0
client_id=d3590ed6-52b3-4102-aeff-
2. No registered application, use
aad2292ab01c&
resource=https://outlook.office365.com
existing vendor client app
Azure AD Google Identity
Poll for
3. No consent screen
oauth tokens Identity Platform
client_id

User/device codes
3 device_code 7 5 Authenticate and Authorize
1. Goes to www.google.com/device
{ "device_code": "AH-1NgM6boio...",
"verification_url":
6 Oauth tokens 2. Enters: ZLGG-LOSP
{ "access_token": "ya29.a0ARrdaM9...", 3. Authenticates, including MFA
"https://www.google.com/device", "refresh_token": "1//06S3lSKyEHY…",
"user_code": "ZLGG-LQSP", }
"expires_in": 1800,
"interval": 5 4 Phish
} "Here's your promotional product code:
1. Go to www.google.com/device
2. Enter: ZLGG-LOSP"

Device
XX 1 Login

User
(client, app)
 Phishing Evolution: OAuth 2.0 device code authorization
+cloud app authorization protocol microsoft phish
Get user/device codes
POST
https://login.microsoftonline.com/comm
2 1. No server infrastructure
on/oauth2/devicecode?api-version=1.0
client_id=d3590ed6-52b3-4102-aeff-
2. No registered application, use
aad2292ab01c&
resource=https://outlook.office365.com
existing vendor client app
Azure AD Google Identity
Poll for
3. No consent screen
oauth tokens Identity Platform 4. Implicit, default scopes
client_id

User/device codes
3 device_code 7 5 Authenticate and Authorize
1. Goes to www.google.com/device
{ "device_code": "AH-1NgM6boio...",
"verification_url":
6 Oauth tokens 2. Enters: ZLGG-LOSP
{ "access_token": "ya29.a0ARrdaM9...", 3. Authenticates, including MFA
"https://www.google.com/device", "refresh_token": "1//06S3lSKyEHY…",
"user_code": "ZLGG-LQSP", }
"expires_in": 1800,
"interval": 5 4 Phish
} "Here's your promotional product code:
1. Go to www.google.com/device
2. Enter: ZLGG-LOSP"

Device
XX 1 Login

User
(client, app)
Phishing Evolution: OAuth 2.0 device code authorization
+cloud app authorization protocol
microsoft phish
1. No server infrastructure
2. No registered application, use
existing vendor client app
3. No consent screen
4. Implicit, default scopes
5. Move laterally to other services
6. Logging limited (initial token
logged as sign-in, but lateral
move is not)
Phishing Evolution: OAuth 2.0 device code authorization
+cloud app authorization protocol
microsoft phish
1. No server infrastructure
2. No registered application, use
existing vendor client app
3. No consent screen
4. Implicit, default scopes
5. Move laterally to other services
6. Logging limited (initial token
logged as sign-in, but lateral
move is not)
Phishing Evolution: OAuth 2.0 device code authorization
controls microsoft phish
1. Prevent: block verification URIs, use conditional access policies 1. No server infrastructure
● https://oauth2.googleapis.com/device/code 2. No registered application, use
● https://microsoft.com/devicelogin existing vendor client app
● https://login.microsoftonline.com/common/oauth2/deviceauth 3. No consent screen
● block access based on IP, location, endpoint characteristics 4. Implicit, default scopes
2. Detect 5. Move laterally to other services
● Difficult 6. Logging limited (initial token
3. Remediate logged as sign-in, but lateral
● API to revoke all oauth tokens for a user move is not)
Phishing Evolution: OAuth 2.0 device code authorization
controls microsoft phish
1. Prevent: block verification URIs, use conditional access policies 1. No server infrastructure
● https://oauth2.googleapis.com/device/code 2. No registered application, use
● https://microsoft.com/devicelogin existing vendor client app
● https://login.microsoftonline.com/common/oauth2/deviceauth 3. No consent screen
● block access based on IP, location, endpoint characteristics 4. Implicit, default scopes
2. Detect 5. Move laterally to other services
● Difficult 6. Logging limited (initial token
2. Remediate logged as sign-in, but lateral
● API to revoke all oauth tokens for a user move is not)
practical considerations

Short expiration of user/device codes (15-30mins)

● phishing numbers game
● incorporate hosted website, generate codes dynamically
● use images for user code (no javascript allowed in email clients)
OAuth 2.0 device code authorization
Microsoft Google

Server infrastructure None required None required

Application None needed, can use large # of existing Some limited vendor apps e.g. Chrome
registration apps

Consent screens No Partial (limited vendor apps)

Scopes Implicit, default scopes, wide-range Very limited (user profile, drive access to
app files, youtube info)

Lateral movement Easy to switch among large number of No: strict limited scopes for device code flow
services

Logging Partial (initial token access) Partial

Prevention block URIs, cond access block URIs, VPC perimeters

Detection Difficult Difficult

Remediation API to revoke user tokens Delete/recreate user

 Ongoing Research Areas
● Other flows[1]
● Any usability "requirements"
● Bypass consent e.g. implicit grants
● Default scopes[2]
● Consent[3]
● Browser auto-login and scope
expansion e.g. Google uberauth
(2013)[4][5]

[1] https://datatracker.ietf.org/doc/html/rfc6749#page-23
[2] https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-permissions-and-consent
[3] https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-permissions-and-consent
[4] https://gist.github.com/arirubinstein/fd5453537436a8757266f908c3e41538
[5] https://duo.com/blog/beyond-the-vulnerabilities-of-the-application-specific-password-exploiting-google-chrome-s-oauth2-tokens
Thank you

Questions

Open Source Tools

● Repo: https://github.com/netskopeoss/phish_oauth
● License: BSD-3-Clause

Contact
● [email protected]
● @jenkohwong
References
1.0 Evolving Phishing Attacks
1.1 A Big Catch: Cloud Phishing from Google App Engine and Azure App Service: https://www.netskope.com/blog/a-big-catch-cloud-phishing-from-google-app-engine-and-azure-
app-service
1.2 Microsoft Seizes Malicious Domains Used in Mass Office 365 Attacks: https://threatpost.com/microsoft-seizes-domains-office-365-phishing-scam/157261/
1.3 Phishing Attack Hijacks Office 365 Accounts Using OAuth Apps: https://www.bleepingcomputer.com/news/security/phishing-attack-hijacks-office-365-accounts-using-oauth-apps/
1.4 Office 365 Phishing Attack Leverages Real-Time Active Directory Validation: https://threatpost.com/office-365-phishing-attack-leverages-real-time-active-directory-validation/
159188/
1.5 Demonstration - Illicit Consent Grant Attack in Azure AD: https://www.nixu.com/blog/demonstration-illicit-consent-grant-attack-azure-ad-office-365
https://securecloud.blog/2018/10/02/demonstration-illicit-consent-grant-attack-in-azure-ad-office-365/
1.6 Detection and Mitigation of Illicit Consent Grant Attacks in Azure AD: https://www.cloud-architekt.net/detection-and-mitigation-consent-grant-attacks-azuread/
1.7 HelSec Azure AD write-up: Phishing on Steroids with Azure AD Consent Extractor: https://securecloud.blog/2019/12/17/helsec-azure-ad-write-up-phishing-on-steroids-with-azure-
ad-consent-extractor/
1.8 Pawn Storm Abuses OAuth In Social Engineering Attack: https://www.trendmicro.com/en_us/research/17/d/pawn-storm-abuses-open-authentication-advanced-social-
engineering-attacks.html

2.0 OAuth Device Code Flow

2.1 OAuth 2.0 RFC: https://tools.ietf.org/html/rfc6749
2.2 OAuth 2.0 Device Authorization Grant RFC: https://datatracker.ietf.org/doc/html/rfc8628
2.3 OAuth 2.0 for TV and Limited-Input Device Applications: https://developers.google.com/identity/protocols/oauth2/limited-input-device
2.4 OAuth 2.0 Scopes for Google APIs: https://developers.google.com/identity/protocols/oauth2/scopes
2.5 Introducing a new phishing technique for compromising Office 365 accounts: https://o365blog.com/post/phishing/#oauth-consent
2.6. Office Device Code Phishing: https://gist.github.com/Mr-Un1k0d3r/afef5a80cb72dfeaa78d14465fb0d333

3.0 Additional OAuth Research Areas

3.1 Poor OAuth implementation leaves millions at risk of stolen data: https://searchsecurity.techtarget.com/news/450402565/Poor-OAuth-implementation-leaves-millions-at-risk-of-
stolen-data
3.2 How did a full access OAuth token get issued to the Pokémon GO app?: https://searchsecurity.techtarget.com/answer/How-did-a-full-access-OAuth-token-get-issued-to-the-
Pokemon-GO-app