
Microsoft Azure AD Hit by AiTM Attack Exploiting OAuth 2.0 Code Flow


In a recent blog post, security researcher Rik van Duijn shared an innovative take on phishing techniques targeting Microsoft Entra ID (formerly Azure Active Directory) environments.

Inspired by a demo from the “Offensive Entra ID (Azure AD) and Hybrid AD Security” training by Dirk-jan, Duijn described how a modified EvilGinx phishing tool lets attackers obtain access and refresh tokens directly during an OAuth 2.0 authorization code flow, an approach that removes the need to steal and swap in ESTS cookies.

This proof-of-concept (PoC) technique builds upon ideas presented in Wesley’s 2023 project, “Building an AITM attack tool in Cloudflare Workers,” adapting the architecture to intercept tokens during the authentication process.

Targeting OAuth 2.0 Authorization Code Flow

The OAuth 2.0 authorization code flow is widely used by applications requiring backend access to resources like Microsoft Graph, OneDrive, or Microsoft 365 services.

This flow ensures secure backend communication without directly exposing access credentials.

However, the AiTM (Adversary-in-the-Middle) phishing technique manipulates the flow by intercepting the conversation between the victim, the client application, and Microsoft’s authentication backend.

In this attack, the user is walked through the normal authentication flow; the authorization code is intercepted at the moment Entra ID returns it as a GET parameter in the redirect to the client's redirect_uri, which the proxy recognises by the string nativeclient?code= in the response header.

redirect_uri page with the authorization code as a GET parameter.

Once obtained, the attacker exchanges the code for an access and refresh token using the /oauth2/token endpoint.

The victim is then redirected to a legitimate Microsoft portal, leaving them unaware of the breach.

Expanding Access Using Stolen Tokens

By targeting a legitimate client ID, such as the Teams client (1fec8e78-bce4-4aaf-ab1b-5451cc387264), attackers can gain access to a wide array of associated resources.

The Teams client ID provides permissions to 64 resource types, including Microsoft Graph, OneDrive, Exchange, and Teams itself.

Moreover, by leveraging tools like “roadtx,” attackers can further pivot access across different resources and clients.

For instance, a refresh token stolen from a Teams session may allow attackers to infiltrate DevOps repositories or hijack Azure PowerShell resources.

Using the stolen refresh token for Teams to access the victim's DevOps repositories.

Duijn’s PoC demonstrates the feasibility of this attack using a modified version of the original AiTMWorker code.

The implementation, while functional, is not production-ready and primarily serves to showcase the technical possibility of such an exploit.

To mitigate this threat, organizations need robust detection systems.

Potential indicators of compromise include logins originating from Cloudflare IP ranges (Autonomous System Number 13335) and anomalous user-agent strings.

For instance, mobile or desktop client logins displaying browser-like user-agent strings, such as ones containing “Mozilla,” might indicate an attack in progress.

Security teams are encouraged to review logs from SigninLogs and AADNonInteractiveUserSignInLogs for these anomalies.
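The two indicators above can be turned into a simple triage rule. The following is an added example, not code from the article or from Zolder; the record fields are assumptions loosely modelled on Entra ID sign-in log rows, and the sample events are constructed.

```python
"""Heuristic triage for the AiTM token-theft pattern described in the article.

Flags two indicators: a native-client sign-in (Teams client ID) that presents
a browser-like user agent containing "Mozilla", and a sign-in whose source IP
belongs to Cloudflare's ASN 13335. Field names are assumptions, not the exact
SigninLogs schema.
"""
from dataclasses import dataclass

TEAMS_CLIENT_ID = "1fec8e78-bce4-4aaf-ab1b-5451cc387264"  # from the article
CLOUDFLARE_ASN = 13335                                    # from the article
# Assumption: client IDs that should never present a browser user agent.
NATIVE_CLIENT_IDS = {TEAMS_CLIENT_ID}


@dataclass
class SignIn:
    user: str
    app_id: str       # AppId of the client that requested the token
    user_agent: str   # UserAgent recorded for the sign-in
    asn: int          # Autonomous system of the source IP


def findings(event: SignIn) -> list[str]:
    """Return the indicators that fire for a single sign-in record."""
    hits = []
    if event.app_id in NATIVE_CLIENT_IDS and "Mozilla" in event.user_agent:
        hits.append("native-client app with browser-like user agent")
    if event.asn == CLOUDFLARE_ASN:
        hits.append("source IP in Cloudflare ASN 13335")
    return hits


def triage(events: list[SignIn]) -> dict[str, set[str]]:
    """Map each user to the set of indicators seen; clean users are omitted."""
    out: dict[str, set[str]] = {}
    for e in events:
        if hits := findings(e):
            out.setdefault(e.user, set()).update(hits)
    return out


# Constructed sample: one ordinary Teams desktop sign-in from a documentation
# ASN (64496), and one proxied sign-in showing both indicators.
SAMPLE = [
    SignIn("alice@example.com", TEAMS_CLIENT_ID, "Teams/1.6 (Windows)", 64496),
    SignIn("bob@example.com", TEAMS_CLIENT_ID,
           "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120", 13335),
]

if __name__ == "__main__":
    for user, hits in triage(SAMPLE).items():
        print(user, "->", "; ".join(sorted(hits)))
```

The same logic maps directly onto a query over SigninLogs and AADNonInteractiveUserSignInLogs, filtering on AppId, UserAgent and the source autonomous system.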

Zolder's research underscores the evolving sophistication of phishing tactics targeting OAuth flows and the critical need for proactive defenses in cloud environments.

Security professionals must remain vigilant by hardening authentication measures and continuously monitoring for anomalous activity.
