Check Point Email Security | Blog

Security Alert: Device Code Authentication Phishing Attack

Written by Shira Landau | February 18, 2025

Check Point researchers have discovered an extremely sophisticated attack, perpetrated by nation-state threat actors, that targeted the CEO and a high-ranking employee of a well-known organization.

In the attack, cyber criminals used the device code authentication process to retrieve access tokens for Microsoft accounts.
 
How it Works: 
 
Attackers create a legitimate device code request, which is a standard part of the Microsoft login process. They then send the target a phishing message that includes a link to a Microsoft-owned login page (Microsoft.com/devicelogin).

 
 

The message is designed to dupe the target into entering the device code on a legitimate Microsoft login page. Once the target enters the code, the attackers receive access and refresh tokens, which are available for only a short time.
 
The tokens enable the threat actors to access the target’s Microsoft accounts and data.  
 
Impact: 

  • Threat actors gain access to a target’s Microsoft accounts and data, including emails, documents and other sensitive information. 
  • Using access tokens, cyber attackers can potentially move laterally within a network, accessing other accounts and services used by a given target.
  • Cyber criminals may be able to exfiltrate sensitive data from cloud and email-based storage locations. 
  • The threat actors can maintain access to the compromised accounts and services as long as the tokens remain valid.
  • The attack bypasses multi-factor authentication, rendering it challenging to prevent and detect. 
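Because the sign-in happens on a legitimate Microsoft page and passes multi-factor authentication, defenders can look for the device code flow itself in identity logs. The following is an added example, not from the original post or from Check Point: it scans constructed Microsoft Entra ID sign-in records for successful device code sign-ins by accounts that are not expected to use that flow. The JSON-lines export format, the allowlist and all sample values are assumptions.

```python
import json

# Constructed sample records (not real telemetry). Field names follow the
# Microsoft Entra ID sign-in log schema; a JSON-lines export is an assumption.
SAMPLE_LOG = """\
{"createdDateTime": "2025-02-10T09:14:02Z", "userPrincipalName": "ceo@example.com", "appDisplayName": "Microsoft Office", "ipAddress": "203.0.113.45", "authenticationProtocol": "deviceCode", "status": {"errorCode": 0}}
{"createdDateTime": "2025-02-10T09:20:10Z", "userPrincipalName": "ceo@example.com", "appDisplayName": "Outlook", "ipAddress": "198.51.100.7", "authenticationProtocol": "none", "status": {"errorCode": 0}}
{"createdDateTime": "2025-02-10T10:01:30Z", "userPrincipalName": "boardroom-display@example.com", "appDisplayName": "Microsoft Teams", "ipAddress": "198.51.100.7", "authenticationProtocol": "deviceCode", "status": {"errorCode": 0}}
{"createdDateTime": "2025-02-10T11:45:00Z", "userPrincipalName": "finance.vp@example.com", "appDisplayName": "Microsoft Office", "ipAddress": "203.0.113.99", "authenticationProtocol": "deviceCode", "status": {"errorCode": 50126}}
{"createdDateTime": "2025-02-10T08:02:11Z", "userPrincipalName": "Finance.VP@example.com", "appDisplayName": "Microsoft Office", "ipAddress": "203.0.113.99", "authenticationProtocol": "deviceCode", "status": {"errorCode": 0}}
{this line is truncated and is not valid JSON
"""

# Hypothetical allowlist: accounts expected to use the device code flow
# (for example shared displays or kiosks with no keyboard).
ALLOWED_DEVICE_CODE_USERS = {"boardroom-display@example.com"}


def parse_records(text):
    """Parse a JSON-lines export, skipping blank or malformed lines."""
    records = []
    for line in text.splitlines():
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(rec, dict):
            records.append(rec)
    return records


def find_device_code_signins(records, allowed=ALLOWED_DEVICE_CODE_USERS):
    """Return successful device code sign-ins by users not on the allowlist."""
    findings = []
    for rec in records:
        if str(rec.get("authenticationProtocol", "")).lower() != "devicecode":
            continue  # some other sign-in method
        if (rec.get("status") or {}).get("errorCode") != 0:
            continue  # keep only successful sign-ins (errorCode 0)
        user = str(rec.get("userPrincipalName", "")).lower()
        if user in allowed:
            continue  # expected device code user
        findings.append({"time": rec.get("createdDateTime", ""), "user": user,
                         "ip": rec.get("ipAddress"), "app": rec.get("appDisplayName")})
    # ISO 8601 UTC timestamps sort chronologically as plain strings
    return sorted(findings, key=lambda f: f["time"])
```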

More Information: 
 
Check Point has deployed protective mechanisms that block content from these threat actors, ensuring that organizations can maintain robust defenses against evolving phishing tactics and that they can minimize the risk of data breaches.