Originally reported by BleepingComputer
TL;DR
Threat actors are increasingly abusing the OAuth 2.0 Device Authorization Grant flow for phishing, with reported incidents running 37 times higher than in previous years. The proliferation of automated attack kits is putting these authentication bypasses within reach of lower-skilled attackers.
While the 37x increase indicates a significant trend in attack methodology, device code phishing requires social engineering and user interaction, limiting immediate mass impact compared to automated exploitation.
Device code phishing attacks exploiting the OAuth 2.0 Device Authorization Grant flow have experienced a dramatic surge, increasing more than 37-fold compared to previous reporting periods, according to BleepingComputer's analysis of current threat intelligence.
These attacks abuse a legitimate authentication mechanism designed for devices with limited input capabilities, such as smart TVs or IoT devices. The OAuth 2.0 Device Authorization Grant allows users to authenticate on a secondary device by entering a code displayed on the primary device.
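To make the three-party exchange concrete, the following is an added example (not code from the article or from any real identity provider): a single-process model of the RFC 8628 device flow in which the limited-input device requests a code, the user approves it from a browser, and the device polls the token endpoint. It records the network location of both the poller and the approver, and a small detection heuristic flags grants where the two sit in different countries, which is the shape a device-code phish takes (victim approves from home, the polling device sits elsewhere). The client allowlist, the `idp.example` URI, the IP addresses and the geo-IP table are all constructed placeholders.

```python
import secrets
import time

# RFC 8628 recommends short, legible user codes; a consonant-only alphabet avoids confusables.
USER_CODE_ALPHABET = "BCDFGHJKLMNPQRSTVWXZ"
# Hypothetical allowlist: only clients that genuinely are limited-input devices get this grant.
ALLOWED_DEVICE_FLOW_CLIENTS = {"smart-tv-app"}
# Constructed geo-IP table standing in for a real lookup service.
GEO = {"203.0.113.10": "DE", "203.0.113.25": "DE", "198.51.100.7": "XX"}


class AuthorizationServer:
    """Single-process model of the RFC 8628 authorization server (added example, not a real IdP)."""

    def __init__(self, now=time.time, lifetime=300):
        self.now, self.lifetime = now, lifetime
        self.by_device_code, self.by_user_code = {}, {}

    def device_authorization(self, client_id):
        """POST /device_authorization: issue device_code, user_code and verification_uri."""
        if client_id not in ALLOWED_DEVICE_FLOW_CLIENTS:
            return {"error": "unauthorized_client"}
        user_code = "-".join("".join(secrets.choice(USER_CODE_ALPHABET) for _ in range(4))
                             for _ in range(2))
        auth = {"client_id": client_id, "device_code": secrets.token_urlsafe(32),
                "user_code": user_code, "expires_at": self.now() + self.lifetime,
                "approved_by": None, "approver_ip": None}
        self.by_device_code[auth["device_code"]] = auth
        self.by_user_code[user_code] = auth
        return {"device_code": auth["device_code"], "user_code": user_code,
                "verification_uri": "https://idp.example/device",  # placeholder URI
                "expires_in": self.lifetime, "interval": 5}

    def approve(self, user_code, username, approver_ip):
        """The user, already signed in on a second device, types the code in."""
        auth = self.by_user_code.get(user_code)
        if auth is None or self.now() > auth["expires_at"]:
            return "invalid_or_expired_code"
        auth["approved_by"], auth["approver_ip"] = username, approver_ip
        return "approved"

    def token(self, device_code, poller_ip):
        """POST /token with grant_type=urn:ietf:params:oauth:grant-type:device_code."""
        auth = self.by_device_code.get(device_code)
        if auth is None:
            return {"error": "invalid_grant"}
        if self.now() > auth["expires_at"]:
            del self.by_device_code[device_code]
            return {"error": "expired_token"}
        if auth["approved_by"] is None:
            return {"error": "authorization_pending"}
        del self.by_device_code[device_code]
        # Keep both network locations: the device that polled for the token and the
        # browser that approved the code. That pair is what a detection rule needs.
        return {"access_token": secrets.token_urlsafe(16), "token_type": "Bearer",
                "sub": auth["approved_by"], "client_id": auth["client_id"],
                "approver_ip": auth["approver_ip"], "poller_ip": poller_ip}


def run_flow(server, client_id, device_ip, username, user_ip):
    """Drive all three parties: device requests a code, user approves it, device redeems it."""
    init = server.device_authorization(client_id)
    if "error" in init:
        return init
    # First poll happens before the user has approved anything.
    assert server.token(init["device_code"], device_ip) == {"error": "authorization_pending"}
    if server.approve(init["user_code"], username, user_ip) != "approved":
        return {"error": "approval_failed"}
    return server.token(init["device_code"], device_ip)


def is_suspicious(grant, geo=GEO):
    """Heuristic: approving browser and polling device resolve to different countries.
    A TV and a phone in the same living room share a country; a victim tricked into
    entering a code approves from home while the poller sits somewhere else."""
    return geo.get(grant["approver_ip"], "?") != geo.get(grant["poller_ip"], "?")
```

The allowlist in `device_authorization` is the first control: most tenants have no general-purpose client that needs this grant, so refusing it for everything else removes the lure entirely. The `is_suspicious` check is deliberately crude; in production it would consume the identity provider's sign-in log fields for the approving session and the token request rather than a static table.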
Threat actors have weaponized this flow by:
The surge correlates with the proliferation of automated attack kits that lower the technical barrier for conducting these campaigns. Security researchers have identified multiple toolkit variants circulating in underground forums, complete with:
Organizations should implement several countermeasures:
The accessibility of attack toolkits suggests this trend will continue escalating as more threat actors adopt these techniques against cloud-integrated environments.