"At a high level, the attack works as follows:

  • Threat actor requests a device code from the identity provider (e.g., Microsoft Entra ID) via the legitimate device code API.
  • The service responds with a device code.
  • Threat actor creates a persuasive email and sends it to the victim, urging them to visit a sign-in page ("microsoft[.]com/devicelogin") and enter the device code.
  • After the victim enters the provided code, along with their credentials and two-factor authentication (2FA) code, the service creates an access token and a refresh token for the user.

"Once the user has fallen victim to the phish, their authentication generates a set of tokens that now live at the OAuth token API endpoint and can be retrieved by providing the correct device code," Huntress explained. "The attacker, of course, knows the device code because it was generated by the initial cURL request to the device code login API.""
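The sign-in that completes step four above is recorded by the identity provider as a device-code-protocol authentication, which is what a defender can look for. The script below is an added example, not code from Huntress or the article: it parses a small set of constructed sign-in records and flags every device code sign-in, rating it "high" when that user had never used the device code flow during a baseline window (a phished user typically has no legitimate history with it). The field names (`authenticationProtocol`, `userPrincipalName`, `ipAddress`, `appDisplayName`, `createdDateTime`) are assumed to follow the Microsoft Graph `signIn` resource; adjust them to your log export.

```python
"""Flag sign-ins completed via the OAuth device code flow.

Added example (not from the Huntress write-up). The records are
constructed to resemble Microsoft Entra ID sign-in log entries; the
field names are an assumption based on the Graph signIn resource.
"""
import json
from collections import defaultdict

# Constructed sample export: newline-delimited JSON, one sign-in per line.
SAMPLE_SIGNINS = """\
{"createdDateTime": "2025-01-10T08:02:11Z", "userPrincipalName": "alice@example.com", "authenticationProtocol": "oAuth2", "ipAddress": "203.0.113.10", "appDisplayName": "Microsoft 365"}
{"createdDateTime": "2025-01-11T09:15:40Z", "userPrincipalName": "bob@example.com", "authenticationProtocol": "deviceCode", "ipAddress": "203.0.113.20", "appDisplayName": "Azure CLI"}
{"createdDateTime": "2025-02-03T13:47:02Z", "userPrincipalName": "alice@example.com", "authenticationProtocol": "deviceCode", "ipAddress": "203.0.113.10", "appDisplayName": "Microsoft Authentication Broker"}
{"createdDateTime": "2025-02-03T13:52:19Z", "userPrincipalName": "bob@example.com", "authenticationProtocol": "deviceCode", "ipAddress": "203.0.113.20", "appDisplayName": "Azure CLI"}
"""


def parse_signins(ndjson):
    """Parse newline-delimited JSON sign-in records into dicts."""
    return [json.loads(line) for line in ndjson.splitlines() if line.strip()]


def flag_device_code_signins(records, baseline_before):
    """Return alerts for deviceCode sign-ins at or after `baseline_before`.

    Sign-ins earlier than `baseline_before` (ISO 8601 UTC string; same-format
    strings compare correctly as text) form the baseline. A user with prior
    device code sign-ins gets severity "low"; a first-ever device code
    sign-in gets "high".
    """
    protocols_seen = defaultdict(set)
    for r in records:
        if r["createdDateTime"] < baseline_before:
            protocols_seen[r["userPrincipalName"]].add(r.get("authenticationProtocol"))

    alerts = []
    for r in records:
        if r["createdDateTime"] < baseline_before:
            continue  # baseline period, not evaluated
        if r.get("authenticationProtocol") != "deviceCode":
            continue  # only the device code flow is of interest here
        user = r["userPrincipalName"]
        severity = "low" if "deviceCode" in protocols_seen[user] else "high"
        alerts.append({
            "user": user,
            "time": r["createdDateTime"],
            "app": r.get("appDisplayName"),
            "ip": r.get("ipAddress"),
            "severity": severity,
        })
    return alerts


if __name__ == "__main__":
    for alert in flag_device_code_signins(parse_signins(SAMPLE_SIGNINS), "2025-02-01T00:00:00Z"):
        print(alert)
```

Run as-is to see one "high" alert (alice's first device code sign-in) and one "low" alert (bob, who used Azure CLI the same way in January). In production the baseline window should be weeks rather than days, and a "high" alert is a reason to review that user's subsequent token activity and to consider restricting the device code flow to the accounts and applications that actually need it.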