Vectra's Blog

Hack & Tell: MFA keeps you safe? Hold my beer...

Written by Shaun Burger | 2/07/25 1:50 AM

Imagine this: You fought hard internally for the budget and resources and now you've finally got everyone on MFA.

Your executive team is now sleeping soundly at night thinking phishing is yesterday’s news, finally we're safe! Well... sorry, but us nefarious evil wrong doer's aren’t even bothering with fake login pages anymore, we just don't need to.
We can just use Microsoft to help us, using their own device login process, tricking people into giving away access tokens on a silver platter—and yes, it works even if you’re the most “security-aware” in the room.

As multi-factor authentication (MFA) adoption has increased and legacy phishing techniques lose effectiveness, we attackers needed to evolve. Leading us to some more sophisticated abuse of OAuth2 “device code” flows to harvest access tokens and compromise cloud accounts. This method is particularly insidious because it leverages legitimate Microsoft authentication screens, often bypassing user suspicion and many technical controls.

1. Wait, What is Device Code Flow? (And Why Should I Care?)

Let’s break it down in some high-level terms: Ever connected a smart TV or printer that asks you to go to https://microsoft.com/devicelogin and enter a code? That’s the device code flow. It’s meant for gadgets too dumb for full logins. But... like any good work around, Mr Robot realised, “Hey, what if people are too trusting, too?”

How it’s supposed to work:

  • Device: “Go to this Microsoft site and enter this code.”
  • You: “Okay!” (Enters code, logs in, hits accept.)
  • Device: “Thanks, I’m now you. Let’s Netflix.”

How attackers use it:

  • Attacker: “Go to this Microsoft site and enter this code.”
  • You: “Okay!” (Still using the real Microsoft site.)
  • Attacker: “Thanks, I’m now you. Let’s steal your stuff.”

Why should you care? Because the whole thing happens on Microsoft’s real login screen, and MFA is just another checkmark on the way to being owned.

2. Attack Overview: The Modern “Phish and Chips” Recipe

Why we as red teamers love it (and why you should worry):

  • No fake login page: Users are trained to trust the process.
  • Works everywhere: Corporate, personal, Azure, M365, Intune—you name it.
  • Tokens that keep on ticking: Access/refresh tokens last ages.
  • Consent, but for evil: If you say yes, the attacker can do basically whatever they asked for.

Step-by-step in a bit more detail:

  1. Malicious App: Attacker registers a shady app in Azure, or fire up one of my favourite phishing tools - GraphSpy.
  2. The Lure: Sends you an email, Teams message, sms and any other comms channel you can think of “verify your device—go to Microsoft and enter this code.”
  3. You (trustingly) comply: You log in... no MFA required, consent screen? Sure, whatever, just let me get back to my emails.
  4. Attacker’s tool (GraphSpy, etc.) polling in the background: Waiting for you to finish.
  5. Tokens are delivered: Attacker can now act as you connecting via MS Graph —accessing mail, files, Intune devices, and more.
  6. Party time: Exfiltrate, persist, move laterally, I am now you...

 

3. Tool Time: GraphSpy & Dynamic Polling

Meet GraphSpy—this is just one of many open source projects out there but a particular favourite of mine.

What makes GraphSpy awesome (for us, terrifying for defenders):

  • Spins up device code flows with any client/app.
  • Shows you the code and link to send the victim.
  • Dynamically polls Microsoft for the green light.
  • Dumps the juicy tokens you need for MS Graph, Intune, M365, etc.
  • Lets you ask for whatever permissions you want (depending on what you think your target will approve).

A day in the life of a GraphSpy attack:

  1. Fire up GraphSpy and generate your code.
  2. DM/email/Teams the user with a story about “urgent verification” and paste the code + real Microsoft link.
  3. Wait for the “ding”—tokens are in.
  4. Go wild: enumerate devices, download mail, escalate, or nuke devices (if you’re evil).

Pro tip for defenders: If you see “GraphSpy” in the logs, you’ve already lost. Just kidding (sort of).

4. Why Attack Intune? Because Why Not

Intune is the cloud bouncer for most corporate devices. Get tokens for Intune, and you can:

  • List every device in the fleet
  • Remotely wipe/reset laptops
  • Use the Intune access as a launchpad for more attacks (thanks, Azure Graph!)

A typical lure:

“IT noticed unusual activity on your device. To keep access to corporate systems, please go to https://microsoft.com/devicelogin and enter code: AB12CD34. Approve any prompts for ‘Microsoft Intune Device Management.’ Thanks!”

Looks legit. Feels urgent. The real Microsoft site. If you’re busy or distracted, you’re in trouble.

5. How To Spot (and Block) This Attack

For everyone:

  • Don’t enter codes unless you started it. If IT needs something, call them.
  • Look at the app name: Does it say “Vectra Security” or “CoolApp42”? Run.
  • Be suspicious of urgency: “Act now or lose access!” is the oldest trick.

For the blue team and defenders:

  • Watch Azure sign-in logs for unusual device code logins - tune your SIEM!
  • Monitor OAuth consents, especially new/unfamiliar apps.
  • Set up conditional access and limit app registrations.
  • Train your users—again. (Sorry, not sorry.)

6. Its a new world out there...

Device code flow phishing is like a magic trick—everything looks legit, until you realise your wallet’s missing. Attackers don’t need to fake a thing; they just need you to trust the process. Tools like GraphSpy make it push-button simple for red teams and, unfortunately, real attackers.

The best defence: Relentless skepticism, good log monitoring, and a strong “never trust, always verify” culture. Because sometimes, even the “real” login is the riskiest click of all.

#HackAndTell #Phishing #HoldMyBeer #RedTeam #CloudSecurity #GraphSpy #Microsoft365
View full post