Device Code Login Phishing Presentation Attack, Detect, Mitigate

19.2K views
Apr 11, 2025
30:17

A couple of weeks ago, I explored Device Code Phishing with a friend, and we decided to make a video about it. It's a new format of video and topic, as I rarely cover the cloud, so we'd appreciate it if you let us know what you think about it.

Links:

- https://www.microsoft.com/en-us/security/blog/2025/02/13/storm-2372-conducts-device-code-phishing-campaign/
- https://www.volexity.com/blog/2025/02/13/multiple-russian-threat-actors-targeting-microsoft-device-code-authentication/
- https://www.inversecos.com/2022/12/how-to-detect-malicious-oauth-device.html
- https://0xboku.com/2021/07/12/ArtOfDeviceCodePhish.html
- https://aadinternals.com/post/phishing/#new-phishing-technique-device-code-authentication
- https://techcommunity.microsoft.com/blog/microsoft-entra-blog/new-microsoft-managed-policies-to-raise-your-identity-security-posture/4286758

Timestamps:

- 00:00 - Showing the Storm-2372 article
- 03:27 - Talking about phishing attacks starting out of band
- 04:40 - Bringing my friend on (oodie); slides talking about some good blog posts about this attack
- 06:40 - Talking about the history of the attack and when it began
- 07:23 - Some talk about the OAuth device authorization grant
- 08:30 - Microsoft is on top of this
- 10:20 - Showing that Azure CLI and Az PowerShell can perform device code logins, which aren't hacking tools
- 11:00 - Talking about how Device Code Logins work at a protocol level
- 12:50 - Performing the attack, using TokenTactics to start the device login process and create the phishing email
- 14:38 - Showing the attack from the victim's perspective, so you can see how easy it is to fall for this phishing attack
- 15:55 - Back to the attacker, using the token with AADInternals to get information about the organization, like dumping users
- 17:45 - Converting the token to an Outlook one, then searching the mailbox from the command line
- 19:20 - Converting the token to something we can use with the online portal, so we can use the web browser to interact with Office 365
- 22:00 - Looking at the sign-in logs and filtering by Device Code authentications
- 24:10 - Showing Sentinel displaying the CMSI (Check My Sign-In) event, which is another indicator
- 25:35 - Showing Sentinel querying emails; you can see the metadata about emails, including all links within the email
- 26:55 - Creating a policy to block device code login
