Executive Summary
In 2024, new phishing campaigns emerged that weaponize the OAuth 2.0 Device Authorization Grant (the "device code flow") against major cloud identity platforms, notably Azure (Microsoft Entra ID) and Google. The attacker starts the flow against the real identity provider, receives a short-lived user code, and sends that code to the victim with a lure pointing at the provider's genuine device-login page; no spoofed domain or fake login form is involved. When the victim enters the code and authenticates, completing MFA themselves, the identity provider issues the resulting access and refresh tokens to the party that started the flow, which is the attacker. The technique therefore does not break MFA so much as get the victim to satisfy it on the attacker's behalf, which is why it also defeats phishing-resistant factors that only protect against fake login pages. Researchers noted that Azure's device flow presented a larger attack surface than Google's, making it the higher-value target for phishing and account compromise. The result is unauthorized access to mail, documents and other cloud resources, with potential for lateral movement and persistent access for as long as the stolen refresh token remains valid.
These campaigns showcase a rapidly escalating attack vector that abuses a legitimate, standards-defined cloud identity flow rather than exploiting a software flaw. The rise in device code phishing reflects a broader shift by threat actors toward abusing legitimate authentication processes, especially as organizations depend more heavily on cloud services and OAuth-based SSO.
Why This Matters Now
The surge in OAuth device code phishing exposes a design property shared by popular cloud identity platforms: the device code flow delivers tokens to whoever initiated the request, not to the browser that authenticated. That puts business-critical assets at risk even for organizations that enforce MFA, because the victim legitimately completes every factor on the real portal. As cloud reliance grows, defending against these identity-layer phishing techniques has become an urgent, board-level concern.
Attack Path Analysis
The attack began with the adversary delivering a device code phishing lure to gain initial access, impersonating a legitimate device login request (for example, a meeting or application sign-in prompt carrying the attacker-generated code). Once the victim authenticated and the attacker received the OAuth tokens, the attacker expanded access using the scopes the token already carried, together with any consent previously granted to the impersonated client. Leveraging the compromised cloud identity, the attacker moved laterally to additional services and apps reachable with the same token or refresh token. Command and control was conducted through ordinary cloud API calls, which blend in with legitimate traffic, and potentially through other covert channels. The attacker then exfiltrated data from targeted SaaS or cloud resources using the access the victim had legitimately granted. Finally, the adversary achieved impact by manipulating or persisting in the victim environment, potentially enabling further access or business disruption.
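The exchange described above, as an added worked example that is not code from the cited reports or from any identity provider: an in-memory stand-in for the authorization server implements the three endpoints of the device authorization grant (RFC 8628), and a scenario function plays the attacker who starts the flow, lures the victim with only the user code and the genuine verification URL, and polls the token endpoint. The verification URI, client ID, scopes, code lifetime and the per-tenant policy switch are assumptions for illustration; the point it makes is that the victim's password and MFA never pass through the attacker, yet the token is delivered to the holder of the device code.

```python
"""Worked simulation of the OAuth 2.0 Device Authorization Grant (RFC 8628) as abused
by device code phishing. Added example: an in-memory stand-in for the identity
provider, not code from Microsoft, Google or any of the cited reports."""
import secrets
import string
import time

VERIFICATION_URI = "https://idp.example/devicelogin"  # stand-in for the real portal URL
CODE_LIFETIME = 900   # seconds; assumption mirroring the short lifetime real providers use
POLL_INTERVAL = 5     # seconds between client polls (RFC 8628 "interval")


class AuthorizationServer:
    """Minimal device authorization grant: three endpoints, state kept in memory."""

    def __init__(self, device_flow_enabled=True):
        # A tenant policy switch; real providers expose this as an admin control.
        self.device_flow_enabled = device_flow_enabled
        self._pending = {}       # device_code -> request record
        self._by_user_code = {}  # user_code -> device_code

    def device_authorization(self, client_id, scope, now=None):
        """Step 1: the client (in a phishing run, the attacker) starts the flow."""
        if not self.device_flow_enabled:
            return {"error": "unauthorized_client"}
        now = time.time() if now is None else now
        device_code = secrets.token_urlsafe(32)
        alphabet = string.ascii_uppercase + string.digits
        user_code = "".join(secrets.choice(alphabet) for _ in range(9))
        self._pending[device_code] = {
            "client_id": client_id, "scope": scope, "user_code": user_code,
            "expires_at": now + CODE_LIFETIME, "subject": None,
        }
        self._by_user_code[user_code] = device_code
        return {"device_code": device_code, "user_code": user_code,
                "verification_uri": VERIFICATION_URI,
                "expires_in": CODE_LIFETIME, "interval": POLL_INTERVAL}

    def user_verification(self, user_code, username, password_ok, mfa_ok, now=None):
        """Step 2: the victim opens the genuine portal, types the code, and authenticates.
        Nothing here is spoofed, so the victim's password and MFA are never seen by
        the attacker; consent is simply bound to the device_code the attacker holds."""
        now = time.time() if now is None else now
        rec = self._pending.get(self._by_user_code.get(user_code))
        if rec is None or now > rec["expires_at"]:
            return "invalid_or_expired_code"
        if not (password_ok and mfa_ok):
            return "authentication_failed"
        rec["subject"] = username
        return "authorized"

    def token(self, client_id, device_code, now=None):
        """Step 3: the client polls; whoever holds device_code receives the tokens."""
        now = time.time() if now is None else now
        rec = self._pending.get(device_code)
        if rec is None or rec["client_id"] != client_id:
            return {"error": "invalid_grant"}
        if now > rec["expires_at"]:
            return {"error": "expired_token"}
        if rec["subject"] is None:
            return {"error": "authorization_pending"}
        del self._pending[device_code]
        del self._by_user_code[rec["user_code"]]
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer",
                "scope": rec["scope"], "subject": rec["subject"]}


def run_phishing_scenario(server, victim="alice@victim.example"):
    """Attacker starts the flow, lures the victim with only user_code + the real
    verification_uri, and polls until the token arrives. Returns the attacker's
    final token-endpoint response. Timestamps are simulated via `now`."""
    client_id = "public-client-id"  # hypothetical; real campaigns impersonate a known client
    start = server.device_authorization(client_id, "Mail.Read Files.Read offline_access", now=0)
    if "error" in start:
        return start
    # Polling before the victim acts yields authorization_pending, not a failure.
    assert server.token(client_id, start["device_code"], now=POLL_INTERVAL) == {"error": "authorization_pending"}
    # The lure carries start["user_code"] and start["verification_uri"]; the victim
    # completes password + MFA on the legitimate portal within the code's lifetime.
    assert server.user_verification(start["user_code"], victim, True, True, now=60) == "authorized"
    return server.token(client_id, start["device_code"], now=65)


if __name__ == "__main__":
    print(run_phishing_scenario(AuthorizationServer()))
    print(run_phishing_scenario(AuthorizationServer(device_flow_enabled=False)))
```

Running it prints a bearer token issued for the victim even though the attacker supplied no credentials, and `unauthorized_client` when the simulated tenant has the flow disabled, which is the identity-side control that actually prevents issuance.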
Kill Chain Progression
Initial Compromise
Description
The attacker initiated a device code request against the legitimate identity provider, sent the resulting user code to the victim in a phishing lure, and received valid cloud tokens once the victim entered the code on the genuine device-login page and authenticated; the victim's credentials were never captured directly.
Related CVEs
CVE-2023-2585
CVSS 7.5. Keycloak's device authorization grant does not correctly validate the device code and client ID, allowing attackers to spoof client consent requests and potentially gain unauthorized access. Note that the campaigns described on this page abuse the device authorization grant as designed in Azure and Google and do not depend on this or any other CVE; it is listed because it concerns the same grant type in a different product.
Affected Products:
Red Hat OpenShift Container Platform – 4.11, 4.12
Exploit Status:
no public exploit
MITRE ATT&CK® Techniques
Phishing: Spearphishing Attachment
Multi-Factor Authentication Interception
Steal Web Session Cookie
Steal Application Access Token
Valid Accounts
Modify Authentication Process: Web Portal
Account Manipulation
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Strong Authentication for Non-Console Access
Control ID: 8.3.1
NYDFS 23 NYCRR 500 – Multi-Factor Authentication
Control ID: 500.12
DORA (Digital Operational Resilience Act) – ICT Risk Management Framework
Control ID: Article 9.2
CISA Zero Trust Maturity Model 2.0 – Continuous Authentication and Authorization
Control ID: Identity Pillar – Authentication and Access
NIS2 Directive – Access Control Policies
Control ID: Article 21.2(d)
Sector Implications
Industry-specific impact of this attack technique, including operational, regulatory, and cloud security risks.
Computer Software/Engineering
OAuth device code phishing directly targets software authentication systems, exploiting Azure/Google integrations critical to development workflows and cloud-native security fabric implementations.
Financial Services
Token theft via device code phishing gives the attacker the same API access as the victim, undermining zero trust assumptions that a valid token implies a trusted caller and exposing regulated financial data to unauthorized read and export.
Health Care / Life Sciences
HIPAA safeguards for access control and activity monitoring are directly implicated when device code phishing yields tokens that can read patient data from healthcare cloud tenants, since the access looks like a legitimate, MFA-satisfied sign-in.
Government Administration
OAuth credential theft attacks government cloud infrastructures, undermining zero trust policies, multicloud visibility controls, and critical threat detection capabilities for public sector security.
Sources
- OAuth Device Code Phishing: Azure vs. Google Compared. https://www.bleepingcomputer.com/news/security/oauth-device-code-phishing-azure-vs-google-compared/
- How Device Code Phishing Abuses OAuth Flows on Google and Azure. https://dailysecurityreview.com/cyber-security/identity-and-access-management/how-device-code-phishing-abuses-oauth-flows-on-google-and-azure/
- OAuth's Device Code Flow Abused in Phishing Attacks. https://www.secureworks.com/blog/oauths-device-code-flow-abused-in-phishing-attacks
- Warning issued as surge in OAuth device code phishing leads to M365 account takeovers. https://www.itpro.com/security/phishing/warning-issued-as-surge-in-oauth-device-code-phishing-leads-to-m365-account-takeovers
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Implementing CNSF controls such as Zero Trust Segmentation, threat detection, and egress policy enforcement would have limited what an attacker could do with phished OAuth tokens inside cloud workloads, contained lateral movement, and signaled anomalous access. Network-based segmentation, cloud firewalling, and continuous threat/anomaly monitoring all reduce the blast radius once a token is in an attacker's hands. They do not prevent the token from being issued in the first place: the phished token is typically used from the attacker's own infrastructure directly against the SaaS APIs, so these controls must be paired with identity-side measures such as restricting or blocking the device code flow for users who do not need it, limiting which clients may use it, and reviewing sign-ins that used the flow.
Control: Threat Detection & Anomaly Response
Mitigation: Unusual device authorizations or atypical identity flows flagged for rapid response.
Control: Zero Trust Segmentation
Mitigation: Network and identity segmentation limit over-privileged access even with a compromised token.
Control: East-West Traffic Security
Mitigation: East-west policy enforcement prevents token reuse between isolated workloads.
Control: Cloud Firewall (ACF)
Mitigation: Perimeter and outbound access governed—C2 attempts can be detected or blocked by policy.
Control: Egress Security & Policy Enforcement
Mitigation: Outbound data movement is subject to strict filtering and monitoring.
Continuous cloud-wide visibility allows rapid containment of attackers before business impact.
Impact at a Glance
Affected Business Functions
- Email Communications
- Document Management
- Collaboration Platforms
Estimated downtime: 3 days
Estimated loss: $500,000
Potential unauthorized access to sensitive emails, documents, and internal communications, leading to data breaches and compliance violations.
Recommended Actions
Key Takeaways & Next Steps
- Enforce network-level Zero Trust segmentation and granular identity-based policies to isolate access between cloud workloads.
- Deploy anomaly-based threat detection for OAuth and SaaS login flows to spot suspicious device code authorizations.
- Implement egress filtering and application-aware cloud firewalling to restrict unauthorized external communication and data exfiltration.
- Maintain centralized, multicloud visibility to quickly detect and contain anomalous privilege use and lateral movement attempts.
- Regularly audit policy enforcement and minimize privilege scope for all cloud tokens and APIs to reduce the blast radius of credential compromise.
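Detection logic for the second action above, as an added example that is not the page vendor's product code: it runs over a handful of constructed sign-in records shaped like Entra ID sign-in log entries and flags device code authorizations. The field names (authenticationProtocol with the value deviceCode, userPrincipalName, ipAddress, location.countryOrRegion, createdDateTime, appDisplayName) follow that schema as I understand it and should be treated as assumptions to adapt to your own platform's export; the baseline window, burst window and thresholds are illustrative.

```python
"""Added example: flag device code sign-ins in identity-provider sign-in logs.
Records are constructed for this example and shaped like Entra ID sign-in log
entries; field names are assumptions to adapt to your own export."""
import json
from datetime import datetime, timedelta

# Constructed sample: two normal interactive sign-ins, then three device code
# sign-ins from three different users within ten minutes (a campaign signature).
SAMPLE_LOG = """
{"createdDateTime":"2024-06-03T08:02:11Z","userPrincipalName":"alice@corp.example","authenticationProtocol":"oAuth2","ipAddress":"203.0.113.10","location":{"countryOrRegion":"DE"},"appDisplayName":"Office 365 Exchange Online"}
{"createdDateTime":"2024-06-03T08:05:40Z","userPrincipalName":"bob@corp.example","authenticationProtocol":"oAuth2","ipAddress":"203.0.113.11","location":{"countryOrRegion":"DE"},"appDisplayName":"Microsoft Teams"}
{"createdDateTime":"2024-06-03T08:40:27Z","userPrincipalName":"alice@corp.example","authenticationProtocol":"deviceCode","ipAddress":"203.0.113.10","location":{"countryOrRegion":"DE"},"appDisplayName":"Microsoft Office"}
{"createdDateTime":"2024-06-03T08:42:03Z","userPrincipalName":"bob@corp.example","authenticationProtocol":"deviceCode","ipAddress":"198.51.100.77","location":{"countryOrRegion":"US"},"appDisplayName":"Microsoft Office"}
{"createdDateTime":"2024-06-03T08:50:19Z","userPrincipalName":"carol@corp.example","authenticationProtocol":"deviceCode","ipAddress":"192.0.2.9","location":{"countryOrRegion":"NL"},"appDisplayName":"Microsoft Office"}
{"createdDateTime":"2024-06-03T09:30:00Z","userPrincipalName":"dave@corp.example","authenticationProtocol":"oAuth2","ipAddress":"203.0.113.12","location":{"countryOrRegion":"DE"},"appDisplayName":"Microsoft Teams"}
"""


def parse_lines(text):
    """One JSON object per line; returns events sorted by timestamp."""
    events = []
    for line in text.strip().splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ev["_ts"] = datetime.strptime(ev["createdDateTime"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return sorted(events, key=lambda e: e["_ts"])


def _country(ev):
    return (ev.get("location") or {}).get("countryOrRegion", "unknown")


def detect_device_code_abuse(events, baseline_hours=24, burst_minutes=60, burst_threshold=3):
    """Two rules. Per event: every device code sign-in is at least 'medium' (the flow
    is rare for ordinary users and the user must confirm they started it); it becomes
    'high' when the recorded country is absent from that user's recent non-device-code
    sign-ins. Per window: several distinct users completing device code sign-ins
    within burst_minutes is treated as a campaign. Thresholds are illustrative."""
    alerts, dc_events = [], []
    for ev in events:
        if ev.get("authenticationProtocol") != "deviceCode":
            continue
        user = ev["userPrincipalName"]
        since = ev["_ts"] - timedelta(hours=baseline_hours)
        baseline = {_country(e) for e in events
                    if e["userPrincipalName"] == user
                    and e.get("authenticationProtocol") != "deviceCode"
                    and since <= e["_ts"] < ev["_ts"]}
        if baseline and _country(ev) not in baseline:
            sev = "high"
            why = f"device code sign-in from {_country(ev)}, baseline countries {sorted(baseline)}"
        else:
            sev = "medium"
            why = "device code sign-in; confirm the user initiated it on a device they control"
        alerts.append({"severity": sev, "user": user, "time": ev["createdDateTime"], "reason": why})
        dc_events.append(ev)
    for i, ev in enumerate(dc_events):
        end = ev["_ts"] + timedelta(minutes=burst_minutes)
        users = {e["userPrincipalName"] for e in dc_events[i:] if e["_ts"] <= end}
        if len(users) >= burst_threshold:
            alerts.append({"severity": "high", "user": "*", "time": ev["createdDateTime"],
                           "reason": f"{len(users)} users completed device code sign-ins within "
                                     f"{burst_minutes} min: {sorted(users)}"})
            break  # one campaign alert per run is enough for this example
    return alerts


if __name__ == "__main__":
    for a in detect_device_code_abuse(parse_lines(SAMPLE_LOG)):
        print(a["severity"].upper(), a["time"], a["user"], "-", a["reason"])
```

On the sample, alice's device code sign-in is medium (same country as her baseline), bob's is high (his baseline is DE, the device code sign-in is recorded from US), carol's is medium because she has no baseline to compare against, and the three sign-ins within ten minutes raise one campaign-level alert. Which IP and country a platform records for a device code sign-in (the victim's browser or the polling client) varies, so treat the country rule as a heuristic and the per-event rule as the floor.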