Executive Summary: 2026-02-19 → 2026-02-26
Daily Cybersecurity Briefing | 2024
THREAT ACTIVITY
Microsoft Entra Account Compromise via Device Code Vishing
MITRE ATT&CK: T1566 (Phishing), T1528 (Steal Application Access Token)
Threat actors are actively exploiting OAuth 2.0 device authorization flows to compromise Microsoft Entra ID (formerly Azure AD) accounts through voice phishing campaigns. This technique bypasses traditional phishing infrastructure by leveraging legitimate Microsoft authentication mechanisms.
Attack Chain:
- Attackers initiate vishing calls impersonating IT support or security teams
- Victims are socially engineered to visit legitimate Microsoft device login portal (microsoft.com/devicelogin)
- Attackers provide device codes obtained from OAuth 2.0 device authorization grants
- Once the victim enters the code and authenticates (completing MFA themselves if it is required), the attacker's client receives an access token and a refresh token for the victim's account; the short-lived access token gives immediate access, and the refresh token is what makes the access persistent
- No malicious domains or phishing sites required—all authentication occurs through Microsoft's legitimate infrastructure
Impact: This technique is particularly dangerous because it:
- Evades email-based phishing detection (there is no malicious link or attachment to inspect)
- Uses legitimate Microsoft domains, so it passes URL reputation checks
- Yields valid OAuth tokens, and the refresh token keeps the access alive long after the call has ended
- Is difficult to distinguish from legitimate device authorization workflows
Microsoft 365 Copilot DLP Bypass
MITRE ATT&CK: T1114 (Email Collection), T1530 (Data from Cloud Storage)
A vulnerability in Microsoft 365 Copilot allows Data Loss Prevention (DLP) policies to be bypassed through AI-generated email summaries. Copilot processes and summarizes confidential emails in the Sent Items and Drafts folders, so their content is surfaced in summaries even where DLP policies should block access to the underlying messages.
Risk: Organizations relying on DLP policies to protect sensitive data may have confidential information exposed through Copilot summaries. The summarization feature becomes a data exfiltration vector that the DLP policies were never evaluated against.
TODAY'S ACTIONS
- [ ] 🔴 Audit device code authentication in the Entra ID sign-in logs: filter the Authentication Protocol column for "Device code" and investigate anomalous patterns
- [ ] 🔴 Use a Conditional Access policy with the Authentication flows condition to block device code flow where it is not required. Requiring MFA alone does not stop this attack: the victim completes MFA themselves while entering the attacker's code
- [ ] 🟠 Review Microsoft 365 Copilot permissions and assess DLP policy coverage for AI-accessible content
- [ ] 🟠 Alert helpdesk staff about device code vishing campaigns and establish verification procedures before assisting with any device authentication request
- [ ] 🟡 Hunt for suspicious device code grants in the last 30 days and correlate with call logs if available
DETECTION NOTE
Monitor Entra ID sign-in logs for:
- authenticationProtocol: deviceCode
- Multiple failed device code attempts followed by success
- Device code authentications from unexpected geolocations or impossible travel scenarios
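The hunt in the action list and the three detection signals above, run over sample sign-in records, as an added example (not code from the original briefing or from Microsoft). The records use the field names of the Microsoft Graph `signIn` resource (`userPrincipalName`, `createdDateTime`, `authenticationProtocol`, `ipAddress`, `status.errorCode`, `location.geoCoordinates`), but the records themselves are constructed and every UPN, IP address, coordinate and timestamp is invented. The thresholds (two failures within 30 minutes, 900 km/h for impossible travel) are assumptions to tune for your environment.

```python
"""Hunt for device code flow abuse in Microsoft Entra ID sign-in logs.

Added example for this briefing; not code from the original page or from
Microsoft. Field names follow the Microsoft Graph `signIn` resource
(GET /auditLogs/signIns). SAMPLE_SIGNINS is constructed: every UPN, IP,
coordinate and timestamp is invented.
"""
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

SEATTLE = {"countryOrRegion": "US", "city": "Seattle",
           "geoCoordinates": {"latitude": 47.61, "longitude": -122.33}}
LAGOS = {"countryOrRegion": "NG", "city": "Lagos",
         "geoCoordinates": {"latitude": 6.45, "longitude": 3.39}}


def _rec(upn, ts, proto, ip, error, loc):
    """Build one constructed sign-in record in Graph signIn shape."""
    return {"userPrincipalName": upn, "createdDateTime": ts,
            "authenticationProtocol": proto, "ipAddress": ip,
            "status": {"errorCode": error}, "location": loc}


# alice: normal browser sign-in from Seattle, then two failed device-code
# attempts and a success from Lagos 70 minutes later (the vishing pattern).
# bob: normal sign-in and a legitimate device-code sign-in, both from Seattle,
# with a single failed attempt first (below the alert threshold).
# A non-zero errorCode means the sign-in did not complete (value is constructed).
SAMPLE_SIGNINS = [
    _rec("alice@example.com", "2026-02-20T09:00:00Z", "oAuth2", "203.0.113.10", 0, SEATTLE),
    _rec("alice@example.com", "2026-02-20T10:00:00Z", "deviceCode", "198.51.100.7", 50074, LAGOS),
    _rec("alice@example.com", "2026-02-20T10:05:00Z", "deviceCode", "198.51.100.7", 50074, LAGOS),
    _rec("alice@example.com", "2026-02-20T10:10:00Z", "deviceCode", "198.51.100.7", 0, LAGOS),
    _rec("bob@example.com", "2026-02-20T07:00:00Z", "oAuth2", "203.0.113.11", 0, SEATTLE),
    _rec("bob@example.com", "2026-02-20T07:55:00Z", "deviceCode", "203.0.113.11", 50074, SEATTLE),
    _rec("bob@example.com", "2026-02-20T08:00:00Z", "deviceCode", "203.0.113.11", 0, SEATTLE),
]


def _ts(record):
    """Parse the ISO 8601 'Z' timestamp Graph emits into an aware datetime."""
    return datetime.fromisoformat(record["createdDateTime"].replace("Z", "+00:00"))


def device_code_signins(records):
    """Signal 1: every sign-in that used the device code protocol."""
    return [r for r in records if r.get("authenticationProtocol") == "deviceCode"]


def failed_then_success(records, window=timedelta(minutes=30), min_failures=2):
    """Signal 2: a successful device-code sign-in preceded by >= min_failures
    failed device-code sign-ins for the same user within `window`.
    Returns (upn, success_time, failure_count, ip) tuples."""
    by_user = {}
    for r in sorted(device_code_signins(records), key=_ts):
        by_user.setdefault(r["userPrincipalName"], []).append(r)
    findings = []
    for upn, events in by_user.items():
        recent_failures = []
        for e in events:
            t = _ts(e)
            recent_failures = [f for f in recent_failures if t - f <= window]
            if e["status"]["errorCode"] != 0:
                recent_failures.append(t)
            elif len(recent_failures) >= min_failures:
                findings.append((upn, e["createdDateTime"], len(recent_failures), e["ipAddress"]))
                recent_failures = []
    return findings


def haversine_km(a, b):
    """Great-circle distance between two geoCoordinates dicts, in km."""
    lat1, lon1 = radians(a["latitude"]), radians(a["longitude"])
    lat2, lon2 = radians(b["latitude"]), radians(b["longitude"])
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))


def impossible_travel(records, max_speed_kmh=900.0):
    """Signal 3: a successful device-code sign-in whose distance from the same
    user's previous successful sign-in (any protocol) implies travel faster
    than max_speed_kmh. Returns (upn, time, km, ip) tuples."""
    by_user = {}
    for r in sorted(records, key=_ts):
        if r["status"]["errorCode"] == 0:
            by_user.setdefault(r["userPrincipalName"], []).append(r)
    findings = []
    for upn, events in by_user.items():
        for prev, cur in zip(events, events[1:]):
            if cur.get("authenticationProtocol") != "deviceCode":
                continue
            hours = (_ts(cur) - _ts(prev)).total_seconds() / 3600
            km = haversine_km(prev["location"]["geoCoordinates"], cur["location"]["geoCoordinates"])
            if km / max(hours, 1e-6) > max_speed_kmh:
                findings.append((upn, cur["createdDateTime"], round(km), cur["ipAddress"]))
    return findings


def hunt(records):
    """Run all three signals and return the findings in one dict."""
    return {"device_code_signins": len(device_code_signins(records)),
            "failed_then_success": failed_then_success(records),
            "impossible_travel": impossible_travel(records)}


if __name__ == "__main__":
    for name, value in hunt(SAMPLE_SIGNINS).items():
        print(f"{name}: {value}")
```

In production the records come from `GET https://graph.microsoft.com/v1.0/auditLogs/signIns` or the `SigninLogs` table in Log Analytics rather than from the constructed list; the alice finding (two failures, then a success from a location 12,000 km from her sign-in an hour earlier) is the pattern to escalate, while bob's lone failure and local success should stay below the threshold.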