{"id":47498714,"url":"https://github.com/denniskniep/devicecodephishing","last_synced_at":"2026-04-01T23:02:02.098Z","repository":{"id":288594293,"uuid":"967698569","full_name":"denniskniep/DeviceCodePhishing","owner":"denniskniep","description":"This is a novel technique that leverages the well-known Device Code phishing approach. It dynamically initiates the flow when the victim opens the phishing link and instantly redirects them to the authentication page. No authentication method, not even FIDO, is able to protect against this type of attack.","archived":false,"fork":false,"pushed_at":"2025-09-19T16:26:51.000Z","size":17,"stargazers_count":193,"open_issues_count":1,"forks_count":26,"subscribers_count":2,"default_branch":"main","last_synced_at":"2026-03-28T00:58:05.477Z","etag":null,"topics":["azure","device-code","entra","fido2","phishing","security"],"latest_commit_sha":null,"homepage":"https://denniskniep.github.io/posts/09-device-code-phishing/","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/denniskniep.png","metadata":{"files":{"readme":"Readme.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2025-04-16T21:28:31.000Z","updated_at":"2026-03-24T20:35:27.000Z","dependencies_parsed_at":"2025-04-19T01:05:19.869Z","dependency_job_id":"edea7c2b-b37c-4bf1-874f-5729ebb26568","html_url":"https://github.com/denniskniep/DeviceCodePhishing","commit_stats":null,"previous_names":["denniskniep/devicecodephishing"],"tags_count":3,"template":false,"template_full
_name":null,"purl":"pkg:github/denniskniep/DeviceCodePhishing","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/denniskniep%2FDeviceCodePhishing","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/denniskniep%2FDeviceCodePhishing/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/denniskniep%2FDeviceCodePhishing/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/denniskniep%2FDeviceCodePhishing/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/denniskniep","download_url":"https://codeload.github.com/denniskniep/DeviceCodePhishing/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/denniskniep%2FDeviceCodePhishing/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":31292784,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-04-01T21:15:39.731Z","status":"ssl_error","status_checked_at":"2026-04-01T21:15:34.046Z","response_time":53,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["azure","device-code","entra","fido2","phishing","security"],"created_at":"2026-03-27T04:40:07.328Z","updated_at":"2026-04-01T23:02:02.086Z","avatar_url":"https://github.com/denniskniep.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"# 
DeviceCodePhishing\n\n## TL;DR;\nEDIT 19.09.2025: Microsoft fixed it for normal Entra tenants, but still possible for federated Entra tenants. \n\nThis is a novel technique that leverages the well-known Device Code phishing approach. \nIt dynamically initiates the flow as soon as the victim opens the phishing link and instantly redirects them to the authentication page.\nA headless browser automates this by directly entering the generated Device Code into the webpage behind the scenes. \nThis defeats the 10-minute token validity limitation and eliminates the need for the victim to manually perform these steps, elevating the efficiency of the attack to a new level.  \nWhat makes Device Code phishing especially dangerous is that no authentication method, not even FIDO, is able to protect against this type of attack. \nAdditionally, the victim interacts with the original website they expect, making it impossible to detect the attack based on a suspicious URL.\n\n## Edit: Does not work on normal Entra tenants anymore, but ...\nFederated Entra tenants are still affected by that technique. The application now executes a preflight check to determine whether the specified domain belongs to a federated tenant. If so, execution continues and the user is redirected immediately to the federated sign-in page. 
\n\n## Demo\nhttps://gist.github.com/user-attachments/assets/bf6d1c2d-7199-4394-824d-e6f57e8136a2\n\n## Description \nDeviceCodePhishing is an advanced phishing tool that leverages the Device Code Flow.\nIt can be used for phishing access-tokens, which in turn allows bypassing two-factor authentication protection, including accounts that exclusively use FIDO for authentication.\n\nWhile other tools exist to automate device code phishing attacks, they often come with certain limitations, \nsuch as requiring the attacker to convince the victim to open the URL and enter the code within a strict 10-minute time frame.\nThe goal of this tool is to overcome those limitations by automating the process with a headless browser, which initiates the attack \nas soon as the victim clicks on the phishing link.\n\nThis attack technique is even more dangerous than attacker-in-the-middle (AitM) proxies, because the\nuser **enters their credentials on the original webpage**, making it nearly impossible to detect the phishing attempt based on a suspicious URL.\nAdditionally, the victim might not need to authenticate interactively because a session is still active. \nTherefore, the victim has almost no time to realize that this is not legitimate. \nAnd not to forget that the Device Code Flow undermines FIDO's phishing resistance!\n\nCurrently, this tool is limited to targeting Microsoft Azure Entra users, but the underlying technique is not restricted to any specific vendor.\n\nFor more details, check out the blog post: [Phishing despite FIDO, leveraging a novel technique based on the Device Code Flow](https://denniskniep.github.io/posts/09-device-code-phishing)\n\n## How it works\n1. The attacker sends a URL to the victim\n2. The victim opens that URL\n3. 
When the URL is opened, a headless browser is started, performing the following automated steps:\n   - Starts the Device Code Flow with `\u003ctenantDomain\u003e` and `\u003cclientId\u003e`\n   - Opens the device-code webpage and enters the corresponding user-code\n   - The device-code webpage forwards to the URL for interactive authentication (By clicking on \"Can't access your account\" and immediately navigating back by clicking the cancel button, see [here](https://github.com/denniskniep/DeviceCodePhishing/blob/main/pkg/entra/devicecode.go#L101))\n   - Returns the URL for interactive authentication as a redirect to the victim\n4. The victim is redirected to the authentication URL\n5. The victim completes the authentication\n6. The attacker is authenticated\n\nA demo video of the flow can be seen [here](#demo)  \n\n## Install\nDownload the appropriate binary from [Releases](https://github.com/denniskniep/DeviceCodePhishing/releases)\nor install via go using the following command:\n```shell\ngo install github.com/denniskniep/DeviceCodePhishing@v1.1.0\n```\n\n## Start the phishing server\nSpecify the TenantDomain with `--domain`. By default, it runs with the AuthenticationBroker ClientId `29d9ed98-a469-4536-ade2-f981bc1d605e`. 
Use the arguments if you want to define a different clientId or a custom userAgent\n```shell\nDeviceCodePhishing server --domain \u003ctenantDomain\u003e --client-id \u003cclientId\u003e --user-agent \u003cuserAgent\u003e \n```\nFor further help on syntax or how to use the arguments, execute:\n```shell\nDeviceCodePhishing server --help\n```\n\n## Use\nOpen the URL:\nhttp://localhost:8080/lure\n\n\n## Azure Entra ClientIds\n\n| ClientId                             | Description                     |\n|--------------------------------------|---------------------------------|\n| 29d9ed98-a469-4536-ade2-f981bc1d605e | Microsoft Authentication Broker |\n| 9ba1a5c7-f17a-4de9-a1f1-6178c8d51223 | Microsoft Intune Company Portal |\n\nHint: Use Microsoft Intune Company Portal for bypassing Intune compliant device Conditional Access Policy ([More Details](https://i.blackhat.com/EU-24/Presentations/EU-24-Chudo-Unveiling-the-Power-of-Intune-Leveraging-Intune-for-Breaking-Into-Your-Cloud-and-On-Premise.pdf))\n\n## Next steps with obtained tokens\nOnce you have successfully obtained tokens, you can use them with other attack tools, such as:\n* https://github.com/dafthack/GraphRunner\n* https://github.com/f-bader/TokenTacticsV2?tab=readme-ov-file#azure-json-web-token-jwt-manipulation-toolset\n* https://github.com/secureworks/family-of-client-ids-research\n\n\n## Build it yourself \n```shell\ngo build main.go\n```\n\n```shell\n./main server\n```\n\n## Run with Docker\n```shell\ndocker run -p 8080:8080 ghcr.io/denniskniep/device-code-phishing:v1.1.0\n```\n\n\n## Build \u0026 Run it yourself with Docker\n```shell\ndocker build . 
-t device-code-phishing\n```\n\n```shell\ndocker run -p 8080:8080 device-code-phishing\n```\n\n## Disclaimer\nProvided as educational content only!","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdenniskniep%2Fdevicecodephishing","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fdenniskniep%2Fdevicecodephishing","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdenniskniep%2Fdevicecodephishing/lists"}