Microsoft Device Code Phishing

 1name: "Microsoft Device Code Phishing"
 2description: |
 3  An attacker may generate a user code and send it to a target mailbox. With an appropriate lure, the targeted user may action the device code login and provide an attacker with the means to take over their account.
 4
 5  This rule looks for the presence of the Microsoft device login portal link, as well as mentions of 'device code' or a 9 character alphanumeric device code value.  
 6type: "rule"
 7authors:
 8  - twitter: "ajpc500"
 9references:
10  - "https://aadinternals.com/post/phishing/"
11  - "https://0xboku.com/2021/07/12/ArtOfDeviceCodePhish.html"
12  - "https://www.inversecos.com/2022/12/how-to-detect-malicious-oauth-device.html"
13severity: "medium"
14source: |
15  type.inbound
16
17  // Not from MS as the device code will be generated and sent by the attacker
18  and sender.email.domain.root_domain not in~ ("microsoft.com", "microsoftonline.com")
19
20  // Link to the device code MS pages
21  and any(body.links,
22          (
23            .href_url.url == "https://microsoft.com/devicelogin"
24            or .href_url.url == "https://login.microsoftonline.com/common/oauth2/deviceauth"
25          )
26  )
27
28  // Body text references device codes
29  and (
30    strings.icontains(body.html.display_text, "device code")
31    or 
32    // A nine character string containing a combination of letters and characters
33    regex.icontains(body.html.display_text, '[\W]([A-Z0-9]{9})[\W]')
34  )
35  and (
36    not profile.by_sender().solicited
37    or (
38      profile.by_sender().any_messages_malicious_or_spam
39      and not profile.by_sender().any_false_positives
40    )
41  )  
42attack_types:
43  - "Credential Phishing"
44tactics_and_techniques:
45  - "Impersonation: Brand"
46  - "Social engineering"
47detection_methods:
48  - "Content analysis"
49  - "Sender analysis"
50  - "URL analysis"
51id: "61f3ae67-c05c-506f-bbfe-764108a40974"