AI Security AI安全 3d ago Updated 2d ago 更新于 2天前 46

DEBULL Tooling Abuses Microsoft Device-Code Flow to Target M365 Accounts DEBULL工具滥用微软设备代码流针对M365账户

A new phishing campaign utilizes the "DEBULL" tooling to abuse Microsoft’s legitimate Device Code Flow, bypassing Multi-Factor Authentication (MFA) and stealing session tokens without requiring user passwords. The attack leverages reusable Phishing-as-a-Service (PhaaS) infrastructure, specifically integrating with GraphSpy-derived workflows for post-authentication exploitation of Microsoft 365 and Entra accounts. Threat actors employ social engineering lures, such as fake collaboration or paymen 攻击者利用名为DEBULL的工具化平台,滥用微软Device-Code Flow针对M365账户进行钓鱼,无需伪造密码页面即可绕过MFA。 该活动与微软此前记录的Storm-2372战役高度相似,但通过可复用的后端代理基础设施实现了模块化攻击链。 DEBULL作为PhaaS(钓鱼即服务)平台,允许操作员自定义诱饵页面,并结合GraphSpy等工具进行后渗透数据窃取。 攻击流程通过合法但被劫持的网站作为协调器,诱导用户输入设备代码,从而获取持久化的会话令牌。 此类工具的出现标志着身份盗窃攻击正从单次定制转向标准化、模块化的服务化运营。

65
Hot 热度
70
Quality 质量
60
Impact 影响力

Analysis 深度分析

TL;DR

  • A new phishing campaign utilizes the "DEBULL" tooling to abuse Microsoft’s legitimate Device Code Flow, bypassing Multi-Factor Authentication (MFA) and stealing session tokens without requiring user passwords.
  • The attack leverages reusable Phishing-as-a-Service (PhaaS) infrastructure, specifically integrating with GraphSpy-derived workflows for post-authentication exploitation of Microsoft 365 and Entra accounts.
  • Threat actors employ social engineering lures, such as fake collaboration or payment notifications, directing victims to compromised legitimate websites that orchestrate the device code authentication challenge.
  • This tradecraft shows strong overlaps with the previously documented "Storm-2372" campaign, indicating a shift toward modularized, operator-friendly tools that decouple lure creation from backend identity theft mechanisms.

Why It Matters

This development highlights a critical evolution in identity-based attacks where threat actors are moving away from complex Adversary-in-the-Middle (AitM) setups toward abusing native, trusted authentication protocols like OAuth Device Authorization. For security practitioners, this underscores the urgent need to monitor for anomalous device code generation and non-standard client IDs, as traditional password-based defenses and standard MFA prompts are rendered ineffective by this token-stealing methodology.

Technical Details

  • Mechanism: Attackers initiate a legitimate Microsoft Device Authorization Grant flow, generating a unique user code. Victims are tricked via phishing lures into entering this code and their credentials on a legitimate Microsoft login page, allowing the attacker’s backend broker to poll for and capture the resulting access/refresh tokens.
  • Tooling (DEBULL): A reusable PhaaS platform that provides operator-facing controls for defining lures, HTML/CSS/JS templates, and publishing methods. It acts as the campaign-facing layer, while likely utilizing GraphSpy or similar derived code for the post-authentication layer to manage Microsoft 365 and Entra resources.
  • Infrastructure: The campaign uses compromised legitimate websites (e.g., a Croatian rental site) as intermediaries to host the device code orchestrator. This allows for dynamic code generation upon link click, enabling persistent attack chains even if the initial email is viewed later.
  • Post-Exploitation: Once tokens are harvested, attackers can perform Business Email Compromise (BEC), lateral movement, data exfiltration from SharePoint, and maintain persistent access via Primary Refresh Tokens (PRT), as seen in related platforms like ARToken and EvilTokens.

Industry Insight

  • Shift to Modular PhaaS: The emergence of DEBULL indicates that identity theft capabilities are becoming highly commoditized and modular. Security teams must assume that any sophisticated phishing campaign may be powered by standardized, off-the-shelf broker infrastructure rather than custom-built malware.
  • Monitoring Gaps: Traditional security monitoring often ignores legitimate OAuth flows. Organizations should implement strict Conditional Access policies that restrict device code authentication to known, approved applications and monitor for unusual spikes in device code requests or logins from unexpected client IDs.
  • User Education Limitations: Since this attack uses legitimate Microsoft interfaces, user training alone is insufficient. Defense strategies must rely heavily on technical controls, such as blocking device code flows for high-risk users or enforcing certificate-based authentication where possible.

TL;DR

  • 攻击者利用名为DEBULL的工具化平台,滥用微软Device-Code Flow针对M365账户进行钓鱼,无需伪造密码页面即可绕过MFA。
  • 该活动与微软此前记录的Storm-2372战役高度相似,但通过可复用的后端代理基础设施实现了模块化攻击链。
  • DEBULL作为PhaaS(钓鱼即服务)平台,允许操作员自定义诱饵页面,并结合GraphSpy等工具进行后渗透数据窃取。
  • 攻击流程通过合法但被劫持的网站作为协调器,诱导用户输入设备代码,从而获取持久化的会话令牌。
  • 此类工具的出现标志着身份盗窃攻击正从单次定制转向标准化、模块化的服务化运营。

为什么值得看

本文揭示了高级持续性威胁(APT)组织如何将复杂的身份验证绕过技术封装为标准化的“钓鱼即服务”产品,降低了网络犯罪的门槛。对于安全从业者而言,理解DEBULL等工具的结构化运作机制有助于识别新型PhaaS平台的特征,并优化针对Device-Code Flow的监控策略。

技术解析

  • 攻击机制:利用OAuth 2.0 Device Authorization Grant流程,攻击者通过合法登录界面获取设备代码,诱导受害者输入,从而在无需密码的情况下获得访问令牌,有效绕过多因素认证(MFA)。
  • DEBULL平台架构:这是一个可复用的工具层,提供前端诱饵模板(HTML/CSS/JS编辑)和后端代理功能。操作员可自定义页面名称、Slug及发布方式,后端负责生成和轮询Microsoft Authentication Broker令牌。
  • 后渗透能力:结合GraphSpy或其衍生工作流,攻击者在获取令牌后可执行Post-Exploitation操作,包括访问邮箱、SharePoint数据外泄及业务邮件欺诈(BEC)。
  • 传播与协调:通过劫持合法网站(如克罗地亚租赁网站)作为设备代码协调器,或利用已控制的账户发送包含动态生成代码链接的钓鱼邮件,实现攻击链的自动化启动。
  • 关联威胁情报:该活动与Cisco Talos发现的ARToken面板及EvilTokens平台存在基础设施和API合同上的重叠,表明存在共享的PhaaS生态系统。

行业启示

  • PhaaS专业化趋势:网络犯罪集团正将身份攻击工具化、服务化,攻击者只需关注诱饵设计,底层认证绕过和数据窃取由标准化平台处理,需加强对PhaaS基础设施的监控。
  • MFA局限性警示:传统的基于密码和多因素认证的防御体系在面对合法的OAuth流程滥用时存在盲区,企业需部署基于行为分析和异常令牌使用的检测机制。
  • 供应链与第三方风险:攻击者利用合法但被劫持的网站作为协调节点,凸显了第三方服务和域名信誉在钓鱼攻击中的潜在风险,需加强对外部重定向和非常规登录源头的审查。

Disclaimer: The above content is generated by AI and is for reference only. 免责声明:以上内容由 AI 生成,仅供参考。

Security 安全