Severity: High | Status: Active | Advisory ID: ACT-2026-001 | TLP:WHITE

Device Code Phishing Campaign Targeting Nigerian Organisations

Published: March 30, 2026 | Disclosed: March 30, 2026 | By: stampede | Category: Phishing
Advisory Details

Overview

Axion Core Technologies has identified an active device code phishing campaign targeting Nigerian organisations across the financial services, technology, and government sectors. This attack exploits a legitimate OAuth 2.0 device authorisation flow — typically used for input-limited devices like smart TVs — to trick employees into granting attackers persistent, unauthorised access to corporate accounts.

The attack is particularly dangerous because the victim interacts with a genuine login page on a trusted domain, making it very difficult to detect through standard phishing awareness training.

How the Attack Works

  1. Initiation: The attacker starts a legitimate device authorisation request against a cloud service (Microsoft 365, Google Workspace, GitHub) from an attacker-controlled client. The service returns two values: a device_code, which only the attacker's client holds and polls the token endpoint with, and a short, human-typeable user_code that is valid for a limited time (about 15 minutes in Entra ID).
  2. Social Engineering: The attacker contacts the victim via email, WhatsApp, Microsoft Teams, or SMS with an urgent message, often a fake meeting invite, shared document, or IT support request, containing the user_code and a link to the provider's genuine verification page.
  3. Victim Action: The victim, trusting the familiar URL, opens the legitimate page, signs in, completes their own MFA prompt, and enters the user_code. The provider has no way to tell that the person approving the code is not the owner of the client that requested it.
  4. Persistent Access: On its next poll, the attacker's client receives valid access and refresh tokens issued for the victim's identity. MFA has already been satisfied by the victim, so the attacker now has continuous access to the victim's email, files, and internal systems without ever seeing an MFA prompt.
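The four steps above, run end to end as an added example that is not part of the original advisory. The script stands in for the provider's device authorisation and token endpoints in memory (no network), following the OAuth 2.0 device authorization grant; the client ID, victim identity, verification URL and the non-standard "subject" field in the token response are invented for the demonstration. The point it makes concrete is that the server only ever binds tokens to the subject who approved the user_code and delivers them to whichever client polls with the matching device_code.

```python
"""Simulation of the OAuth 2.0 device authorization grant (RFC 8628).

In-memory stand-in for the provider's two endpoints; no network access.
Names, URLs, client IDs and the "subject" response field are invented for
this example and are not part of any real provider's API.
"""
import secrets
import time
from dataclasses import dataclass
from typing import Optional


@dataclass
class DeviceGrant:
    device_code: str
    user_code: str
    client_id: str
    expires_at: float
    authorized_by: Optional[str] = None  # subject who approved; None while pending
    redeemed: bool = False


class AuthorizationServer:
    """Minimal device authorization + token endpoint behaviour."""

    def __init__(self, lifetime_s: int = 900):
        self.lifetime_s = lifetime_s
        self._by_device = {}
        self._by_user_code = {}
        self.refresh_tokens = {}  # refresh_token -> subject it acts for

    def device_authorization(self, client_id: str) -> dict:
        # Step 1: the client (here the attacker) starts the flow and receives
        # both codes. The user_code is deliberately short and typeable, which
        # is exactly what makes it easy to drop into a phishing lure.
        grant = DeviceGrant(
            device_code=secrets.token_urlsafe(32),
            user_code=f"{secrets.randbelow(10**4):04d}-{secrets.randbelow(10**4):04d}",
            client_id=client_id,
            expires_at=time.time() + self.lifetime_s,
        )
        self._by_device[grant.device_code] = grant
        self._by_user_code[grant.user_code] = grant
        return {"device_code": grant.device_code, "user_code": grant.user_code,
                "verification_uri": "https://login.example.test/device",  # constructed
                "expires_in": self.lifetime_s, "interval": 5}

    def verify(self, user_code: str, authenticated_user: str) -> bool:
        # Step 3: the user signed in at the verification page (MFA included)
        # types the code. Nothing ties that session to the client that polls.
        grant = self._by_user_code.get(user_code)
        if grant is None or grant.authorized_by or time.time() > grant.expires_at:
            return False
        grant.authorized_by = authenticated_user
        return True

    def token(self, device_code: str, client_id: str) -> dict:
        # Step 4: the polling client redeems the device_code. Tokens are issued
        # for the subject who approved, to the client that polled.
        grant = self._by_device.get(device_code)
        if grant is None or grant.client_id != client_id or grant.redeemed:
            return {"error": "invalid_grant"}
        if time.time() > grant.expires_at:
            return {"error": "expired_token"}
        if grant.authorized_by is None:
            return {"error": "authorization_pending"}
        grant.redeemed = True
        refresh = secrets.token_urlsafe(32)
        self.refresh_tokens[refresh] = grant.authorized_by
        # "subject" is not a standard field; it is returned only so the
        # scenario below can show whose identity the tokens carry.
        return {"access_token": secrets.token_urlsafe(24), "refresh_token": refresh,
                "token_type": "Bearer", "expires_in": 3600,
                "subject": grant.authorized_by}


def run_phishing_scenario() -> dict:
    """Walk the four steps in the advisory and report what the attacker ends up with."""
    server = AuthorizationServer()
    attacker_client = "attacker-polling-client"  # constructed client_id
    init = server.device_authorization(attacker_client)          # step 1
    # step 2: the attacker sends init["user_code"] plus the genuine
    # verification_uri to the victim and starts polling straight away.
    pending = server.token(init["device_code"], attacker_client)
    # step 3: the victim authenticates on the real page and enters the code.
    approved = server.verify(init["user_code"], "victim@corp.example")
    tokens = server.token(init["device_code"], attacker_client)  # step 4
    replay = server.token(init["device_code"], attacker_client)  # code is one-shot
    return {"pending_error": pending.get("error"),
            "victim_approved": approved,
            "token_subject": tokens.get("subject"),
            "has_refresh_token": "refresh_token" in tokens,
            "refresh_token_acts_for": server.refresh_tokens.get(tokens.get("refresh_token")),
            "replay_error": replay.get("error")}


if __name__ == "__main__":
    print(run_phishing_scenario())
```

The simulation also shows why the attacker does not need to replay the device_code: the single redemption already yields a refresh token tied to the victim's identity, which is what makes the access persistent.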

Why This Attack Is Effective

  • Victims interact with a real, trusted login URL, not a spoofed domain, so URL inspection and domain reputation checks give no warning
  • The tokens are issued only after the victim has satisfied MFA, so the attacker never has to defeat it and the sign-in looks legitimate to the provider
  • Refresh tokens can remain valid for weeks or months and are renewed on use, providing long-term access without further victim interaction
  • Nothing malicious runs on the victim's endpoint; the only record is the provider's sign-in log, so the attack is easy to miss without monitoring for device code flows and subsequent token use

Indicators of Compromise

  • Unexpected device code sign-in events in the Entra ID / Azure AD sign-in logs (records with authenticationProtocol set to deviceCode)
  • Sign-ins from unusual geographic locations or IP addresses shortly after a device code flow
  • Multiple device code authorisation requests initiated from a single attacker IP
  • Unusual email forwarding rules or inbox access from unrecognised applications
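The first three indicators above, turned into detection logic over sign-in records. This is an added example, not tooling from the advisory's author: the records are constructed for the scenario (field names follow the Microsoft Graph signIn resource, IP addresses come from RFC 5737 documentation ranges, countries and application names are invented). It flags every device code sign-in, then any sign-in by the same user from a country outside their pre-incident baseline within an hour of it, and finally any single IP address tied to device code activity for more than one user.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in records (not real log data). Field names follow
# the Microsoft Graph signIn resource; IPs are RFC 5737 documentation
# addresses and the countries/apps are invented for the scenario.
def _rec(ts, user, ip, country, proto="none", app="Microsoft Office", interactive=True):
    return {"createdDateTime": ts, "userPrincipalName": user, "ipAddress": ip,
            "location": {"countryOrRegion": country}, "authenticationProtocol": proto,
            "appDisplayName": app, "isInteractive": interactive}

SAMPLE_SIGNINS = [
    _rec("2026-03-30T08:02:11Z", "alice@corp.example", "198.51.100.10", "NG"),
    _rec("2026-03-30T08:30:40Z", "alice@corp.example", "198.51.100.10", "NG"),
    # alice enters the attacker's user code on the genuine login page
    _rec("2026-03-30T09:15:05Z", "alice@corp.example", "198.51.100.10", "NG", proto="deviceCode"),
    # two minutes later the attacker's client uses the tokens from abroad
    _rec("2026-03-30T09:17:22Z", "alice@corp.example", "203.0.113.77", "NL",
         app="Microsoft Graph", interactive=False),
    _rec("2026-03-30T07:50:03Z", "bob@corp.example", "198.51.100.11", "NG"),
    _rec("2026-03-30T09:40:51Z", "bob@corp.example", "198.51.100.11", "NG", proto="deviceCode"),
    _rec("2026-03-30T09:41:30Z", "bob@corp.example", "203.0.113.77", "NL",
         app="Microsoft Graph", interactive=False),
    _rec("2026-03-30T10:00:00Z", "carol@corp.example", "198.51.100.12", "NG"),
    # dave legitimately signs a CLI tool in from his usual location
    _rec("2026-03-30T08:00:00Z", "dave@corp.example", "192.0.2.40", "GB"),
    _rec("2026-03-30T11:05:00Z", "dave@corp.example", "192.0.2.40", "GB", proto="deviceCode"),
    _rec("2026-03-30T11:06:10Z", "dave@corp.example", "192.0.2.40", "GB",
         app="Example CLI", interactive=False),
]


def _ts(rec):
    return datetime.fromisoformat(rec["createdDateTime"].replace("Z", "+00:00"))


def _country(rec):
    return rec.get("location", {}).get("countryOrRegion", "??")


def device_code_alerts(signins, window=timedelta(hours=1), shared_ip_threshold=2):
    """Apply three device-code detections to a batch of sign-ins; return alert dicts."""
    by_user = defaultdict(list)
    for r in sorted(signins, key=_ts):
        by_user[r["userPrincipalName"]].append(r)
    alerts, ip_users = [], defaultdict(set)
    for user, recs in by_user.items():
        dc_events = [r for r in recs if r.get("authenticationProtocol") == "deviceCode"]
        if not dc_events:
            continue
        # Baseline = countries seen before the user's first device code sign-in,
        # so the attacker's later sign-ins cannot pollute it. A user with no
        # history gets an empty baseline and every follow-up is flagged.
        first_dc = _ts(dc_events[0])
        baseline = {_country(r) for r in recs if _ts(r) < first_dc}
        for dc in dc_events:
            # Rule 1: every device code sign-in is worth a look (IOC 1).
            alerts.append({"rule": "device_code_signin", "user": user,
                           "ip": dc["ipAddress"], "time": dc["createdDateTime"]})
            ip_users[dc["ipAddress"]].add(user)
            # Rule 2: token use from an unfamiliar country shortly after (IOC 2).
            for f in recs:
                delta = _ts(f) - _ts(dc)
                if timedelta(0) < delta <= window and _country(f) not in baseline:
                    alerts.append({"rule": "post_device_code_new_location", "user": user,
                                   "ip": f["ipAddress"], "country": _country(f),
                                   "app": f.get("appDisplayName"), "time": f["createdDateTime"]})
                    ip_users[f["ipAddress"]].add(user)
    # Rule 3: one IP tied to device code activity for several users (IOC 3).
    for ip, users in ip_users.items():
        if len(users) >= shared_ip_threshold:
            alerts.append({"rule": "shared_ip_multiple_users", "ip": ip, "users": sorted(users)})
    return alerts


if __name__ == "__main__":
    for a in device_code_alerts(SAMPLE_SIGNINS):
        print(a)
```

On the sample data dave's device code sign-in is reported by rule 1 but produces no location alert, which is the triage picture to expect for a genuine CLI login; alice and bob trip rules 1 and 2, and the shared 203.0.113.77 address trips rule 3. In production the same logic runs over an export of the sign-in logs, with the baseline built from a longer history than the few records shown here.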

Affected Systems & Products

  • Microsoft 365 / Entra ID
  • Google Workspace
  • GitHub Enterprise
  • Any service using OAuth 2.0 device authorisation flow

Mitigation & Remediation

  1. Train all staff to never enter a device code unless they personally initiated a device login flow.
  2. In Microsoft Entra ID / Azure AD, block the device code flow with a Conditional Access policy (the Authentication flows condition, Device code flow) unless a business process depends on it; where it must remain, scope the exemption to only the users or devices that need it.
  3. Enable risk-based authentication to flag anomalous sign-in attempts.
  4. Deploy phishing-resistant MFA (FIDO2 hardware tokens or passkeys) to reduce exposure to conventional credential and adversary-in-the-middle phishing. Note that it does not on its own stop device code phishing: the victim completes the genuine MFA prompt, and the attacker's client still receives the tokens. Treat it as a complement to items 2, 5 and 6, not a substitute.
  5. Monitor authentication logs continuously for unexpected device code flows, particularly from unfamiliar IPs or geographic locations.
  6. Have a documented incident response procedure to revoke user refresh tokens immediately on suspected compromise.
Disclaimer: This advisory is provided for informational purposes only. Axion Core Technologies makes no warranties regarding the accuracy or completeness of the information contained herein. Organisations should conduct their own assessment and implement appropriate security measures.