10 threat hunts with detection queries and analytics
Threat actors abusing device code authentication for phishing are hosting their lure pages on Cloudflare Workers domains (*.workers.dev). These domains are rarely seen in legitimate enterprise email and their presence in email URLs could be an indicator of a device code phishing campaign.
Device code authentication is a legitimate OAuth 2.0 flow designed for input-constrained devices such as IoT hardware and meeting room equipment. Because the flow only requires a user to enter a short code into any browser, threat actors abuse it to phish access tokens without needing to capture credentials. Surfacing all device code authentication events, enriched with device compliance and risk context, provides the baseline visibility needed to detect abuse.
A user authenticating via device code for the first time — with no history of the protocol over the preceding 30 days — is a strong behavioural indicator of phishing. Legitimate device code usage is rare in most enterprises and tends to be associated with specific roles or devices. An unexpected first use of the protocol by a regular user is highly suspicious and warrants immediate triage.
Threat Actors will use token theft as a means of initial access, privilege escalation and persistence. Combined with phishing as a means for initial access.
Threat Actors will use token theft as a means of initial access, privilege escalation and persistence. Combined with phishing as a means for initial access.
Threat Actors will use token theft as a means of initial access, privilege escalation and persistence. Combined with phishing as a means for initial access.
Threat Actors will use token theft as a means of initial access, privilege escalation and persistence. Poorly secured tokens by third parties can increase the risk of token theft and replay.
Threat Actors will use token theft as a means of initial access, privilege escalation and persistence. Poorly secured tokens by third parties can increase the risk of token theft and replay.
Threat Actors will use token theft as a means of initial access, privilege escalation and persistence. Poorly secured tokens by third parties can increase the risk of token theft and replay.
Threat Actors will use token theft as a means of initial access, privilege escalation and persistence. Poorly secured tokens by third parties can increase the risk of token theft and replay.