device code phishing – Compass Security Blog

Device Code Phishing – Add Your Own Sign-In Methods on Entra ID

TL;DR An attacker is able to register new security keys (FIDO) or other authentication methods (TOTP, Email, Phone etc.) after a successful device code phishing attack. This allows an attacker to backdoor the account (FIDO) or perform the self-service password reset for the account with the newly registered sign-in methods. Microsoft deemed this not a vulnerability.

Up ↑

Compass Security Blog

Offensive Defense

Device Code Phishing – Add Your Own Sign-In Methods on Entra ID

Recent Posts

Categories

Compass Links

Compass Security Blog

Offensive Defense

Device Code Phishing – Add Your Own Sign-In Methods on Entra ID

Recent Posts

Categories

Tags

Compass Links