Device code phishing is exploding, and AiTM actors are getting in on it.
We found ODx phishing-as-a-service providing device code capabilities in addition to their AiTM offerings. ODx is one of the most popular AiTM kits currently. It's also tracked as Storm-1167 and FlowerStorm.
In the observed campaign, the actor used compromised senders to deliver URLs leading to the ODx device code phishing landing page.
The landing pages included multiple different themes, including impersonating SharePoint, Adobe, and DocuSign.
The campaign leveraged ATO jumping, a technique where an attacker compromises an initial email account and then uses it to send phishing links to a wide set of contacts.
ODx’s device code capabilities are using Kali365, a device code PhaaS. Kali365 is just one of many such kits available for purchase. It’s unclear whether ODx stole or purchased Kali365, or partnered with them to integrate directly into their service.
🚨 Device code phishing is insidious. Threat actors abuse the OAuth 2.0 device authorization grant flow to compromise Microsoft 365 or other enterprise user accounts by approving access for actor-controlled applications.
⚠️ Organizations are advised to block device code authentication where possible; require compliant or joined devices via conditional access policies; and train users to recognize device code phishing attacks.
Read more about device code phishing: https://www.proofpoint.com/us/blog/threat-insight/access-granted-phishing-device-code-authorization-account-takeover?utm_source=twitter&utm_medium=social_organic
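As an added defender-side example (not from the original post or from Proofpoint), here is a small Python triage script that runs over Entra ID sign-in log records and flags device code sign-ins, ranking highest the ones that succeeded from a device that is neither compliant nor managed. The field names (authenticationProtocol, deviceDetail.isCompliant, deviceDetail.isManaged, status.errorCode) are the ones Microsoft Graph uses for sign-in events; the records themselves are constructed for this example, and the severity labels are an assumption of this script, not a Microsoft or Proofpoint rating.

```python
import json

# Constructed sample sign-in records in the shape of Microsoft Graph /
# Entra ID sign-in log entries. Field names are the real ones; every value
# (users, app, IPs, timestamps) is made up for this example.
SAMPLE_SIGNINS_JSON = json.dumps([
    {"createdDateTime": "2025-05-01T09:12:03Z", "userPrincipalName": "alice@example.invalid",
     "appDisplayName": "Microsoft Office", "authenticationProtocol": "oAuth2",
     "ipAddress": "203.0.113.10", "status": {"errorCode": 0},
     "deviceDetail": {"isCompliant": True, "isManaged": True}},
    {"createdDateTime": "2025-05-01T09:14:40Z", "userPrincipalName": "bob@example.invalid",
     "appDisplayName": "Microsoft Authentication Broker", "authenticationProtocol": "deviceCode",
     "ipAddress": "198.51.100.7", "status": {"errorCode": 0},
     "deviceDetail": {"isCompliant": False, "isManaged": False}},
    {"createdDateTime": "2025-05-01T09:20:11Z", "userPrincipalName": "carol@example.invalid",
     "appDisplayName": "Azure CLI", "authenticationProtocol": "deviceCode",
     "ipAddress": "203.0.113.22", "status": {"errorCode": 0},
     "deviceDetail": {"isCompliant": True, "isManaged": True}},
    {"createdDateTime": "2025-05-01T09:21:55Z", "userPrincipalName": "dave@example.invalid",
     "appDisplayName": "Microsoft Authentication Broker", "authenticationProtocol": "deviceCode",
     "ipAddress": "198.51.100.7", "status": {"errorCode": 50126},
     "deviceDetail": {"isCompliant": False, "isManaged": False}},
])


def load_signins(raw_json):
    """Parse a JSON array of sign-in records (e.g. exported from Graph)."""
    return json.loads(raw_json)


def is_device_code(signin):
    """True when the sign-in used the OAuth 2.0 device authorization grant."""
    return signin.get("authenticationProtocol") == "deviceCode"


def device_is_trusted(signin):
    """True when the device was reported as compliant or managed (joined/enrolled)."""
    detail = signin.get("deviceDetail") or {}
    return bool(detail.get("isCompliant") or detail.get("isManaged"))


def succeeded(signin):
    """errorCode 0 means the sign-in completed; anything else is a failure."""
    return (signin.get("status") or {}).get("errorCode", 0) == 0


def flag_device_code_signins(signins):
    """Return one finding per device code sign-in, with reasons and a severity.

    Severity (this script's own assumption):
      high   - device code flow completed from an untrusted device
      medium - device code flow used, but it failed or came from a trusted device
    """
    findings = []
    for s in signins:
        if not is_device_code(s):
            continue
        reasons = ["authenticationProtocol is deviceCode"]
        untrusted = not device_is_trusted(s)
        if untrusted:
            reasons.append("device is neither compliant nor managed")
        if succeeded(s):
            reasons.append("sign-in succeeded")
        severity = "high" if (untrusted and succeeded(s)) else "medium"
        findings.append({
            "user": s.get("userPrincipalName"),
            "app": s.get("appDisplayName"),
            "ip": s.get("ipAddress"),
            "time": s.get("createdDateTime"),
            "severity": severity,
            "reasons": reasons,
        })
    return findings


def summarize_by_ip(findings):
    """Count flagged device code sign-ins per source IP; a single IP hitting
    several accounts is worth a closer look."""
    counts = {}
    for f in findings:
        counts[f["ip"]] = counts.get(f["ip"], 0) + 1
    return counts


if __name__ == "__main__":
    results = flag_device_code_signins(load_signins(SAMPLE_SIGNINS_JSON))
    for f in results:
        print(f"[{f['severity']}] {f['time']} {f['user']} via {f['app']} from {f['ip']}: "
              + "; ".join(f["reasons"]))
    print("flagged sign-ins per IP:", summarize_by_ip(results))
```

The point of the ranking is that a completed device code sign-in from an unmanaged device is exactly the outcome the post's recommended conditional access policy (require compliant or joined devices) is meant to prevent; if that policy is in place, high-severity hits should not occur, and any that do are a policy gap or an evasion worth investigating.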