SquarePhish

SquarePhish is an advanced phishing tool that uses a technique combining the OAuth Device code authentication flow and QR codes.

See PhishInSuits for more details on using OAuth Device Code flow for phishing attacks.

Attack Steps

An attacker can use the email module of SquarePhish to send a malicious QR code email to a victim. The default pretext is that the victim is required to update their Microsoft MFA authentication to continue using mobile email. The current client ID in use is the Microsoft Authenticator App.

By sending the QR code first, the attacker avoids starting the OAuth Device Code flow prematurely: a device code is only valid for 15 minutes, so the flow is not initiated until the victim has actually acted on the email.

The victim will then scan the QR code found in the email body with their mobile device. The QR code will direct the victim to the attacker-controlled server (running the server module of SquarePhish), with a URL parameter set to their email address.

When the victim visits the malicious SquarePhish server, a background process is triggered that starts the OAuth Device Code authentication flow and emails the victim the generated Device Code. The victim is then required to enter that code into the legitimate Microsoft Device Code website; starting the flow is what begins the 15-minute Device Code timer.

The SquarePhish server will then continue to poll for authentication in the background.

The victim will then visit the Microsoft Device Code authentication site from either the link provided in the email or via a redirect from visiting the SquarePhish URL on their mobile device.

The victim will then enter the provided Device Code and will be prompted for consent.

After the victim authenticates and consents, the resulting authentication token is saved locally on the SquarePhish server and gives the attacker access to the victim's account within the scope requested by the application.

[2022-04-08 14:32:28,796] [info] [minnow@square.phish] Token info saved to minnow@square.phish.tokeninfo.json

The current scope definition:

"scope": ".default offline_access profile openid"
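From the defender's side, the flow described above leaves a distinctive trace: a successful sign-in that used the device code protocol, typically from an IP address the user has not recently signed in from, against a first-party client such as the Authenticator app, and (because of offline_access) yielding a refresh token. The following is an added example, not part of SquarePhish or the original post, that runs that detection logic over constructed sign-in records. It assumes sign-in events shaped like the Microsoft Graph signIn resource (fields authenticationProtocol, appId, userPrincipalName, createdDateTime, ipAddress, status.errorCode); the appId values are placeholders rather than the real Authenticator client ID, and the IP novelty check is a heuristic, not a definitive indicator.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample sign-in events (JSON lines). These are not real logs;
# the field names follow the Microsoft Graph signIn resource (an assumption
# about the log schema) and the appId values are placeholders.
SAMPLE_SIGNINS = """\
{"createdDateTime": "2022-04-08T14:02:10Z", "userPrincipalName": "minnow@square.phish", "authenticationProtocol": "oAuth2", "appId": "00000000-0000-0000-0000-00000000aaaa", "ipAddress": "203.0.113.10", "status": {"errorCode": 0}}
{"createdDateTime": "2022-04-08T14:32:28Z", "userPrincipalName": "minnow@square.phish", "authenticationProtocol": "deviceCode", "appId": "00000000-0000-0000-0000-0000000000ff", "ipAddress": "198.51.100.7", "status": {"errorCode": 0}}
{"createdDateTime": "2022-04-08T15:05:00Z", "userPrincipalName": "admin@square.phish", "authenticationProtocol": "deviceCode", "appId": "00000000-0000-0000-0000-0000000000ff", "ipAddress": "203.0.113.10", "status": {"errorCode": 0}}
{"createdDateTime": "2022-04-08T15:10:00Z", "userPrincipalName": "admin@square.phish", "authenticationProtocol": "deviceCode", "appId": "00000000-0000-0000-0000-0000000000ff", "ipAddress": "203.0.113.10", "status": {"errorCode": 50126}}
"""

# Placeholder for the client ID(s) of first-party apps that legitimately use the
# device code flow and are therefore attractive to impersonate (hypothetical value).
WATCHED_APP_IDS = {"00000000-0000-0000-0000-0000000000ff"}


def parse_signins(text):
    """Parse JSON-lines sign-in events and return them sorted by timestamp."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        rec["_ts"] = datetime.strptime(
            rec["createdDateTime"], "%Y-%m-%dT%H:%M:%SZ"
        ).replace(tzinfo=timezone.utc)
        records.append(rec)
    return sorted(records, key=lambda r: r["_ts"])


def detect_device_code_signins(records, window=timedelta(hours=24)):
    """Flag every successful device-code sign-in and attach risk reasons.

    Reasons added beyond the base 'device_code_flow':
      - watched_client_app: the appId is one we specifically monitor
      - new_ip_for_user:    the user had other sign-ins inside `window`, and
                            none of them came from this IP address
    Failed sign-ins (non-zero errorCode) are skipped; they are still worth
    counting elsewhere but are not evidence of a successful token grant.
    """
    by_user = defaultdict(list)
    for r in records:
        by_user[r["userPrincipalName"]].append(r)

    alerts = []
    for user, recs in by_user.items():
        for r in recs:
            if r.get("authenticationProtocol") != "deviceCode":
                continue
            if r.get("status", {}).get("errorCode", 0) != 0:
                continue
            reasons = ["device_code_flow"]
            if r.get("appId") in WATCHED_APP_IDS:
                reasons.append("watched_client_app")
            # IPs seen for this user in the look-back window, excluding this event.
            prior_ips = {
                p["ipAddress"]
                for p in recs
                if p is not r and p["_ts"] < r["_ts"] and r["_ts"] - p["_ts"] <= window
            }
            if prior_ips and r["ipAddress"] not in prior_ips:
                reasons.append("new_ip_for_user")
            alerts.append(
                {"user": user, "time": r["createdDateTime"],
                 "ip": r["ipAddress"], "app": r.get("appId"), "reasons": reasons}
            )
    return alerts


if __name__ == "__main__":
    for alert in detect_device_code_signins(parse_signins(SAMPLE_SIGNINS)):
        print(alert)
```

Because every entry here was a successful device-code grant that, with offline_access in scope, also issued a refresh token, the natural response to a confirmed alert is to revoke the user's sessions and refresh tokens rather than only resetting the password. Where the device code flow is not needed at all, a Conditional Access policy that blocks it removes the whole class of sign-in this detector looks for.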

Download & Use

Copyright (C) 2022 secureworks