roze.ma

defeasible blogging

Notes on Phishing the Phishing Resistant

TITLE:

Phishing the Phishing Resistant: Phishing for Primary Refresh Tokens in Microsoft Entra

Slides

SUMMARY:

Dirk-jan Mollema discusses the vulnerabilities in Microsoft’s phishing-resistant authentication systems, focusing on phishing for Primary Refresh Tokens (PRT) in Microsoft Entra (formerly Azure AD). The lecture covers the token architecture, Windows Hello authentication, token upgrades, and phishing strategies, providing methods for detecting and mitigating such attacks.

OUTLINE:

  1. Introduction
    • Presenter: Dirk-jan Mollema
    • Overview of research in Microsoft Entra
    • Focus on phishing for Primary Refresh Tokens (PRTs)
  2. Microsoft Entra Tokens
    • Types of tokens: Access, Refresh, and Primary Refresh Tokens (PRTs)
    • Token usage on unmanaged vs managed Windows hosts
    • Token pyramid: Hierarchical structure of tokens from least to most privileged
  3. Windows Hello Authentication
    • Overview of Windows Hello for Business (WHFB)
    • Cryptographic keys for passwordless authentication
    • Provisioning WHFB keys via device and PRT
  4. Phishing “Resistant” Authentication
    • Overview of phishing-resistant methods: FIDO keys, Windows Hello, Passkeys
    • Limitations: device code phishing, OAuth consent phishing, malware
  5. Windows Hello Key Provisioning
    • Technical components: Device identity, PRT, TPM
    • NGC MFA and the need for fresh MFA prompts during provisioning
    • Token requirements for WHFB provisioning
  6. Token Upgrades during Windows Setup
    • Windows setup behavior and token upgrade flow
    • Use of the Microsoft Authentication Broker client ID to upgrade refresh tokens to PRTs
  7. Phishing for PRTs
    • Credential phishing approach: Steps to capture refresh tokens and upgrade them to PRTs
    • Device code phishing approach: Using device code flows to phish for PRTs
  8. Detection and Mitigations
    • Strategies to mitigate phishing attacks, including requiring phishing-resistant MFA and restricting device code flows
    • Detecting suspicious behavior through log analytics and monitoring new devices

IDEAS:

  1. Microsoft Entra (formerly Azure AD) uses a hierarchical token structure for authentication.
  2. Primary Refresh Tokens (PRTs) facilitate Single Sign-On (SSO) and connect a user to their device.
  3. Windows Hello for Business (WHFB) enables passwordless authentication using cryptographic keys tied to devices.
  4. Phishing-resistant authentication methods aim to combat credential phishing but have limitations.
  5. Device code phishing and OAuth consent phishing bypass traditional phishing-resistant methods.
  6. Microsoft’s token hierarchy prevents upgrading weaker tokens like access tokens into PRTs.
  7. The Microsoft Authentication Broker allows refresh tokens to be upgraded to PRTs during Windows setup.
  8. Attackers can exploit the Windows setup flow to elevate refresh tokens to PRTs.
  9. Credential phishing can capture tokens using fake login pages.
  10. Device code phishing tricks users into authenticating a malicious device by using legitimate Microsoft login flows.
  11. WHFB provisioning relies on MFA to ensure secure enrollment of cryptographic keys.
  12. The use of Trusted Platform Modules (TPM) secures cryptographic keys and PRT session keys.
  13. Windows Hello for Business provides strong authentication but can be compromised through token phishing.
  14. Monitoring device registration and PRT provisioning can help detect malicious activity.
  15. Enforcing compliant or hybrid-joined devices in conditional access policies limits exposure to phishing attacks.
  16. Device code phishing allows attackers to bypass the need for fake login pages.
  17. Disabling or restricting device code flows can mitigate phishing attempts.
  18. Log analytics and Microsoft Sentinel can be used to detect device code phishing activity.
  19. Recent MFA claims in tokens indicate a fresh authentication prompt, improving security.
  20. Research tools like ROADtools can be used to simulate phishing attacks on Entra tokens.

QUOTES:

  1. “Primary Refresh Tokens are Single Sign On tokens and can be used to sign in to any application and any Entra connected website.”
  2. “Windows Hello for Business uses cryptographic keys that are unlocked using a PIN or with biometrics to authenticate.”
  3. “Phishing-resistant methods focus primarily on protecting against credential phishing on fake login pages.”
  4. “Device code phishing allows attackers to use the legitimate Microsoft login pages to gain access to tokens.”
  5. “Windows uses the Microsoft Authentication Broker client ID during setup to upgrade refresh tokens to Primary Refresh Tokens.”
  6. “Primary Refresh Tokens always need a session key to be used, and the session keys are protected by a Trusted Platform Module.”
  7. “Credential phishing can be prevented by requiring phishing-resistant MFA, but other methods like device code phishing still pose a risk.”
  8. “Monitoring for newly registered devices with Windows Hello for Business key registration is essential to detecting potential phishing attacks.”
  9. “The key to successful phishing attacks on Entra lies in the ability to upgrade refresh tokens to Primary Refresh Tokens.”
  10. “Even if you phish for credentials, you can upgrade those tokens and turn them into a full Single Sign On token with persistence.”

RECOMMENDATIONS:

  1. Enforce phishing-resistant MFA across all user accounts to reduce credential phishing risks.
  2. Require compliant or hybrid-joined devices for accessing sensitive resources.
  3. Restrict device code flow authentication to internal or trusted networks.
  4. Monitor newly registered devices, particularly those enrolling Windows Hello for Business keys.
  5. Implement Intune restrictions to prevent unauthorized device enrollment.
  6. Regularly audit logs using tools like Microsoft Sentinel to detect unusual sign-in behaviors.
  7. Disable or limit the Microsoft Authentication Broker client to prevent token upgrades during setup.
  8. Use Conditional Access policies to enforce stricter authentication for high-risk users.
  9. Educate users on the dangers of device code phishing and ensure awareness of phishing tactics.
  10. Deploy tools like ROADtools for internal testing and to simulate phishing attempts, identifying vulnerabilities.

ONE SENTENCE SUMMARY:

Phishing attacks can bypass Microsoft’s phishing-resistant methods by targeting Primary Refresh Tokens through credential and device code phishing, but can be mitigated with enhanced MFA and device compliance policies.

Andrew Rozema

Leave a Reply

Discover more from roze.ma

Subscribe now to keep reading and get access to the full archive.

Continue reading