OAuth 2.0 Abuse

OAuth 2.0 is a protocol that allows third-party applications to access services using access tokens, avoiding the disclosure of the user's credentials. What we can do as an attacker is create a malicious OAuth app to coerce users into granting it access; the main advantage of this technique is that, even if the user later changes their credentials, the access token granted to the app remains valid until it expires, which also bypasses MFA.

Normally this technique is used when the user is easily convinced that the application is legitimate, for example when we already control a user who can create applications and we want to phish users in the same tenant; it is also possible to use an application registered in a different tenant.

To create this kind of application we can use PynAuth; with it, the setup is as simple as creating a new application in the tenant, allowing API access to any AAD directory, and generating a client secret to configure the script.

It's worth noting that the script allows requesting a token for a chosen set of permissions:

...
# You can find the proper permission names from this document
# https://docs.microsoft.com/en-us/graph/permissions-reference
SCOPE = ["STRING LIST OF NEEDED PERMISSIONS"]
#SCOPE = ["User.Read"]
...

so it's best to request only the permissions we really need.

After starting the app.py script we can visit 127.0.0.1:5000/login, copy the "Sign In" link and send it to other users.
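From the defender's side, the consent grant itself is the event worth watching: the permissions an application asks for are visible at consent time, and an app that requests scopes such as offline_access (which yields a refresh token, extending access well past a single access token's lifetime) or broad mailbox and file access is a red flag. The following is an added example, not part of the original note and not code from PynAuth: it walks a set of constructed audit entries (the JSON layout is invented for this example and does not claim to match the real Azure AD audit schema) and flags every "Consent to application" event whose requested scopes fall outside an approved allowlist. User.Read comes from the note above; the other scope names and the allowlist are assumptions.

```python
"""Flag OAuth consent grants whose requested scopes exceed an approved allowlist.

The audit-entry layout below is CONSTRUCTED for this example; it only loosely
mirrors a 'Consent to application' audit event and is not a real log schema.
"""
import json
from typing import Dict, Iterable, List, Tuple

# Scopes an organisation might accept for user-consented apps without review.
# User.Read appears in the original note; the remaining entries are assumptions.
LOW_RISK_SCOPES = frozenset({"User.Read", "openid", "profile", "email"})

# Scopes that warrant extra scrutiny because they grant persistence (offline_access
# returns a refresh token) or broad data access. Assumed list, not exhaustive.
HIGH_IMPACT_SCOPES = frozenset({"offline_access", "Mail.Read", "Files.Read.All"})

# Constructed sample audit entries (not captured from a real tenant).
SAMPLE_AUDIT_LOG = [
    json.dumps({
        "activity": "Consent to application",
        "user": "alice@example.com",
        "app_display_name": "Calendar Helper",
        "scopes": "User.Read openid profile",
    }),
    json.dumps({
        "activity": "Consent to application",
        "user": "bob@example.com",
        "app_display_name": "Document Sync",
        "scopes": "User.Read Mail.Read Files.Read.All offline_access",
    }),
    json.dumps({
        # Unrelated activity: must be ignored by the consent check.
        "activity": "Add service principal",
        "user": "carol@example.com",
        "app_display_name": "HR Portal",
    }),
]


def parse_entry(line: str) -> Dict:
    """Parse one JSON audit line into a dict."""
    return json.loads(line)


def unapproved_scopes(entry: Dict, allowlist: Iterable[str] = LOW_RISK_SCOPES) -> List[str]:
    """Return the requested scopes that are not on the allowlist, sorted."""
    allowed = set(allowlist)
    return sorted(s for s in entry.get("scopes", "").split() if s not in allowed)


def flag_consents(
    lines: Iterable[str], allowlist: Iterable[str] = LOW_RISK_SCOPES
) -> List[Tuple[str, str, List[str], bool]]:
    """Return (user, app, unapproved scopes, high_impact) for each consent event
    that asked for more than the allowlist permits.

    high_impact is True when any unapproved scope is in HIGH_IMPACT_SCOPES, so a
    reviewer can triage persistence-granting or broad-access consents first.
    """
    findings = []
    for line in lines:
        entry = parse_entry(line)
        if entry.get("activity") != "Consent to application":
            continue
        extra = unapproved_scopes(entry, allowlist)
        if extra:
            high_impact = any(s in HIGH_IMPACT_SCOPES for s in extra)
            findings.append((entry["user"], entry["app_display_name"], extra, high_impact))
    return findings


if __name__ == "__main__":
    for user, app, extra, high_impact in flag_consents(SAMPLE_AUDIT_LOG):
        tag = "HIGH" if high_impact else "review"
        print(f"[{tag}] {user} consented to '{app}' with unapproved scopes: {', '.join(extra)}")
```

In practice the allowlist would be tuned to the tenant's policy, and a flagged consent would be followed by revoking the grant and reviewing the application's sign-in activity; restricting user consent to verified publishers or to admin-approved permissions removes most of the exposure described above.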
