SquarePhish: OAuth Device Code Phishing Toolkit
SquarePhish is an advanced phishing tool that uses a technique combining the OAuth Device Code authentication flow and QR codes.
Attack Flow
Step 1: QR Code Email
An attacker will send an initial email to the victim that contains a QR code pointing at the SquarePhish server. The idea behind this is to wait until the user is actively reviewing their email before we trigger the OAuth Device Code flow that has a 15 minute expiration window.
The current client id is: Microsoft Authentication Broker
The current scope is: .default offline_access profile openid
INF[2025/04/20 02:29:30] Email sent to victim(s): minnow@victim.com
Step 2: Victim Scans QR Code
The victim will then scan the QR code found in the email body with their mobile device. The QR code will direct the victim to the attacker-controlled SquarePhish server, with a URL parameter set to their email address. Once the SquarePhish server receives the incoming QR code scan request, the victim will be automatically redirected to Microsoft.
Step 3: Initiate Device Code Flow
When the SquarePhish server receives the incoming QR code scan request, the OAuth Device Code authentication flow is initiated. The retrieved "user code" is then sent via email to the victim, who is directed to enter the code into the legitimate Microsoft Device Code website.
Once the email is sent to the victim, a goroutine is started that continues to poll the Microsoft Device Code endpoint for valid authentication. This will poll until the device code expires (15 minutes).

INF[2025/04/20 02:29:34] [minnow@victim.com] Link triggered
INF[2025/04/20 02:29:34] [minnow@victim.com] Initializing device code flow…
INF[2025/04/20 02:29:34] [minnow@victim.com] Client ID: 29d9ed98-a469-4536-ade2-f981bc1d605e
INF[2025/04/20 02:29:34] [minnow@victim.com] Scope: .default offline_access profile openid
Step 4: Victim Authentication
The victim receives the second email containing the device user code. The victim then enters the code and continues through the authentication process on Microsoft's Device Code page.
Once valid authentication occurs, the background polling retrieves and saves the access token and refresh token data.

INF[2025/04/20 02:29:40] [minnow@victim.com] Polling for user authentication…
INF[2025/04/20 02:29:40] [minnow@victim.com] Polling for user authentication…
INF[2025/04/20 02:29:40] [minnow@victim.com] Authentication successful
INF[2025/04/20 02:29:40] [minnow@victim.com] Token retrieved and saved to database
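From the defender's side, the flow above leaves a distinctive trace: the token is issued through the device code protocol, to a client the victim did not pick, and campaigns tend to produce several such sign-ins within one 15-minute code lifetime. The following Python example is added here and is not part of SquarePhish; it runs a simple detection over constructed sign-in records shaped like Microsoft Graph signIn objects (authenticationProtocol, appId, status.errorCode). The approved-app allowlist, the second client ID and the user names other than minnow@victim.com are constructed placeholders; the broker client ID is the one shown in the log output above.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Client ID that appears in the SquarePhish log output above.
BROKER_APP_ID = "29d9ed98-a469-4536-ade2-f981bc1d605e"

# Apps the organisation has approved for device code sign-in. Assumption: the
# defender maintains such a list; this ID is a constructed placeholder.
APPROVED_DEVICE_CODE_APPS = {"11111111-2222-3333-4444-555555555555"}

# A device code expires after 15 minutes, so victims of one campaign tend to
# authenticate within a short window of each other.
CAMPAIGN_WINDOW = timedelta(minutes=15)

# Constructed sample records shaped like Microsoft Graph signIn objects.
SAMPLE_SIGNINS = [
    {"createdDateTime": "2025-04-20T02:10:00Z", "userPrincipalName": "admin@victim.com",
     "appId": "11111111-2222-3333-4444-555555555555", "appDisplayName": "Approved CLI",
     "authenticationProtocol": "deviceCode", "status": {"errorCode": 0}},
    {"createdDateTime": "2025-04-20T02:29:40Z", "userPrincipalName": "minnow@victim.com",
     "appId": BROKER_APP_ID, "appDisplayName": "Microsoft Authentication Broker",
     "authenticationProtocol": "deviceCode", "status": {"errorCode": 0}},
    {"createdDateTime": "2025-04-20T02:31:05Z", "userPrincipalName": "guppy@victim.com",
     "appId": BROKER_APP_ID, "appDisplayName": "Microsoft Authentication Broker",
     "authenticationProtocol": "deviceCode", "status": {"errorCode": 0}},
    {"createdDateTime": "2025-04-20T02:32:00Z", "userPrincipalName": "minnow@victim.com",
     "appId": "66666666-7777-8888-9999-000000000000", "appDisplayName": "Mail client",
     "authenticationProtocol": "oAuth2", "status": {"errorCode": 0}},
    {"createdDateTime": "2025-04-20T02:40:00Z", "userPrincipalName": "shark@victim.com",
     "appId": BROKER_APP_ID, "appDisplayName": "Microsoft Authentication Broker",
     "authenticationProtocol": "deviceCode", "status": {"errorCode": 50126}},  # failed
]


def _ts(value):
    """Parse the UTC timestamp format used in the sample records."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def detect_device_code_signins(records, approved=APPROVED_DEVICE_CODE_APPS):
    """Return one alert per successful device code sign-in to a non-approved app.

    Severity is raised when the client is the broker ID used by SquarePhish, and
    raised again when several users authenticated to the same app within one
    device-code lifetime, which is the campaign pattern of the flow above."""
    hits = [r for r in records
            if r["authenticationProtocol"] == "deviceCode"
            and r["status"]["errorCode"] == 0
            and r["appId"] not in approved]
    by_app = defaultdict(list)
    for r in hits:
        by_app[r["appId"]].append(r)

    alerts = []
    for r in hits:
        t = _ts(r["createdDateTime"])
        peers = {o["userPrincipalName"] for o in by_app[r["appId"]]
                 if abs(_ts(o["createdDateTime"]) - t) <= CAMPAIGN_WINDOW}
        severity = "medium"
        reasons = ["device code sign-in to non-approved app"]
        if r["appId"] == BROKER_APP_ID:
            severity = "high"
            reasons.append("client is Microsoft Authentication Broker")
        if len(peers) > 1:
            severity = "critical"
            reasons.append(f"{len(peers)} users hit the same app within 15 min")
        alerts.append({"user": r["userPrincipalName"], "appId": r["appId"],
                       "time": r["createdDateTime"], "severity": severity,
                       "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in detect_device_code_signins(SAMPLE_SIGNINS):
        print(alert["severity"].upper(), alert["user"], alert["appId"],
              "; ".join(alert["reasons"]))
```

On the sample data the approved-app sign-in, the ordinary OAuth2 sign-in and the failed attempt produce nothing, while the two broker sign-ins 85 seconds apart are both raised to critical. Detection only narrows the window; the scope shown in the logs includes offline_access, so a refresh token is issued and revoking sessions for flagged users matters. Where the tenant does not need the device code flow at all, Microsoft Entra Conditional Access can block it outright through its authentication flows condition.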