GitHub Device Code Phishing
What if all it took to compromise a GitHub organization – and thus, the organization’s supply chain – was an eight-digit code and a phone call?
Introducing: GitHub Device Code Phishing.
While security teams have been battling Azure Active Directory device code phishing attacks for years, threat actors have overlooked GitHub’s OAuth2 device flow as an attack vector.
At Praetorian, our Red Team works to identify creative initial access vectors that could have immediate, widespread impact. Given the recent increase in GitHub-related attacks, we feel obligated to share these techniques with the community so Blue Teams can be prepared.
Today, we’ll break down GitHub Device Code phishing, show real-life case studies of how we’ve used the technique to compromise some of the most mature modern organizations, and teach you how to protect your organization from risk.
To read the complete article, see: GitHub Device Code Phishing.