OAuth Device Code Authorization Phishing Script
 
				Some scripts to utilise device code authorization for phishing.
High level overview as per the instructions as: https://o365blog.com/post/phishing/
- An attacker connects to /devicecodeendpoint and sendsclient_idandresource
- After receiving verification_urianduser_code, create an email containing a link to verification_uri and user_code, and send it to the victim. (delivering the phishing email is not in scope for this project)
- Victim clicks the link, provides the code and completes the sign in.
- The attacker receives access_tokenandrefresh_tokenand can now mimic the victim (Interact with the various Microsoft API endpoints to perform various tasks).
Some of the API endpoints include:
Note: Uses version 1.0 which is different to v2.0 flow used in the documentation.
The official Microsoft Device Code Authorization Flow documentation can be found