
Device Codes

RedByte edited this page Feb 17, 2024 · 13 revisions

Device Codes in GraphSpy

One of the key features of GraphSpy is the ability to generate and poll the status of multiple device codes at once.

If you are not familiar with device code authentication and device code phishing, both are explained in more detail below.

Generate a device code

A device code can easily be generated by selecting a Resource and Client ID, and clicking on the submit button. For convenience, a list of commonly used Resources and Client IDs will be shown, although you are completely free to specify a custom value as well.

As explained below, the Client ID is important when performing a device code phishing attack, as the friendly name linked to the selected Client ID will be shown to the victim after they fill in the user code.

The "user code" (i.e. the 9-character code which needs to be filled in to the https://microsoft.com/devicelogin page) can be copied to your clipboard using the copy icon. Alternatively, click the delete icon if you want to delete the entry from the database (this will also stop polling it if it has not expired yet).

The "device code" itself is what is used in the background to poll its status. In most cases, you will not need this, although you can view it if needed using the drop-down button.

(Screenshot: Device Codes page)

Polling thread

When a new device code is generated, all relevant information is stored in the database and GraphSpy starts a separate polling thread in the background (if it is not running already). This polling thread automatically polls all active device codes stored in the database every 5 seconds and updates their status when it changes.

The device codes page refreshes the table with the latest information every 5 seconds. However, polling itself happens on the GraphSpy server, so you can safely navigate to a different page or close the browser without impacting the device code polling.

The polling thread quits when there are no more active device codes to poll. Generating a new device code will, of course, cause the polling thread to start again.

Note: If you stop and restart the GraphSpy process in the middle of polling, this will obviously kill the polling thread as well. Since the polling thread does not start automatically when GraphSpy starts, use the Restart Polling button to start the polling process again in this case.

Device Code Authentication

This section will provide a brief summary of device code authentication. For more information, please refer to the documentation.

Device code authentication is intended to allow a user to log in to an application on one device (Device A), by signing in to their account on a different device (Device B).

This is particularly useful when Device A is an input-constrained device (e.g. a smart TV, printer, IoT device, ...) and Device B is a device where you may or may not be already signed in with your account.

Another common example where device code authentication is used is the Azure CLI. As described in the Azure CLI documentation, the device code flow is used when the Azure CLI cannot automatically open a web browser for the az login command.

So how does it actually work when a user wants to sign in to Device A from Device B using the device code flow?

In practice, the flow is initiated by Device A by sending a request to Microsoft to generate a device code for a specific Resource and Client ID. You can think of the resource as the actual (cloud) application you want to be signed in to (e.g. SharePoint, Microsoft Teams, Azure AD, Outlook, Microsoft Graph API, ...) and the Client ID as the client application on your device from which you access that resource (e.g. the Microsoft Teams program on your Windows PC, or the Outlook app on your mobile phone).

When a device code is requested, Microsoft will generate two types of codes and return these in the response: a Device Code and a User Code.

The Device Code is used by Device A to poll the status of the authentication attempt. The status should be polled every 5 seconds (as indicated by the interval parameter in Microsoft's response, which is always set to 5). The Device Code itself is not very user-friendly as it is relatively long. During a normal device code flow, this code is not shown to the user, since it is not relevant to them.

In contrast, the User Code is a fairly short 9-character alphanumeric code. This code will be displayed by Device A together with instructions on how to use it.

At this point, the user is expected to go to Device B and fill in this User Code on a special Microsoft login page:

For easier access to this page without having to type the full URL, the following two legitimate Microsoft URLs will also take you to this website:

(Image: two alternative Microsoft URLs for the device login page)
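From the defender's side, the same flow leaves a distinct trace: Microsoft Entra sign-in log records carry an authenticationProtocol field whose value is "deviceCode" for this flow. The following Python script is an added example written for this page, not GraphSpy code or anything from the GraphSpy project. It reads sign-in records (the records below are constructed to mimic a subset of the Microsoft Graph signIn resource), flags every device code sign-in, and rates a successful one higher when the client application is not on an allow-list of clients you expect to use the flow, or when the sign-in country is not in the user's baseline of ordinary sign-ins. The allow-list and the country heuristic are assumptions to adapt to your own tenant.

```python
"""Flag device code sign-ins in Microsoft Entra sign-in log records.

Added example, not GraphSpy code. The records below are constructed to
mimic a subset of the Microsoft Graph `signIn` resource: userPrincipalName,
appDisplayName, ipAddress, location.countryOrRegion, authenticationProtocol
("deviceCode" for the device code flow, "oAuth2" for ordinary browser/app
sign-ins) and status.errorCode (0 on success).
"""
import json
from collections import defaultdict

# Constructed sample sign-in records (IPs from documentation ranges).
SAMPLE_SIGNINS = json.dumps([
    {"id": "s1", "createdDateTime": "2024-02-10T08:02:11Z",
     "userPrincipalName": "alice@example.com", "appDisplayName": "Microsoft Teams",
     "ipAddress": "198.51.100.10", "location": {"countryOrRegion": "NL"},
     "authenticationProtocol": "oAuth2", "status": {"errorCode": 0}},
    {"id": "s2", "createdDateTime": "2024-02-11T09:15:42Z",
     "userPrincipalName": "alice@example.com", "appDisplayName": "Outlook",
     "ipAddress": "198.51.100.11", "location": {"countryOrRegion": "NL"},
     "authenticationProtocol": "oAuth2", "status": {"errorCode": 0}},
    {"id": "s3", "createdDateTime": "2024-02-12T14:03:05Z",
     "userPrincipalName": "alice@example.com", "appDisplayName": "Microsoft Office",
     "ipAddress": "203.0.113.45", "location": {"countryOrRegion": "US"},
     "authenticationProtocol": "deviceCode", "status": {"errorCode": 0}},
    {"id": "s4", "createdDateTime": "2024-02-12T16:40:00Z",
     "userPrincipalName": "bob@example.com", "appDisplayName": "Microsoft Azure CLI",
     "ipAddress": "198.51.100.20", "location": {"countryOrRegion": "NL"},
     "authenticationProtocol": "deviceCode", "status": {"errorCode": 0}},
    {"id": "s5", "createdDateTime": "2024-02-09T07:30:00Z",
     "userPrincipalName": "bob@example.com", "appDisplayName": "Microsoft Teams",
     "ipAddress": "198.51.100.21", "location": {"countryOrRegion": "NL"},
     "authenticationProtocol": "oAuth2", "status": {"errorCode": 0}},
    {"id": "s6", "createdDateTime": "2024-02-12T18:12:09Z",
     "userPrincipalName": "carol@example.com", "appDisplayName": "Microsoft Office",
     "ipAddress": "203.0.113.77", "location": {"countryOrRegion": "BR"},
     "authenticationProtocol": "deviceCode",
     "status": {"errorCode": 50126}},  # non-zero = failed attempt (value constructed)
])

# Assumption: clients an organisation legitimately expects to use the flow
# (the Azure CLI falls back to it when it cannot open a browser).
EXPECTED_DEVICE_CODE_APPS = {"Microsoft Azure CLI"}


def load_signins(raw_json: str) -> list[dict]:
    """Parse a JSON array of sign-in records (e.g. exported from Graph)."""
    return json.loads(raw_json)


def baseline_countries(signins: list[dict]) -> dict[str, set[str]]:
    """Countries seen per user in successful sign-ins that did NOT use device code."""
    seen: dict[str, set[str]] = defaultdict(set)
    for s in signins:
        if s["authenticationProtocol"] != "deviceCode" and s["status"]["errorCode"] == 0:
            seen[s["userPrincipalName"]].add(s["location"]["countryOrRegion"])
    return seen


def find_device_code_signins(signins: list[dict],
                             expected_apps: set[str] = EXPECTED_DEVICE_CODE_APPS) -> list[dict]:
    """Return one finding per device code sign-in, with a severity and reasons."""
    baseline = baseline_countries(signins)
    findings = []
    for s in signins:
        if s["authenticationProtocol"] != "deviceCode":
            continue
        user = s["userPrincipalName"]
        country = s["location"]["countryOrRegion"]
        if s["status"]["errorCode"] != 0:
            # A failed attempt issued no token; keep it visible but low priority.
            severity, reasons = "info", ["attempt failed (status.errorCode != 0)"]
        else:
            reasons = []
            if s["appDisplayName"] not in expected_apps:
                reasons.append("client not expected to use the device code flow")
            if baseline.get(user) and country not in baseline[user]:
                reasons.append(f"country {country} not in baseline {sorted(baseline[user])}")
            severity = "high" if reasons else "low"
        findings.append({"id": s["id"], "time": s["createdDateTime"], "user": user,
                         "app": s["appDisplayName"], "ip": s["ipAddress"],
                         "country": country, "severity": severity, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_device_code_signins(load_signins(SAMPLE_SIGNINS)):
        print(f"[{f['severity']}] {f['time']} {f['user']} via {f['app']} "
              f"from {f['ip']} ({f['country']}): {'; '.join(f['reasons']) or 'expected'}")
```

On the constructed data this yields one high finding (alice: unexpected client and a country outside her baseline), one low finding (bob: Azure CLI from his usual country) and one informational entry for carol's failed attempt. In a real tenant, feed it the signIn records for the period of interest and tune the allow-list; a high finding is a good trigger to review which resource the token was issued for and to revoke the user's sessions.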

Device Code Phishing

More information here.
