Category: Cloud Security

Cloud security (CS) encompasses a set of policies, controls, procedures, and technologies that work together to protect systems, data, and infrastructure. With the increasing adoption of cloud services for storing and processing vast amounts of data, ensuring the security of these services has become paramount. Lucid Security CS assessments aim to address concerns related to the confidentiality, integrity, and availability of data in the cloud while also ensuring compliance with various regulatory requirements. Key aspects of CS include data encryption, identity and access management (IAM), secure application development, and threat detection and response. Encryption helps protect data at rest and in transit, making it unreadable to unauthorized users. IAM ensures that only authenticated and authorized users can access specific resources, thereby reducing the risk of data breaches. Secure application development practices involve incorporating security measures into the software development lifecycle to prevent vulnerabilities in cloud applications. Threat detection and response mechanisms monitor cloud environments for malicious activity and automatically respond to security incidents to minimize their impact. Lucid Security reviews Amazon Web Services (AWS), Microsoft Azure, Google Cloud Platform (GCP), and other cloud services to make our clients more secure. Lucid Security provides targeted cloud assessments via cloud penetration testing, as well as cloud configuration reviews. Are you concerned about your organization's configuration of assets, permissions, etc.? Implementing cloud architecture and assets can be tricky and confusing with the ever-changing features being rolled out by cloud providers. Contact Lucid Security today to see how we can help you strengthen your cloud assets.

How to Disable Device Code Authentication in Microsoft 365

A big phishing trend abuses the OAuth Device Code Authentication flow against Microsoft 365 tenants. The attack coerces targeted users into entering a generated code into Microsoft's OAuth device authentication portal, which then grants API access to the user's account. A few reasons this type of attack is very popular and powerful:

1) Microsoft hosts this authentication flow, so it doesn’t require any untrusted third-party links. Typical phishing safety training (like checking the domain in a link) is less effective here.
2) Targeted users simply copy and paste a short code into the authentication prompt. Some tooling now generates the code automatically, so a user just clicks through a Microsoft prompt: "Are you trying to sign in to Microsoft Authentication Broker?"
3) A successful phish gives the attacker an access token and allows them to obtain a Primary Refresh Token (PRT), which can be used to create access tokens scoped however they want. PRTs last for 90 days (with some exceptions and a bit of additional complexity that is not important to get into here).

Common Device Code Phishing Tooling

There are several tools to perform this type of phishing attack. Lucid uses several open-source frameworks on a regular basis for authorized phishing for our clients.

How to Disable Device Code Authentication

It is typical of Microsoft to introduce something that is a security risk, enable it by default, and not make it very obvious to users that there is a risk or how to disable it. M365 tenants enable device code authentication by default. The main way to disable it is via Conditional Access, per Microsoft.

Create a Conditional Access Policy as follows, per Microsoft. Note: these steps create the policy in Report-only mode. If your organization has no established use of device code authentication, enable the policy.
1. Sign in to the Microsoft Entra admin center as at least a Conditional Access Administrator.
2. Browse to Protection > Conditional Access > Policies.
3. Select New policy.
4. Under Assignments, select Users or workload identities.
– Under Include, select the users you want to be in scope for the policy (All users recommended).
– Under Exclude, select Users and groups and choose your organization's emergency access or break-glass accounts and any other necessary users. This exclusion list should be audited regularly.
5. Under Target resources > Resources (formerly cloud apps) > Include, select the apps you want to be in scope for the policy (All resources (formerly 'All cloud apps') recommended).
6. Under Conditions > Authentication Flows, set Configure to Yes.
– Select Device code flow.
– Select Done.
7. Under Access controls > Grant, select Block access.
– Select Select.
8. Confirm your settings and set Enable policy to Report-only.
9. Select Create to create your policy.

Once this policy is active, device code authentication is restricted for users.
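The same policy can be created from the command line, which is handy for standardizing it across many tenants and for auditing whether a tenant already has one. The script below is an added example, not code from the Lucid Security post or from Microsoft's documentation. It assumes the Microsoft Graph PowerShell SDK (Microsoft.Graph.Authentication and Microsoft.Graph.Identity.SignIns, v2.x or later) with the v1.0 endpoint exposing the authenticationFlows condition (if your module version lacks it, the same body works against the beta module's cmdlets), an account holding at least the Conditional Access Administrator role, and that you replace the placeholder break-glass object ID with your own. It mirrors the portal steps above: all users, all resources, condition = device code flow, grant = block, state = report-only.

```powershell
# Added example (not from the post): create the Conditional Access policy that blocks the
# device code flow via Microsoft Graph PowerShell, after first checking whether a policy
# that targets this flow already exists in the tenant.
# Assumptions: Microsoft.Graph.Authentication + Microsoft.Graph.Identity.SignIns (v2.x+),
# v1.0 endpoint with authenticationFlows support, Conditional Access Administrator role.

#Requires -Modules Microsoft.Graph.Authentication, Microsoft.Graph.Identity.SignIns

Connect-MgGraph -Scopes 'Policy.Read.All', 'Policy.ReadWrite.ConditionalAccess'

# Object IDs of your emergency access / break-glass accounts.
# Placeholder value only; replace with the real object IDs from your tenant.
$breakGlassAccountIds = @(
    '00000000-0000-0000-0000-000000000000'   # placeholder, not a real object ID
)

# Policy body. State is report-only so the sign-in logs show what would have been
# blocked; switch to 'enabled' once you have confirmed nothing legitimate relies on the flow.
$policy = @{
    displayName   = 'Block device code flow (report-only)'
    state         = 'enabledForReportingButNotEnforced'   # 'enabled' to enforce
    conditions    = @{
        users = @{
            includeUsers = @('All')
            excludeUsers = $breakGlassAccountIds
        }
        applications = @{
            includeApplications = @('All')
        }
        authenticationFlows = @{
            transferMethods = 'deviceCodeFlow'
        }
    }
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('block')
    }
}

# Audit: list every existing policy whose authentication-flow condition covers the
# device code flow, with its state and grant control, so you can see whether the
# tenant is already protected (and whether the policy is enforced or only report-only).
function Get-DeviceCodeFlowPolicies {
    Get-MgIdentityConditionalAccessPolicy -All |
        Where-Object { $_.Conditions.AuthenticationFlows.TransferMethods -match 'deviceCodeFlow' } |
        Select-Object DisplayName, State,
            @{ Name = 'Grant'; Expression = { $_.GrantControls.BuiltInControls -join ',' } },
            @{ Name = 'Users'; Expression = { $_.Conditions.Users.IncludeUsers -join ',' } },
            @{ Name = 'Apps';  Expression = { $_.Conditions.Applications.IncludeApplications -join ',' } }
}

$existing = Get-DeviceCodeFlowPolicies
if ($existing) {
    Write-Host 'Existing policies that target the device code flow:'
    $existing | Format-Table -AutoSize
}
else {
    Write-Host 'No policy targets the device code flow yet; creating one in report-only mode.'
    $created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
    Write-Host ("Created policy {0} with state {1}" -f $created.Id, $created.State)
}

Disconnect-MgGraph | Out-Null
```

Run the audit function on its own during a configuration review: a tenant that returns no rows, or only rows with State set to enabledForReportingButNotEnforced, is still accepting device code sign-ins.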

Conclusion

Lucid performs authorized phishing campaigns on a regular basis, and it is still rare to find tenants with device code authentication disabled. Given the danger of these real-world phishing attacks, take action to restrict this authentication flow and further secure your tenant. Need help? Lucid can perform a Microsoft 365 / Azure Configuration Review to help secure your tenant against these and other threats. See our "5 Default M365 Settings to Change Immediately" for additional M365 / Azure security recommendations.

5 Default M365 Settings to Change Immediately

5 default M365 settings to change immediately.