Graphish is an open-source, highly modular phishing-as-a-service (PhaaS) kit that specializes in OAuth device code phishing attacks targeting Microsoft 365 (M365) and Entra ID (Azure AD) environments. First documented in detail by Proofpoint in late 2025, Graphish quickly became one of the most widely adopted tools in underground communities for compromising enterprise email accounts. Its name derives from its heavy reliance on Microsoft Graph API permissions to request broad, high-risk OAuth scopes (e.g., Mail.ReadWrite, Files.Read.All, User.Read.All).
Unlike traditional phishing kits that focus on credential harvesting via fake login pages, Graphish primarily exploits the legitimate OAuth 2.0 device authorization grant flow (RFC 8628) to obtain persistent access and refresh tokens directly from Microsoft — without ever needing the victim’s password and while fully honoring multi-factor authentication (MFA).
Graphish is distributed for free on exclusive, vetted cybercrime forums (often requiring reputation or invitation), complete with detailed documentation, making it accessible to mid- and low-tier attackers. It has been linked to both financially motivated groups (e.g., TA2723, Scattered Spider affiliates) and nation-state actors (e.g., Russia-linked UNK_AcademicFlare and Storm-2372).
Core Architecture and Technical Components
Graphish is written primarily in PHP and JavaScript, with a modular design that includes:
- OAuth Device Code Engine:
  - Automates requests to Microsoft’s /devicecode endpoint using attacker-registered Azure AD application client IDs.
  - Handles polling for token issuance after victim consent.
  - Captures access tokens, refresh tokens, and ID tokens for immediate and long-term use.
- Adversary-in-the-Middle (AiTM) Proxy Layer:
  - Optional Evilginx2-style reverse proxy integration for session hijacking.
  - Allows real-time interception even if the primary goal is token theft.
- Phishing Template Engine:
  - Pre-built, highly convincing templates mimicking:
    - OneDrive/SharePoint file shares (“Salary_Report_2025.pdf shared with you”).
    - Microsoft Teams voicemail or chat notifications.
    - HR/payroll documents, security alerts, or Docusign requests.
  - Supports dynamic content injection (victim name, company logo pulled from public sources).
- QR Code (Quishing) Module:
  - Generates QR codes embedding the device code prompt for mobile redirection.
  - Particularly effective in hybrid campaigns (email → QR → mobile consent).
- Azure App Registration Guidance:
  - Step-by-step instructions for creating malicious apps.
  - Tips for achieving “publisher verification” status to bypass some Conditional Access restrictions.
  - Recommended high-impact permission scopes.
- Admin Dashboard:
  - Real-time victim tracking (codes issued, consents granted, tokens captured).
  - Export functionality for stolen tokens.
  - Campaign management (multiple simultaneous lures).
- Evasion Features:
  - Minimal use of fake login pages — critical consent occurs on legitimate microsoft.com/devicelogin.
  - Obfuscated JavaScript and server-side checks to hinder analysis.
  - SSL pinning on attacker domains (Let’s Encrypt or stolen certs).
Typical Attack Flow Using Graphish
- Preparation:
  - Attacker registers one or more Azure AD apps (often with benign-sounding names like “Document Viewer App” or “Corporate Portal”).
  - Deploys Graphish on a VPS or compromised server with a credible domain.
- Distribution:
  - Emails sent from compromised accounts (for trust) or bulk spam.
  - Common 2025 lures observed:
    - “October Payroll Adjustment – View Document”
    - “New Voicemail in Microsoft Teams”
    - “Shared OneDrive File Requires Verification”
- Victim Engagement:
  - Victim clicks embedded link or scans QR code.
  - Lands on attacker-hosted page displaying: “To access the secure document, go to https://microsoft.com/devicelogin and enter code: XYZ8-AB12”.
- Consent and Compromise:
  - Victim authenticates on the real Microsoft page (completes MFA).
  - Approves broad permissions.
  - Graphish dashboard instantly receives tokens.
- Exploitation:
  - Immediate access via Microsoft Graph API.
  - Common follow-on: inbox rule creation, data exfiltration, lateral phishing.
Evolution and Variants
- Early versions (September–October 2025): Basic device code + simple templates.
- Mid-2025 updates: Added full AiTM, QR support, and publisher verification bypasses.
- Late 2025 forks: Community modifications for targeting Google Workspace (limited success) and integrating with post-exploitation tools like Cobalt Strike beacons via token impersonation.
Why Graphish Is Particularly Dangerous
- Democratizes advanced attacks: No deep technical knowledge required.
- High success rate: Victims see only legitimate Microsoft domains during the critical step.
- Persistence: Refresh tokens valid for 90 days (extendable).
- Stealth: Minimal indicators of compromise (no stolen passwords, no rogue sign-ins from foreign IPs if tokens used carefully).
Detection Indicators
- New Azure AD apps with generic names requesting offline_access together with Mail.* or Files.* scopes.
- Sign-ins from “Microsoft Azure Device Code Flow” client.
- Unusual consent grants in Entra audit logs.
- Emails with links to non-Microsoft domains prompting device code entry.
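A defender-side triage script that turns the indicators above into checks, as an added example that is not part of the original article or the kit it describes. It runs over constructed sample events shaped like Entra sign-in and audit log exports; the field names (authenticationProtocol, activityDisplayName, consentScopes) are assumptions modelled on that schema, and the high-risk scope prefixes are taken from the page.

```python
# Constructed sample events in the shape of Entra sign-in and audit log
# exports. Field names are assumptions; values are made up for the demo.
SAMPLE_EVENTS = [
    {"kind": "signIn", "userPrincipalName": "alice@example.test",
     "appDisplayName": "Document Viewer App",
     "authenticationProtocol": "deviceCode", "ipAddress": "203.0.113.5"},
    {"kind": "signIn", "userPrincipalName": "bob@example.test",
     "appDisplayName": "Microsoft Teams",
     "authenticationProtocol": "oAuth2", "ipAddress": "198.51.100.7"},
    {"kind": "audit", "activityDisplayName": "Consent to application",
     "initiatedBy": "alice@example.test", "targetApp": "Document Viewer App",
     "consentScopes": "offline_access Mail.ReadWrite Files.Read.All User.Read.All"},
    {"kind": "audit", "activityDisplayName": "Consent to application",
     "initiatedBy": "carol@example.test", "targetApp": "Expense Tool",
     "consentScopes": "User.Read"},
]

# Scope families the article flags as high-risk when paired with offline_access
# (offline_access is what yields the long-lived refresh token).
HIGH_RISK_PREFIXES = ("Mail.", "Files.", "User.Read.All")


def risky_scopes(scope_string):
    """Return the high-risk scopes in a consent, but only if offline_access is present."""
    scopes = scope_string.split()
    if "offline_access" not in scopes:
        return []
    return [s for s in scopes if s.startswith(HIGH_RISK_PREFIXES)]


def analyze(events):
    """Flag device-code sign-ins and consent grants that request broad, persistent access."""
    findings = []
    for e in events:
        if e.get("kind") == "signIn" and e.get("authenticationProtocol") == "deviceCode":
            findings.append(("device_code_signin", e["userPrincipalName"], e["appDisplayName"]))
        elif e.get("kind") == "audit" and e.get("activityDisplayName") == "Consent to application":
            bad = risky_scopes(e.get("consentScopes", ""))
            if bad:
                findings.append(("broad_consent", e["initiatedBy"], e["targetApp"], bad))
    return findings


def correlate(findings):
    """Users seen both signing in via device code and granting broad consent: top priority."""
    dc_users = {f[1] for f in findings if f[0] == "device_code_signin"}
    return sorted({f[1] for f in findings if f[0] == "broad_consent" and f[1] in dc_users})


if __name__ == "__main__":
    found = analyze(SAMPLE_EVENTS)
    for f in found:
        print(f)
    print("investigate first:", correlate(found))
```

The same logic maps directly onto a KQL query against the SigninLogs and AuditLogs tables once the field names are confirmed in your tenant.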
Mitigation Strategies
- Primary Defense: Block the device code flow entirely in Microsoft Entra Conditional Access policies (most organizations have no legitimate need for it).
- Restrict Consent:
  - Disable user consent for third-party apps.
  - Require admin approval for high-risk scopes.
- Monitoring:
  - Alert on new app registrations or consents.
  - Detect anomalous token usage via Microsoft Defender for Cloud Apps.
- User Awareness:
  - Train employees: “Never enter a code at microsoft.com/devicelogin prompted by email or QR code.”
  - Legitimate device codes appear on the device itself (e.g., smart TV), not via external messages.
Graphish represents a mature evolution in phishing infrastructure — free, feature-rich, and devastatingly effective against even well-defended M365 environments. Its widespread adoption in 2025 underscores the urgent need for organizations to disable unnecessary OAuth flows and treat all unsolicited consent prompts as malicious. If you administer Microsoft 365, verify today that device code flow is blocked in your tenant.