SquarePhish 2.0 - Turning QR Codes into Entra ID Primary Refresh Tokens

Nevada, Kam

Cloud Village @ DEF CON 33 · Day 1 · Cloud Village

In this talk at Cloud Village, Nevada and Kam from CrowdStrike unveiled **SquarePhish 2.0**, an advanced phishing framework that weaponizes QR codes to acquire **Primary Refresh Tokens (PRTs)** from Microsoft Entra ID (formerly Azure Active Directory). SquarePhish 2.0 builds on their earlier work and significantly enhances an attacker's ability to achieve persistent, single sign-on access across an organization's Microsoft ecosystem, bypassing traditional multi-factor authentication (MFA) and network controls. The presentation detailed the evolution of the tool, the underlying technical mechanisms, and defensive strategies.

AI review

Solid technical research that advances a real attack primitive — device code phishing to PRT acquisition — with working tooling, an honest attribution to prior art (Dirk-Jan Mollema, Dennis Neep, etc.), and a clear defensive payoff. Not a world-shaking novel contribution, but it's the kind of end-to-end offensive research with concrete defensive guidance that earns its conference slot.
