
Nothing is impossible! Persistence in EntraID through device code phishing
This presentation highlights a sophisticated attack method in which device code phishing can be used to introduce new authentication mechanisms such as FIDO security keys into Entra ID accounts.
Topic
Awareness / Phishing / Fraud; Data protection / GDPR; Websecurity / VPN
Details
Format: it-sa insights
Language: German
Session description
The technique, originally developed by Felix Äppli in 2024, no longer works – but Jan-Tilo Kirchhoff presents an updated version that continues to be successful and demonstrates it live. By exploiting the OAuth2 Device Authorization Grant Flow and the special rights of the FOCI (Family of Client IDs) client family, it is possible to establish persistent backdoors – without Microsoft recognizing this as a security vulnerability. The presentation provides technical background information, a proof of concept, and concrete protective measures such as conditional access policies and log analysis. The aim is to create a deeper understanding of this underestimated threat and to provide practical recommendations for action.
Compass researched and publi ...