[EN-C022-043] Auth Monitoring: Device Code Phishing Fuse

Overview

This pattern detects and contains OAuth Device Code phishing (abuse of legitimate verification flows) by correlating identity, network, and token-usage telemetry in near real time.

Use Case

  • Same user approves multiple device codes across distant regions within minutes.
  • User-agent, ASN, or device posture diverges from baseline.
  • Token/API activity spikes immediately after approval.
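As an added example (not part of the original pattern and independent of any OpenClaw agent), the following Python correlator evaluates the three signals above over constructed device-code approval and token-usage events; the event field names, the baseline table, and the window/threshold values are assumptions chosen for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry (not from any real IdP); field names are assumptions.
APPROVALS = [
    {"user": "alice", "ts": "2024-05-01T10:00:00", "region": "DE", "asn": 3320, "ua": "Mozilla/5.0 (Windows NT 10.0)"},
    {"user": "alice", "ts": "2024-05-01T10:04:00", "region": "BR", "asn": 26599, "ua": "python-requests/2.31"},
    {"user": "bob", "ts": "2024-05-01T11:00:00", "region": "DE", "asn": 3320, "ua": "Mozilla/5.0 (Windows NT 10.0)"},
]
# One token/API call per entry; alice's second approval is followed by a burst of calls.
TOKEN_EVENTS = [{"user": "alice", "ts": f"2024-05-01T10:04:{s:02d}"} for s in range(5, 60, 2)]
TOKEN_EVENTS.append({"user": "bob", "ts": "2024-05-01T11:01:00"})
BASELINE = {"alice": {"asn": 3320, "ua_prefix": "Mozilla/5.0"}, "bob": {"asn": 3320, "ua_prefix": "Mozilla/5.0"}}

def _t(s):
    return datetime.fromisoformat(s)

def multi_region_approvals(approvals, window=timedelta(minutes=10)):
    """Users who approved device codes from more than one region within `window`."""
    by_user = defaultdict(list)
    for a in approvals:
        by_user[a["user"]].append(a)
    return {u for u, evs in by_user.items()
            if any(a["region"] != b["region"] and abs(_t(a["ts"]) - _t(b["ts"])) <= window
                   for i, a in enumerate(evs) for b in evs[i + 1:])}

def posture_divergence(approval, baseline):
    """True when ASN or user-agent family differs from the user's recorded baseline."""
    base = baseline.get(approval["user"])
    # No baseline at all is treated as divergent so the verifier sub-agent looks at it.
    return base is None or approval["asn"] != base["asn"] or not approval["ua"].startswith(base["ua_prefix"])

def token_spike_after(approval, token_events, window=timedelta(minutes=5), threshold=10):
    """True when at least `threshold` token/API events for the user follow the approval within `window`."""
    start = _t(approval["ts"])
    n = sum(1 for e in token_events
            if e["user"] == approval["user"] and start <= _t(e["ts"]) <= start + window)
    return n >= threshold

def assess(approvals, token_events, baseline):
    """Map each user to the set of Use Case signals that fired; an empty set means low risk."""
    reasons = {a["user"]: set() for a in approvals}
    multi = multi_region_approvals(approvals)
    for a in approvals:
        hits = reasons[a["user"]]
        if a["user"] in multi:
            hits.add("multi_region")
        if posture_divergence(a, baseline):
            hits.add("posture_divergence")
        if token_spike_after(a, token_events):
            hits.add("token_spike")
    return reasons
```

Any user whose set is non-empty would be handed to the verifier step (user challenge, temporary token freeze) described under the implementation steps; the cron job would rerun `assess` over each polling window.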

OpenClaw Implementation Steps

  1. Enable config
    • Turn on cron, sessions_spawn, and message integrations.
    • Schedule 1–5 minute polling jobs for auth telemetry.
  2. Acquire APIs
    • Generate IdP audit API credentials (OIDC provider).
    • Add reverse-proxy or zero-trust event API tokens.
  3. Operational setup
    • Ingest approval and token events via cron.
    • Use split roles: detection agent + verifier sub-agent (sessions_spawn).
    • On high risk, launch user challenge and temporary token freeze via sessions_send.

Trend Signals (GitHub/Reddit + V2EX/GitHub CN)

  • English communities: strong growth in detection rules for “legitimate flow abuse.”
  • Chinese communities: increasing focus on approval-log correlation in enterprise zero-trust rollouts.

Registry ID: EN-043 | Status: Draft-Verified | Language: English