13th and 14th February, 2026
Kaapelitehdas, Helsinki Finland
SquarePhish 2.0 QR Code OAuth 2.0 Device Code Flow Phishing for Primary Refresh Token
Nevada Romsdahl
Kam Talebzadeh
SquarePhish is an advanced phishing tool that uses a technique combining the OAuth 2.0 Device Code Authentication Flow and QR codes. Version 2.0 of the tool introduces phishing for Primary Refresh Tokens, Microsoft's Single Sign-On token. This token gives attackers broad access to Microsoft cloud resources.
In the demo, we will cover QR codes, Device Code OAuth 2.0 Flow, FOCI tokens, Primary Refresh Tokens, and putting it all together for advanced phishing attacks. The intent of our tool is to give red teamers and organizations a way to test detection and prevention capabilities.
In the demo, we will cover QR codes, Device Code OAuth 2.0 Flow, FOCI tokens, Primary Refresh Tokens, and putting it all together for advanced phishing attacks. The intent of our tool is to give red teamers and organizations a way to test detection and prevention capabilities.
Nevada Romsdahl
Nevada Romsdahl is a Senior Security Researcher at CrowdStrike with nearly two decades of experience in information security, specializing in offensive security.
Nevada has presented at numerous international security conferences, including Black Hat Arsenal (USA, Europe, and Asia), Cloud Village at DEF CON, BSides Charm, and RSA Conference.
Kam Talebzadeh
Kam Talebzadeh is a red teamer and security researcher. He has developed and published several open-source offensive toolkits including o365spray, BridgeKeeper, and redirect.rules. Currently, he works as a Security Researcher for CrowdStrike. He holds the Offensive Security WebExpert (OSWE) certification.
