CuddlePhish

CuddlePhish is an OAuth/device-code phishing framework that captures MFA-protected tokens from Microsoft and Google accounts. InfraGuard protects the phishing flow from Safe Links crawlers and scanners.

Config

domains:
  auth.example.com:
    upstream: "${CUDDLEPHISH_UPSTREAM}"    # e.g. https://127.0.0.1:8443
    profile_type: "cuddlephish"

    campaign_token:
      enabled: true
      token_param: "t"
      tokens:
        - "${CAMPAIGN_TOKEN}"
      score_on_missing: 0.9              # aggressive — non-email visitors almost always blocked

    drop_action:
      type: "redirect"
      target: "https://login.microsoftonline.com"

See config/examples/phishing-cuddlephish.yaml.

Built-in Path Patterns

CuddlePhish handles OAuth flow routing internally. InfraGuard uses passthrough-style patterns — all paths forward unless allowed_paths is set.

If the CuddlePhish endpoints are predictable, restrict forwarding to them:

allowed_paths:
  - "/devicelogin"
  - "/common/oauth2/*"
  - "/common/login"
  - "/kmsi"

Critical: Sandbox Filter

Microsoft Safe Links and Defender ATP crawl all URLs in emails before delivery. The sandbox filter blocks these crawlers before they interact with the OAuth flow:

enable_sandbox_filter: true    # CRITICAL — blocks Safe Links, Defender ATP

Without this, Microsoft’s sandbox may exhaust the device-code TTL or flag the URL.

Critical: Replay Filter Off

CuddlePhish OAuth flows involve multiple redirects per session. Replay detection breaks subsequent requests in the same session:

enable_replay_filter: false
block_score_threshold: 0.65

Combined with score_on_missing: 0.9 on the campaign token, anyone without the token hits 0.9 and is blocked. Legitimate targets with the token start at 0.0 and are scored only on other signals.