Microsoft: Russian-Linked Hackers Using 'Device Code Phishing' to Hijack Accounts

Summary:
Microsoft Threat Intelligence Center has identified an ongoing and highly effective device code phishing campaign attributed to Storm-2372, a suspected Russian state-affiliated threat actor. Active since August 2024, this campaign has successfully targeted organizations across various critical sectors, including government, non-governmental organizations, IT services, defense, telecommunications, healthcare, higher education, and the energy industry—including oil and gas. With operations spanning Europe, North America, Africa, and the Middle East, Storm-2372 strategically focuses on entities that hold sensitive data or play key roles in critical infrastructure. Microsoft assesses with medium confidence that this activity aligns with Russian state interests based on its targeting patterns and operational techniques.

Storm-2372 employs sophisticated social engineering tactics to gain initial access to victim accounts. The actor first engages targets via messaging platforms like WhatsApp, Signal, and Microsoft Teams, impersonating trusted individuals or industry figures to build rapport. Once trust is established, they send phishing emails masquerading as Microsoft Teams meeting invitations, tricking recipients into authenticating via a device code—a legitimate authentication mechanism designed for input-constrained devices that cannot perform interactive web-based sign-ins. When a victim enters the attacker-provided code on a legitimate Microsoft sign-in page, Storm-2372 captures the authentication tokens, granting them unauthorized access to the target’s account and associated services. These tokens allow the attacker to maintain persistent access without needing the victim’s password, as long as the tokens remain valid.

Post-compromise, Storm-2372 rapidly expands its foothold within an organization by leveraging compromised accounts to send additional phishing emails, enabling lateral movement. The group has been observed using Microsoft Graph API to conduct reconnaissance, searching compromised inboxes for sensitive keywords such as "username," "password," "admin," "credentials," "secret," "ministry," and "gov." Once relevant data is identified, the attacker exfiltrates the information using API-based email harvesting techniques. By exploiting valid authentication tokens, Storm-2372 bypasses traditional credential-based security measures, making detection more challenging.
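The sign-in pattern described in the two paragraphs above (a device code sign-in, usually from an IP the user has never used, minting a token scoped to Microsoft Graph) can be hunted in Entra ID sign-in logs. The following is an added example, not code from the advisory or from Microsoft: it reads sign-in records that follow the Entra sign-in log field names (`authenticationProtocol`, `userPrincipalName`, `ipAddress`, `resourceDisplayName`), flags every device code sign-in, and rates it against the user's own baseline of non-device-code sign-ins. The records are constructed sample data.

```python
# Added example: flag device code sign-ins in Entra ID sign-in log records and
# score each one against the user's baseline of ordinary sign-ins.
# Field names follow the Entra sign-in log schema; the records are constructed.
from collections import defaultdict

SAMPLE_SIGNINS = [  # constructed sample records, not real telemetry
    {"createdDateTime": "2025-02-10T08:01:00Z", "userPrincipalName": "alice@example.org",
     "authenticationProtocol": "none", "ipAddress": "203.0.113.10",
     "resourceDisplayName": "Office 365 Exchange Online"},
    {"createdDateTime": "2025-02-10T09:15:00Z", "userPrincipalName": "alice@example.org",
     "authenticationProtocol": "none", "ipAddress": "203.0.113.10",
     "resourceDisplayName": "Microsoft Teams"},
    {"createdDateTime": "2025-02-11T14:30:00Z", "userPrincipalName": "alice@example.org",
     "authenticationProtocol": "deviceCode", "ipAddress": "198.51.100.77",
     "resourceDisplayName": "Microsoft Graph"},
    {"createdDateTime": "2025-02-11T10:00:00Z", "userPrincipalName": "bob@example.org",
     "authenticationProtocol": "deviceCode", "ipAddress": "203.0.113.20",
     "resourceDisplayName": "Microsoft Graph"},
    {"createdDateTime": "2025-02-10T10:00:00Z", "userPrincipalName": "bob@example.org",
     "authenticationProtocol": "none", "ipAddress": "203.0.113.20",
     "resourceDisplayName": "Microsoft Teams"},
]


def device_code_findings(signins):
    """Return one finding per device code sign-in, ordered by time, with a
    severity derived from whether the source IP appears in that user's
    non-device-code sign-ins and whether the token targets Microsoft Graph."""
    baseline_ips = defaultdict(set)
    for rec in signins:
        if rec["authenticationProtocol"] != "deviceCode":
            baseline_ips[rec["userPrincipalName"]].add(rec["ipAddress"])
    findings = []
    for rec in sorted(signins, key=lambda r: r["createdDateTime"]):
        if rec["authenticationProtocol"] != "deviceCode":
            continue
        user = rec["userPrincipalName"]
        new_ip = rec["ipAddress"] not in baseline_ips[user]
        graph = rec["resourceDisplayName"] == "Microsoft Graph"
        # A never-seen IP plus a Graph-scoped token matches the mailbox
        # harvesting pattern; either signal alone still deserves a look.
        severity = "high" if new_ip and graph else "medium" if new_ip or graph else "low"
        findings.append({"user": user, "time": rec["createdDateTime"],
                         "ip": rec["ipAddress"], "new_ip": new_ip, "severity": severity})
    return findings


if __name__ == "__main__":
    for finding in device_code_findings(SAMPLE_SIGNINS):
        print(finding)
```

In a real tenant the baseline should be built from a longer window of historical sign-ins than the records being scored, and a hit on a Graph-scoped token is the trigger to revoke the user's refresh tokens as described under Suggested Corrections.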

Security Officer Comments:
Given the severity and persistence of this campaign, Microsoft continues to track Storm-2372 closely, notifying affected organizations and sharing detection and mitigation strategies. The company is also monitoring other threat actors employing similar device code phishing techniques, as documented in recent research by Volexity. To defend against such attacks, organizations are urged to implement conditional access

Suggested Corrections:
To harden networks against the Storm-2372 activity described above, defenders can implement the following:
  • Only allow device code flow where necessary. Microsoft recommends blocking device code flow wherever possible. Where necessary, configure Microsoft Entra ID’s device code flow in your Conditional Access policies.
  • Educate users about common phishing techniques. Sign-in prompts should clearly identify the application being authenticated to. As of 2021, Microsoft Azure interactions prompt the user to confirm (“Cancel” or “Continue”) that they are signing in to the app they expect, which is an option frequently missing from phishing sign-ins.
  • If suspected Storm-2372 or other device code phishing activity is identified, revoke the user’s refresh tokens by calling revokeSignInSessions. Consider setting a Conditional Access Policy to force re-authentication for users.
  • Implement a sign-in risk policy to automate response to risky sign-ins. A sign-in risk represents the probability that a given authentication request isn’t authorized by the identity owner. A sign-in risk-based policy can be implemented by adding a sign-in risk condition to Conditional Access policies that evaluates the risk level of a specific user or group. Based on the risk level (high/medium/low), a policy can be configured to block access or force multi-factor authentication.
    • When a user is high risk and Conditional Access evaluation is enabled, the user’s access is revoked, and they are forced to re-authenticate.
    • For regular activity monitoring, use Risky sign-in reports, which surface attempted and successful user access activities where the legitimate owner might not have performed the sign-in.
  • Require multifactor authentication (MFA). While certain attacks such as device code phishing attempt to evade MFA, implementation of MFA remains an essential pillar in identity security and is highly effective at stopping a variety of threats.
  • Centralize your organization’s identity management into a single platform. If your organization runs a hybrid environment, integrate your on-premises directories with your cloud directories. If your organization uses a third party for identity management, ensure this data is logged in a SIEM or connected to Microsoft Entra so that malicious identity access can be monitored from a centralized location. The added benefits of centralizing all identity data are that it facilitates implementation of Single Sign On (SSO), gives users a more seamless authentication process, and lets Entra ID’s machine learning models operate on all identity data, so they learn the difference between legitimate and malicious access more quickly and easily. When doing this, it is recommended to synchronize all user accounts except administrative and highly privileged ones, to maintain a boundary between the on-premises environment and the cloud environment in case of a breach.
  • Secure accounts with credential hygiene: practice the principle of least privilege and audit privileged account activity in your Entra ID environments to slow and stop attackers.
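The first correction above, blocking device code flow through Conditional Access, is only effective if the policy is enabled, targets the device code flow, uses the block control, and has no scope gaps. The following is an added example, not code from the advisory or from Microsoft: it audits exported Conditional Access policies for exactly that. It assumes the Microsoft Graph `conditionalAccessPolicy` shape, where `conditions.authenticationFlows.transferMethods` is a comma-separated string that can contain `deviceCodeFlow`; the policy exports are constructed.

```python
# Added example: audit exported Conditional Access policies for an enforced
# block on the device code authentication flow and report every gap found.
# Assumed schema: Graph conditionalAccessPolicy; the exports are constructed.
SAMPLE_POLICIES = [  # constructed policy exports, not real tenant data
    {"displayName": "Block device code flow", "state": "enabledForReportingButNotEnforced",
     "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": []},
                    "applications": {"includeApplications": ["All"]},
                    "authenticationFlows": {"transferMethods": "deviceCodeFlow"}},
     "grantControls": {"builtInControls": ["block"]}},
    {"displayName": "Require MFA for all users", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": []},
                    "applications": {"includeApplications": ["All"]},
                    "authenticationFlows": None},
     "grantControls": {"builtInControls": ["mfa"]}},
]


def audit_device_code_block(policies):
    """Return (enforced, notes). enforced is True only when at least one
    enabled policy blocks deviceCodeFlow for all users and all applications
    with no user exclusions; notes describe each policy that targets the flow."""
    enforced, notes = False, []
    for policy in policies:
        cond = policy.get("conditions") or {}
        flows = cond.get("authenticationFlows") or {}
        methods = [m.strip() for m in (flows.get("transferMethods") or "").split(",")]
        if "deviceCodeFlow" not in methods:
            continue  # policy does not target the device code flow at all
        gaps = []
        if policy.get("state") != "enabled":
            gaps.append(f"state is {policy.get('state')}, so it is not enforced")
        controls = (policy.get("grantControls") or {}).get("builtInControls") or []
        if "block" not in controls:
            gaps.append("grant control is not 'block'")
        users = cond.get("users") or {}
        if users.get("includeUsers") != ["All"]:
            gaps.append("does not include all users")
        if users.get("excludeUsers"):
            gaps.append("has user exclusions")
        if (cond.get("applications") or {}).get("includeApplications") != ["All"]:
            gaps.append("does not cover all applications")
        if gaps:
            notes.append(f"{policy['displayName']}: " + "; ".join(gaps))
        else:
            enforced = True
            notes.append(f"{policy['displayName']}: enforces a block on device code flow")
    if not notes:
        notes.append("no policy targets deviceCodeFlow")
    return enforced, notes
```

Any exclusions the audit reports (for example a break-glass account) are exactly the accounts a device code phishing lure would still work against, so they should be the ones monitored most closely.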
Link(s):
https://www.microsoft.com/en-us/sec...-2372-conducts-device-code-phishing-campaign/