Microsoft has uncovered a new set of cyberattacks linked to a group known as Storm-2372, which is using a device code phishing technique to hijack accounts.
These attacks, attributed to Russian interests, have been targeting various sectors, including government organizations, NGOs, IT services, defense, and telecommunications, since August 2024.
The attacks have spanned Europe, North America, Africa, and the Middle East.
How Device Code Phishing Works
The attackers are employing a clever phishing tactic, where they send out phony Microsoft Teams meeting invitations designed to trick victims into logging in using device codes.
Once the victim enters the device code on a legitimate-looking sign-in page, the hackers capture the authentication tokens, which they use to access the victim’s account.
Impact and Danger
These authentication tokens enable the hackers to gain access to sensitive data and other services linked to the compromised account, such as cloud storage or email, without needing the user’s password.
The attackers also gain persistent access to the victim’s environment as long as the tokens remain valid.
Once inside, the attackers can move laterally within the network, compromising other accounts and searching for sensitive information.
They have been using Microsoft Graph to search messages for terms like “username,” “password,” “admin,” “credentials,” and even “secret” to exfiltrate valuable data.
Mitigation Strategies
To protect against this type of attack, Microsoft recommends organizations to block device code flow where possible and implement phishing-resistant multi-factor authentication (MFA).
Additionally, applying the principle of least privilege can limit the potential damage caused by a compromised account.
By staying aware of these tactics and improving their security protocols, organizations can better defend against the growing threats of device code phishing and other evolving cyberattacks.
