In a concerning development, cybersecurity experts have identified a sophisticated phishing campaign orchestrated by the group known as Storm-2372. This threat actor, suspected to have links to Russia, has been exploiting a technique called "device code phishing" since August 2024. The campaign primarily targets governments, non-governmental organizations (NGOs), and various industries worldwide, aiming to steal login tokens and compromise accounts.

Understanding Device Code Phishing

Device code phishing abuses the OAuth 2.0 device authorization grant (RFC 8628), the sign-in flow built for input-constrained devices such as printers and smart TVs. In that flow the client starts a sign-in and receives two codes: a long secret device code it keeps, and a short user code that a person types into the identity provider's verification page after signing in normally. Whoever holds the device code then polls the token endpoint and receives the access and refresh tokens. In the attack, the attacker starts the flow and sends the user code to the victim; when the victim enters it on the legitimate page, the tokens are issued to the attacker. Because the victim signs in on a genuine Microsoft page, no password is captured and any MFA prompt is completed by the victim. Access persists for as long as the tokens remain valid and can be refreshed, which is why the compromised organizations face a lasting rather than a one-time exposure.

How the Attack Unfolds

Microsoft Threat Intelligence researchers have observed that Storm-2372 employs phishing messages disguised as legitimate Microsoft Teams meeting invitations. The attackers first start a device code sign-in themselves, which generates the codes; the lure then carries that user code and directs the recipient to Microsoft's genuine device login page, where the victim is told to enter the code to "join" the meeting.

  • Token Capture: Once the victim signs in and enters the code, the attackers' polling client receives a valid access token and a refresh token for the victim's account, issued by Microsoft itself.
  • Account Compromise: With those tokens the attackers can read the victim's email and files through Microsoft Graph, and can use the compromised mailbox to send further lures to colleagues, moving laterally through the organization without ever touching an endpoint.
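The exchange described above, as an added example that is not part of the original article: a toy in-memory authorization server implementing the RFC 8628 flow, with the attacker's and the victim's sides played out against it. It is a simulation of the protocol, not Microsoft's implementation; the client ID, scope, verification URI and user identity are made up. The point it demonstrates is that the token endpoint answers the holder of the device code, which the verification page never learns or checks.

```python
"""Toy OAuth 2.0 device authorization grant (RFC 8628) showing why device code
phishing works: tokens are returned to whoever holds the device_code (the party
that started the flow), not to the person who typed the user_code.

Added example: an in-memory simulation of the protocol, not Microsoft's
implementation. Endpoint and field names follow RFC 8628; the client_id,
scope, URI and user identity below are made up."""
import secrets
import string
import time


class DeviceAuthServer:
    """Minimal authorization server holding pending device authorizations."""

    def __init__(self, code_ttl=900, interval=5):
        self.code_ttl = code_ttl          # seconds a user_code stays valid
        self.interval = interval          # minimum polling interval (seconds)
        self.pending = {}                 # device_code -> authorization record

    def device_authorization(self, client_id, scope):
        """POST /devicecode: start a flow; both codes go back to the *client*."""
        alphabet = string.ascii_uppercase + string.digits
        raw = "".join(secrets.choice(alphabet) for _ in range(8))
        record = {
            "client_id": client_id,
            "scope": scope,
            "user_code": f"{raw[:4]}-{raw[4:]}",   # the short code shown to a human
            "expires": time.monotonic() + self.code_ttl,
            "approved_by": None,                    # filled in when a user signs in
        }
        device_code = secrets.token_urlsafe(32)     # the long secret the client keeps
        self.pending[device_code] = record
        return {
            "device_code": device_code,
            "user_code": record["user_code"],
            "verification_uri": "https://login.example/device",  # constructed
            "expires_in": self.code_ttl,
            "interval": self.interval,
        }

    def verification_page(self, user_code, authenticated_user):
        """The legitimate device-login page: an already signed-in user enters a
        user_code. Returns True if a pending flow was approved. The page never
        learns or checks who started the flow."""
        for record in self.pending.values():
            if record["user_code"] == user_code and record["approved_by"] is None:
                if time.monotonic() >= record["expires"]:
                    return False
                record["approved_by"] = authenticated_user
                return True
        return False

    def token(self, client_id, device_code):
        """POST /token with grant_type=urn:ietf:params:oauth:grant-type:device_code.
        Polled by the client; the error strings are the ones RFC 8628 defines."""
        record = self.pending.get(device_code)
        if record is None or record["client_id"] != client_id:
            return {"error": "invalid_grant"}
        if time.monotonic() >= record["expires"]:
            del self.pending[device_code]
            return {"error": "expired_token"}
        if record["approved_by"] is None:
            return {"error": "authorization_pending"}
        del self.pending[device_code]               # single use
        return {
            "token_type": "Bearer",
            "access_token": secrets.token_urlsafe(32),
            "refresh_token": secrets.token_urlsafe(32),
            "scope": record["scope"],
            "sub": record["approved_by"],           # the victim, not the attacker
        }


def run_phishing_scenario(server):
    """The sequence the article describes, run against the toy server. Returns
    the attacker's poll results before and after the victim signs in."""
    # 1. Attacker starts the flow and keeps device_code.
    start = server.device_authorization(client_id="mail-client", scope="Mail.Read")
    # 2. The lure (e.g. a fake Teams invite) carries user_code and sends the
    #    victim to the genuine verification_uri. Attacker polls meanwhile.
    before = server.token("mail-client", start["device_code"])
    # 3. Victim signs in normally, MFA included, and types the code.
    server.verification_page(start["user_code"], authenticated_user="victim@contoso.example")
    # 4. Attacker polls again and receives tokens for the victim's account.
    after = server.token("mail-client", start["device_code"])
    return before, after


if __name__ == "__main__":
    before, after = run_phishing_scenario(DeviceAuthServer())
    print(before)           # {'error': 'authorization_pending'}
    print(after["sub"])     # victim@contoso.example
```

Note that the verification page is the only place a defender-side check could sit (for example, showing the user which application and which location started the flow), and the real page does display the application name; the lure works because the victim is primed to expect a sign-in prompt.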

Targets and Impact

The campaign has been active across multiple regions, including Europe, North America, Africa, and the Middle East. Storm-2372's targets span various sectors, such as IT services, defense, telecommunications, health, higher education, and energy. The group's activities align with Russian interests, as assessed by Microsoft with medium confidence.

Technical Advancements in the Attack

Following the publication of Microsoft's report, Storm-2372 adapted their tactics by starting the device code sign-in with the client ID of the Microsoft Authentication Broker rather than an ordinary application. A token issued to that client lets the attackers register a device in Entra ID and obtain a Primary Refresh Token (PRT), which then serves as a durable credential for resources such as email, and the sign-ins are routed through regional proxies so they appear to originate near the victim.

Mitigation Strategies

Organizations are advised to implement several measures to defend against such attacks:

  • Block Device Code Flow: Use a Conditional Access policy with the authentication-flows condition to block device code flow for everyone who does not need it, roll it out in report-only mode first to find legitimate users (typically CLI tooling and headless devices), and scope a narrow exception for them.
  • Enable Multi-Factor Authentication (MFA): MFA remains essential against credential reuse, but on its own it does not stop this attack, because the victim satisfies the MFA prompt during a genuine sign-in. Pair it with sign-in risk policies and phishing-resistant methods rather than relying on it to block device code phishing.
  • Principle of Least Privilege: Limit user permissions to the minimum necessary to reduce the potential impact of a compromised account.
  • Revoke and Monitor: Since access lasts as long as the tokens are valid, revoke refresh tokens (sign-in sessions) for affected users and remove any device the attackers registered, and review sign-in logs for device code sign-ins, especially those from unexpected locations or to the Microsoft Authentication Broker.
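The monitoring and blocking measures above, and the Authentication Broker sign-ins described under "Technical Advancements in the Attack", as an added example that is not Microsoft's tooling: a triage pass over Entra ID sign-in records flagging device code sign-ins, escalating when the client is the Authentication Broker or the country is new for the user, plus a builder for the Conditional Access policy body that blocks the flow. The records are constructed in the shape of the Microsoft Graph `signIn` resource and the app IDs and identities in them are made up, except the broker app ID, which is the value published for Microsoft Authentication Broker; confirm it against a known-good device registration in your own logs before alerting on it. The policy body follows the Graph `conditionalAccessPolicy` schema as I understand it (`conditions.authenticationFlows.transferMethods`); check it against current Graph documentation before use.

```python
"""Triage Entra ID sign-in records for device code flow abuse and build the
Conditional Access policy that blocks the flow. Added example, not Microsoft's
tooling. Records are constructed in the shape of the Microsoft Graph signIn
resource (authenticationProtocol, appId, resourceDisplayName, location, status);
app IDs and identities are made up, except AUTH_BROKER_APP_ID, the published app
ID of Microsoft Authentication Broker (confirm in your own logs before alerting)."""
from collections import defaultdict

AUTH_BROKER_APP_ID = "29d9ed98-a469-4536-ade2-f981bc1d605e"

# Constructed sample: a normal sign-in and a device code sign-in per user.
SAMPLE_SIGNINS = [
    {"createdDateTime": "2025-02-14T08:02:11Z", "userPrincipalName": "alice@contoso.example",
     "appId": "11111111-1111-1111-1111-111111111111", "appDisplayName": "Office Home (constructed)",
     "authenticationProtocol": "none", "resourceDisplayName": "Microsoft Graph",
     "ipAddress": "198.51.100.7", "location": {"countryOrRegion": "NL"}, "status": {"errorCode": 0}},
    {"createdDateTime": "2025-02-14T09:12:03Z", "userPrincipalName": "alice@contoso.example",
     "appId": AUTH_BROKER_APP_ID, "appDisplayName": "Microsoft Authentication Broker",
     "authenticationProtocol": "deviceCode", "resourceDisplayName": "Device Registration Service",
     "ipAddress": "203.0.113.10", "location": {"countryOrRegion": "RO"}, "status": {"errorCode": 0}},
    {"createdDateTime": "2025-02-14T07:45:00Z", "userPrincipalName": "bob@contoso.example",
     "appId": "11111111-1111-1111-1111-111111111111", "appDisplayName": "Office Home (constructed)",
     "authenticationProtocol": "none", "resourceDisplayName": "Microsoft Graph",
     "ipAddress": "198.51.100.9", "location": {"countryOrRegion": "NL"}, "status": {"errorCode": 0}},
    {"createdDateTime": "2025-02-14T10:01:45Z", "userPrincipalName": "bob@contoso.example",
     "appId": "22222222-2222-2222-2222-222222222222", "appDisplayName": "CLI tool (constructed)",
     "authenticationProtocol": "deviceCode", "resourceDisplayName": "Microsoft Graph",
     "ipAddress": "198.51.100.9", "location": {"countryOrRegion": "NL"}, "status": {"errorCode": 0}},
    {"createdDateTime": "2025-02-14T11:30:27Z", "userPrincipalName": "carol@contoso.example",
     "appId": AUTH_BROKER_APP_ID, "appDisplayName": "Microsoft Authentication Broker",
     "authenticationProtocol": "deviceCode", "resourceDisplayName": "Device Registration Service",
     "ipAddress": "203.0.113.44", "location": {"countryOrRegion": "DE"}, "status": {"errorCode": 50126}},
]

SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2}


def baseline_countries(signins):
    """Countries seen per user in successful sign-ins that did not use device code."""
    seen = defaultdict(set)
    for s in signins:
        if s["status"]["errorCode"] == 0 and s["authenticationProtocol"] != "deviceCode":
            seen[s["userPrincipalName"]].add(s["location"]["countryOrRegion"])
    return seen


def triage_device_code(signins):
    """Return findings for every device code sign-in, highest severity first."""
    baseline = baseline_countries(signins)
    findings = []
    for s in signins:
        if s["authenticationProtocol"] != "deviceCode":
            continue
        reasons = ["device code flow sign-in"]
        severity = "medium"                      # legitimate CLI use looks like this
        if s["appId"] == AUTH_BROKER_APP_ID:     # device registration / PRT path
            reasons.append("client is Microsoft Authentication Broker")
            severity = "high"
        country = s["location"]["countryOrRegion"]
        if country not in baseline.get(s["userPrincipalName"], set()):
            reasons.append(f"country {country} not in user's baseline")
            severity = "high"
        if s["status"]["errorCode"] != 0:        # no token was issued
            reasons.append(f"sign-in failed (errorCode {s['status']['errorCode']})")
            severity = "low"
        findings.append({"user": s["userPrincipalName"], "time": s["createdDateTime"],
                         "ip": s["ipAddress"], "app": s["appDisplayName"],
                         "severity": severity, "reasons": reasons})
    findings.sort(key=lambda f: SEVERITY_ORDER[f["severity"]])
    return findings


def block_device_code_policy(exclude_group_ids=()):
    """Body for POST /identity/conditionalAccess/policies that blocks device code
    flow tenant-wide, starting in report-only mode. Schema per Graph docs as
    understood here (assumption: verify authenticationFlows.transferMethods)."""
    return {
        "displayName": "Block device code flow",
        "state": "enabledForReportingButNotEnforced",   # switch to "enabled" after review
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeGroups": list(exclude_group_ids)},
            "applications": {"includeApplications": ["All"]},
            "authenticationFlows": {"transferMethods": "deviceCodeFlow"},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }


if __name__ == "__main__":
    for f in triage_device_code(SAMPLE_SIGNINS):
        print(f["severity"].upper(), f["user"], f["time"], f["ip"], f["app"], "; ".join(f["reasons"]))
```

On the constructed sample, alice's broker sign-in from a country she has never used ranks high, bob's device code sign-in from his usual country through an ordinary client ranks medium, and carol's failed attempt ranks low. For a high finding, the response that actually cuts the attacker off is to revoke the user's sign-in sessions (which invalidates refresh tokens) and delete the newly registered device, since a reset password alone leaves an existing PRT usable.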