Russia-backed threat actors have attacked a wide range of organizations in a device-code phishing campaign that has been active since at least August of 2024.
Microsoft Threat Intelligence warned in a blog post Thursday that a Russia-linked threat group it tracks as Storm-2372 is using a specific phishing technique that games the device-code authentication flows for applications in order to capture tokens, which the attackers then use to gain access to targeted accounts. The post warned that Storm-2372's "active and successful" campaign created lures that mimicked Microsoft Teams, Signal and WhatsApp.
According to Microsoft, Storm-2372 has targeted government entities and organizations in the IT, defense, telecommunications, health, higher education, and energy sectors across Europe, North America, Africa, and the Middle East.
Device codes are numeric or alphanumeric codes that are used to authenticate an account on a device that cannot complete the interactive authentication web flow. In device-code phishing attacks, threat actors prompt the application or service to generate a device code and then trick the targeted users into entering it into a legitimate sign-in portal.
"This grants the actor access and enables them to capture the authentication—access and refresh—tokens that are generated, then use those tokens to access the target's accounts and data," Microsoft Threat Intelligence said in the blog post. "The actor can also use these phished authentication tokens to gain access to other services where the user has permissions, such as email or cloud storage, without needing a password."
Storm-2372 Intensifies the Phishing Campaign
The phishing attacks appear to have escalated. In an update to the post published on Friday, Microsoft warned that in the past 24 hours Storm-2372 had begun using the client ID for Microsoft Authentication Broker, which allows attackers to receive a refresh token. Threat actors can use the refresh token to request another authentication token that registers an actor-controlled device within Microsoft's Entra ID.
"With the same refresh token and the new device identity, Storm-2372 is able to obtain a Primary Refresh Token (PRT) and access an organization's resources," the update said. "We have observed Storm-2372 using the connected device to collect emails."
Microsoft Authentication Broker is a component of the Microsoft Authenticator applications. Cybersecurity Dive contacted Microsoft for comment but the company had not responded at press time.
Volexity observed similar threat activity in which suspected Russian threat actors were using the client IDs for both Microsoft Office and Microsoft Teams. In a blog post last week, the cybersecurity company said the most effective defense against device code phishing attacks is creating conditional access policies that completely prohibit device code authentication for an organization's Microsoft 365 tenant.
The device code techniques are particularly dangerous because the phishing emails don't carry malicious links or attachments and aren't easily identified by cybersecurity products, according to Volexity's post. "Volexity's visibility into targeted attacks indicates this particular method has been far more effective than the combined effort of years of other social-engineering and spear-phishing attacks conducted by the same (or similar) threat actors," the blog post said.
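As an added example, not code from the article, Microsoft or Volexity, the script below shows the detection side of what the article describes: device-code sign-ins that complete through the legitimate portal look like ordinary successful sign-ins, so the signal a defender has is the authentication protocol recorded in the tenant's sign-in logs. It assumes records shaped like the Microsoft Graph `signIn` resource, whose `authenticationProtocol` property is `deviceCode` for device-code flow sign-ins, and it flags successful device-code sign-ins, raising severity when the client application is not one the tenant expects to use that flow (the "unfamiliar client ID" pattern behind the Authentication Broker, Office and Teams observations above). The sample log lines and the allow-list of client app IDs are constructed placeholders.

```python
"""Flag OAuth device-code sign-ins in Entra ID sign-in log records.

Added example (not from the article, Microsoft or Volexity). Assumes
records shaped like the Microsoft Graph `signIn` resource, where
`authenticationProtocol` is "deviceCode" for device-code flow sign-ins.
All sample records and app IDs below are constructed placeholders.
"""
import json
from collections import defaultdict

# Constructed: client apps the tenant knowingly allows to use device-code
# flow (for example a CLI on headless build agents). Placeholder GUID.
EXPECTED_DEVICE_CODE_APPS = {"00000000-0000-0000-0000-00000000aaaa"}

# Constructed sample sign-in records as JSON lines, not real log data.
SAMPLE_LOG = """\
{"userPrincipalName":"alice@example.org","appId":"00000000-0000-0000-0000-00000000aaaa","appDisplayName":"Build CLI","authenticationProtocol":"deviceCode","ipAddress":"203.0.113.10","createdDateTime":"2025-02-13T09:01:00Z","status":{"errorCode":0}}
{"userPrincipalName":"bob@example.org","appId":"00000000-0000-0000-0000-00000000bbbb","appDisplayName":"Collaboration Client","authenticationProtocol":"deviceCode","ipAddress":"198.51.100.7","createdDateTime":"2025-02-13T09:05:00Z","status":{"errorCode":0}}
{"userPrincipalName":"bob@example.org","appId":"00000000-0000-0000-0000-00000000cccc","appDisplayName":"Mail Client","authenticationProtocol":"oAuth2","ipAddress":"198.51.100.7","createdDateTime":"2025-02-13T09:06:00Z","status":{"errorCode":0}}
{"userPrincipalName":"carol@example.org","appId":"00000000-0000-0000-0000-00000000bbbb","appDisplayName":"Collaboration Client","authenticationProtocol":"deviceCode","ipAddress":"192.0.2.44","createdDateTime":"2025-02-13T09:09:00Z","status":{"errorCode":50126}}
"""


def parse_sign_ins(text):
    """Parse JSON-lines sign-in records, skipping blank or malformed lines."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # tolerate a truncated export line rather than abort
    return records


def find_device_code_sign_ins(records, expected_apps=EXPECTED_DEVICE_CODE_APPS):
    """Return findings for successful device-code sign-ins.

    Only records whose protocol is deviceCode and whose status errorCode is 0
    (a completed sign-in) are flagged. Severity is 'high' when the client app
    is not on the tenant's expected list, 'medium' otherwise.
    """
    findings = []
    for r in records:
        if r.get("authenticationProtocol") != "deviceCode":
            continue
        if r.get("status", {}).get("errorCode", 0) != 0:
            continue  # failed attempt; the token was never issued
        severity = "medium" if r.get("appId") in expected_apps else "high"
        findings.append({
            "user": r.get("userPrincipalName"),
            "appId": r.get("appId"),
            "app": r.get("appDisplayName"),
            "ip": r.get("ipAddress"),
            "time": r.get("createdDateTime"),
            "severity": severity,
        })
    return findings


def summarize_by_user(findings):
    """Count device-code sign-ins and high-severity ones per user."""
    per_user = defaultdict(lambda: {"count": 0, "high": 0})
    for f in findings:
        per_user[f["user"]]["count"] += 1
        if f["severity"] == "high":
            per_user[f["user"]]["high"] += 1
    return dict(per_user)


if __name__ == "__main__":
    recs = parse_sign_ins(SAMPLE_LOG)
    hits = find_device_code_sign_ins(recs)
    for f in hits:
        print(f"[{f['severity'].upper()}] {f['time']} {f['user']} via "
              f"{f['app']} ({f['appId']}) from {f['ip']}")
    print(summarize_by_user(hits))
```

Run against a real export, the high-severity findings are the ones to review first; if the tenant has no legitimate device-code use at all, the allow-list can be empty and every hit becomes high, which is also the situation in which the Conditional Access block Volexity recommends costs nothing to apply.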