Russia-linked group Storm-2372 used the device code phishing technique since Aug 2024 to steal login tokens from governments, NGOs, and industries.
Microsoft Threat Intelligence researchers warn that threat actor Storm-2372, likely linked to Russia, has been targeting governments, NGOs, and various industries across multiple regions since August 2024. The attackers employ a phishing technique called “device code phishing,” which tricks users into logging into productivity apps while capturing login tokens that can be used to take over compromised accounts.
“Our ongoing investigation indicates that this campaign has been active since August 2024 with the actor creating lures that resemble messaging app experiences including WhatsApp, Signal, and Microsoft Teams. Storm-2372’s targets during this time have included government, non-governmental organizations (NGOs), information technology (IT) services and technology, defense, telecommunications, health, higher education, and energy/oil and gas in Europe, North America, Africa, and the Middle East.” reads the report published by Microsoft Threat Intelligence. “Microsoft assesses with medium confidence that Storm-2372 aligns with Russian interests, victimology, and tradecraft.”
Device code phishing attacks exploit authentication flows to steal tokens, granting attackers access to accounts and data. Attackers can maintain persistent access while tokens remain valid.
Microsoft researchers spotted phishing messages posing as Microsoft Teams meeting invitations. Upon clicking the meeting invitation embedded in the message, recipients are prompted to authenticate using a threat actor-generated device code.
The attackers then receive the valid access token from the user and use it to steal the authenticated session.
“During the attack, the threat actor generates a legitimate device code request and tricks the target into entering it into a legitimate sign-in page. This grants the actor access and enables them to capture the authentication—access and refresh—tokens that are generated, then use those tokens to access the target’s accounts and data.” continues the report. “The actor can also use these phished authentication tokens to gain access to other services where the user has permissions, such as email or cloud storage, without needing a password. The threat actor continues to have access so long as the tokens remain valid. The attacker can then use the valid access token to move laterally within the environment.”
Once the attackers had compromised an account, they performed lateral movements by sending phishing emails and using Microsoft Graph to search and exfiltrate sensitive emails.
It is interesting to note that immediately after the publication of the report, Microsoft observed Storm-2372 shifting to using the specific client ID for Microsoft Authentication Broker in the device code sign-in flow.
The threat actor uses a client ID to register a device in Entra ID, obtain a Primary Refresh Token, access resources, and collect emails. Microsoft observed the attackers attempting to mask activity with regional proxies.
To mitigate these attacks, organizations are recommended to block device code flow wherever possible, enable MFA, and implement the principle of least privilege.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, newsletter)
