Microsoft: Phishing Attack on Accounts Using Device Code

Recently, FPT Threat Intelligence has detected several sophisticated phishing campaigns targeting the Microsoft 365 accounts of individuals in key organizations. These attacks use device code phishing, abusing a legitimate authentication feature to trick victims into approving attacker-generated device codes, thereby gaining access to mailboxes and important data without needing the password.

Details

When users want to log into an app on a device and forget their password or fail to log in several times, they are directed to a device code authentication flow. This process requires the user to enter a code on another device that has a keyboard, such as a phone or computer.

Hackers exploit this by contacting victims through messaging apps (such as WhatsApp, Signal, or Microsoft Teams), pretending to be a trusted person and inviting them to a meeting or online transaction. The invitation contains a device code, but that code was generated by the hacker. When the victim enters it on the legitimate login page (the Microsoft 365 login page), the system verifies it and issues an access token (and refresh token) as if the victim had successfully logged in.

Since this authentication token acts as a "digital certificate" that grants account access, the hacker can then use it to reach Microsoft services (such as email and cloud storage) without needing a password, for as long as the token remains valid.

How Device Code Authentication Works

Microsoft (and many other services) supports the Device Code Flow authentication method so that devices without a keyboard or browser can sign in to accounts.

Legitimate Process:

  1. User initiates login: When opening an app on a device without a keyboard, the device shows a device code and asks the user to enter this code on an official Microsoft website (e.g., https://microsoft.com/devicelogin).

    Check authorization image

  2. User enters the code on another device: The user uses a computer or phone with a browser to enter the code.

    Number matching image

  3. Microsoft verifies identity: If the code is correct, the user's account is linked to the device, and the device is given an access token to use Microsoft services like email and OneDrive.
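To make the three steps concrete, here is an in-memory model of the OAuth 2.0 device authorization grant (RFC 8628) that the flow above follows. It is an added example written for this article, not Microsoft's code: the code lifetime, code format and the `DeviceAuthServer` class are constructed for illustration. The point it demonstrates is the property the rest of the article turns on: the server can check that a user code exists and has not expired, but it cannot tell whether the person approving it is the same party that requested it, so the tokens always go to whoever holds the matching `device_code`.

```python
import secrets
import string
import time

# Constructed values for this model; Microsoft's real lifetimes and code formats differ.
CODE_LIFETIME_S = 900  # the device/user code pair expires after 15 minutes here
USER_CODE_ALPHABET = string.ascii_uppercase + string.digits


class DeviceAuthServer:
    """In-memory model of the OAuth 2.0 device authorization grant (RFC 8628)."""

    def __init__(self, now=time.time):
        self._now = now
        self._pending = {}       # device_code -> pending authorization record
        self._by_user_code = {}  # user_code -> device_code

    def device_authorization(self, client_id):
        """Step 1: the app on the limited-input device asks for a code pair.
        The secret device_code stays with the requester; only the short
        user_code is meant to be shown to a person."""
        device_code = secrets.token_urlsafe(32)
        user_code = "".join(secrets.choice(USER_CODE_ALPHABET) for _ in range(9))
        self._pending[device_code] = {
            "client_id": client_id,
            "user_code": user_code,
            "expires_at": self._now() + CODE_LIFETIME_S,
            "user": None,
        }
        self._by_user_code[user_code] = device_code
        return {
            "device_code": device_code,
            "user_code": user_code,
            "verification_uri": "https://microsoft.com/devicelogin",
            "expires_in": CODE_LIFETIME_S,
        }

    def approve(self, user_code, user):
        """Step 2: an authenticated user types user_code on the verification page.
        The server checks that the code exists and has not expired; it has no
        way to check whether the approving person is the one who requested it."""
        device_code = self._by_user_code.get(user_code)
        record = self._pending.get(device_code)
        if record is None or record["expires_at"] < self._now():
            return "invalid_or_expired"
        record["user"] = user
        return "approved"

    def token(self, device_code):
        """Step 3: whoever holds device_code polls; once approved, tokens for
        the approving user are returned to that holder."""
        record = self._pending.get(device_code)
        if record is None or record["expires_at"] < self._now():
            return {"error": "expired_token"}
        if record["user"] is None:
            return {"error": "authorization_pending"}
        del self._pending[device_code]
        del self._by_user_code[record["user_code"]]
        return {
            "access_token": f"at-{secrets.token_hex(8)}",
            "refresh_token": f"rt-{secrets.token_hex(8)}",
            "subject": record["user"],
            "issued_to_client": record["client_id"],
        }


def legitimate_flow():
    """The user's own smart-TV app requests the code pair; the user approves it."""
    server = DeviceAuthServer()
    codes = server.device_authorization(client_id="smart-tv-app")
    assert server.token(codes["device_code"]) == {"error": "authorization_pending"}
    server.approve(codes["user_code"], user="alice@example.com")
    return server.token(codes["device_code"])


def code_requested_by_another_party():
    """The pattern the article describes: a different party requests the code
    pair and relays only user_code to Alice, who approves it on the genuine page."""
    server = DeviceAuthServer()
    codes = server.device_authorization(client_id="requester-session")
    server.approve(codes["user_code"], user="alice@example.com")
    # Alice's tokens go to the session holding device_code, not to Alice.
    return server.token(codes["device_code"])


def expired_code():
    """Codes are short-lived: approval after the lifetime fails."""
    clock = [1000.0]
    server = DeviceAuthServer(now=lambda: clock[0])
    codes = server.device_authorization(client_id="smart-tv-app")
    clock[0] += CODE_LIFETIME_S + 1
    return server.approve(codes["user_code"], user="alice@example.com")


if __name__ == "__main__":
    print(legitimate_flow())
    print(code_requested_by_another_party())
    print(expired_code())
```

The expiry check is the one built-in limit on the window of exposure: a user code that is not approved within its lifetime is useless, which is why the lures described later push the victim to enter the code right away.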

According to Microsoft's threat intelligence center, there have been many phishing campaigns recently, possibly run by a Russian hacker group called 'Storm-2372', targeting various organizations and businesses worldwide. Based on the targeting, the victims chosen, and the tradecraft used, researchers have confirmed that this activity is linked to a state-sponsored campaign aligned with Russian interests.

Devices with limited input—those without a keyboard or browser support, like smart TVs and some IoT devices—rely on the device code flow to let users log into an app by entering an authorization code on another device, such as a smartphone or computer.

Microsoft researchers have discovered that since last August, Storm-2372 has exploited this authentication flow by tricking users into entering attacker-generated device codes on legitimate login pages. The group launches the attack after establishing a connection with the target by "impersonating a prominent person related to the target" through messaging platforms like WhatsApp, Signal, and Microsoft Teams.

Storm-2372's scam is to trick victims into entering device codes the group has generated on Microsoft's legitimate login page, which gives the attackers access to the account.

Storm-2372's attack method:

  1. Building trust: Hackers impersonate a trusted person and contact victims through platforms like WhatsApp, Signal, and Teams.

    Screenshots of Signal messages from threat actor

  2. Sending fake meeting invites: They send emails or messages with a Teams meeting invitation that includes a device code they have generated.

    Screenshot of Microsoft Teams lure

  3. Victim enters the code on Microsoft's official page: Since Microsoft supports the Device Code Flow feature, the victim unsuspectingly enters the code at https://microsoft.com/devicelogin.

    Screenshot of device code authentication page

  4. Hackers gain access: Because the hackers created the code beforehand, when the victim enters it, Microsoft grants them account access, allowing full control without further verification.

Why this phishing attack is sophisticated and hard to detect:

  • No need to know the victim's password.

  • Bypasses multi-factor authentication (MFA), because the Device Code flow does not always require it.

  • Allows access to email, OneDrive, and Teams without raising suspicion.

  • Can register the device with Microsoft Entra ID to maintain long-term access.

Recommendations

FPT Threat Intelligence recommends several measures to prevent phishing attacks by Storm-2372:

Review the configuration of the applications and devices used for sign-in, and disable device code authentication wherever it is not necessary.

Apply Conditional Access policies in Microsoft Entra ID: set up policies that clearly define the conditions under which users can sign in, such as IP address, geographic location, and device status (registered and secure).

  • Allow device code login only when the device or network conditions match a trusted list.

  • Adjust the configuration to the organization's specific criteria to limit unauthorized access from unknown sources.
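The following added example (written for this article, not Microsoft's own code or documentation) shows what such a policy looks like as a Microsoft Graph `conditionalAccessPolicy` body, as I understand that schema: the `authenticationFlows.transferMethods` condition scopes the policy to the device code flow alone, `locations` exempts a trusted named location, and the grant control is `block`. The named-location and emergency-account ids are placeholders, and `evaluate` is a local approximation of the include/exclude semantics, used here only to show which constructed sign-in contexts the policy would and would not affect.

```python
# Placeholders: replace with the tenant's own named-location and account ids.
TRUSTED_LOCATION_ID = "<named-location-id-for-corporate-network>"
BREAK_GLASS_ACCOUNT_ID = "<emergency-access-account-object-id>"


def build_policy(state="enabledForReportingButNotEnforced"):
    """Policy body in the shape of the Graph conditionalAccessPolicy resource.
    Starts in report-only mode so the sign-in logs show what it would block
    before it is enforced."""
    return {
        "displayName": "Block device code flow outside trusted locations",
        "state": state,
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeUsers": [BREAK_GLASS_ACCOUNT_ID]},
            "applications": {"includeApplications": ["All"]},
            # Scope the policy to the device code flow only; browser and
            # desktop sign-ins are untouched.
            "authenticationFlows": {"transferMethods": "deviceCodeFlow"},
            "locations": {
                "includeLocations": ["All"],
                "excludeLocations": [TRUSTED_LOCATION_ID],
            },
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }


def _selected(include, exclude, value):
    """Include/exclude list semantics: 'All' selects everything; exclude wins."""
    return (value in include or "All" in include) and value not in exclude


def evaluate(policy, signin):
    """Local approximation of how the policy applies to one sign-in context.
    signin carries user_id, app_id, location_id (the named location the
    sign-in IP resolved to, or 'unknown') and transfer_method
    ('deviceCodeFlow' or 'none'). Returns 'block', 'report-only' or 'allow'."""
    if policy["state"] == "disabled":
        return "allow"
    cond = policy["conditions"]
    users, apps, locs = cond["users"], cond["applications"], cond["locations"]
    if not _selected(users["includeUsers"], users.get("excludeUsers", []), signin["user_id"]):
        return "allow"
    if not _selected(apps["includeApplications"], apps.get("excludeApplications", []), signin["app_id"]):
        return "allow"
    if not _selected(locs["includeLocations"], locs.get("excludeLocations", []), signin["location_id"]):
        return "allow"
    methods = cond.get("authenticationFlows", {}).get("transferMethods", "none")
    if methods != "none":
        wanted = {m.strip() for m in methods.split(",")}
        if signin.get("transfer_method", "none") not in wanted:
            return "allow"
    if "block" not in policy["grantControls"]["builtInControls"]:
        return "allow"
    return "block" if policy["state"] == "enabled" else "report-only"


# Constructed sign-in contexts used to exercise the policy.
SAMPLE_CONTEXTS = {
    "device_code_from_unknown_network": {
        "user_id": "u-alice", "app_id": "app-teams",
        "location_id": "unknown", "transfer_method": "deviceCodeFlow"},
    "device_code_from_office": {
        "user_id": "u-alice", "app_id": "app-teams",
        "location_id": TRUSTED_LOCATION_ID, "transfer_method": "deviceCodeFlow"},
    "browser_from_unknown_network": {
        "user_id": "u-alice", "app_id": "app-outlook",
        "location_id": "unknown", "transfer_method": "none"},
    "break_glass_device_code": {
        "user_id": BREAK_GLASS_ACCOUNT_ID, "app_id": "app-teams",
        "location_id": "unknown", "transfer_method": "deviceCodeFlow"},
}


def decisions(policy):
    return {name: evaluate(policy, ctx) for name, ctx in SAMPLE_CONTEXTS.items()}


if __name__ == "__main__":
    for state in ("enabledForReportingButNotEnforced", "enabled"):
        print(state, decisions(build_policy(state)))
```

Rolling the policy out in report-only state first is deliberate: it surfaces every device code sign-in the policy would block (including legitimate meeting-room and TV devices that nobody remembered) before anyone is locked out, and the emergency-access account is excluded so that a mistake in the trusted location list cannot lock administrators out of the tenant.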

Use the Microsoft Graph 'revokeSignInSessions' action to revoke all refresh tokens of suspected users.

  • Revoking tokens forces users to sign in again, so that previously issued tokens no longer grant unauthorized access.

  • Combine this with Conditional Access policies so that users must re-authenticate from verified safe devices and networks.

Use Microsoft Entra ID sign-in logs to monitor unusual activity:

  • Track large numbers of authentication attempts in a short period. Many consecutive sign-in requests beyond the normal rate could indicate an automated attack (brute force).

  • Monitor device code sign-ins from unidentified IP addresses or from addresses outside the organization's trusted network.

  • Check whether device code authentication requests are being sent to many users at once, as this could also indicate a large-scale attack.
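The three checks above, implemented over exported sign-in records, as an added example written for this article rather than anything from Microsoft or FPT. The record field names follow the Microsoft Graph `signIn` resource as I know it (`createdDateTime`, `userPrincipalName`, `ipAddress`, `authenticationProtocol`, `status.errorCode`); the sample records, the trusted network range and the thresholds are constructed and should be replaced with the organization's own export and baseline.

```python
import json
from collections import Counter
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed thresholds and trusted ranges; tune to the organization's baseline.
TRUSTED_NETWORKS = [ip_network("203.0.113.0/24")]
WINDOW = timedelta(minutes=10)
MAX_ATTEMPTS_PER_USER = 5
MAX_DISTINCT_USERS = 3


def _rec(time_, upn, ip, proto="deviceCode"):
    """Build one constructed sign-in record (JSON line) in Graph signIn shape."""
    return json.dumps({
        "createdDateTime": f"2025-02-14T{time_}Z",
        "userPrincipalName": upn,
        "ipAddress": ip,
        "authenticationProtocol": proto,
        "status": {"errorCode": 0},
    })


# Constructed sample: one user hammered with codes, four more users from the
# same unknown address within minutes, one legitimate office sign-in, and one
# ordinary browser sign-in that the device code checks must ignore.
SAMPLE_SIGNINS = "\n".join(
    [_rec(f"09:0{i // 2}:{'00' if i % 2 == 0 else '30'}", "alice@example.com", "198.51.100.7")
     for i in range(6)]
    + [
        _rec("09:03:00", "bob@example.com", "198.51.100.7"),
        _rec("09:03:20", "carol@example.com", "198.51.100.7"),
        _rec("09:03:40", "dave@example.com", "198.51.100.7"),
        _rec("09:04:00", "erin@example.com", "198.51.100.7"),
        _rec("09:05:00", "frank@example.com", "203.0.113.5"),                  # trusted office range
        _rec("09:06:00", "grace@example.com", "198.51.100.9", proto="oAuth2"),  # browser sign-in
    ]
)


def parse_signins(text):
    """Parse JSON lines into dicts with a parsed timestamp, sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.fromisoformat(rec["createdDateTime"].rstrip("Z"))
        events.append(rec)
    return sorted(events, key=lambda r: r["ts"])


def device_code_events(events):
    return [e for e in events if e.get("authenticationProtocol") == "deviceCode"]


def from_untrusted_ip(events):
    """Check 2: (user, ip) pairs for device code sign-ins outside trusted networks."""
    hits = set()
    for e in device_code_events(events):
        ip = ip_address(e["ipAddress"])
        if not any(ip in net for net in TRUSTED_NETWORKS):
            hits.add((e["userPrincipalName"], e["ipAddress"]))
    return sorted(hits)


def per_user_bursts(events):
    """Check 1: users with more than MAX_ATTEMPTS_PER_USER device code
    sign-ins inside any WINDOW-long sliding window."""
    dc = device_code_events(events)
    flagged = {}
    for e in dc:
        start = e["ts"]
        counts = Counter(x["userPrincipalName"] for x in dc if start <= x["ts"] < start + WINDOW)
        for upn, n in counts.items():
            if n > MAX_ATTEMPTS_PER_USER and n > flagged.get(upn, 0):
                flagged[upn] = n
    return flagged


def max_distinct_users_in_window(events):
    """Check 3: the largest set of distinct users with device code sign-ins
    inside any sliding window, to spot a campaign hitting many users at once."""
    dc = device_code_events(events)
    best = (0, [])
    for e in dc:
        start = e["ts"]
        users = sorted({x["userPrincipalName"] for x in dc if start <= x["ts"] < start + WINDOW})
        if len(users) > best[0]:
            best = (len(users), users)
    return best


def analyze(text):
    events = parse_signins(text)
    n_users, users = max_distinct_users_in_window(events)
    return {
        "device_code_signins": len(device_code_events(events)),
        "untrusted_ip": from_untrusted_ip(events),
        "user_bursts": per_user_bursts(events),
        "many_users_in_window": users if n_users > MAX_DISTINCT_USERS else [],
    }


if __name__ == "__main__":
    print(json.dumps(analyze(SAMPLE_SIGNINS), indent=2))
```

Filtering on `authenticationProtocol == "deviceCode"` first is what keeps the burst and fan-out checks meaningful: ordinary browser and desktop sign-ins are far more numerous, so mixing them in would drown the device code signal that this campaign leaves behind.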

References

  1. Microsoft: Hackers steal emails in device code phishing attacks <https://www.bleepingcomputer.com/news/security/microsoft-hackers-steal-emails-in-device-code-phishing-attacks/>

  2. Storm-2372 conducts device code phishing campaign <https://www.microsoft.com/en-us/security/blog/2025/02/13/storm-2372-conducts-device-code-phishing-campaign/#Update-February-14>


Written by Nguyễn Văn Trung