Storm-2372 Launches Targeted Device Code Phishing Campaign

Summary

Microsoft published a blog revealing that it has identified cyberattacks attributed to a group named Storm-2372. Based on their analysis, they assess with medium confidence that this group is likely aligned with Russian interests and employs related tactics. These attacks, ongoing since August 2024, have targeted various governments, NGOs, and organizations across multiple sectors and regions.

The group is using a phishing method known as "device code phishing" to deceive users into logging into productivity apps. In the process, the Storm-2372 actors capture the login tokens, granting them unauthorized access to compromised accounts. While these phishing attempts utilize Microsoft and other applications as lures, it’s important to note that they do not exploit any specific vulnerabilities within Microsoft's code base, nor do they represent a flaw unique to their services.

Technical Details

Microsoft Threat Intelligence Center (MSTIC) recently uncovered an ongoing device code phishing campaign conducted by the threat actor Storm-2372. This campaign, active since August 2024, has targeted a wide array of sectors, including government, NGOs, IT, defense, telecommunications, healthcare, and energy industries across Europe, North America, Africa, and the Middle East.

Storm-2372’s phishing attempts mimic messaging apps like WhatsApp, Signal, and Microsoft Teams. The attackers exploit the device code authentication process to capture tokens, granting them unauthorized access to target accounts and the data or services associated with those accounts. This technique is particularly effective because the captured tokens can provide persistent access as long as they remain valid.

The specific phishing attack observed in this campaign involves fraudulent Microsoft Teams meeting invitations sent via email. When users click on the invitation, they are prompted to authenticate using a device code generated by the attackers. By interacting with the device code prompt, users inadvertently give the attackers access tokens, allowing them to hijack the authenticated session.

Microsoft assesses with medium confidence that Storm-2372 is aligned with Russian interests based on the victimology and tactics observed. As part of ongoing efforts, Microsoft shares information about these campaigns to raise awareness, provide detection insights, and offer mitigation guidance. This is aimed at helping organizations strengthen their defenses against this growing threat.

In response, Microsoft is tracking Storm-2372's activities closely and directly notifying affected customers, offering guidance on securing their environments. The company is also aware of other threat groups utilizing similar tactics, including those identified by Volexity.

Device code phishing

Device code phishing exploits the device code authentication process, which is commonly used to authenticate on devices that cannot easily complete an interactive sign-in process. Instead, a numeric or alphanumeric code is generated, which the user inputs on a separate device to authenticate their account.

In this attack, threat actors generate a legitimate device code request and trick the target into entering it on a genuine sign-in page. Once the user enters the code, the attackers capture the resulting authentication tokens—both access and refresh tokens—which allow them to access the victim's accounts and data. These tokens also provide access to other services that the user has permission for, such as email or cloud storage, without needing the user’s password. As long as the tokens remain valid, the attacker retains access to the compromised account and can potentially move laterally within the environment to target additional resources.
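The property the paragraph above relies on is a feature of the OAuth 2.0 device authorization grant (RFC 8628): the party that starts the flow holds the secret device_code and later polls the token endpoint, while the human only ever sees the short user_code and a consent page. Whoever approves the user_code never receives the tokens; they go to whichever client holds the device_code. The mock authorization server below is an added example written for this page, not Microsoft's or Entra ID's code; its endpoint names, code formats, the 15-minute lifetime and the client and account names are constructed assumptions chosen to mirror the shape of the real flow. It also records the one signal a defender does get: the resulting sign-in is attributed to the approving account with the protocol marked as device code.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Optional


@dataclass
class PendingAuthorization:
    """One in-flight device authorization request (RFC 8628 section 3.2)."""
    device_code: str                    # secret handle held by the client that started the flow
    user_code: str                      # short code the human types at the verification URI
    client_id: str
    scope: str
    expires_at: float
    approved_by: Optional[str] = None   # UPN of the account that approved the user_code


class MockAuthorizationServer:
    """Constructed minimal authorization server for the device authorization grant.

    It is not Entra ID; endpoint names, code formats and the default 900-second
    lifetime are assumptions chosen to mirror the shape of the real flow.
    """

    def __init__(self, lifetime_seconds: int = 900) -> None:
        self.lifetime_seconds = lifetime_seconds
        self._by_device_code: dict[str, PendingAuthorization] = {}
        self._by_user_code: dict[str, PendingAuthorization] = {}
        self.sign_in_log: list[dict] = []   # what an identity admin later sees in sign-in logs

    def device_authorization(self, client_id: str, scope: str) -> dict:
        """POST /devicecode: start the flow. Only the caller learns device_code."""
        device_code = secrets.token_urlsafe(32)
        user_code = "-".join(secrets.token_hex(2).upper() for _ in range(2))  # e.g. A1B2-C3D4
        rec = PendingAuthorization(device_code, user_code, client_id, scope,
                                   time.time() + self.lifetime_seconds)
        self._by_device_code[device_code] = rec
        self._by_user_code[user_code] = rec
        return {
            "device_code": device_code,
            "user_code": user_code,
            "verification_uri": "https://login.example/device",  # placeholder, not a real URL
            "expires_in": self.lifetime_seconds,
            "interval": 5,
        }

    def user_enters_code(self, user_code: str, upn: str) -> str:
        """The verification page: an already signed-in user types the user_code and consents.

        The page does not tell the user who holds the matching device_code, which is the
        property device code phishing relies on.
        """
        rec = self._by_user_code.get(user_code)
        if rec is None or time.time() > rec.expires_at:
            return "invalid_or_expired"
        if rec.approved_by is not None:
            return "already_used"
        rec.approved_by = upn
        return "approved"

    def token(self, client_id: str, device_code: str) -> dict:
        """POST /token with grant_type=urn:ietf:params:oauth:grant-type:device_code."""
        rec = self._by_device_code.get(device_code)
        if rec is None or rec.client_id != client_id:
            return {"error": "invalid_grant"}
        if time.time() > rec.expires_at:
            return {"error": "expired_token"}
        if rec.approved_by is None:
            return {"error": "authorization_pending"}   # the client keeps polling
        # Tokens are issued to the holder of device_code, not to the browser that approved.
        self._by_device_code.pop(device_code)
        self._by_user_code.pop(rec.user_code)
        self.sign_in_log.append({
            "userPrincipalName": rec.approved_by,
            "appId": client_id,
            "authenticationProtocol": "deviceCode",   # field name as in the Entra signIn resource
        })
        return {
            "token_type": "Bearer",
            "access_token": secrets.token_urlsafe(32),
            "refresh_token": secrets.token_urlsafe(32),
            "expires_in": 3600,
            "scope": rec.scope,
            "issued_for": rec.approved_by,
        }


def walkthrough() -> dict:
    """One flow in which the party that starts it is not the account that approves it."""
    srv = MockAuthorizationServer()
    start = srv.device_authorization(client_id="client-A", scope="Mail.Read")
    pending = srv.token("client-A", start["device_code"])          # authorization_pending
    approval = srv.user_enters_code(start["user_code"], upn="approver@contoso.example")
    tokens = srv.token("client-A", start["device_code"])           # now succeeds for client-A
    return {"pending": pending, "approval": approval, "tokens": tokens, "log": srv.sign_in_log}


if __name__ == "__main__":
    result = walkthrough()
    print("tokens issued for:", result["tokens"]["issued_for"])
    print("sign-in log:", result["log"])
```

The only record the approving user's tenant keeps is the log entry appended in `token()`: a sign-in for that account with the protocol marked as device code and the app identity of the polling client. That is why the hunting and Conditional Access guidance later on this page keys on the device code flow itself rather than on anything the user sees.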

How the Phishing Attack Works

Storm-2372 has been running a device code phishing campaign since August 2024, initially targeting victims through third-party messaging platforms like WhatsApp, Signal, and Microsoft Teams. The group poses as a trusted figure to build rapport with the target before sending invitations to online events or meetings, which are delivered through phishing emails.

These invitations lead the target to a fake device code authentication page that mimics the login experience of legitimate messaging services. By entering the code provided by the attacker (which was included in the fake Teams meeting invitation), the victim unknowingly grants Storm-2372 access to their accounts. This enables the attacker to harvest sensitive data through Graph API, such as emails and other potentially valuable information.

After the victim enters the device code to authenticate, the attacker obtains a valid access token, which allows them to maintain a legitimate session. With this access, Storm-2372 can move laterally within the compromised network by sending additional phishing emails, using the victim's account to target other users within the same organization. These phishing emails contain links for device code authentication, further spreading the attack.

Furthermore, Microsoft has observed Storm-2372 utilizing Microsoft Graph to search the compromised account’s messages. The threat actor conducts keyword searches for terms like "username," "password," "admin," "teamviewer," "anydesk," "credentials," "secret," "ministry," and "gov." Based on these searches, they exfiltrate relevant emails containing sensitive information through Microsoft Graph.

Recommendations

● Allow device code flow only when necessary and configure it in Microsoft Entra ID’s Conditional Access policies.

● Teach users to recognize phishing attempts and ensure sign-in prompts clearly display the authenticated application.

● If Storm-2372 or similar phishing activity is suspected, revoke refresh tokens using revokeSignInSessions and force re-authentication through Conditional Access policies.

● Use sign-in risk policies in Conditional Access to block or enforce MFA based on the risk level of the authentication request.

● Regularly review Risky sign-in reports to identify suspicious access attempts.

● Enforce multi-factor authentication (MFA) to block various threats, even if some attacks attempt to bypass it.

● Implement FIDO tokens or Microsoft Authenticator with passkeys. Avoid telephony-based MFA.

● Use Conditional Access to block legacy authentication methods that don’t support MFA.

● Integrate on-premises and cloud directories and centralize identity data for better monitoring and response.

● Apply least privilege principles and audit privileged account activity to prevent attacks.
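The first, third, fourth and fifth recommendations above fit together as one procedure: find device code sign-ins, decide which ones have no justified use, revoke the refresh tokens for those accounts, and block the flow by policy for everyone who does not need it. The script below is an added example for this page, not Microsoft's code or tooling. The sign-in records are constructed in the shape of the Microsoft Graph `signIn` resource (the field names `authenticationProtocol`, `riskLevelDuringSignIn`, `location.countryOrRegion` and so on are real; every value is invented), the app allowlist and per-user country baselines are assumptions an organization would populate from its own data, and the Conditional Access body follows the documented `conditionalAccessPolicy` schema with the `authenticationFlows.transferMethods` condition as I understand it, so check it against the current Graph reference before deploying. Nothing here sends a request; the functions return the Graph calls so they can be reviewed first.

```python
from dataclasses import dataclass

GRAPH = "https://graph.microsoft.com/v1.0"

# Constructed sign-in records (Entra signIn field names, invented values).
SAMPLE_SIGNINS = [
    {"id": "s1", "createdDateTime": "2025-02-14T08:02:11Z", "userId": "u-alice",
     "userPrincipalName": "alice@contoso.example", "appId": "app-office-constructed",
     "appDisplayName": "Microsoft Office", "ipAddress": "198.51.100.7",
     "location": {"countryOrRegion": "NL"}, "authenticationProtocol": "oAuth2",
     "riskLevelDuringSignIn": "none"},
    {"id": "s2", "createdDateTime": "2025-02-14T08:10:40Z", "userId": "u-alice",
     "userPrincipalName": "alice@contoso.example", "appId": "app-build-agent-constructed",
     "appDisplayName": "Build agent", "ipAddress": "198.51.100.7",
     "location": {"countryOrRegion": "NL"}, "authenticationProtocol": "deviceCode",
     "riskLevelDuringSignIn": "none"},
    {"id": "s3", "createdDateTime": "2025-02-14T09:31:05Z", "userId": "u-bob",
     "userPrincipalName": "bob@contoso.example", "appId": "app-office-constructed",
     "appDisplayName": "Microsoft Office", "ipAddress": "203.0.113.44",
     "location": {"countryOrRegion": "BR"}, "authenticationProtocol": "deviceCode",
     "riskLevelDuringSignIn": "medium"},
    {"id": "s4", "createdDateTime": "2025-02-14T11:02:59Z", "userId": "u-carol",
     "userPrincipalName": "carol@contoso.example", "appId": "app-build-agent-constructed",
     "appDisplayName": "Build agent", "ipAddress": "203.0.113.91",
     "location": {"countryOrRegion": "ZA"}, "authenticationProtocol": "deviceCode",
     "riskLevelDuringSignIn": "none"},
]

# Assumed organizational data: apps with a documented need for device code flow,
# and the countries each user normally signs in from.
DEVICE_CODE_ALLOWED_APPS = {"app-build-agent-constructed"}
USER_BASELINE_COUNTRIES = {"u-alice": {"NL"}, "u-bob": {"NL"}, "u-carol": {"NL", "DE"}}


@dataclass
class Finding:
    sign_in_id: str
    user_id: str
    upn: str
    reasons: list            # empty list means an expected use that still gets reviewed
    action: str              # "review" or "revoke"


def triage_device_code_sign_ins(sign_ins, allowed_apps, baselines):
    """Every device code sign-in is of interest; escalate when anything is off-baseline."""
    findings = []
    for s in sign_ins:
        if s.get("authenticationProtocol") != "deviceCode":
            continue
        reasons = []
        if s["appId"] not in allowed_apps:
            reasons.append(f"app {s['appDisplayName']!r} has no approved device-code use")
        if s.get("riskLevelDuringSignIn") in {"medium", "high"}:
            reasons.append(f"sign-in risk {s['riskLevelDuringSignIn']}")
        country = s.get("location", {}).get("countryOrRegion")
        if country not in baselines.get(s["userId"], set()):
            reasons.append(f"country {country} outside user baseline")
        findings.append(Finding(s["id"], s["userId"], s["userPrincipalName"], reasons,
                                "revoke" if reasons else "review"))
    return findings


def revoke_sessions_request(user_id):
    """The Graph call behind the revocation step: invalidates the user's refresh tokens,
    so access ends once outstanding access tokens expire and re-authentication is forced."""
    return {"method": "POST", "url": f"{GRAPH}/users/{user_id}/revokeSignInSessions", "body": None}


def response_plan(sign_ins, allowed_apps=DEVICE_CODE_ALLOWED_APPS, baselines=USER_BASELINE_COUNTRIES):
    """One revocation request per user with at least one escalated device code sign-in."""
    users = {}   # dict keeps first-seen order and dedupes users with several findings
    for f in triage_device_code_sign_ins(sign_ins, allowed_apps, baselines):
        if f.action == "revoke":
            users.setdefault(f.user_id, f.upn)
    return [revoke_sessions_request(uid) for uid in users]


def block_device_code_policy(exempt_group_ids):
    """Conditional Access policy body that blocks the device code flow tenant-wide except
    for listed groups. Created in report-only mode so the impact can be checked first."""
    return {
        "displayName": "Block device code flow",
        "state": "enabledForReportingButNotEnforced",
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeGroups": list(exempt_group_ids)},
            "applications": {"includeApplications": ["All"]},
            "authenticationFlows": {"transferMethods": "deviceCodeFlow"},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }


if __name__ == "__main__":
    for f in triage_device_code_sign_ins(SAMPLE_SIGNINS, DEVICE_CODE_ALLOWED_APPS, USER_BASELINE_COUNTRIES):
        print(f.sign_in_id, f.upn, f.action, "; ".join(f.reasons))
    print(response_plan(SAMPLE_SIGNINS))
    print(block_device_code_policy(["grp-device-code-exempt-constructed"]))
```

Two design points: the triage treats an allowlisted app from a baseline location as "review" rather than silence, because the first recommendation is to allow the flow only where needed and an allowlist should stay short enough to read; and the policy is created in report-only state so the sign-in report shows which legitimate clients (build agents, CLI tools on headless hosts) would have been blocked before enforcement is turned on.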

Conclusion

Storm-2372's device code phishing campaign, active since August 2024, demonstrates the evolving sophistication of cyberattacks targeting various sectors globally. By exploiting the device code authentication process, the group gains unauthorized access to compromised accounts and sensitive data. This persistent access enables the attackers to move laterally within organizations and target additional resources. Microsoft continues to track these activities closely, providing detection insights and mitigation strategies to help organizations secure their environments. As the threat landscape evolves, organizations must strengthen their defenses by implementing multifactor authentication, educating users, and monitoring for suspicious activities.


Written by

FPT Metrodata Indonesia