
Microsoft has identified Russian hackers masquerading as officials from the US State Department and the Ukrainian Ministry of Defense to steal Microsoft 365 accounts

Microsoft Threat Intelligence Center researchers have uncovered a long-running campaign by Russian government hackers using sophisticated phishing techniques to steal Microsoft 365 accounts.


«The Microsoft Threat Intelligence Center has identified an active and successful device code phishing campaign conducted by attackers known as Storm-2372. Our investigation shows that this campaign has been active since August 2024, when the attacker created decoys that resembled messaging apps, including WhatsApp, Signal, and Microsoft Teams,» the researchers said in a statement.

They said Storm-2372 targets included government and non-government organizations, services and IT, defense, telecommunications, healthcare, higher education, and energy/oil and gas sectors in Europe, North America, Africa, and the Middle East. Microsoft assesses with «medium confidence» that Storm-2372 aligns with Russian interests, victimology, and technology.

What tool did the attackers choose?

Hackers have been using device code phishing, Ars Technica reports. It exploits device code flow, a form of authentication formalized in the OAuth industry standard. Device code flow authentication is designed to register printers, smart TVs, and other similar devices with accounts. These devices typically don’t support browsers, making it difficult to log in using more standard forms of authentication, such as usernames, passwords, and two-factor authentication.

Instead of authenticating the user directly, the restricted device displays an alphabetic or alphanumeric code along with a link to the account provider’s verification page. The user opens the link on a computer or other device that is easier to sign in from and enters the code. The authorization server then issues a token to the restricted device, which registers it with the user’s account.

Device authorization therefore relies on two separate paths: one from the application or code running on the restricted device, which requests permission to sign in, and the other from the browser on the device the user normally uses to sign in to their account.
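To make the two paths concrete, here is an added example (not code from the article, from Microsoft, or from Ars Technica): a minimal in-memory simulation of the OAuth 2.0 Device Authorization Grant (RFC 8628), the “device code flow” described above. The authorization server, the browserless “device”, the verification URL and the user names are all constructed for this example.

```python
"""
Added example: toy simulation of the OAuth 2.0 Device Authorization Grant
(RFC 8628). The server, device, browser session, URL and accounts are all
constructed; nothing here is a real provider's implementation.
"""
import secrets
import string
import time

USER_CODE_ALPHABET = string.ascii_uppercase + string.digits  # e.g. "BDWX-KQ7P"


class AuthorizationServer:
    """Issues (device_code, user_code) pairs and, once approved, tokens."""

    def __init__(self, lifetime_seconds=900, poll_interval=5):
        self.pending = {}  # device_code -> authorization record
        self.lifetime = lifetime_seconds
        self.interval = poll_interval

    def device_authorization(self, client_id, scope, now=None):
        """Path 1: the browserless device asks for a code pair.

        The device keeps the long, secret device_code; the short user_code is
        what a human types into the verification page from any browser.
        """
        now = time.time() if now is None else now
        device_code = secrets.token_urlsafe(32)
        user_code = "-".join(
            "".join(secrets.choice(USER_CODE_ALPHABET) for _ in range(4))
            for _ in range(2)
        )
        self.pending[device_code] = {
            "client_id": client_id,
            "scope": scope,
            "user_code": user_code,
            "expires_at": now + self.lifetime,
            "approved_by": None,
        }
        return {
            "device_code": device_code,
            "user_code": user_code,
            "verification_uri": "https://login.example.test/device",  # constructed
            "expires_in": self.lifetime,
            "interval": self.interval,
        }

    def approve(self, user_code, signed_in_user, now=None):
        """Path 2: a browser already signed in as `signed_in_user` submits the code.

        Note what is NOT checked: nothing ties this browser session to the device
        that requested the code. Whoever holds the matching device_code receives
        a token for `signed_in_user`'s account.
        """
        now = time.time() if now is None else now
        for record in self.pending.values():
            if record["user_code"] == user_code and record["expires_at"] > now:
                record["approved_by"] = signed_in_user
                return True
        return False  # unknown or expired code

    def token(self, device_code, now=None):
        """Path 1 again: the device polls until the code is approved or expires."""
        now = time.time() if now is None else now
        record = self.pending.get(device_code)
        if record is None:
            return {"error": "invalid_grant"}
        if now >= record["expires_at"]:
            del self.pending[device_code]
            return {"error": "expired_token"}
        if record["approved_by"] is None:
            return {"error": "authorization_pending"}
        del self.pending[device_code]  # a device_code is single use
        return {
            "access_token": f"tok-{secrets.token_hex(8)}",
            "token_type": "Bearer",
            "scope": record["scope"],
            "subject": record["approved_by"],
        }


def run_flow(server, client_id, scope, user, now=0.0):
    """Drive both paths end to end and return the device's final token response."""
    grant = server.device_authorization(client_id, scope, now=now)
    server.token(grant["device_code"], now=now + 1)  # -> authorization_pending
    server.approve(grant["user_code"], user, now=now + grant["interval"])
    return server.token(grant["device_code"], now=now + 2 * grant["interval"])


if __name__ == "__main__":
    print(run_flow(AuthorizationServer(), "teams-client", "Mail.Read",
                   "alice@example.test"))
```

The point to notice is in `approve()`: the server learns only that some signed-in user typed the code. It has no way to tell whether the device that requested it belongs to that user or to the person who sent them the code in a chat message.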

How hackers operated

In advisories, both Volexity and Microsoft warn that threat actors working on behalf of the Russian government have been abusing this flow since at least August of last year to take over Microsoft 365 accounts. The attackers masquerade as trusted high-ranking officials and initiate conversations with targeted users on messengers such as Signal, WhatsApp, and Microsoft Teams.

Among the organizations they are impersonating are:

  • US Department of State.
  • Ministry of Defense of Ukraine.
  • Parliament of the European Union.
  • Well-known research institutions.

Image: Example of phishing correspondence with hackers

Once contact is established, attackers ask the user to join a Microsoft Teams meeting, grant access to apps and data as an external Microsoft 365 user, or join a chat in a secure app. The request includes a link and a passcode that the attacker generated using a device under their control.

When the victim clicks the link using a browser authorized to access their Microsoft 365 account and enters the code, the attacker’s device gains access that lasts as long as the authentication tokens remain valid.

The effectiveness of the attacks is largely a result of the ambiguity of the device code authorization user interface: the sign-in page where the victim enters the code gives little indication that the code will grant a separate device, the attacker’s, access to the account. This means it is important for people to pay close attention to the links and the pages they lead to.
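From the defender’s side, the abuse described above leaves a trace: an account that normally signs in interactively suddenly obtains a token through the device code flow, often from a network location the user has never used. The following is an added example, not part of the article and not Microsoft’s or Volexity’s guidance, of a small detection pass over sign-in records. The record schema, field names, IP addresses, accounts and every log line are constructed for this example; they must be mapped onto whatever your identity provider actually exports.

```python
"""
Added example: score device-code sign-ins against a per-user baseline built
from ordinary interactive sign-ins. Schema and sample records are constructed
(assumption), not a real product's log format.
"""
from collections import defaultdict

SAMPLE_SIGNINS = [  # constructed sample data
    {"ts": "2025-02-10T08:02:11Z", "user": "alice@example.test", "protocol": "password+mfa",
     "app": "Outlook", "ip": "198.51.100.23", "country": "UA", "result": "success"},
    {"ts": "2025-02-11T09:15:40Z", "user": "alice@example.test", "protocol": "password+mfa",
     "app": "Microsoft Teams", "ip": "198.51.100.23", "country": "UA", "result": "success"},
    # a device-code token issued to a host the user has never signed in from
    {"ts": "2025-02-12T14:03:27Z", "user": "alice@example.test", "protocol": "deviceCode",
     "app": "Microsoft Teams", "ip": "203.0.113.7", "country": "NL", "result": "success"},
    # an expected device-code sign-in from a meeting-room display on the office network
    {"ts": "2025-02-12T14:10:02Z", "user": "room-display@example.test", "protocol": "deviceCode",
     "app": "Meeting Room Display", "ip": "198.51.100.40", "country": "UA", "result": "success"},
    {"ts": "2025-02-12T16:45:09Z", "user": "bob@example.test", "protocol": "deviceCode",
     "app": "Microsoft Teams", "ip": "203.0.113.7", "country": "NL", "result": "success"},
]

# Assumption: accounts known to use the flow legitimately (shared displays, printers).
DEVICE_CODE_SERVICE_ACCOUNTS = {"room-display@example.test"}


def build_baselines(signins):
    """Per-user set of countries seen on successful, non-device-code sign-ins."""
    baselines = defaultdict(set)
    for rec in signins:
        if rec["result"] == "success" and rec["protocol"] != "deviceCode":
            baselines[rec["user"]].add(rec["country"])
    return baselines


def find_device_code_findings(signins, allowlist=DEVICE_CODE_SERVICE_ACCOUNTS):
    """Return scored findings for successful device-code sign-ins, highest score first."""
    baselines = build_baselines(signins)
    ip_users = defaultdict(set)  # which accounts one IP obtained device-code tokens for
    for rec in signins:
        if rec["protocol"] == "deviceCode" and rec["result"] == "success":
            ip_users[rec["ip"]].add(rec["user"])

    findings = []
    for rec in signins:
        if rec["protocol"] != "deviceCode" or rec["result"] != "success":
            continue
        shared_ip = len(ip_users[rec["ip"]]) > 1
        if rec["user"] in allowlist and not shared_ip:
            continue  # expected use of the flow by a known device account
        score, reasons = 1, ["device-code flow used by a user account"]
        if rec["country"] not in baselines.get(rec["user"], set()):
            score += 2
            reasons.append(f"country {rec['country']} absent from the user's interactive baseline")
        if shared_ip:
            score += 3
            reasons.append(f"IP {rec['ip']} obtained device-code tokens for "
                           f"{len(ip_users[rec['ip']])} different accounts")
        findings.append({"ts": rec["ts"], "user": rec["user"], "ip": rec["ip"],
                         "app": rec["app"], "score": score, "reasons": reasons})
    return sorted(findings, key=lambda f: -f["score"])


def users_needing_token_revocation(findings, threshold=3):
    """Accounts whose findings reach the threshold; candidates for session revocation."""
    return sorted({f["user"] for f in findings if f["score"] >= threshold})


if __name__ == "__main__":
    for finding in find_device_code_findings(SAMPLE_SIGNINS):
        print(finding["score"], finding["user"], finding["ip"], "; ".join(finding["reasons"]))
    print("revoke:", users_needing_token_revocation(find_device_code_findings(SAMPLE_SIGNINS)))
```

Because the article notes that the attacker keeps access for as long as the issued tokens remain valid, disabling the account password alone is not enough; the response for a confirmed hit is to revoke the user’s sessions and refresh tokens so the attacker’s device must re-authenticate. Tenants with no legitimate need for the flow can additionally block it at the identity provider (Microsoft Entra, for instance, exposes device code flow as a Conditional Access authentication-flow condition), which removes the attack surface rather than merely detecting its use.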
