Full Report
Suspected Russian nation-state threat groups have duped multiple victims into granting potentially persistent access to networks via authentication requests and valid tokens. The post Threat researchers spot ‘device code’ phishing attacks targeting Microsoft accounts appeared first on CyberScoop.
Analysis Summary
# Threat Actor: Storm-2372
## Attribution & Identity
Suspected Russia-aligned nation-state threat group. Microsoft assesses with medium confidence that the group's activity aligns with Russia's interests, and tracks the actor under the temporary designation Storm-2372.
## Activity Summary
Storm-2372 has been conducting "device code" phishing attacks since at least August 2024. These attacks aim to dupe victims into granting persistent access via valid authentication requests and tokens. The group has successfully gained initial access, captured authentication tokens, and used them for lateral movement and data theft. They have also engaged in forwarding phishing campaigns from compromised accounts to other users within the organization.
## Tactics, Techniques & Procedures
- **Initial Access/Phishing:** Using convincing lures delivered via messaging apps (Microsoft Teams, WhatsApp, Signal) posing as someone of importance to build rapport.
- **Authentication Phishing:** Disguising phishing emails as Microsoft Teams meeting invitations. The fake meeting ID contained the device code required for authentication.
- **Exploitation of Device Code Flow:** Duping users into entering legitimate, actor-generated device codes into malicious login pages; the valid tokens issued for those codes give the actor initial access.
- **Lateral Movement:** Utilizing captured, valid authentication tokens for movement within the compromised network.
- **Credential/Data Scraping:** Using **Microsoft Graph** to search for emails containing sensitive keywords such as `username`, `password`, `admin`, `teamviewer`, `anydesk`, `credentials`, `secret`, `ministry`, and `gov`.
- **Exfiltration:** Exfiltrating scraped emails via Microsoft Graph.
- **Persistence:** Retaining access for as long as the captured tokens remain valid, which can amount to persistent access.
## Targeting
- **Sectors:** Critical infrastructure organizations, governments, IT services, telecom, health, higher education, and energy sectors.
- **Geography:** Europe, North America, Africa, and the Middle East.
- **Victims:** Organizations operating in the sectors listed above. (Specific organization names were not detailed, but Microsoft confirmed that it was not itself affected.)
## Tools & Infrastructure
- **Malware Families Used:** None explicitly named, but the primary mechanism involves social engineering combined with exploiting the legitimate Microsoft device code authentication flow.
- **Infrastructure:** Attack infrastructure centered around generating legitimate device codes and sending phishing lures via common communication platforms (Microsoft Teams, WhatsApp, Signal).
## Implications
This campaign leverages legitimate Microsoft authentication workflows (device code) in a highly effective and novel social engineering scheme, allowing the actor to bypass traditional perimeter defenses and gain persistent, token-based access. Success in these attacks grants deep access that facilitates lateral movement and sensitive data exfiltration using native cloud APIs (Microsoft Graph). The targeting spans critical national infrastructure sectors globally.
## Mitigations
- **User Education:** Heightened awareness training focusing specifically on recognizing suspicious Microsoft Teams meeting invitations containing embedded codes and validating device code authentication requests independently of the lure link/message.
- **MFA Enforcement/Monitoring:** Strong monitoring and alerting on suspicious device code registrations, especially those initiated from unexpected locations or contexts.
- **API Monitoring:** Enhanced auditing of Microsoft Graph API calls, especially searches utilizing high-value keywords mentioned (credentials, admin, password, etc.) followed immediately by large-scale email exfiltration.
- **Token Management:** Reviewing policies related to the validity and scope of authentication tokens granted via device code flows to limit persistent access potential.
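The two monitoring mitigations above (device code sign-ins from unexpected locations, and Graph searches for the listed keywords followed by bulk mail reads) can be expressed as simple correlation rules. The following is an added example written for this summary, not code from the CyberScoop article or from Microsoft; it runs over constructed, simplified event records whose field names (`protocol`, `country`, `op`, `query`, `count`, `ts`) are assumptions and do not match the real Entra ID sign-in or Graph audit log schema.

```python
"""Detection helpers for the Storm-2372 device-code pattern (added example).

Event records below are constructed and simplified; their field names are
assumptions, not the real Entra ID sign-in or Microsoft Graph audit schema.
"""
from collections import defaultdict

# Keywords the actor searched mailboxes for, as listed in this report.
SENSITIVE_KEYWORDS = {"username", "password", "admin", "teamviewer", "anydesk",
                      "credentials", "secret", "ministry", "gov"}


def suspicious_device_code_signins(events, expected_countries):
    """Return device-code sign-ins originating outside the expected countries."""
    return [e for e in events
            if e.get("protocol") == "deviceCode"
            and e.get("country") not in expected_countries]


def keyword_search_then_bulk_read(events, threshold=100):
    """Return users whose mail search for a sensitive keyword is later
    followed by a single read of at least `threshold` messages."""
    hits = []
    searched = defaultdict(bool)  # user -> has issued a sensitive search
    for e in sorted(events, key=lambda ev: ev["ts"]):
        user = e["user"]
        if e["op"] == "search":
            words = set(e["query"].lower().split())
            if words & SENSITIVE_KEYWORDS:
                searched[user] = True
        elif e["op"] == "read" and searched[user] and e["count"] >= threshold:
            hits.append(user)
    return hits


# Constructed sample data: one expected device-code sign-in, one from an
# unexpected country, one password sign-in that should not match.
SAMPLE_SIGNINS = [
    {"user": "alice@example.org", "protocol": "deviceCode", "country": "US"},
    {"user": "bob@example.org", "protocol": "deviceCode", "country": "XX"},
    {"user": "carol@example.org", "protocol": "password", "country": "XX"},
]

# Constructed Graph activity: only bob searches a listed keyword and then
# reads a large batch of mail; the others miss one half of the pattern.
SAMPLE_GRAPH = [
    {"ts": 1, "user": "bob@example.org", "op": "search", "query": "password admin"},
    {"ts": 2, "user": "bob@example.org", "op": "read", "count": 500},
    {"ts": 3, "user": "alice@example.org", "op": "search", "query": "quarterly report"},
    {"ts": 4, "user": "alice@example.org", "op": "read", "count": 300},
    {"ts": 5, "user": "carol@example.org", "op": "read", "count": 900},
    {"ts": 6, "user": "dave@example.org", "op": "search", "query": "credentials"},
    {"ts": 7, "user": "dave@example.org", "op": "read", "count": 5},
]
```

Both rules are deliberately narrow; in production the keyword check would run against the actual Graph request parameters and the read threshold would be tuned per tenant.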