Researchers from Microsoft have detected cyberattacks launched by a group it tracks as Storm-2372, which Microsoft assesses with medium confidence aligns with Russia’s interests and tradecraft. The attacks appear to have been ongoing since August last year and primarily targeted governments, NGOs, information technology (IT) services and technology, defense, telecommunications, health, higher education, and energy/oil and gas in Europe, North America, Africa, and the Middle East.
The researchers have observed Storm-2372 shifting to using the specific client ID for Microsoft Authentication Broker in the device code sign-in flow. “Using this client ID enables Storm-2372 to receive a refresh token that can be used to request another token for the device registration service, and then register an actor-controlled device within Entra ID. With the same refresh token and the new device identity, Storm-2372 is able to obtain a Primary Refresh Token (PRT) and access an organization’s resources. We have observed Storm-2372 using the connected device to collect emails,” they added.
Moreover, the threat actor has also been observed using proxies that are regionally appropriate for its targets, likely in an attempt to further conceal the suspicious sign-in activity.
Microsoft also detailed that in device code phishing, threat actors exploit the device code authentication flow to capture authentication tokens, which they then use to access target accounts and, from there, to reach data and other services that the compromised account can access. This technique can enable persistent access for as long as the tokens remain valid, which makes it attractive to threat actors.
The device code authentication flow lets a user sign in to an account from an input-constrained device that cannot complete an interactive web-based authentication: the device displays a numeric or alphanumeric code, and the user completes the sign-in by entering that code on another device. In device code phishing, threat actors exploit this flow.
During the attack, the threat actor generates a legitimate device code request and tricks the target into entering the code on a legitimate sign-in page. This grants the actor access and enables them to capture the authentication tokens (access and refresh tokens) that are generated, then use those tokens to access the target’s accounts and data. The actor can also use these phished tokens to reach other services where the user has permission, such as email or cloud storage, without needing a password. The threat actor retains access for as long as the tokens remain valid and can use the valid access token to move laterally within the environment.
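The chain described above, a device code sign-in followed by a token request for the device registration service from the same session, is something a defender can look for in sign-in telemetry. The following is an added example, not code from the Microsoft report: it runs over constructed sign-in records whose field names follow the Entra ID sign-in log schema (authenticationProtocol, appId, resourceDisplayName, ipAddress), flags device code sign-ins by clients the tenant does not expect to use that flow, and raises the severity when a device registration token is issued shortly afterwards from the same address. The allowlist of expected device-code clients is a hypothetical tenant setting, and the broker client ID is a placeholder because the article does not give its value.

```python
"""Added example: flag device code sign-ins and correlate them with a
follow-on token for the Device Registration Service (the refresh-token to
device-registration to PRT chain described in the article).

The records below are constructed sample data shaped like Entra ID sign-in
log entries; EXPECTED_DEVICE_CODE_APPS is a hypothetical per-tenant setting.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical: clients this tenant legitimately expects to use the device
# code flow (for example a command-line tool). The Microsoft Authentication
# Broker is deliberately absent, so a device code sign-in using it is flagged.
EXPECTED_DEVICE_CODE_APPS = {"<tenant-cli-app-id-placeholder>"}
DEVICE_REGISTRATION_RESOURCE = "Device Registration Service"
CORRELATION_WINDOW = timedelta(minutes=30)

# Constructed sample sign-in records (not real telemetry).
SAMPLE_SIGNINS = [
    # Legitimate device code sign-in by the expected CLI client.
    {"time": "2025-02-10T09:01:00", "user": "alice@example.org",
     "authenticationProtocol": "deviceCode",
     "appId": "<tenant-cli-app-id-placeholder>",
     "resourceDisplayName": "Microsoft Graph",
     "ipAddress": "203.0.113.10"},
    # Device code sign-in by an unexpected client (broker ID placeholder)...
    {"time": "2025-02-10T10:15:00", "user": "bob@example.org",
     "authenticationProtocol": "deviceCode",
     "appId": "<broker-client-id-placeholder>",
     "resourceDisplayName": "Microsoft Graph",
     "ipAddress": "198.51.100.7"},
    # ...followed minutes later by a token for the device registration service.
    {"time": "2025-02-10T10:18:00", "user": "bob@example.org",
     "authenticationProtocol": "none",
     "appId": "<broker-client-id-placeholder>",
     "resourceDisplayName": DEVICE_REGISTRATION_RESOURCE,
     "ipAddress": "198.51.100.7"},
    # Unrelated interactive sign-in; not a device code flow.
    {"time": "2025-02-10T11:00:00", "user": "carol@example.org",
     "authenticationProtocol": "oAuth2",
     "appId": "<some-web-app-id-placeholder>",
     "resourceDisplayName": "Microsoft Graph",
     "ipAddress": "192.0.2.44"},
]


def parse_time(value):
    return datetime.fromisoformat(value)


def device_code_signins(records):
    """All sign-ins that used the device code flow."""
    return [r for r in records if r.get("authenticationProtocol") == "deviceCode"]


def correlate_device_registration(records):
    """Return findings for device code sign-ins that look like the abuse chain.

    A finding is raised when the device code client is not on the allowlist,
    and escalated to high severity when the same user obtains a token for the
    Device Registration Service from the same IP within CORRELATION_WINDOW.
    """
    by_user = defaultdict(list)
    for rec in records:
        by_user[rec["user"]].append(rec)

    findings = []
    for user, recs in by_user.items():
        recs.sort(key=lambda r: parse_time(r["time"]))
        for idx, rec in enumerate(recs):
            if rec.get("authenticationProtocol") != "deviceCode":
                continue
            start = parse_time(rec["time"])
            finding = {"user": user, "time": rec["time"], "appId": rec["appId"],
                       "ipAddress": rec["ipAddress"], "severity": "medium",
                       "reasons": []}
            if rec["appId"] not in EXPECTED_DEVICE_CODE_APPS:
                finding["reasons"].append("device code sign-in by unexpected client")
            for later in recs[idx + 1:]:
                delta = parse_time(later["time"]) - start
                if delta > CORRELATION_WINDOW:
                    break
                if (later.get("resourceDisplayName") == DEVICE_REGISTRATION_RESOURCE
                        and later["ipAddress"] == rec["ipAddress"]):
                    minutes = int(delta.total_seconds() // 60)
                    finding["reasons"].append(
                        f"device registration token issued {minutes} min after sign-in")
                    finding["severity"] = "high"
            if finding["reasons"]:
                findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in correlate_device_registration(SAMPLE_SIGNINS):
        print(f["severity"].upper(), f["user"], f["ipAddress"], "; ".join(f["reasons"]))
```

Because the report notes that Storm-2372 uses regionally appropriate proxies, a geolocation anomaly alone is a weak signal; the client identity and the follow-on device registration are the parts of the chain that a proxy does not hide, which is why the example keys on those.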
“Storm-2372’s device code phishing campaign has been active since August 2024,” Microsoft disclosed. “Observed early activity indicates that Storm-2372 likely targeted potential victims using third-party messaging services including WhatsApp, Signal, and Microsoft Teams, falsely posing as a prominent person relevant to the target to develop rapport before sending subsequent invitations to online events or meetings via phishing emails.”
The post also noted that the invitations lure the user into completing a device code authentication request that emulates the experience of the messaging service, which provides Storm-2372 with initial access to victim accounts and enables Graph API data collection activities, such as email harvesting. “On the device code authentication page, the user is tricked into entering the code that the threat actor included as the ID for the fake Teams meeting invitation.”
Once the victim uses the device code to authenticate, the threat actor receives the valid access token. The threat actor then uses this valid session to move laterally within the newly compromised network by sending additional phishing messages containing links for device code authentication to other users through intra-organizational emails originating from the victim’s account.
“Additionally, Microsoft observed Storm-2372 using Microsoft Graph to search through messages of the account they’ve compromised,” the researchers pointed out. “The threat actor was using keyword searching to view messages containing words such as username, password, admin, teamviewer, anydesk, credentials, secret, ministry, and gov. Microsoft then observed email exfiltration via Microsoft Graph of the emails found from these searches.”
With Microsoft identifying Storm-2372 as a suspected nation-state actor aligned with Russian interests, the researchers expect that Storm-2372 will likely continue to approach targets first through third-party messaging services, posing as a prominent individual relevant to the target to develop rapport before sending invites to online events or meetings. These invites lure the user into a device code authentication that grants Storm-2372 initial access and enables Graph API data collection activities such as email harvesting.
Microsoft calls upon organizations to improve their defenses against phishing and other credential theft attacks by requiring multifactor authentication (MFA). While certain attacks such as device code phishing attempt to evade MFA, MFA remains an essential pillar of identity security and is highly effective at stopping a variety of threats. Organizations should also adopt phishing-resistant authentication methods and avoid telephony-based MFA methods, which carry the risks associated with SIM-jacking.
Organizations can also centralize their identity management into a single platform. In a hybrid environment, this means integrating on-premises directories with cloud directories. If an organization uses a third party for identity management, it should ensure this data is being logged in a SIEM (Security Information and Event Management) system or connected to Microsoft Entra, so that malicious identity access can be monitored from a centralized location.
Centralizing identity data also facilitates the implementation of Single Sign On (SSO), gives users a more seamless authentication process, and lets Entra ID’s machine learning models operate on the identity data, so they learn the difference between legitimate and malicious access more quickly. When doing this, it is recommended to synchronize user accounts except for administrative and high-privileged ones, to maintain a boundary between the on-premises environment and the cloud environment in case of a breach.
Organizations must also secure accounts with credential hygiene: practice the principle of least privilege and audit privileged account activity to slow and stop attackers.