
Russia-Linked Group Using Collaboration Apps to Phish Victims

Storm-2372 has been active since last August.


A Russian-linked attack group has targeted governments, NGOs, and a wide range of industries in multiple regions since last August.

According to research by Microsoft into a group named Storm-2372, the attackers targeted potential victims by falsely posing as a prominent person relevant to the target and sending invitations to online events or meetings via phishing emails. This was commonly done using third-party messaging services including WhatsApp, Signal, and Microsoft Teams.

Specifically, the attacks use a phishing technique called “device code phishing” that tricks users into logging into productivity apps while Storm-2372 actors capture the tokens generated by that login, which they can then use to access the compromised accounts.

Device Code Phishing

Microsoft explained that a device code authentication flow uses a numeric or alphanumeric code to authenticate an account from an input-constrained device. Such a device cannot perform an interactive, web-based authentication itself, so the user completes the sign-in on another device.

In device code phishing, threat actors exploit the device code authentication flow to capture authentication tokens. They then use the device code to access target accounts, and further gain access to data and other services that the compromised account has access to.

During the attack, the threat actor generates a legitimate device code request and tricks the target into entering it into a legitimate sign-in page. This grants the actor access and enables them to capture the authentication—access and refresh—tokens that are generated, then use those tokens to access the target’s accounts and data.

The actor can also use these phished authentication tokens to gain access to other services where the user has permissions, such as email or cloud storage, without needing a password. The threat actor continues to have access so long as the tokens remain valid. The attacker can then use the valid access token to move laterally within the environment.

Once the victim uses the device code to authenticate, the threat actor receives the valid access token. The threat actor then uses this valid session to move laterally within the newly compromised network by sending additional phishing messages containing links for device code authentication to other users through intra-organizational emails originating from the victim’s account.

Microsoft pointed out that this tactic does “not reflect an attack unique to Microsoft, nor have we found any vulnerabilities in our code base enabling this activity.”

Human Vigilance

Commenting, Mike Britton, CIO at Abnormal Security, said that for users, defending against these kinds of attacks requires human vigilance: “To protect yourself from device code phishing attacks, always question unexpected login requests or meeting invites,” he said. “This can be done by verifying through a different channel before acting. Never enter a device code from an email or share it with anyone. Legitimate services won’t ask for this unless you initiated the process.”

He also said organisations can reduce risk by disabling or restricting device code sign-ins where they are not needed and, where they are allowed, using Conditional Access policies to limit where and when they work.
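As an added example that is not from the article or from Microsoft, the following Python check illustrates the detection side of the advice above: it scans constructed sign-in records (field names assumed to mirror the Entra ID SigninLogs schema, with authenticationProtocol set to deviceCode for device code sign-ins) and flags device code logins from users who are not expected to use the flow, or from a location the user has not otherwise signed in from.

```python
import json
from collections import defaultdict

# Constructed sample of sign-in log records (field names assumed to mirror the
# Entra ID SigninLogs schema; users, IPs and locations are invented).
SAMPLE_SIGNIN_LOGS = [
    {"userPrincipalName": "alice@example.org", "authenticationProtocol": "none",
     "ipAddress": "203.0.113.10", "location": "GB", "appDisplayName": "Microsoft Teams"},
    {"userPrincipalName": "alice@example.org", "authenticationProtocol": "deviceCode",
     "ipAddress": "198.51.100.7", "location": "NL", "appDisplayName": "Microsoft Office"},
    {"userPrincipalName": "bob@example.org", "authenticationProtocol": "deviceCode",
     "ipAddress": "203.0.113.22", "location": "GB", "appDisplayName": "Azure CLI"},
    {"userPrincipalName": "carol@example.org", "authenticationProtocol": "ropc",
     "ipAddress": "203.0.113.30", "location": "GB", "appDisplayName": "Outlook"},
]


def find_suspicious_device_code_signins(records, allowed_users=frozenset()):
    """Return device code sign-ins that deserve analyst attention.

    A device code sign-in is flagged when the account is not on the allow-list
    of users expected to sign in from input-constrained devices, or when it
    comes from a location the user has never used in a non-device-code sign-in.
    """
    # Baseline: locations each user has signed in from via ordinary flows.
    seen_locations = defaultdict(set)
    for r in records:
        if r.get("authenticationProtocol") != "deviceCode":
            seen_locations[r["userPrincipalName"]].add(r.get("location"))

    findings = []
    for r in records:
        if r.get("authenticationProtocol") != "deviceCode":
            continue
        user = r["userPrincipalName"]
        reasons = []
        if user not in allowed_users:
            reasons.append("device code flow not expected for this user")
        if r.get("location") not in seen_locations[user]:
            reasons.append("location not seen in user's other sign-ins")
        if reasons:
            findings.append({"user": user, "ip": r.get("ipAddress"),
                             "app": r.get("appDisplayName"), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_device_code_signins(SAMPLE_SIGNIN_LOGS, {"bob@example.org"}):
        print(json.dumps(finding))
```

In a real deployment the allow-list would hold the service and admin accounts that legitimately use the flow, and the baseline would be built from a longer history than one batch of records.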



Dan Raywood, Senior Editor, SC Media UK

Dan Raywood is a B2B journalist with more than 20 years of experience, including covering cybersecurity for the past 16 years. He has extensively covered topics from Advanced Persistent Threats and nation-state hackers to major data breaches and regulatory changes.

He has spoken at events including 44CON, Infosecurity Europe, RANT Conference, BSides Scotland, Steelcon and ESET Security Days.

Outside work, Dan enjoys supporting Tottenham Hotspur, managing mischievous cats, and sampling craft beers.
