A suspected Russian-linked threat actor is running an ongoing cybercriminal operation that utilises device code phishing to compromise Microsoft 365 accounts at targeted companies.
Based on reports, the malicious activity primarily targets entities in the government, NGOs, IT services and technology, defence, telecommunications, health, and energy/oil and gas sectors. Moreover, these targeted institutions are commonly based in Europe, North America, Africa, and the Middle East.
The researchers tracking the threat actors behind this new campaign attribute the attackers to Storm-2372.
Based on its interests, victimology, and tradecraft, the researchers are confident that the activity is linked to a nation-state operation and is aligned with Russian interests.
Device code phishing can target users regardless of the device they normally work from.
The technique abuses an authentication flow designed for input-constrained devices, such as smart TVs and some IoT devices, which lets a user sign into an app by typing an authorisation code on a separate device, such as a smartphone or computer.
Since August last year, Microsoft researchers have observed Storm-2372 abusing this authentication flow by tricking users into entering attacker-generated device codes on legitimate sign-in sites.
The threat actors open the attack by falsely posing as a prominent person relevant to the target on messaging platforms such as WhatsApp, Signal, and Microsoft Teams.
The attackers then progressively build rapport before sending a bogus online meeting invitation via email or messaging. In one instance documented by the researchers, the victim received a Teams meeting invitation containing a device code generated by the attacker.
The invitations entice users to complete a device code authentication request that mimics the messaging service’s sign-in experience. Completing it grants Storm-2372 initial access to the victim’s account and enables data collection through the Graph API.
This tactic lets the hackers access the victim’s Microsoft services without a password for as long as the stolen tokens remain valid. Microsoft also reports that the attacker now uses the specific client ID of the Microsoft Authentication Broker during the device code sign-in flow, which allows them to issue fresh tokens.
This opens further attack and persistence opportunities, because the threat actor can use that client ID to register devices with Entra ID, Microsoft’s cloud-based identity and access management product.
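From a defender's side, the sign-in pattern described above (a device code flow, from an address the user has never used interactively, through a broker client that can register devices) is what a hunt over Entra ID sign-in logs should surface. The following is an added example, not code from the article or from Microsoft: it runs a simple triage over constructed sign-in records whose field names follow the Microsoft Graph signIn resource (authenticationProtocol reports "deviceCode" for this flow); the users, addresses and app names are sample values.

```python
import json
from collections import defaultdict

# Constructed Entra ID sign-in records (sample data, not real logs). Field names follow the
# Microsoft Graph signIn resource, whose authenticationProtocol is "deviceCode" when the
# session came from the device authorization flow the article describes.
SAMPLE_SIGNINS = json.loads("""[
 {"userPrincipalName": "alice@example.com", "authenticationProtocol": "oAuth2",
  "appDisplayName": "Microsoft Teams", "ipAddress": "203.0.113.10"},
 {"userPrincipalName": "alice@example.com", "authenticationProtocol": "deviceCode",
  "appDisplayName": "Microsoft Authentication Broker", "ipAddress": "198.51.100.7"},
 {"userPrincipalName": "bob@example.com", "authenticationProtocol": "oAuth2",
  "appDisplayName": "Microsoft Teams", "ipAddress": "203.0.113.44"},
 {"userPrincipalName": "bob@example.com", "authenticationProtocol": "deviceCode",
  "appDisplayName": "Microsoft Azure CLI", "ipAddress": "203.0.113.44"}
]""")

# Clients whose device-code sign-ins deserve the closest look: the article notes the actor
# uses the Microsoft Authentication Broker client to mint fresh tokens and register devices.
HIGH_INTEREST_APPS = {"Microsoft Authentication Broker"}

def interactive_ips(signins):
    """Per-user set of source IPs seen on non-device-code sign-ins: the user's normal footprint."""
    seen = defaultdict(set)
    for s in signins:
        if s["authenticationProtocol"] != "deviceCode":
            seen[s["userPrincipalName"]].add(s["ipAddress"])
    return seen

def flag_device_code_signins(signins):
    """Return one finding per device-code sign-in, with the reasons it stands out and a severity."""
    baseline = interactive_ips(signins)
    findings = []
    for s in signins:
        if s["authenticationProtocol"] != "deviceCode":
            continue
        user = s["userPrincipalName"]
        reasons = ["device code flow used"]
        if s["ipAddress"] not in baseline[user]:
            reasons.append("source IP never seen on this user's interactive sign-ins")
        if s["appDisplayName"] in HIGH_INTEREST_APPS:
            reasons.append("broker client capable of device registration")
        severity = "high" if len(reasons) == 3 else "medium" if len(reasons) == 2 else "low"
        findings.append({"user": user, "app": s["appDisplayName"], "ip": s["ipAddress"],
                         "severity": severity, "reasons": reasons})
    return findings

if __name__ == "__main__":
    for f in flag_device_code_signins(SAMPLE_SIGNINS):
        print(f["severity"].upper(), f["user"], f["app"], f["ip"], "; ".join(f["reasons"]))
```

In the sample, Bob's device-code sign-in from his usual address with a CLI tool is reported as low severity, while Alice's broker sign-in from an unfamiliar address is reported as high; in a real tenant the baseline would be built from weeks of history rather than a handful of records.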
Users should therefore be wary of these new phishing activities to avoid falling victim to such attacks.
