Threat researchers spot ‘device code’ phishing attacks targeting Microsoft accounts

Microsoft threat researchers discovered a series of what they are calling “device code” phishing attacks that allowed a suspected Russia-aligned threat group to gain access to and steal data from critical infrastructure organizations, the company said in research released Thursday.

The group, which Microsoft tracks as Storm-2372, has targeted governments, IT services and organizations operating in the telecom, health, higher education and energy sectors across Europe, North America, Africa and the Middle East.

Microsoft observed attackers generating a legitimate device code sign-in request and then duping targeted users to input the code into a login page for productivity apps. By exploiting the device code authentication flow, Storm-2372 has gained access to targeted systems, captured authentication tokens and used those valid tokens to achieve lateral movement and steal data.

“They’ve been successful in these attacks, though Microsoft itself is not affected,” Sherrod DeGrippo, director of threat intelligence strategy at Microsoft, said in a video summarizing the report’s findings.

Microsoft declined to answer questions about the threat intelligence and did not say how many accounts or organizations have been impacted by the campaign, which started in August 2024.

Storm-2372 likely set phishing lures by targeting potential victims via messaging apps, such as Microsoft Teams, WhatsApp and Signal. Microsoft observed attackers posing as a person of importance to develop false rapport with targets before sending follow-up phishing emails disguised as Microsoft Teams meeting invitations.

The fake Teams meeting invitations have tricked targets to complete a device code authentication request with the code Storm-2372 included as the phony meeting ID. According to Microsoft, this attack chain has allowed Storm-2372 to gain initial access to victim accounts, enabling attackers to use the valid session for lateral movement within the compromised network.

Researchers observed attackers sending intra-organizational phishing emails with device code authentication requests from the compromised account to other users, furthering the scope of access across the network. 

The suspected Russian nation-state threat group also used Microsoft Graph to scrape emails and search for messages containing keywords, including username, password, admin, teamviewer, anydesk, credentials, secret, ministry and gov. “Microsoft then observed email exfiltration via Microsoft Graph of the emails found from these searches,” the report said.

Microsoft said Storm-2372’s techniques could enable persistent access as long as the tokens remain valid. 

The Storm taxonomy is a temporary designation Microsoft attributes to unknown or emerging clusters of threat activity. Microsoft Threat Intelligence Center has a medium-level of confidence that Storm-2372 aligns with Russia’s interests.

Storm-2372’s activities overlap with other threat groups using similar techniques but appear to be distinct from those groups. In late January, Volexity researchers spotted a trio of Russian nation-state threat groups using device code phishing attacks to gain access to highly targeted Microsoft 365 accounts. 

Volexity observed unique post-exploitation activities across these attacks, but all of the compromises were linked to device code authentication phishing lures, the threat intelligence company said in research released Thursday.

Volexity attributes with medium confidence one of the Russia-based threat group’s activities to Midnight Blizzard, a group it tracks as CozyLarch. Researchers acknowledge the activity could all be attributed to the same threat group, but due to variances in operations they are tracking the other clusters of activity as UTA0304 and UTA0307.

In one highly targeted attack on a Volexity customer, an attacker claiming to be a high-ranking official from the Ministry of Defense of Ukraine contacted the victim on Signal and then sent an email designed to look like an invite for a chat on the messaging app Element.

Volexity researchers determined the attacker then duped the victim into clicking a link in an email feigned to be an invite for a secure chat room, but instead it prompted the victim to generate a device code that provided the attacker access to the victim’s account.