Microsoft Warns of Russian-Backed Cyber Offensive Exploiting ‘Device Code Phishing’ to Seize Control of Accounts

Microsoft has warned of a threat actor it tracks as Storm-2372 that has run an active campaign since August 2024. Targets span **government bodies, NGOs, IT services and technology firms, defense, telecommunications, healthcare, higher education, and the energy sector, including oil and gas**, across Europe, North America, Africa, and the Middle East.

Microsoft assesses with medium confidence, from the group's tradecraft, victimology, and targeting, that Storm-2372 operates in line with Russian interests. Before sending any lure the operators build rapport on WhatsApp, Signal, and Microsoft Teams, posing as figures of standing to the target, so that the eventual sign-in request arrives from a contact the victim already trusts.

The core technique is device code phishing, an abuse of the OAuth 2.0 device authorization grant (RFC 8628). That grant exists so an input-constrained client such as a smart TV, a printer, or a command-line tool can sign a user in: the client shows a short code, the user enters it in a browser on another machine, and the client then collects the tokens from the token endpoint. In the phish the attacker plays the client. The victim completes a genuine Microsoft sign-in, yet the resulting access and refresh tokens are issued to the client the attacker started, giving persistent access to the victim's Microsoft 365 account.

How the Attack Works

The attack proceeds in stages:

1. A phishing lure carrying an attacker-generated code
   The actor requests a device code and its matching user code from the Microsoft identity platform, then sends the user code to the victim inside a fake Microsoft Teams meeting invitation with instructions to enter it on the sign-in page. A user code is valid for only 15 minutes, so the lure goes out the moment the code is generated and presses the victim to act immediately.

2. The legitimate sign-in page does the rest
   The victim opens the genuine Microsoft device login page (microsoft.com/devicelogin), enters the code, and completes a normal sign-in, MFA prompt included. Nothing on that page looks wrong, because nothing on it is forged. The identity platform binds the completed authorization to the device code the attacker holds, so the next time the attacker's client polls the token endpoint it receives valid access and refresh tokens for the victim's account.

3. Account access without a password
   With those tokens the attacker talks to Microsoft 365 directly: mail, OneDrive and SharePoint files, and any other service the token's scopes cover. The refresh token mints new access tokens for as long as it remains valid, so the attacker never needs the victim's password. Remediation therefore has to revoke the user's refresh tokens (the Microsoft Graph revokeSignInSessions action) alongside any password reset.

4. Lateral movement by internal phishing
   The compromised mailbox becomes the next lure. The actor sends further phishing messages to colleagues from the victim's own account, which carry far more credibility than external mail, and so extends the foothold across the organization.

5. Mailbox search and exfiltration via Microsoft Graph
   Using the stolen tokens, Storm-2372 calls the Microsoft Graph API to search the compromised mailbox for messages containing keywords such as username, password, admin, credentials, secret, ministry, gov, teamviewer, and anydesk, anything that points to further credentials, government business, or remote-access tooling. Matching messages are then exfiltrated.

Defensive Countermeasures

To reduce exposure to device code phishing, Microsoft recommends the following:

• Block the device code flow wherever it is not needed. In Microsoft Entra ID this is a Conditional Access policy whose Authentication flows condition targets device code flow; scope any exception to the few identities and devices (headless hardware, CLI tooling) that genuinely depend on it.
• Require phishing-resistant MFA (FIDO2 security keys and passkeys, certificate-based authentication, Windows Hello for Business). One caveat a practitioner should keep in mind: the victim authenticates on the genuine Microsoft page, so any MFA method is satisfied and the tokens still reach the attacker. Phishing-resistant MFA shuts down the credential-theft techniques the same actors fall back on; it does not by itself stop device code phishing, which is why blocking the flow comes first.
• Apply least privilege so that a single compromised account exposes only the data and permissions its role requires.

For accounts already affected, revoke the user's refresh tokens (Microsoft Graph revokeSignInSessions, or Revoke-MgUserSignInSession in Microsoft Graph PowerShell) in addition to resetting the password, and review sign-in logs for device code authentications (authenticationProtocol equal to deviceCode) from unfamiliar addresses.
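A hunting pass over sign-in logs is the check that tells you whether the block above came too late. The following is an added example, not code from the original article or from Microsoft: the records are constructed to mimic the Entra ID sign-in log schema (userPrincipalName, authenticationProtocol, ipAddress, location.countryOrRegion, status.errorCode), the user names and addresses are made up, and the scoring rules (unfamiliar country, unfamiliar IP, one IP serving several users' device code sign-ins) are this example's own assumptions about what merits an analyst's attention.

```python
"""Hunt for device code sign-ins in an Entra ID sign-in log export.

Added example, not from the original article or from Microsoft. The records
are constructed to mimic the Entra sign-in log schema (userPrincipalName,
authenticationProtocol, ipAddress, location.countryOrRegion, status.errorCode);
the scoring rules are this example's own assumptions about what merits review.
"""
from collections import defaultdict

CONSTRUCTED_SIGNIN_LOGS = [
    # Routine interactive sign-ins that establish each user's baseline.
    {"createdDateTime": "2024-09-03T07:50:02Z", "userPrincipalName": "c.okafor@contoso.example",
     "authenticationProtocol": "none", "ipAddress": "203.0.113.55",
     "location": {"countryOrRegion": "GB"}, "appDisplayName": "Microsoft Teams",
     "status": {"errorCode": 0}},
    {"createdDateTime": "2024-09-03T08:02:11Z", "userPrincipalName": "a.jones@contoso.example",
     "authenticationProtocol": "none", "ipAddress": "203.0.113.10",
     "location": {"countryOrRegion": "GB"}, "appDisplayName": "Outlook Web",
     "status": {"errorCode": 0}},
    # Device code sign-ins: two users, same unfamiliar IP, within a minute.
    {"createdDateTime": "2024-09-03T08:05:40Z", "userPrincipalName": "a.jones@contoso.example",
     "authenticationProtocol": "deviceCode", "ipAddress": "198.51.100.7",
     "location": {"countryOrRegion": "NL"}, "appDisplayName": "Microsoft Office",
     "status": {"errorCode": 0}},
    {"createdDateTime": "2024-09-03T08:06:15Z", "userPrincipalName": "b.lee@contoso.example",
     "authenticationProtocol": "deviceCode", "ipAddress": "198.51.100.7",
     "location": {"countryOrRegion": "NL"}, "appDisplayName": "Microsoft Office",
     "status": {"errorCode": 0}},
    # A failed attempt (constructed nonzero errorCode, i.e. did not succeed)
    # and a routine device code sign-in from a developer's usual address.
    {"createdDateTime": "2024-09-03T08:40:00Z", "userPrincipalName": "d.smith@contoso.example",
     "authenticationProtocol": "deviceCode", "ipAddress": "198.51.100.7",
     "location": {"countryOrRegion": "NL"}, "appDisplayName": "Microsoft Office",
     "status": {"errorCode": 1}},
    {"createdDateTime": "2024-09-03T09:10:33Z", "userPrincipalName": "c.okafor@contoso.example",
     "authenticationProtocol": "deviceCode", "ipAddress": "203.0.113.55",
     "location": {"countryOrRegion": "GB"}, "appDisplayName": "Azure CLI",
     "status": {"errorCode": 0}},
]


def _succeeded(rec):
    return rec.get("status", {}).get("errorCode", 0) == 0


def hunt_device_code_signins(records):
    """Return one finding per successful deviceCode sign-in, enriched with
    context that separates an attacker-initiated flow from routine use."""
    baseline_countries, baseline_ips = defaultdict(set), defaultdict(set)
    for rec in records:
        if _succeeded(rec) and rec["authenticationProtocol"] != "deviceCode":
            upn = rec["userPrincipalName"]
            baseline_countries[upn].add(rec["location"]["countryOrRegion"])
            baseline_ips[upn].add(rec["ipAddress"])

    device_code = [r for r in records
                   if _succeeded(r) and r["authenticationProtocol"] == "deviceCode"]
    users_per_ip = defaultdict(set)
    for rec in device_code:
        users_per_ip[rec["ipAddress"]].add(rec["userPrincipalName"])

    findings = []
    for rec in device_code:
        upn, ip = rec["userPrincipalName"], rec["ipAddress"]
        country = rec["location"]["countryOrRegion"]
        reasons = []
        if country not in baseline_countries[upn]:
            reasons.append("country absent from the user's interactive sign-ins")
        if ip not in baseline_ips[upn]:
            reasons.append("ip absent from the user's interactive sign-ins")
        if len(users_per_ip[ip]) > 1:
            reasons.append(f"ip shared by {len(users_per_ip[ip])} device-code users")
        findings.append({"user": upn, "time": rec["createdDateTime"], "ip": ip,
                         "country": country, "app": rec["appDisplayName"],
                         "severity": "high" if reasons else "medium",
                         "reasons": reasons})
    # High-severity findings first, then chronological.
    findings.sort(key=lambda f: (f["severity"] != "high", f["time"]))
    return findings


if __name__ == "__main__":
    for f in hunt_device_code_signins(CONSTRUCTED_SIGNIN_LOGS):
        print(f["severity"].upper(), f["user"], f["time"], f["ip"], f["country"], f["app"])
        for reason in f["reasons"]:
            print("   -", reason)
```

Every successful device code sign-in is reported, because once the flow is blocked by policy each one is an exception worth knowing about; the baseline comparison only decides what to look at first. On the constructed data the two sign-ins from the shared Dutch address rank high, the developer's Azure CLI login from their usual address ranks medium, and the failed attempt is dropped. In Microsoft Sentinel the same first cut is `SigninLogs | where AuthenticationProtocol == "deviceCode"`; the enrichment is what turns that list into a triage order.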

Storm-2372 shows how a standards-compliant sign-in flow becomes an attack path when the party that starts the flow is not the party asked to authenticate. The controls above are configuration changes rather than new tooling; the useful step is to apply them before a lure lands, not after.
