In a sophisticated cyberattack campaign, a threat actor tracked as Storm-2372 has been abusing Microsoft Teams meeting invites to run ‘device code phishing’ scams.
The operation has been under observation since August 2024. It targets a wide range of victims, including government agencies, NGOs, IT service providers, defense organizations, telecommunications companies, hospitals, educational institutions, and energy companies across Europe, North America, Africa, and the Middle East.
Device code phishing exploits the OAuth 2.0 Device Authorization Grant flow (RFC 8628), a mechanism designed for devices with limited input capabilities, such as IoT devices or smart TVs.
Normally, a user authenticates by entering the device code on a secondary device that has a proper keyboard and browser. In this case, Storm-2372 twists the entire process in order to steal authentication tokens.
The attack begins with Storm-2372 making a legitimate device code request through Microsoft’s API. Phishing emails are then distributed under the guise of Microsoft Teams meeting invites, asking recipients to authenticate with the supplied device code on Microsoft’s official login page.
After the victim completes the authentication process, the access and refresh tokens generated during that transaction are issued to the party that initiated the device code request, so they go to the attackers rather than to the victim.
Microsoft’s Threat Intelligence Center (MSTIC) assesses with moderate confidence that Storm-2372 aligns with Russian interests and tactics.
Microsoft proposed the following countermeasures to help prevent such attacks.
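To make the token-routing property above concrete, here is an added example (not Microsoft's implementation, and not code from the article) of a minimal RFC 8628 authorization server with its three steps: the initiator's device authorization request, the human's entry of the user code on the verification page, and the initiator's polling of the token endpoint. Everything is in-memory; the verification URI, the 900-second lifetime, the user-code format and the `device_code_allowed` policy hook (a stand-in for a Conditional Access style rule that blocks the device code flow) are assumptions chosen for this example. The point it shows is that the tokens are released to whoever holds `device_code`, regardless of who typed `user_code`, and that expiry and a policy block are the server-side places where the flow can be stopped.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Optional

# Parameters chosen for this example; the real service sets its own values.
DEVICE_CODE_TTL = 900    # seconds before a pending device code expires
POLL_INTERVAL = 5        # seconds a client should wait between token polls


@dataclass
class DeviceSession:
    client_id: str
    user_code: str
    created: float
    authorized_user: Optional[str] = None   # set once someone enters user_code on the login page
    redeemed: bool = False


class AuthorizationServer:
    """Minimal RFC 8628 authorization server. `clock` is injectable so expiry can be tested."""

    def __init__(self, clock: Callable[[], float] = time.time,
                 device_code_allowed: Callable[[str, str], bool] = lambda client, user: True):
        self.clock = clock
        self.device_code_allowed = device_code_allowed   # hypothetical policy hook (client_id, user) -> bool
        self.by_device_code: dict[str, DeviceSession] = {}
        self.by_user_code: dict[str, str] = {}

    # Step 1: device authorization request, made by the party that STARTS the flow
    def device_authorization(self, client_id: str) -> dict:
        device_code = secrets.token_urlsafe(32)                                  # secret; stays with the initiator
        user_code = "-".join(secrets.token_hex(2).upper() for _ in range(2))    # short code shown to a human
        self.by_device_code[device_code] = DeviceSession(client_id, user_code, self.clock())
        self.by_user_code[user_code] = device_code
        return {"device_code": device_code, "user_code": user_code,
                "verification_uri": "https://login.example/device",             # placeholder URI
                "expires_in": DEVICE_CODE_TTL, "interval": POLL_INTERVAL}

    # Step 2: verification page, where the person GIVEN user_code signs in (MFA included) and types it
    def authorize_user_code(self, user_code: str, signed_in_user: str) -> str:
        device_code = self.by_user_code.get(user_code)
        if device_code is None:
            return "invalid_code"
        session = self.by_device_code[device_code]
        if self.clock() - session.created > DEVICE_CODE_TTL:
            return "expired"
        session.authorized_user = signed_in_user
        return "ok"

    # Step 3: token endpoint, polled by whoever holds device_code; the tokens are issued HERE
    def token(self, device_code: str) -> dict:
        session = self.by_device_code.get(device_code)
        if session is None or session.redeemed:
            return {"error": "invalid_grant"}
        if self.clock() - session.created > DEVICE_CODE_TTL:
            return {"error": "expired_token"}
        if session.authorized_user is None:
            return {"error": "authorization_pending"}
        if not self.device_code_allowed(session.client_id, session.authorized_user):
            return {"error": "access_denied"}   # policy blocks the device code flow for this user
        session.redeemed = True
        return {"token_type": "Bearer", "access_token": secrets.token_urlsafe(24),
                "refresh_token": secrets.token_urlsafe(24), "subject": session.authorized_user}


def run_flow(policy: Callable[[str, str], bool] = lambda client, user: True,
             clock: Callable[[], float] = time.time) -> dict:
    """Walk the three steps with two parties: the initiator (holds device_code) and the user who enters user_code."""
    srv = AuthorizationServer(clock, policy)
    grant = srv.device_authorization("initiator-client")               # initiator starts the flow
    pending = srv.token(grant["device_code"])                           # polls before anyone has signed in
    srv.authorize_user_code(grant["user_code"], "user@example.org")     # a different party enters the code
    result = srv.token(grant["device_code"])                            # initiator polls again and gets the tokens
    return {"pending": pending, "result": result, "server": srv, "grant": grant}


if __name__ == "__main__":
    out = run_flow()
    print("first poll:", out["pending"])
    print("after user entered code, issued to initiator for subject:", out["result"].get("subject"))
    print("with flow blocked by policy:", run_flow(policy=lambda c, u: False)["result"])
```

Running the script prints `authorization_pending` for the first poll, then a token whose `subject` is the user who typed the code although the initiator never authenticated; with the policy returning `False` the same sequence ends in `access_denied`, which is the server-side equivalent of restricting the flow.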
Organizations should restrict the device code authentication flow if they need to enable it at all. Staff should be trained to recognize and report phishing emails and unexpected application prompts during sign-in. Organizations are also advised to enforce multi-factor authentication (MFA) and to block risky sign-ins based on user behavior; since the victim completes the sign-in, including MFA, on the genuine login page in this flow, MFA alone does not stop device code phishing, and phishing-resistant alternatives such as FIDO tokens or passkeys are preferable to SMS-based MFA.
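Restricting the flow only helps if you can also see where it is being used. The following is an added example (not from the article and not Microsoft's tooling) of a small triage routine that reads sign-in records, keeps those whose `authenticationProtocol` is `deviceCode`, and ranks them by whether the sign-in succeeded and whether it came from a corporate egress range. The records are constructed for this example and only borrow a handful of field names from the Microsoft Entra sign-in log schema; the corporate address range is an assumption a real deployment would replace with its own.

```python
import ipaddress
import json

# Constructed sample records, shaped after a few fields of the Microsoft Entra sign-in log
# (createdDateTime, userPrincipalName, authenticationProtocol, ipAddress, appDisplayName,
# status.errorCode). All values are made up for this example.
SAMPLE_SIGNINS = """
{"createdDateTime": "2025-02-10T09:14:02Z", "userPrincipalName": "alice@example.org", "authenticationProtocol": "deviceCode", "ipAddress": "203.0.113.44", "appDisplayName": "Microsoft Teams", "status": {"errorCode": 0}}
{"createdDateTime": "2025-02-10T09:15:10Z", "userPrincipalName": "alice@example.org", "authenticationProtocol": "none", "ipAddress": "198.51.100.7", "appDisplayName": "Office 365 Exchange Online", "status": {"errorCode": 0}}
{"createdDateTime": "2025-02-10T11:02:33Z", "userPrincipalName": "bob@example.org", "authenticationProtocol": "deviceCode", "ipAddress": "198.51.100.9", "appDisplayName": "Azure CLI", "status": {"errorCode": 0}}
{"createdDateTime": "2025-02-10T11:40:00Z", "userPrincipalName": "carol@example.org", "authenticationProtocol": "deviceCode", "ipAddress": "203.0.113.80", "appDisplayName": "Microsoft Office", "status": {"errorCode": 50126}}
""".strip()

# Constructed allowlist of corporate egress ranges (assumption for this example).
CORPORATE_RANGES = [ipaddress.ip_network("198.51.100.0/24")]

SEVERITY_ORDER = ("high", "medium", "low")


def parse_signins(text: str) -> list[dict]:
    """Parse newline-delimited JSON records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def is_corporate(ip: str) -> bool:
    """True if the address falls inside one of the allowlisted ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CORPORATE_RANGES)


def triage_device_code_signins(records: list[dict]) -> list[dict]:
    """Keep only device code sign-ins and rank them for review.

    high   - succeeded from an address outside the corporate ranges
    medium - succeeded from a corporate address (legitimate CLI or smart-TV use is possible, still worth a look)
    low    - did not succeed (non-zero status.errorCode)
    """
    findings = []
    for rec in records:
        if rec.get("authenticationProtocol") != "deviceCode":
            continue
        succeeded = rec.get("status", {}).get("errorCode", 0) == 0
        if not succeeded:
            severity = "low"
        elif is_corporate(rec["ipAddress"]):
            severity = "medium"
        else:
            severity = "high"
        findings.append({"user": rec["userPrincipalName"], "time": rec["createdDateTime"],
                         "ip": rec["ipAddress"], "app": rec["appDisplayName"], "severity": severity})
    # Stable sort: highest severity first, original order preserved within a tier.
    return sorted(findings, key=lambda f: SEVERITY_ORDER.index(f["severity"]))


def users_needing_review(findings: list[dict]) -> list[str]:
    """Users with at least one successful device code sign-in from outside the corporate ranges."""
    return sorted({f["user"] for f in findings if f["severity"] == "high"})


if __name__ == "__main__":
    results = triage_device_code_signins(parse_signins(SAMPLE_SIGNINS))
    for f in results:
        print(f"{f['severity']:6} {f['time']} {f['user']:20} {f['ip']:15} {f['app']}")
    print("review:", users_needing_review(results))
```

On the constructed input this flags alice's successful device code sign-in from outside the allowlist as high, bob's from a corporate address as medium, and carol's failed attempt as low; alice's ordinary Exchange sign-in is ignored because it did not use the device code protocol. In production the same filter would be applied to exported sign-in logs or expressed as a query in the log platform, and the "high" tier is where token revocation and a password reset for the affected user would be considered.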