According to Microsoft, a Russian-affiliated threat actor known as Storm-2372 has been utilizing device code phishing to compromise accounts by targeting both public and private entities worldwide.
The campaign has been going on since at least August 2024 and targets NGOs across Africa, Europe, the Middle East, and North America, as well as organizations in the government, IT, defense, telecom, health, education, and energy sectors.
To authenticate an account from a device that is unable to perform interactive authentication, the device code authentication flow uses a numeric or alphanumeric code.
In a device code phishing attack, the threat actor requests a device code from the targeted service and persuades the victim to enter it on a genuine sign-in page. The attacker can then retrieve and misuse the access token that the targeted service generates to gain access to the target’s accounts and data.

With the tokens, the threat actor can move laterally and gain password-free access to cloud storage and email services that the victim is authorized to use.
According to Microsoft, “this attack technique could enable persistent access as long as the tokens remain valid, making this technique attractive to threat actors.”
In the course of the attacks, Storm-2372, a Russian state-sponsored threat actor identified by Microsoft, created phishing emails with phony invitations to Microsoft Teams meetings with the intention of stealing the victims’ authenticated sessions by tricking them into completing device code authentication requests.
Microsoft notes that “Storm-2372 probably used third-party messaging services like WhatsApp, Signal, and Microsoft Teams to target potential victims, assuming the identity of a well-known individual who was relevant to the target in order to establish rapport before sending subsequent invitations to online events or meetings via phishing emails.”

According to Microsoft, after successfully obtaining an authentication token, the threat actor would access the victim’s account and misuse it to send more device code phishing messages to other users inside the company.
Additionally, Storm-2372 was observed utilizing Microsoft Graph to look for emails “containing words such as username, password, admin, teamviewer, anydesk, credentials, secret, ministry, and gov” in the victims’ inboxes. Any emails that were discovered during these searches were then exfiltrated.
On February 13, the threat actor began using the specific client ID for Microsoft Authentication Broker in the device code authentication flow in order to obtain a refresh token, which they could then use to obtain another token to register their own devices with Entra ID.

Storm-2372 can acquire a Primary Refresh Token (PRT) and gain access to an organization’s resources by using the same refresh token and the new device identification. We have seen Storm-2372 gather emails using the linked gadget. In an effort to further hide the questionable sign-in behavior, the attacker has also been shown to employ proxies that are suitable for the targets’ area, according to Microsoft.
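The following triage sketch is an added example, not code from Microsoft or Volexity. It flags successful device code sign-ins and escalates those made through the Microsoft Authentication Broker client. The flattened field names (modeled on the Microsoft Graph signIn resource), the allow-list and all sample records are assumptions constructed for illustration.

```python
# Constructed sample records shaped like flattened Entra ID sign-in log entries.
# Field names are an assumption modeled on the Microsoft Graph signIn resource;
# check them against your own log export. errorCode 0 = success; 1 is a
# constructed non-zero failure value.
SAMPLE_SIGNINS = [
    {"userPrincipalName": "alice@example.org", "authenticationProtocol": "deviceCode",
     "appDisplayName": "Microsoft Office", "errorCode": 0, "ipAddress": "198.51.100.7"},
    {"userPrincipalName": "bob@example.org", "authenticationProtocol": "deviceCode",
     "appDisplayName": "Microsoft Authentication Broker", "errorCode": 0, "ipAddress": "203.0.113.9"},
    {"userPrincipalName": "kiosk-svc@example.org", "authenticationProtocol": "deviceCode",
     "appDisplayName": "Microsoft Azure CLI", "errorCode": 0, "ipAddress": "192.0.2.10"},
    {"userPrincipalName": "carol@example.org", "authenticationProtocol": "oAuth2",
     "appDisplayName": "Microsoft Teams", "errorCode": 0, "ipAddress": "192.0.2.44"},
    {"userPrincipalName": "dave@example.org", "authenticationProtocol": "deviceCode",
     "appDisplayName": "Microsoft Office", "errorCode": 1, "ipAddress": "198.51.100.8"},
]

BROKER_APP = "Microsoft Authentication Broker"
# Hypothetical allow-list: accounts that legitimately use the device code flow.
EXPECTED_USERS = frozenset({"kiosk-svc@example.org"})


def triage(records, expected_users=EXPECTED_USERS):
    """Return findings for successful device code sign-ins, highest severity first."""
    findings = []
    for rec in records:
        if rec.get("authenticationProtocol") != "deviceCode":
            continue  # other flows are out of scope here
        if rec.get("errorCode") != 0:
            continue  # failed sign-in: no token was issued
        user = rec.get("userPrincipalName", "").lower()
        app = rec.get("appDisplayName", "")
        if app == BROKER_APP:
            severity = "high"    # broker client can lead to device registration
        elif user not in expected_users:
            severity = "medium"  # device code flow from an unexpected account
        else:
            continue
        # Source country is deliberately not used as a signal: the article notes
        # the actor uses proxies appropriate to the target's region.
        findings.append({"user": user, "app": app,
                         "ip": rec.get("ipAddress"), "severity": severity})
    return sorted(findings, key=lambda f: f["severity"])  # "high" sorts before "medium"


if __name__ == "__main__":
    for finding in triage(SAMPLE_SIGNINS):
        print(finding)
```
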
Since January 2025, attacks targeting the US State Department, Ukrainian Ministry of Defense, European Union Parliament, and numerous academic institutes have employed the device code phishing tactic, according to cybersecurity firm Volexity.
The attacks may have been carried out by a single threat actor, according to Volexity, which also detected three other Russia-affiliated threat actors using the technique: CozyLarch (previously tracked as APT29, Cozy Bear, and Midnight Blizzard), UTA0304, and UTA0307.
