A hacking outfit potentially linked to Russia is running an active operation that uses device code phishing to target Microsoft 365 accounts of individuals at organisations of interest. The targets are in the government, non-governmental organisations (NGOs), IT services and technology, defence, telecommunications, health, and energy/oil and gas sectors in Europe, North America, Africa, and the Middle East.
Microsoft Threat Intelligence Centre is tracking the threat actors behind the device code phishing effort as 'Storm-237'. Based on targets, victimology, and tradecraft, the researchers are confident that the activity is linked to a nation-state operation that serves Russia's interests.
Device code phishing assaults
Input-constrained devices, such as smart TVs and some IoTs, use a code authentication flow to allow users to sign into an app by typing an authorization code on a different device, such as a smartphone or computer.
Since last August, Microsoft researchers noticed that Storm-2372 has been exploiting this authentication flow by deceiving users into submitting attacker-generated device numbers on legitimate sign-in sites. The operatives launch the attack after "falsely posing as a prominent person relevant to the target" via messaging systems such as WhatsApp, Signal, and Microsoft Teams.
The malicious actor progressively builds rapport before sending a bogus online meeting invitation via email or messaging. According to the researchers, the victim receives a Teams meeting invitation including a device code generated by the attacker.
"The invitations lure the user into completing a device code authentication request emulating the experience of the messaging service, which provides Storm-2372 initial access to victim accounts and enables Graph API data collection activities, such as email harvesting," Microsoft noted.
This allows the attackers to access the victim's Microsoft services (email, cloud storage) without requiring a password for as long as the stolen tokens are valid. However, Microsoft claims that the perpetrator is currently employing a specific client ID for Microsoft Authentication Broker during the device code sign-in flow, allowing them to issue fresh tokens.
This opens up new attack and persistence opportunities, as the threat actor can utilise the client ID to register devices with Entra ID, Microsoft's cloud-based identity and access management product.
"With the same refresh token and the new device identity, Storm-2372 is able to obtain a Primary Refresh Token (PRT) and access an organization’s resources. We have observed Storm-2372 using the connected device to collect emails," Microsoft added.