Hackers Abusing Microsoft Teams Meeting Invites to Trick Victims for Gaining Access


In a sophisticated cyberattack campaign, a threat actor identified as Storm-2372 has been leveraging Microsoft Teams meeting invites to execute “device code phishing” attacks. 

This campaign, observed since August 2024, targets governments, NGOs, IT services, defense, telecommunications, health, education, and energy sectors across Europe, North America, Africa, and the Middle East. 

Microsoft’s Threat Intelligence Center (MSTIC) assesses with medium confidence that Storm-2372 aligns with Russian interests and tradecraft.

How Device Code Phishing Works

Device code phishing exploits the OAuth 2.0 Device Authorization Grant flow (RFC 8628), a mechanism designed for input-constrained devices like IoT systems or smart TVs. 

In legitimate scenarios, users authenticate by entering a device code on a separate device with better input capabilities. However, Storm-2372 manipulates this process to steal authentication tokens.

The attack begins with Storm-2372 generating a legitimate device code request through Microsoft’s API. The attackers then send phishing emails masquerading as Microsoft Teams meeting invitations. 

[Image: Device code phishing attack cycle]

These emails prompt recipients to authenticate using the provided device code on Microsoft’s legitimate login page.

Once the victim completes authentication, the attackers, who have been polling Microsoft's token endpoint with that device code, receive the access and refresh tokens issued for the victim's account. 

These tokens allow persistent access to the victim’s accounts without requiring passwords or multi-factor authentication (MFA), as long as the tokens remain valid.

Technical Details of the Attack

Storm-2372 initiates contact through messaging apps like WhatsApp, Signal, or Microsoft Teams by impersonating prominent individuals relevant to their targets.

After building rapport, they send fake Teams meeting invites via email.

[Image: Threat actor posing as a prominent person and building rapport on Signal]

Subsequently, victims are tricked into entering an attacker-generated device code on a legitimate Microsoft sign-in page. 

The attackers keep polling the token endpoint for that code and retrieve the access and refresh tokens as soon as the victim's authentication completes.

[Image: Lure used in phishing campaign]

Attackers use valid tokens to access Microsoft Graph API for data collection. They search emails for sensitive keywords like “password,” “admin,” or “credentials” and exfiltrate data.

“The threat actor was using keyword searching to view messages containing words such as username, password, admin, teamviewer, anydesk, credentials, secret, ministry, and gov,” Microsoft said.

Using compromised accounts, they send intra-organizational phishing emails to propagate further.

More recently, Storm-2372 has shifted tactics, using the client ID of the Microsoft Authentication Broker in the device code flow. 

This lets them obtain Primary Refresh Tokens (PRTs) and register attacker-controlled devices in Entra ID environments, giving them long-term persistence that survives the expiry of an ordinary access token.

Mitigation Strategies

Microsoft recommends several measures to defend against these attacks:

  • Block the device code flow (for example, with a Conditional Access policy) unless it is absolutely necessary.
  • Train employees to recognize phishing attempts and to verify application prompts during sign-ins.
  • If suspicious activity is detected, revoke the user's refresh tokens with the Microsoft Graph revokeSignInSessions action.
  • Enforce MFA and block risky sign-ins based on user behavior, keeping in mind that a stolen token already carries the victim's completed MFA, so MFA alone does not stop this attack.
  • Adopt phishing-resistant methods such as FIDO2 security keys or passkeys instead of SMS-based MFA.
  • Integrate on-premises directories with cloud directories for centralized monitoring and response.

Microsoft Defender for Office 365 provides alerts for phishing-related activities such as emails with traits consistent with phishing and malicious HTML files mimicking login pages.

Additionally, Entra ID Protection offers risk detections for anomalous behavior such as sign-ins from anonymous IP addresses or unusual token usage patterns.
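As an added example (not part of the article or of Microsoft's guidance), the following Python flags successful device-code sign-ins in an Entra ID sign-in log export and lists the users whose sessions should be revoked. Field names (authenticationProtocol, status.errorCode, appDisplayName, ipAddress) follow the Microsoft Graph signIn resource; the log records and the per-user IP baseline are constructed for the example.

```python
"""Triage device-code sign-ins from an Entra ID sign-in log export (added example)."""

# Constructed sample records shaped like Microsoft Graph signIn objects.
# authenticationProtocol == "deviceCode" marks the flow Storm-2372 abuses.
SAMPLE_SIGNINS = [
    {"userPrincipalName": "alice@example.org", "authenticationProtocol": "authorizationCodeFlow",
     "ipAddress": "203.0.113.10", "appDisplayName": "Microsoft Teams", "status": {"errorCode": 0}},
    {"userPrincipalName": "bob@example.org", "authenticationProtocol": "deviceCode",
     "ipAddress": "198.51.100.7", "appDisplayName": "Microsoft Office", "status": {"errorCode": 0}},
    {"userPrincipalName": "bob@example.org", "authenticationProtocol": "deviceCode",
     "ipAddress": "198.51.100.7", "appDisplayName": "Microsoft Authentication Broker", "status": {"errorCode": 0}},
    {"userPrincipalName": "carol@example.org", "authenticationProtocol": "deviceCode",
     "ipAddress": "203.0.113.10", "appDisplayName": "Microsoft Office", "status": {"errorCode": 50126}},
]

# Constructed baseline: IP addresses each user normally signs in from.
KNOWN_IPS = {
    "alice@example.org": {"203.0.113.10"},
    "bob@example.org": {"203.0.113.22"},
    "carol@example.org": {"203.0.113.10"},
}


def device_code_findings(signins, known_ips):
    """Return one finding per successful device-code sign-in, tagged with risk reasons."""
    findings = []
    for s in signins:
        if s.get("authenticationProtocol") != "deviceCode":
            continue
        if s.get("status", {}).get("errorCode", 0) != 0:
            continue  # failed sign-in: no token was issued, nothing to revoke
        user = s["userPrincipalName"]
        reasons = ["device_code_flow"]
        if s["ipAddress"] not in known_ips.get(user, set()):
            reasons.append("new_ip")  # token was redeemed from an IP the user never uses
        if "Authentication Broker" in s.get("appDisplayName", ""):
            reasons.append("broker_client")  # the PRT / device-registration path described above
        findings.append({"user": user, "ip": s["ipAddress"], "app": s["appDisplayName"], "reasons": reasons})
    return findings


def users_to_revoke(findings):
    """Users whose refresh tokens should be revoked via revokeSignInSessions."""
    return sorted({f["user"] for f in findings if "new_ip" in f["reasons"]})


def revoke_request(user):
    """Build (method, URL) for the Graph revokeSignInSessions call; nothing is sent here."""
    return ("POST", f"https://graph.microsoft.com/v1.0/users/{user}/revokeSignInSessions")


if __name__ == "__main__":
    for f in device_code_findings(SAMPLE_SIGNINS, KNOWN_IPS):
        print(f)
    for u in users_to_revoke(device_code_findings(SAMPLE_SIGNINS, KNOWN_IPS)):
        print(*revoke_request(u))
```

The findings that carry `broker_client` deserve a follow-up check of newly registered devices in Entra ID, since revoking sessions alone does not remove an attacker-registered device.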

Organizations must adopt robust identity protection strategies and educate users to mitigate such threats effectively.


