Hackers are using this new phishing technique to bypass MFA
A threat group linked to Russia has been observed orchestrating device code phishing attacks since August 2024
Microsoft has warned that a threat group known as Storm-2372 has altered its tactics using a specific ‘device code phishing’ technique to bypass multi-factor authentication (MFA) and steal access tokens.
The report states that Storm-2372, which it links to Russia with ‘medium confidence’, has been conducting an active and successful device code phishing campaign since August 2024.
It has been observed targeting governments and NGOs, as well as organizations in the IT, defense, telecoms, health, energy, and education sectors across multiple regions, Microsoft added.
The technique takes advantage of an industry-standard authentication flow intended for devices that cannot complete a web-based sign-in themselves and must instead have the user sign in on another device.
Attackers first initiate the authentication flow by requesting a device code from the targeted service, and then send the code to the victim under the guise of an invite to a Teams meeting or a registration code, for example.
The target then goes through their usual authentication process, entering their username, password, and MFA credentials into the legitimate service portal, but once the service grants access, the threat actor can retrieve the resulting access token.
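To make the three steps concrete, here is an added toy model of the OAuth 2.0 device authorization grant (RFC 8628) that the technique abuses; it is illustrative code written for this article, not code from Microsoft, Volexity, or ITPro, and the client id, user names, and verification URL are made up. It shows why the victim's password and MFA do not protect the account here: the token is returned to whichever party holds the device code, not to the device the user authenticated on, and the `allow_device_grant` knob stands in for the identity-provider policy controls that block this grant where it is not needed.

```python
import secrets
import time

class AuthServer:
    def __init__(self, allow_device_grant=True, lifetime=900):
        self.allow_device_grant = allow_device_grant  # policy knob: the mitigation
        self.lifetime = lifetime                      # seconds a code pair stays valid
        self.pending = {}                             # device_code -> request record
        self.by_user_code = {}                        # user_code -> device_code

    def device_authorization(self, client_id):
        """Step 1: the party that starts the flow gets a device_code/user_code pair."""
        if not self.allow_device_grant:
            raise PermissionError("unauthorized_client: device code grant is disabled")
        device_code = secrets.token_urlsafe(32)
        user_code = "-".join(secrets.token_hex(2).upper() for _ in range(2))
        self.pending[device_code] = {"user_code": user_code, "client_id": client_id,
                                     "expires": time.time() + self.lifetime, "user": None}
        self.by_user_code[user_code] = device_code
        return {"device_code": device_code, "user_code": user_code,
                "verification_uri": "https://login.example.test/device"}  # made-up URL

    def approve(self, user_code, user, mfa_ok):
        """Step 2: a user signs in (password + MFA) and types the user_code they were given."""
        rec = self.pending.get(self.by_user_code.get(user_code))
        if rec is None or time.time() > rec["expires"]:
            return "expired_token"
        if not mfa_ok:
            return "mfa_failed"
        rec["user"] = user  # approval is tied to the code, not to the approver's device
        return "approved"

    def token(self, device_code):
        """Step 3: whoever holds device_code polls for the token once approval lands."""
        rec = self.pending.get(device_code)
        if rec is None or time.time() > rec["expires"]:
            return {"error": "expired_token"}
        if rec["user"] is None:
            return {"error": "authorization_pending"}
        del self.pending[device_code]
        del self.by_user_code[rec["user_code"]]  # a code pair is single use
        return {"access_token": f"tok-for-{rec['user']}", "client_id": rec["client_id"]}

def run_flow(server, initiator_client, approving_user, mfa_ok=True):
    """Walk the three steps; reports who initiated and whose token came back to them."""
    codes = server.device_authorization(initiator_client)
    status = server.approve(codes["user_code"], approving_user, mfa_ok)
    return {"status": status, "initiator": initiator_client,
            "token": server.token(codes["device_code"])}
```

Note that the server never learns which device typed the user code, so MFA success on the victim's side is indistinguishable from a legitimate cross-device sign-in; refusing the grant type is the server-side control this model exposes.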
Cybersecurity company Volexity recently published a report stating it has observed multiple campaigns conducted by a number of Russian threat actors using the device code phishing technique.
It noted that because the attacks do not follow the typical phishing workflow users may be aware of, they are less likely to raise suspicion, which makes them a particularly effective phishing technique.
“What Volexity has observed is that this method has been more effective at successfully compromising accounts than most other targeted spear-phishing campaigns.”
Device code phishing could become new go-to for hackers
Security experts have warned that this tactic could become increasingly common amongst threat actors as it can get around additional security layers that prevent more rudimentary phishing attacks.
Speaking to ITPro, Amir Sadon, director of research at Sygnia, said that this approach is a relatively new technique that he expects to become more popular among more sophisticated groups due to its efficacy.
“Microsoft's latest blog on Storm-2372 highlights a rather new and highly creative MFA bypass technique known as device code phishing. Sygnia’s Incident Response teams have investigated multiple cases where attackers employed a variety of MFA bypass techniques, so we can only assume that new vectors such as device code phishing will be increasingly leveraged as a sophisticated method for account compromise.”
He noted that as protective measures like MFA become increasingly common, cyber criminals will have to adopt new tactics such as these to compromise accounts.
“As awareness of traditional phishing improves and MFA adoption becomes widespread, attackers are shifting to more advanced social engineering tactics, including OAuth-based attacks that bypass MFA entirely.”
David Sancho, senior threat researcher at Trend Micro, told ITPro that this approach is becoming a new favourite amongst attackers, stating the most common variant of the attack recorded by Trend Micro uses QR codes to take advantage of lax mobile security.
“Device code phishing is becoming a common attack technique. The key to the attack is forcing a device switch to circumvent desktop defences. The most popular strategy we are seeing uses QR authentication codes,” he warned.
“These QR codes are supposed to work as a two-factor authentication method for a ‘document’ the attacker is sending to victims. Once the QR code is scanned with a phone, a phishing page is presented to the user with an Office365 authentication screen. This works because the attacker can pick up the corporate login of the employee without a URL filter. This is assuming the phone is not protected, which they usually aren’t.”
Solomon Klappholz is a former staff writer for ITPro and ChannelPro. He has experience writing about the technologies that facilitate industrial manufacturing, which led to him developing a particular interest in cybersecurity, IT regulation, industrial infrastructure applications, and machine learning.