Microsoft has warned that a threat group known as Storm-2372 has altered its tactics using a specific ‘device code phishing’ technique to bypass multi-factor authentication (MFA) and steal access tokens.
The report states that Storm-2372, which it links to Russia with ‘medium confidence’, has been conducting an active and successful device code phishing campaign since August 2024.
It has been observed targeting governments, NGOs, as well as organizations in the IT, defense, telecoms, health, energy, and education sector across multiple regions, Microsoft added.
The technique, device code phishing, takes advantage of an industry standard authentication practice for devices that cannot perform authentication using a web flow and must use another device to sign in.
Attackers first initiate the authentication flow by requesting a device code from the targeted service, and then send the code to the victim under the guise of an invite to a Teams meeting or a registration code, for example.
The target will go through their usual authentication process entering their username, password, and MFA credentials into the legitimate service portal, but once the service generates access the threat actor can recover the access token.
Cybersecurity company Volexity recently published a report stating it has observed multiple campaigns conducted by a number of Russian threat actors using the device code phishing technique.
It noted that because the attacks do not follow the typical phishing workflow that users may be aware of it is less likely to raise their suspicions, and as such are a particularly effective phishing technique.
“What Volexity has observed is that this method has been more effective at successfully compromising accounts than most other targeted spear-phishing campaigns.”
Device code phishing could become new go-to for hackers
Security experts have warned that this tactic could become increasingly common amongst threat actors as it can get around additional security layers that prevent more rudimentary phishing attacks.
Speaking to ITPro, Amir Sadon, director of research at Sygnia, said that this approach is a relatively new technique that he expects to become more popular among more sophisticated groups due to its efficacy.
“Microsoft's latest blog on Storm-2372 highlights a rather new and highly creative MFA bypass technique known as device code phishing. Sygnia’s Incident Response teams have investigated multiple cases where attackers employed a variety of MFA bypass techniques, so we can only assume that new vectors such as device code phishing will be increasingly leveraged as a sophisticated method for account compromise.”
He noted that as protective measures like MFA become increasingly common, cyber criminals will have to adopt new tactics such as these to compromise accounts.
RELATED WHITEPAPER
“As awareness of traditional phishing improves and MFA adoption becomes widespread, attackers are shifting to more advanced social engineering tactics, including OAuth-based attacks that bypass MFA entirely.”
David Sancho, senior threat researcher at Trend Micro, told ITPro that this approach is becoming a new favourite amongst attackers, stating the most common variant of the attack recorded by Trend Micro uses QR codes to take advantage of lax mobile security.
“Device code phishing is becoming a common attack technique. The key to the attack is forcing a device switch to circumvent desktop defences. The most popular strategy we are seeing uses QR authentication codes,” he warned.
“These QR codes are supposed to work as a two-factor authentication method for a ‘document’ the attacker is sending to victims. Once the QR code is scanned with a phone, a phishing page is presented to the user with an Office365 authentication screen. This works because the attacker can pick up the corporate login of the employee without a URL filter. This is assuming the phone is not protected, which they usually aren’t.”
MORE FROM ITPRO
-
Trump's AI executive order could leave US in a 'regulatory vacuum'News Citing a "patchwork of 50 different regulatory regimes" and "ideological bias", President Trump wants rules to be set at a federal level
-
TPUs: Google's home advantageITPro Podcast How does TPU v7 stack up against Nvidia's latest chips – and can Google scale AI using only its own supply?
-
Microsoft Teams is getting a new location tracking feature that lets bosses snoop on staff – research shows it could cause workforce pushbackNews A new location tracking feature in Microsoft Teams will make it easier to keep tabs on your colleague's activities – and for your boss to know exactly where you are.
-
The Scattered Lapsus$ Hunters group is targeting Zendesk customers – here’s what you need to knowNews The group appears to be infecting support and help-desk personnel with remote access trojans and other forms of malware
-
Microsoft opens up Entra Agent ID preview with new AI featuresNews Microsoft Entra Agent ID aims to help manage influx of AI agents using existing tools
-
Google wants to take hackers to courtNews You don't have a package waiting for you, it's a scam – and Google is fighting back
-
A notorious ransomware group is spreading fake Microsoft Teams ads to snare victimsNews The Rhysida ransomware group is leveraging Trusted Signing from Microsoft to lend plausibility to its activities
-
CISA just published crucial new guidance on keeping Microsoft Exchange servers secureNews With a spate of attacks against Microsoft Exchange in recent years, CISA and the NSA have published crucial new guidance for organizations to shore up defenses.
-
CISA issues alert after botched Windows Server patch exposes critical flawNews A critical remote code execution flaw in Windows Server is being exploited in the wild, despite a previous 'fix'
-
Microsoft issues warning over “opportunistic” cyber criminals targeting big businessNews Microsoft has called on governments to do more to support organizations
