Hackers are using this new phishing technique to bypass MFA
A threat group linked to Russia has been observed orchestrating device code phishing attacks since August 2024
Microsoft has warned that a threat group known as Storm-2372 has changed its tactics, using a specific ‘device code phishing’ technique to bypass multi-factor authentication (MFA) and steal access tokens.
Microsoft's report states that Storm-2372, which it links to Russia with ‘medium confidence’, has been conducting an active and successful device code phishing campaign since August 2024.
The group has been observed targeting governments and NGOs, as well as organizations in the IT, defense, telecoms, health, energy, and education sectors across multiple regions, Microsoft added.
The technique, device code phishing, takes advantage of an industry standard authentication practice for devices that cannot perform authentication using a web flow and must use another device to sign in.
Attackers first initiate the authentication flow by requesting a device code from the targeted service, and then send the code to the victim under the guise of an invite to a Teams meeting or a registration code, for example.
The target goes through their usual authentication process, entering their username, password, and MFA credentials into the legitimate service portal, but once the service grants access, the threat actor can retrieve the access token.
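A defender-side illustration of the flow described above (an added example, not taken from Microsoft's or Volexity's reports): because the party that requests the device code and the person who approves it are different in this attack, pairing the two events can surface suspicious sign-ins. The event schema, client names, and allowlist are hypothetical, and the log lines are constructed.

```python
import ipaddress
import json

# Constructed sample events (hypothetical schema, documentation-range IPs).
SAMPLE_LOG = """\
{"flow_id": "f1", "event": "code_requested", "ip": "198.51.100.7", "client": "conference-room-display"}
{"flow_id": "f1", "event": "code_approved", "ip": "198.51.100.23", "user": "alice@example.com"}
{"flow_id": "f2", "event": "code_requested", "ip": "203.0.113.50", "client": "office-suite-cli"}
{"flow_id": "f2", "event": "code_approved", "ip": "192.0.2.14", "user": "bob@example.com"}
{"flow_id": "f3", "event": "code_requested", "ip": "192.0.2.9", "client": "office-suite-cli"}
"""

# Assumption: clients the organization expects to sign in with device codes.
EXPECTED_CLIENTS = {"conference-room-display"}


def same_network(ip_a, ip_b, prefix=24):
    """True when both IPv4 addresses fall in the same /prefix network."""
    net = ipaddress.ip_network(f"{ip_a}/{prefix}", strict=False)
    return ipaddress.ip_address(ip_b) in net


def find_suspicious_flows(log_text):
    """Pair each code request with its approval and return flagged flows."""
    requests, findings = {}, []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev["event"] == "code_requested":
            requests[ev["flow_id"]] = ev
        elif ev["event"] == "code_approved":
            req = requests.get(ev["flow_id"])
            if req is None:
                continue  # approval without a logged request: nothing to compare
            reasons = []
            if not same_network(req["ip"], ev["ip"]):
                reasons.append("requester and approver on different networks")
            if req["client"] not in EXPECTED_CLIENTS:
                reasons.append("client not expected to use device codes")
            if reasons:
                findings.append({"flow_id": ev["flow_id"], "user": ev["user"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_flows(SAMPLE_LOG):
        print(finding)
```

A different-network result is a signal to triage, not proof of compromise, since legitimate device code sign-ins can also span two networks.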
Cybersecurity company Volexity recently published a report stating it has observed multiple campaigns conducted by a number of Russian threat actors using the device code phishing technique.
Volexity noted that because the attacks do not follow the typical phishing workflow that users may be aware of, they are less likely to raise suspicion, making device code phishing a particularly effective technique.
“What Volexity has observed is that this method has been more effective at successfully compromising accounts than most other targeted spear-phishing campaigns.”
Device code phishing could become new go-to for hackers
Security experts have warned that this tactic could become increasingly common amongst threat actors as it can get around additional security layers that prevent more rudimentary phishing attacks.
Speaking to ITPro, Amir Sadon, director of research at Sygnia, said that this approach is a relatively new technique that he expects to become more popular among more sophisticated groups due to its efficacy.
“Microsoft's latest blog on Storm-2372 highlights a rather new and highly creative MFA bypass technique known as device code phishing. Sygnia’s Incident Response teams have investigated multiple cases where attackers employed a variety of MFA bypass techniques, so we can only assume that new vectors such as device code phishing will be increasingly leveraged as a sophisticated method for account compromise.”
He noted that as protective measures like MFA become increasingly common, cyber criminals will have to adopt new tactics such as these to compromise accounts.
“As awareness of traditional phishing improves and MFA adoption becomes widespread, attackers are shifting to more advanced social engineering tactics, including OAuth-based attacks that bypass MFA entirely.”
David Sancho, senior threat researcher at Trend Micro, told ITPro that this approach is becoming a new favourite amongst attackers, stating the most common variant of the attack recorded by Trend Micro uses QR codes to take advantage of lax mobile security.
“Device code phishing is becoming a common attack technique. The key to the attack is forcing a device switch to circumvent desktop defences. The most popular strategy we are seeing uses QR authentication codes,” he warned.
“These QR codes are supposed to work as a two-factor authentication method for a ‘document’ the attacker is sending to victims. Once the QR code is scanned with a phone, a phishing page is presented to the user with an Office365 authentication screen. This works because the attacker can pick up the corporate login of the employee without a URL filter. This is assuming the phone is not protected, which they usually aren’t.”
Solomon Klappholz is a former staff writer for ITPro and ChannelPro. He has experience writing about the technologies that facilitate industrial manufacturing, which led to him developing a particular interest in cybersecurity, IT regulation, industrial infrastructure applications, and machine learning.

