- Vulnerable U
Russian-Linked Actors Target Accounts With Device Code Phishing Tactic
Microsoft categorizes the emerging threat group behind an ongoing campaign as Storm-2372, which is a suspected nation-state actor “working toward Russian state interests.”

Security researchers with Microsoft are warning of a phishing campaign, ongoing since August 2024, in which Russian-linked threat actors abuse the OAuth 2.0 device code authentication flow to obtain tokens for victims' accounts.
Key Details:
The campaign has a social engineering component: threat actors first approach targets through third-party messaging services (such as Signal), posing as a prominent individual relevant to the target in order to build rapport
The threat actors ask targets about their experience with WhatsApp, Signal and Microsoft Teams, then send an invite to an online event or meeting that includes a registration link and a “Security ID”
According to Microsoft, “the invitations lure the user into completing a device code authentication request emulating the experience of the messaging service… on the device code authentication page, the user is tricked into entering the code that the threat actor included as the ID for the fake Teams meeting invitation”
After account compromise, threat actors in this specific campaign are trying to use Microsoft Graph to search through messages in the compromised account, including terms related to “password,” “admin,” “credentials,” “secret,” “ministry” and “gov”
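The exchange behind the lure, as an added example that is not part of the original post and not Microsoft's code: an offline simulation of the OAuth 2.0 device authorization grant (RFC 8628). The in-memory authorization server, the verification URI, the client name and the lifetimes are assumptions; the point it shows is that the party who requests the code and the party who approves it are never tied together, so tokens minted for the victim are delivered to the client the attacker started.

```python
"""Offline simulation of the OAuth 2.0 device authorization grant (RFC 8628).

Added example, not Microsoft's or Vulnerable U's code. The authorization
server is an in-memory toy standing in for a real identity provider; the
verification URI, client name and lifetimes are assumptions.
"""
import secrets
from dataclasses import dataclass
from typing import Dict, Optional

# RFC 8628 suggests a short, unambiguous character set for the user code.
USER_CODE_ALPHABET = "BCDFGHJKLMNPQRSTVWXZ"


@dataclass
class DeviceGrant:
    client_id: str
    scope: str
    device_code: str
    user_code: str
    expires_at: float
    approved_by: Optional[str] = None  # identity that entered the user_code
    tokens_issued: bool = False


class ToyAuthorizationServer:
    """The three RFC 8628 touch points: device code request, verification page, token poll."""

    def __init__(self, lifetime_seconds: int = 900, interval: int = 5):
        self.lifetime = lifetime_seconds
        self.interval = interval
        self.by_device_code: Dict[str, DeviceGrant] = {}
        self.by_user_code: Dict[str, DeviceGrant] = {}

    def device_authorization(self, client_id: str, scope: str, now: float) -> dict:
        # Step 1: the *client* asks for a code pair. Nothing in this request says
        # who will approve it later, so an attacker can be the client.
        grant = DeviceGrant(
            client_id=client_id,
            scope=scope,
            device_code=secrets.token_urlsafe(32),
            user_code="".join(secrets.choice(USER_CODE_ALPHABET) for _ in range(8)),
            expires_at=now + self.lifetime,
        )
        self.by_device_code[grant.device_code] = grant
        self.by_user_code[grant.user_code] = grant
        return {
            "device_code": grant.device_code,
            "user_code": grant.user_code,
            "verification_uri": "https://idp.example/device",  # assumed toy URI
            "expires_in": self.lifetime,
            "interval": self.interval,
        }

    def verify(self, user_code: str, signed_in_user: str, now: float) -> str:
        # Step 2: a signed-in *user* types the user_code on the legitimate page.
        # The server binds the grant to that user; it cannot tell that the
        # client which requested the code belongs to someone else.
        grant = self.by_user_code.get(user_code.upper().replace("-", ""))
        if grant is None or now >= grant.expires_at:
            return "invalid_or_expired_code"
        grant.approved_by = signed_in_user
        return "approved"

    def token(self, client_id: str, device_code: str, now: float) -> dict:
        # Step 3: the client polls. Tokens go to whoever holds device_code.
        grant = self.by_device_code.get(device_code)
        if grant is None or grant.client_id != client_id or grant.tokens_issued:
            return {"error": "invalid_grant"}  # unknown, wrong client, or single-use code reused
        if now >= grant.expires_at:
            return {"error": "expired_token"}
        if grant.approved_by is None:
            return {"error": "authorization_pending"}
        grant.tokens_issued = True
        return {
            "token_type": "Bearer",
            "access_token": secrets.token_urlsafe(32),
            "refresh_token": secrets.token_urlsafe(32),  # offline_access keeps access alive
            "scope": grant.scope,
            "sub": grant.approved_by,
        }


def run_lure_scenario(now: float = 0.0):
    """Replays the lure pattern described above against the toy server."""
    idp = ToyAuthorizationServer()
    attacker_client = "attacker-owned-client"  # assumed name
    # The attacker starts the flow and puts user_code in the invite as the "Security ID".
    dc = idp.device_authorization(attacker_client, "Mail.Read offline_access", now)
    pending = idp.token(attacker_client, dc["device_code"], now + dc["interval"])
    # The victim signs in on the real verification page and types that code.
    status = idp.verify(dc["user_code"], "victim@target.example", now + 60)
    # The attacker's next poll receives tokens minted for the victim's identity.
    tokens = idp.token(attacker_client, dc["device_code"], now + 60 + dc["interval"])
    return pending, status, tokens


def run_expired_scenario(now: float = 0.0):
    """A code entered after its lifetime yields nothing: the lure has to land while it is fresh."""
    idp = ToyAuthorizationServer(lifetime_seconds=900)
    dc = idp.device_authorization("attacker-owned-client", "Mail.Read", now)
    status = idp.verify(dc["user_code"], "victim@target.example", now + 901)
    tokens = idp.token("attacker-owned-client", dc["device_code"], now + 901)
    return status, tokens
```

Two things stand out when you run it. First, the victim never sees anything abnormal: the sign-in happens on the provider's own page, with whatever verification the tenant normally requires. Second, the code pair has a short lifetime, which is why the lure has to be delivered while the attacker is actively polling; the expired scenario shows what happens when timing slips.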
The Background: Microsoft categorizes the emerging threat group behind the campaign as Storm-2372, which is a suspected nation-state actor “working toward Russian state interests.” The group’s targets include government, NGOs, IT services and technology, defense, telecommunications, health, higher education and energy/oil and gas in Europe, North America, Africa and the Middle East, according to Microsoft.
Why It Matters: In recent months, researchers have observed more threat actors turning to device code phishing. The technique abuses the device code authentication flow rather than stealing a password: the victim signs in on a legitimate page, and the tokens issued at the end of the flow are delivered to the client that started it, which the attacker controls. The method is popular because those tokens give persistent access for as long as they remain valid, Microsoft threat researchers said.
Organizations can mitigate this type of attack by allowing the device code flow only where it is genuinely needed; Microsoft recommended blocking it wherever possible, which in Microsoft Entra ID is done with a Conditional Access policy.
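Two things a defender would want next, as an added example that is not part of the original post and not Microsoft's code: a triage pass over sign-in log lines that surfaces successful device code sign-ins and separates likely-legitimate ones from a phished token, and the Conditional Access policy body that blocks the flow tenant-wide. The log lines are constructed; the field names follow the Entra ID sign-in log schema as exported to a SIEM (authenticationProtocol equal to "deviceCode") and the policy follows the Graph API conditionalAccessPolicy schema as I understand it, so check both against your own tenant before relying on them. The corporate IP range is an assumption.

```python
"""Hunting for device code sign-ins and the Conditional Access policy that blocks the flow.

Added example, not Microsoft's or Vulnerable U's code. The log lines are
constructed; field names follow the Entra ID sign-in log schema as exported
to a SIEM (authenticationProtocol == "deviceCode"), and the policy body
follows the Graph conditionalAccessPolicy schema as I understand it. Verify
both against your own tenant before relying on them.
"""
import ipaddress
import json
from collections import defaultdict
from typing import Dict, List

# Constructed sample: one JSON object per line, trimmed to the fields used here.
SAMPLE_SIGNIN_LOG = """
{"createdDateTime":"2025-02-13T09:02:11Z","userPrincipalName":"alice@corp.example","ipAddress":"203.0.113.10","authenticationProtocol":"authorizationCode","appDisplayName":"Microsoft Teams","status":{"errorCode":0}}
{"createdDateTime":"2025-02-13T09:41:50Z","userPrincipalName":"alice@corp.example","ipAddress":"198.51.100.77","authenticationProtocol":"deviceCode","appDisplayName":"Microsoft Office","status":{"errorCode":0}}
{"createdDateTime":"2025-02-13T10:05:03Z","userPrincipalName":"bob@corp.example","ipAddress":"203.0.113.22","authenticationProtocol":"authorizationCode","appDisplayName":"Outlook","status":{"errorCode":0}}
{"createdDateTime":"2025-02-13T10:17:44Z","userPrincipalName":"bob@corp.example","ipAddress":"203.0.113.22","authenticationProtocol":"deviceCode","appDisplayName":"Azure CLI","status":{"errorCode":0}}
{"createdDateTime":"2025-02-13T11:30:00Z","userPrincipalName":"carol@corp.example","ipAddress":"198.51.100.5","authenticationProtocol":"deviceCode","appDisplayName":"Microsoft Office","status":{"errorCode":50126}}
"""

# Assumed corporate egress range (RFC 5737 documentation space).
CORP_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]


def parse_signins(text: str) -> List[dict]:
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def is_corporate(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CORP_NETWORKS)


def find_device_code_signins(events: List[dict]) -> List[dict]:
    """Successful device code sign-ins, with context that separates routine CLI use from a phished token."""
    # IPs each user has signed in from via any *other* protocol in this dataset.
    known_ips: Dict[str, set] = defaultdict(set)
    for e in events:
        if e.get("authenticationProtocol") != "deviceCode" and e.get("status", {}).get("errorCode") == 0:
            known_ips[e["userPrincipalName"]].add(e["ipAddress"])
    hits = []
    for e in events:
        if e.get("authenticationProtocol") != "deviceCode":
            continue
        if e.get("status", {}).get("errorCode") != 0:
            continue  # failed attempts deserve a look too, but this triage is about issued tokens
        user, ip = e["userPrincipalName"], e["ipAddress"]
        hits.append({
            "time": e["createdDateTime"],
            "user": user,
            "ip": ip,
            "app": e.get("appDisplayName"),
            "outsideCorpNetwork": not is_corporate(ip),
            "ipNewForUser": ip not in known_ips[user],
        })
    return hits


def block_device_code_flow_policy(break_glass_user_ids: List[str], enforce: bool = False) -> dict:
    """Conditional Access policy body (Graph API shape, assumed) that blocks the device code flow.

    Start in report-only mode, review the sign-in log for legitimate users of the flow
    (CLI tools on headless hosts are the usual ones), exclude or migrate them, then enforce.
    """
    return {
        "displayName": "Block device code flow",
        "state": "enabled" if enforce else "enabledForReportingButNotEnforced",
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeUsers": break_glass_user_ids},
            "applications": {"includeApplications": ["All"]},
            "authenticationFlows": {"transferMethods": "deviceCodeFlow"},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }


if __name__ == "__main__":
    for hit in find_device_code_signins(parse_signins(SAMPLE_SIGNIN_LOG)):
        print(hit)
    print(json.dumps(block_device_code_flow_policy(["<break-glass-object-id>"]), indent=2))
```

On the sample, alice's device code sign-in comes from an address outside the corporate range that she has never signed in from by any other means, while bob's comes from the same address as his ordinary sign-ins and an app that routinely uses the flow; the first is the one to chase. The equivalent first cut in a Sentinel workspace is a SigninLogs query filtered on AuthenticationProtocol == "deviceCode", then the same comparison against the user's usual addresses. Whichever tool you use, post the policy in report-only mode first so the log tells you who legitimately depends on the flow before you enforce the block.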
The Big Picture: Researchers outside Microsoft have reported seeing threat actors conduct the same type of attack, combining social engineering with device code phishing to compromise targets, including Microsoft 365 users. Volexity researchers on Thursday said they have observed a number of campaigns from multiple Russian threat actors since mid-January that impersonated individuals from the U.S. State Department, the European Parliament or the Ukrainian Ministry of Defense, and successfully accessed victim accounts.