A sophisticated phishing campaign exploiting the device code authentication flow has been identified by Microsoft Threat Intelligence. The attack, attributed to the Storm-2372 threat actor group, has been ongoing since August 2024 and primarily targets a wide range of sectors, including government, NGOs, IT services, and critical industries like defense and energy. This group is believed to be linked to Russian state interests. The campaign leverages the OAuth 2.0 Device Authorization Grant flow, a legitimate protocol used to authenticate devices with limited input capabilities, such as smart TVs and IoT devices. The attackers manipulate this flow to gain unauthorized access to user accounts and sensitive data.
The attack begins when the threat actors generate legitimate device codes through APIs and use phishing tactics to lure victims. They send messages masquerading as trusted applications, like Microsoft Teams or WhatsApp, encouraging users to enter a device code on a sign-in page. Victims are then tricked into unknowingly providing their access tokens, which allow the attackers to bypass password and multi-factor authentication (MFA) protections.
This method enables attackers to gain lateral access within networks, where they can move freely and harvest sensitive data, credentials, and emails from compromised accounts.
Once the attackers have access to these tokens, they can carry out various malicious activities, including data exfiltration through platforms like Microsoft Graph API, harvesting login credentials, and sending phishing emails to further exploit the compromised network. Microsoft’s investigation showed that Storm-2372 specifically targeted credentials, administrative access, and government-related data. The threat group used keyword searches within the compromised accounts to gather information, which highlights the targeted and sophisticated nature of the campaign.
To mitigate the risks associated with device code phishing, organizations are advised to disable this authentication method unless absolutely necessary. Implementing conditional access policies that require MFA for suspicious sign-ins, educating employees about phishing risks, and regularly auditing and revoking compromised tokens are also critical defenses. Organizations are further encouraged to transition to phishing-resistant MFA methods, such as FIDO tokens or app-based passkeys, as the attack underscores the need for organizations to stay vigilant against evolving identity-based cyber threats.
