Microsoft is calling attention to an emerging threat cluster it calls Storm-2372 that has been attributed to a new set of cyber attacks aimed at a variety of sectors since August 2024.
The attacks have targeted government, non-governmental organizations (NGOs), information technology (IT) services and technology, defense, telecommunications, health, higher education, and energy/oil and gas sectors in Europe, North America, Africa, and the Middle East.
The threat actor, assessed with medium confidence to be aligned with Russian interests, victimology, and tradecraft, has been observed targeting users via messaging apps like WhatsApp, Signal, and Microsoft Teams by falsely claiming to be a prominent person relevant to the target in an attempt to build trust.
“The attacks use a specific phishing technique called ‘device code phishing’ that tricks users to log into productivity apps while Storm-2372 actors capture the information from the log in (tokens) that they can use to then access compromised accounts,” the Microsoft Threat Intelligence said in a new report.
The goal is to leverage the authentication codes obtained via the technique to access target accounts, and abuse that access to get hold of sensitive data and enable persistent access to the victim environment as long as the tokens remain valid.
The tech giant said the attack involves sending phishing emails that masquerade as Microsoft Teams meeting invitations that, when clicked, urge the message recipients to authenticate using a threat actor-generated device code, thereby allowing the adversary to hijack the authenticated session using the valid access token.
“During the attack, the threat actor generates a legitimate device code request and tricks the target into entering it into a legitimate sign-in page,” Microsoft explained. “This grants the actor access and enables them to capture the authentication—access and refresh—tokens that are generated, then use those tokens to access the target’s accounts and data.”
The phished authentication tokens can then be used to gain access to other services that the user already has permissions to, such as email or cloud storage, without the need for a password.
Microsoft said the valid session is used to move laterally within the network by sending similar phishing intra-organizational messages to other users from the compromised account. Furthermore, the Microsoft Graph service is used to search through messages of the breached account.
“The threat actor was using keyword searching to view messages containing words such as username, password, admin, teamviewer, anydesk, credentials, secret, ministry, and gov,” Redmond said, adding the emails matching these filter criteria were then exfiltrated to the threat actor.
To mitigate the risk posed by such attacks, organizations are recommended to block device code flow wherever possible, enable phishing-resistant multi-factor authentication (MFA), and follow the principle of least privilege.
