
Device Code Phishing Attack Exploits Authentication Flow for Token Hijacking


A sophisticated phishing campaign leveraging the OAuth2 device code authentication flow has been identified by Microsoft Threat Intelligence.

Tracked as “Storm-2372,” this threat actor, suspected to align with Russian state interests, has been targeting governments, NGOs, and industries across Europe, North America, Africa, and the Middle East since August 2024.

The attack abuses the device code flow, a legitimate mechanism designed for input-constrained devices, to hijack authentication tokens and gain unauthorized access to user accounts.

Figure: Legitimate device code authentication page.

How Device Code Phishing Works

The device code flow is an authentication method for devices with limited input capabilities, such as smart TVs or IoT devices.

It allows users to authenticate by entering a code on a secondary device with a full interface. However, attackers have weaponized this process.

In a typical attack:

  1. The attacker requests a device code from the identity provider’s device authorization endpoint, using the client ID of a legitimate public application. The response contains a short user code (valid for about 15 minutes in Microsoft Entra ID) and a device code that the attacker keeps.
  2. A phishing email lures the victim into entering the user code on the provider’s genuine login page and completing sign-in, MFA included.
  3. The attacker, who has been polling the token endpoint with the device code, receives the victim’s access and refresh tokens.
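The three steps above are the OAuth 2.0 device authorization grant (RFC 8628) run with the two endpoints split between attacker and victim. The following added example, which is not code from the article or from Microsoft, simulates both sides against a toy authorization server: the attacker calls the device authorization endpoint, the victim approves the user code after passing MFA in their own browser, and the attacker's poller is the party that receives the tokens. The client ID, user name, token format and the 15-minute lifetime are constructed for the example.

```python
"""Toy OAuth 2.0 device authorization grant (RFC 8628) showing why a device
code phishing victim's tokens end up with the attacker.  Added example; the
identifiers, lifetimes and token format are constructed for illustration."""
import secrets
import string
import time
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class DeviceGrant:
    device_code: str
    user_code: str
    client_id: str
    scope: str
    expires_at: float
    approved_by: Optional[str] = None   # set once a user approves the user_code


class IdentityProvider:
    """Toy authorization server: the two endpoints the device flow needs."""

    CODE_TTL = 15 * 60   # Entra ID device codes expire after about 15 minutes
    POLL_INTERVAL = 5

    def __init__(self, clock=time.time):
        self.clock = clock                       # injectable for expiry tests
        self._by_device: Dict[str, DeviceGrant] = {}
        self._by_user: Dict[str, DeviceGrant] = {}

    def device_authorization(self, client_id: str, scope: str) -> dict:
        """POST /devicecode: anyone who knows a public client_id may call it."""
        alphabet = string.ascii_uppercase + string.digits
        grant = DeviceGrant(
            device_code=secrets.token_urlsafe(32),
            user_code="".join(secrets.choice(alphabet) for _ in range(9)),
            client_id=client_id, scope=scope,
            expires_at=self.clock() + self.CODE_TTL)
        self._by_device[grant.device_code] = grant
        self._by_user[grant.user_code] = grant
        return {"device_code": grant.device_code, "user_code": grant.user_code,
                "verification_uri": "https://idp.example/devicelogin",  # placeholder
                "expires_in": self.CODE_TTL, "interval": self.POLL_INTERVAL}

    def user_approves(self, user_code: str, username: str, mfa_passed: bool) -> bool:
        """Browser side: the user signs in (MFA included) and types the code.
        The server cannot tell that someone else requested the code."""
        grant = self._by_user.get(user_code)
        if grant is None or self.clock() > grant.expires_at or not mfa_passed:
            return False
        grant.approved_by = username
        return True

    def token(self, device_code: str, client_id: str) -> dict:
        """POST /token, grant_type=urn:ietf:params:oauth:grant-type:device_code."""
        grant = self._by_device.get(device_code)
        if grant is None or grant.client_id != client_id:
            return {"error": "invalid_grant"}
        if self.clock() > grant.expires_at:
            return {"error": "expired_token"}
        if grant.approved_by is None:
            return {"error": "authorization_pending"}
        # Tokens go to whoever holds device_code, not to whoever signed in.
        return {"token_type": "Bearer", "scope": grant.scope,
                "access_token": f"at.{grant.approved_by}.{secrets.token_hex(8)}",
                "refresh_token": f"rt.{grant.approved_by}.{secrets.token_hex(8)}"}


def run_phishing_scenario(idp: IdentityProvider, victim_enters_code: bool = True) -> dict:
    """Steps 1-3 from the article against the toy server."""
    client_id = "00000000-0000-0000-0000-000000000000"   # constructed public client id
    resp = idp.device_authorization(client_id, "openid offline_access Mail.Read")
    first_poll = idp.token(resp["device_code"], client_id)   # before the lure lands
    if victim_enters_code:
        # The lure carries resp["user_code"]; the victim types it on the genuine page.
        idp.user_approves(resp["user_code"], "victim@corp.example", mfa_passed=True)
    return {"first_poll": first_poll, "final": idp.token(resp["device_code"], client_id)}


if __name__ == "__main__":
    out = run_phishing_scenario(IdentityProvider())
    print(out["first_poll"])   # {'error': 'authorization_pending'}
    print(out["final"])        # victim's tokens, delivered to the attacker's poller
```

The point to notice is in `token()`: the server only checks that the caller holds the device code and the matching client ID. The victim's MFA happened in `user_approves()`, on a genuine page, and did nothing to bind the resulting tokens to the victim's machine. If the victim never enters the code, the poller keeps seeing `authorization_pending` until the code expires.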

These tokens grant the attacker access to services such as email, cloud storage, and internal applications without any further credentials or multi-factor authentication (MFA) prompt, because the victim has already completed sign-in, MFA included, on the attacker’s behalf.

As long as the tokens remain valid, the attacker keeps that access: the refresh token can be exchanged for new access tokens, and in Microsoft Entra ID a refresh token can remain usable for up to 90 days in some configurations, giving the attacker persistent access.

Storm-2372’s Tactics and Post-Compromise Actions

Storm-2372 employs social engineering techniques to deliver phishing lures resembling Microsoft Teams or messaging apps like WhatsApp and Signal.

These lures often mimic meeting invitations or messages from trusted individuals. Upon successful compromise, attackers use stolen tokens to:

  • Access sensitive data via Microsoft Graph APIs.
  • Harvest emails containing keywords like “password,” “admin,” or “credentials.”
  • Move laterally within organizations by sending phishing emails from compromised accounts.

This campaign demonstrates advanced tradecraft, including keyword searches in victim accounts and exfiltration of sensitive information.

To defend against device code phishing attacks:

  • Restrict Device Code Flow: Block the device code flow with a Conditional Access policy in Microsoft Entra ID (the authentication flows condition) and allow it only for the users, devices, and applications that genuinely need it.
  • Educate Users: Train employees to treat any request to type a short code into a Microsoft sign-in page as suspicious unless they started that sign-in themselves on a device they control.
  • Enforce MFA: Device code phishing does not break MFA; the victim completes the MFA prompt and the resulting tokens go to the attacker. MFA remains essential against credential theft, but it cannot stop this attack on its own.
  • Monitor Risky Sign-ins: Use Microsoft Entra ID Protection and the sign-in logs to flag device code authentications from unexpected locations, applications, or users, and the Microsoft Graph activity that follows them.
  • Revoke Compromised Tokens: If suspicious activity is identified, revoke the user’s refresh tokens and sign-in sessions immediately. Access tokens that were already issued stay valid until they expire (typically about an hour) unless Continuous Access Evaluation is in effect, so also check whether the attacker added authentication methods or mailbox rules while the tokens were live.
  • Adopt Phishing-resistant Authentication: Prefer FIDO2 security keys or passkeys over telephony-based MFA. Because the victim authenticates on the genuine Microsoft page, however, phishing-resistant methods do not by themselves stop device code phishing; the Conditional Access restriction above is the control that does.
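The monitoring item above is the one that can be automated against exported sign-in logs. The following added example, not code from the article or from Microsoft, runs a simple hunt over constructed Entra-style sign-in records: it selects successful sign-ins whose authentication protocol is the device code flow and reports those from outside the organisation’s networks, from applications not approved for the flow, or repeated for the same user within a short window. The field names follow the Entra sign-in log schema (`authenticationProtocol`, `userPrincipalName`, `ipAddress`, `appDisplayName`, `createdDateTime`), with the nested status object flattened to an `errorCode` field; the sample records, network ranges, and approved-application list are constructed for the example.

```python
"""Hunt for suspicious device code sign-ins in Entra-style sign-in log records.
Added example; the records, networks and app allow list below are constructed."""
import json
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network
from typing import List, Tuple

# Constructed sample sign-in records (one JSON object per line), not real log data.
SAMPLE_LOG = """
{"createdDateTime":"2025-02-10T09:02:11Z","userPrincipalName":"alice@corp.example","ipAddress":"203.0.113.7","authenticationProtocol":"deviceCode","appDisplayName":"Microsoft Authentication Broker","errorCode":0}
{"createdDateTime":"2025-02-10T09:05:40Z","userPrincipalName":"alice@corp.example","ipAddress":"203.0.113.7","authenticationProtocol":"none","appDisplayName":"Microsoft Graph Command Line Tools","errorCode":0}
{"createdDateTime":"2025-02-10T10:15:02Z","userPrincipalName":"bob@corp.example","ipAddress":"198.51.100.22","authenticationProtocol":"deviceCode","appDisplayName":"Azure CLI","errorCode":0}
{"createdDateTime":"2025-02-10T10:20:19Z","userPrincipalName":"carol@corp.example","ipAddress":"198.51.100.23","authenticationProtocol":"ropc","appDisplayName":"Outlook","errorCode":50126}
{"createdDateTime":"2025-02-10T11:00:00Z","userPrincipalName":"dave@corp.example","ipAddress":"203.0.113.9","authenticationProtocol":"deviceCode","appDisplayName":"Microsoft Teams","errorCode":0}
{"createdDateTime":"2025-02-10T11:03:30Z","userPrincipalName":"dave@corp.example","ipAddress":"203.0.113.9","authenticationProtocol":"deviceCode","appDisplayName":"Microsoft Teams","errorCode":0}
"""

CORP_NETWORKS = [ip_network("198.51.100.0/24")]   # constructed: where admin CLI use is expected
APPROVED_DEVICE_CODE_APPS = {"Azure CLI"}         # constructed: apps allowed to use the flow


def parse_signins(text: str) -> List[dict]:
    """Parse JSON-lines sign-in export into dicts, skipping blank lines."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def is_corporate(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in CORP_NETWORKS)


def find_suspicious_device_code_signins(records: List[dict],
                                        window: timedelta = timedelta(minutes=10)
                                        ) -> List[Tuple[str, str]]:
    """Return (userPrincipalName, reason) pairs for device code sign-ins worth a look."""
    findings: List[Tuple[str, str]] = []
    recent = defaultdict(list)   # user -> timestamps of device code sign-ins in the window
    for rec in sorted(records, key=lambda r: r["createdDateTime"]):
        # Only successful sign-ins that used the device code grant are of interest.
        if rec.get("authenticationProtocol") != "deviceCode" or rec.get("errorCode") != 0:
            continue
        upn = rec["userPrincipalName"]
        ts = datetime.fromisoformat(rec["createdDateTime"].replace("Z", "+00:00"))
        reasons = []
        if not is_corporate(rec["ipAddress"]):
            reasons.append(f"device code sign-in from non-corporate IP {rec['ipAddress']}")
        app = rec.get("appDisplayName")
        if app not in APPROVED_DEVICE_CODE_APPS:
            reasons.append(f"device code flow used by unapproved app {app}")
        # Several device code sign-ins for one user in quick succession is unusual
        # for legitimate CLI use and common when a lure is re-sent or re-used.
        recent[upn] = [t for t in recent[upn] if ts - t <= window] + [ts]
        if len(recent[upn]) > 1:
            reasons.append(f"{len(recent[upn])} device code sign-ins within {window}")
        findings.extend((upn, reason) for reason in reasons)
    return findings


if __name__ == "__main__":
    for upn, reason in find_suspicious_device_code_signins(parse_signins(SAMPLE_LOG)):
        print(f"{upn}: {reason}")
```

On the sample data, bob’s Azure CLI sign-in from the corporate range produces no finding, while alice’s single sign-in and dave’s pair from outside the corporate range are reported for each reason that applies. In production the same selection is usually done in KQL against the sign-in table and then joined to the Graph API calls that follow, which is where the mailbox keyword searches described above would show up.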

The Storm-2372 campaign underscores the evolving tactics of cyber adversaries exploiting niche authentication flows like device codes.

Organizations must adopt robust security measures and educate users to mitigate such threats effectively.

Microsoft continues to monitor this activity and provide guidance to affected customers.
