
Microsoft Threat Intelligence Center has reported a “device code phishing” campaign targeting organizations in technology, defense, telecommunications, health, education, government, NGOs and energy across Africa, Europe, the Middle East and North America.
The campaign has been active since August 2024, and Microsoft assesses with medium confidence that the actor behind it is aligned with Russian state interests.
The group, which Microsoft tracks as “Storm-2372”, tricks users into completing a sign-in to productivity apps such as Microsoft Teams and captures the authentication tokens that sign-in issues, so it can access the compromised account later without the user’s involvement.
“This technique could enable persistent access as long as the tokens remain valid, making this attack technique attractive to threat actors,” Microsoft notes.
Once inside a victim’s account, the actor can read the data and use the services that account is authorized to reach.
Storm-2372 first makes contact over third-party messaging services such as WhatsApp, Signal and Microsoft Teams, impersonating a person the target is likely to trust.
After building rapport, it sends a phishing email inviting the target to an online event or meeting; the invitation carries a device code and directs the target to the genuine sign-in page to “join”.
How does device code phishing work?
Device code authentication (the OAuth 2.0 device authorization grant) exists for devices on which typing a username and password is impractical, such as a smart TV, game console or printer, and for command-line tools.
Instead of entering credentials on the device, the device asks the identity provider for a pair of codes and shows you only the short user code, a string of letters or digits.
You then open the identity provider’s verification page on your phone or computer, sign in as usual (MFA included) and type in that code. Meanwhile the device keeps polling the identity provider with its matching, secret device code, and once you have approved, the provider hands the device the access and refresh tokens for your account.
Device code phishing abuses this flow. The attacker, not the victim, starts the flow against the legitimate identity provider and receives both codes, then sends the user code to the victim inside a convincing lure such as a meeting invitation.
The victim opens the real sign-in page, authenticates (completing MFA if prompted) and enters the code, believing they are joining a meeting. Because the attacker holds the matching device code and is polling the token endpoint, the identity provider issues the access and refresh tokens to the attacker. No fake website is needed and no password is captured; the victim has simply authorized a session that the attacker controls.
The attacker keeps that access for as long as the tokens remain valid, and a refresh token lets them mint fresh access tokens without contacting the victim again. Defenders who do not need the device code grant can block it with a Conditional Access authentication-flows policy, should revoke the refresh tokens of any affected user, and can hunt their sign-in logs for sign-ins whose authentication protocol is the device code flow.
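The exchange described above, as an added example that is not part of the original article and not Microsoft's or the attacker's code: a toy in-memory identity provider with the three pieces of the device authorization grant (device authorization endpoint, verification page, token endpoint), driven through the Storm-2372 sequence. The endpoint URL, client id, scopes and account names are made up; the point it demonstrates is that tokens go to whoever holds the device code, regardless of who typed the user code. It also shows the two outcomes a defender cares about: the grant being disabled at the identity provider, and the user code expiring before the victim acts.

```python
"""Toy model of the OAuth 2.0 device authorization grant (RFC 8628) and of the
device code phishing pattern. Added example; all names and endpoints are made up."""

import secrets

USER_CODE_ALPHABET = "BCDFGHJKLMNPQRSTVWXZ"  # consonant-only alphabet, as RFC 8628 suggests


class IdentityProvider:
    """In-memory stand-in for the endpoints a real IdP exposes for the device flow."""

    def __init__(self, allow_device_code=True, code_lifetime=900, interval=5):
        self.allow_device_code = allow_device_code  # mitigation knob: disable the grant entirely
        self.code_lifetime = code_lifetime          # seconds a user code stays valid
        self.interval = interval                    # minimum seconds between token polls
        self.pending = {}                           # device_code -> pending request
        self.by_user_code = {}                      # user_code   -> device_code

    def device_authorization(self, client_id, scope, now):
        """Device authorization endpoint: called by the *requester* (here, the attacker)."""
        if not self.allow_device_code:
            return {"error": "unauthorized_client"}
        device_code = secrets.token_hex(16)
        user_code = "-".join(
            "".join(secrets.choice(USER_CODE_ALPHABET) for _ in range(4)) for _ in range(2)
        )
        self.pending[device_code] = {
            "client_id": client_id, "scope": scope, "user_code": user_code,
            "expires": now + self.code_lifetime, "approved_by": None,
        }
        self.by_user_code[user_code] = device_code
        return {
            "device_code": device_code,      # secret; stays with the requester
            "user_code": user_code,          # short code shown to (or sent to) a human
            "verification_uri": "https://idp.example/devicelogin",  # hypothetical
            "expires_in": self.code_lifetime,
            "interval": self.interval,
        }

    def verify_user_code(self, user_code, username, now):
        """The legitimate verification page: the user signs in and types the user code."""
        device_code = self.by_user_code.get(user_code)
        if device_code is None:
            return "invalid_code"
        record = self.pending[device_code]
        if now > record["expires"]:
            return "expired"
        record["approved_by"] = username   # approval is bound to the device_code, not to the user
        return "approved"

    def token(self, device_code, now):
        """Token endpoint: polled by whoever holds device_code."""
        record = self.pending.get(device_code)
        if record is None:
            return {"error": "invalid_grant"}
        if now > record["expires"]:
            del self.pending[device_code]
            return {"error": "expired_token"}
        if record["approved_by"] is None:
            return {"error": "authorization_pending"}
        del self.pending[device_code]      # one-shot: tokens are issued once per device_code
        return {
            "access_token": "at-" + secrets.token_hex(8),
            "refresh_token": "rt-" + secrets.token_hex(8),  # lets the holder mint new access tokens
            "sub": record["approved_by"],
            "scope": record["scope"],
        }


def run_phish(idp, victim="alice@corp.example", victim_enters_code=True, delay=60):
    """Replay the lure end to end and report what the attacker ends up with."""
    now = 0
    # 1. The attacker, not the victim, starts the flow and receives both codes.
    start = idp.device_authorization("hypothetical-client-id", "Mail.Read Files.Read", now)
    if "error" in start:
        return {"outcome": "blocked", "reason": start["error"]}
    # 2. Polling before the victim acts yields nothing but authorization_pending.
    assert idp.token(start["device_code"], now + idp.interval)["error"] == "authorization_pending"
    # 3. Lure: only the user code is sent to the victim, e.g. as a "meeting code".
    # 4. The victim opens the *real* verification page and enters it after `delay` seconds.
    if victim_enters_code:
        status = idp.verify_user_code(start["user_code"], victim, now + delay)
        if status != "approved":
            return {"outcome": status}
    # 5. The attacker keeps polling with the device_code and receives the victim's tokens.
    tok = idp.token(start["device_code"], now + delay + idp.interval)
    if "error" in tok:
        return {"outcome": "failed", "reason": tok["error"]}
    return {"outcome": "compromised", "account": tok["sub"], "refresh_token": tok["refresh_token"]}


if __name__ == "__main__":
    print("default tenant:      ", run_phish(IdentityProvider()))
    print("grant disabled:      ", run_phish(IdentityProvider(allow_device_code=False)))
    print("victim too slow:     ", run_phish(IdentityProvider(code_lifetime=300), delay=600))
    print("victim ignores lure: ", run_phish(IdentityProvider(), victim_enters_code=False))
```

Note that `verify_user_code` never learns who requested the code and the victim never sees the `device_code`; that asymmetry is the whole attack, and it is also why disabling the grant at the identity provider (the `allow_device_code` knob) stops it outright rather than depending on the victim spotting anything unusual on a page that is genuinely Microsoft's.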
What’s next?
Microsoft says it is continuing to investigate the campaign to pin down its origin and to identify other groups using the same technique.
The company says it will notify customers it finds to have been compromised directly and give them the steps needed to secure their environments.