Hackers are using this new phishing technique to bypass MFA
A threat group linked to Russia has been observed orchestrating device code phishing attacks since August 2024


Microsoft has warned that a threat group it tracks as Storm-2372 has shifted tactics to a specific ‘device code phishing’ technique that lets it obtain access tokens even when multi-factor authentication (MFA) is enforced, because the victim completes the MFA challenge themselves.
The report states that Storm-2372, which it links to Russia with ‘medium confidence’, has been conducting an active and successful device code phishing campaign since August 2024.
It has been observed targeting governments, NGOs, and organizations in the IT, defense, telecoms, health, energy, and education sectors across multiple regions, Microsoft added.
Device code phishing abuses the OAuth 2.0 device authorization grant (RFC 8628), an industry standard sign-in flow for devices such as printers, smart TVs and command-line tools that cannot present a browser login and instead have the user sign in on another device by typing a short code.
The attacker initiates the flow themselves by requesting a device code from the legitimate service, then sends the accompanying short user code to the victim disguised as, for example, a Teams meeting invite or a registration code.
The target then goes through their normal sign-in on the legitimate portal, entering their username, password and MFA response, but because the attacker holds the matching device code and is polling the service's token endpoint, the access token is issued to the attacker rather than to anything the victim controls. The code is only valid for a short window, so the lure has to get the victim to enter it promptly.
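To make the mechanics concrete, here is an added example (not code from the article or from Microsoft) that models the three RFC 8628 steps in-process: the party that starts the flow gets a long device code and a short user code, the user approves the user code after a full password-plus-MFA sign-in, and the token is then handed to whoever polls with the device code. The AuthorizationServer class, the 15-minute code lifetime, the verification URI and the victim's username are all assumptions for the simulation, not Microsoft's implementation. The second scenario shows the caveat from the text: if the victim types the code after it has expired, the attacker gets nothing.

```python
"""Toy model of the OAuth 2.0 Device Authorization Grant (RFC 8628) showing
why device code phishing hands the token to the attacker.  Added example; the
AuthorizationServer below is a simplification, not Microsoft's implementation."""
from __future__ import annotations

import secrets
from dataclasses import dataclass
from typing import Optional


@dataclass
class DeviceAuth:
    device_code: str          # long secret, known only to the party that started the flow
    user_code: str            # short code the user types in at the verification URI
    client_id: str
    expires_at: float         # absolute time (seconds) after which both codes are dead
    approved_by: Optional[str] = None
    last_poll: float = -1e9


class AuthorizationServer:
    """Minimal identity provider implementing the three RFC 8628 steps."""

    def __init__(self, lifetime_s: float = 900.0, interval_s: float = 5.0):
        self.lifetime_s = lifetime_s      # assumption: 15-minute code lifetime
        self.interval_s = interval_s      # minimum polling interval
        self.by_device_code: dict[str, DeviceAuth] = {}
        self.by_user_code: dict[str, DeviceAuth] = {}

    # Step 1: device authorization request (RFC 8628 sections 3.1/3.2).
    def device_authorization(self, client_id: str, now: float) -> dict:
        auth = DeviceAuth(
            device_code=secrets.token_urlsafe(32),
            user_code=f"{secrets.randbelow(10**9):09d}",
            client_id=client_id,
            expires_at=now + self.lifetime_s,
        )
        self.by_device_code[auth.device_code] = auth
        self.by_user_code[auth.user_code] = auth
        return {
            "device_code": auth.device_code,
            "user_code": auth.user_code,
            "verification_uri": "https://idp.example/device",  # constructed
            "expires_in": self.lifetime_s,
            "interval": self.interval_s,
        }

    # Step 2: the user signs in (password + MFA) and enters the user code.
    def verify_user_code(self, user_code: str, username: str,
                         password_ok: bool, mfa_ok: bool, now: float) -> str:
        auth = self.by_user_code.get(user_code)
        if auth is None or now > auth.expires_at:
            return "invalid_or_expired_code"
        if not (password_ok and mfa_ok):
            return "authentication_failed"
        # Nothing ties the approving user to the device that requested the code.
        auth.approved_by = username
        return "approved"

    # Step 3: token endpoint polled with the device code (RFC 8628 sections 3.4/3.5).
    def token(self, device_code: str, now: float) -> dict:
        auth = self.by_device_code.get(device_code)
        if auth is None:
            return {"error": "invalid_grant"}
        if now > auth.expires_at:
            return {"error": "expired_token"}
        if now - auth.last_poll < self.interval_s:
            return {"error": "slow_down"}
        auth.last_poll = now
        if auth.approved_by is None:
            return {"error": "authorization_pending"}
        del self.by_device_code[device_code]
        del self.by_user_code[auth.user_code]
        return {"access_token": secrets.token_urlsafe(32),
                "token_type": "Bearer", "subject": auth.approved_by}


def run_phishing_scenario(victim_delay_s: float) -> dict:
    """Attacker starts the flow at t=0; the victim enters the code at t=victim_delay_s."""
    idp = AuthorizationServer()
    # Attacker (posing as the "device") requests the codes for a legitimate client id.
    codes = idp.device_authorization(client_id="legit-public-client", now=0.0)
    # Attacker polls early: nothing approved yet.
    first_poll = idp.token(codes["device_code"], now=10.0)
    # The user code reaches the victim as a "meeting invite"; the victim signs in on
    # the real portal with password and MFA and types the code.
    verify = idp.verify_user_code(codes["user_code"], "victim@corp.example",
                                  password_ok=True, mfa_ok=True, now=victim_delay_s)
    # Attacker keeps polling and collects whatever the server issues.
    final = idp.token(codes["device_code"], now=victim_delay_s + idp.interval_s)
    return {"first_poll": first_poll.get("error"), "verify": verify,
            "attacker_got_token": "access_token" in final,
            "token_subject": final.get("subject"), "final_error": final.get("error")}


if __name__ == "__main__":
    print(run_phishing_scenario(60.0))    # victim acts within the code lifetime
    print(run_phishing_scenario(1000.0))  # victim acts after the code has expired
```

The point the simulation makes is that the server never learns who asked for the code; it only knows who approved it. That is why completing MFA correctly does not protect the victim here, and why the only levers a defender has are restricting which users and clients may use the device flow at all, and watching for device-code sign-ins in telemetry.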
Cybersecurity company Volexity recently published a report stating it has observed multiple campaigns conducted by a number of Russian threat actors using the device code phishing technique.
It noted that because the attacks do not follow the typical phishing workflow that users have been trained to spot, they are less likely to raise suspicion, which makes the technique particularly effective.
“What Volexity has observed is that this method has been more effective at successfully compromising accounts than most other targeted spear-phishing campaigns.”
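Since the victim is unlikely to report anything, detection has to come from the identity provider's sign-in telemetry rather than from users. The following added example (not from the article, Volexity or Microsoft) runs a simple check over constructed sign-in records: every successful sign-in that used the device code protocol is flagged, and it is escalated when it comes from a country not seen in the user's other successful sign-ins. The record schema is an assumption loosely modelled on Microsoft Graph signIn objects, the sample lines are constructed, and the country baseline is illustrative.

```python
"""Flag device-code sign-ins in an export of identity-provider sign-in records.
Added example; the records are constructed and the field names are an
assumption loosely modelled on Microsoft Graph signIn objects."""
import json
from collections import defaultdict

# Constructed sample (not real logs), one JSON record per line.
SAMPLE_SIGNINS = """\
{"createdDateTime": "2025-02-13T09:02:11Z", "userPrincipalName": "alice@corp.example", "authenticationProtocol": "oAuth2", "ipAddress": "203.0.113.10", "country": "GB", "appDisplayName": "Microsoft Teams", "status": "success"}
{"createdDateTime": "2025-02-13T09:05:40Z", "userPrincipalName": "alice@corp.example", "authenticationProtocol": "deviceCode", "ipAddress": "198.51.100.77", "country": "NL", "appDisplayName": "Microsoft Office", "status": "success"}
{"createdDateTime": "2025-02-13T10:15:02Z", "userPrincipalName": "bob@corp.example", "authenticationProtocol": "deviceCode", "ipAddress": "203.0.113.22", "country": "GB", "appDisplayName": "Azure CLI", "status": "success"}
{"createdDateTime": "2025-02-13T11:00:00Z", "userPrincipalName": "carol@corp.example", "authenticationProtocol": "deviceCode", "ipAddress": "192.0.2.5", "country": "BR", "appDisplayName": "Microsoft Office", "status": "failure"}
"""


def parse_signins(ndjson: str) -> list:
    """Parse newline-delimited JSON sign-in records, skipping blank lines."""
    return [json.loads(line) for line in ndjson.splitlines() if line.strip()]


def detect_device_code_signins(records, known_countries=None):
    """Return one alert per successful device-code sign-in.

    known_countries: {upn: {country, ...}} baseline from history; the batch's own
    non-device-code successes are added to it.  A device-code sign-in from a
    country outside the user's baseline is rated 'high', otherwise 'medium'
    (every device-code sign-in is worth a look: most users never need the flow).
    """
    baseline = defaultdict(set)
    for upn, countries in (known_countries or {}).items():
        baseline[upn] |= set(countries)
    for r in records:
        if r["status"] == "success" and r["authenticationProtocol"] != "deviceCode":
            baseline[r["userPrincipalName"]].add(r["country"])

    alerts = []
    for r in records:
        if r["authenticationProtocol"] != "deviceCode" or r["status"] != "success":
            continue
        upn = r["userPrincipalName"]
        new_country = r["country"] not in baseline[upn]
        alerts.append({
            "time": r["createdDateTime"], "user": upn, "ip": r["ipAddress"],
            "app": r["appDisplayName"],
            "severity": "high" if new_country else "medium",
            "reason": ("device-code sign-in from country not in user's baseline"
                       if new_country else
                       "device-code sign-in (confirm the user really runs a device-flow client)"),
        })
    return alerts


if __name__ == "__main__":
    history = {"bob@corp.example": {"GB"}}   # constructed baseline
    for alert in detect_device_code_signins(parse_signins(SAMPLE_SIGNINS), history):
        print(alert)
```

In practice the same idea is expressed as a query against the tenant's sign-in logs filtered on the device code protocol, joined to the user's usual locations and the client application. The complement to detection is prevention: only allow the device flow for the users and applications that genuinely need it, and block it for everyone else.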
Device code phishing could become new go-to for hackers
Security experts have warned that this tactic could become increasingly common amongst threat actors as it can get around additional security layers that prevent more rudimentary phishing attacks.
Speaking to ITPro, Amir Sadon, director of research at Sygnia, said that this approach is a relatively new technique that he expects to become more popular among more sophisticated groups due to its efficacy.
“Microsoft's latest blog on Storm-2372 highlights a rather new and highly creative MFA bypass technique known as device code phishing. Sygnia’s Incident Response teams have investigated multiple cases where attackers employed a variety of MFA bypass techniques, so we can only assume that new vectors such as device code phishing will be increasingly leveraged as a sophisticated method for account compromise.”
He noted that as protective measures like MFA become increasingly common, cyber criminals will have to adopt new tactics such as these to compromise accounts.
“As awareness of traditional phishing improves and MFA adoption becomes widespread, attackers are shifting to more advanced social engineering tactics, including OAuth-based attacks that bypass MFA entirely.”
David Sancho, senior threat researcher at Trend Micro, told ITPro that this approach is becoming a new favourite amongst attackers, stating the most common variant of the attack recorded by Trend Micro uses QR codes to take advantage of lax mobile security.
“Device code phishing is becoming a common attack technique. The key to the attack is forcing a device switch to circumvent desktop defences. The most popular strategy we are seeing uses QR authentication codes,” he warned.
“These QR codes are supposed to work as a two-factor authentication method for a ‘document’ the attacker is sending to victims. Once the QR code is scanned with a phone, a phishing page is presented to the user with an Office365 authentication screen. This works because the attacker can pick up the corporate login of the employee without a URL filter. This is assuming the phone is not protected, which they usually aren’t.”
Solomon Klappholz is a former staff writer for ITPro and ChannelPro. He has experience writing about the technologies that facilitate industrial manufacturing, which led to him developing a particular interest in cybersecurity, IT regulation, industrial infrastructure applications, and machine learning.