Hackers Exploit Device Codes to Breach Microsoft Email Accounts

Introduction
A new and active cyberattack campaign has been uncovered, targeting Microsoft 365 accounts through device code phishing. This campaign, attributed to a threat actor potentially linked to Russia, is affecting high-profile individuals across multiple sectors, including government, NGOs, IT services, defense, telecommunications, healthcare, and energy industries in Europe, North America, Africa, and the Middle East.
The Microsoft Threat Intelligence Center (MSTIC) is tracking the group behind these attacks as 'Storm-2372.' Given their tradecraft, choice of victims, and operational patterns, Microsoft believes with medium confidence that these activities align with Russian state interests.
Understanding Device Code Phishing Attacks
Device code phishing attacks exploit a legitimate authentication mechanism designed for input-constrained devices, such as smart TVs and IoT devices that lack a keyboard or browser. These devices rely on a code-based authentication system, allowing users to sign in to applications by entering a unique authorization code on a separate device, such as a smartphone or computer.
Microsoft researchers discovered that since August last year, Storm-2372 has been abusing this authentication flow. The attackers deceive users into entering attacker-generated codes on legitimate Microsoft sign-in pages, allowing them to hijack accounts without requiring a password.
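The trust gap the campaign abuses is easiest to see in the protocol itself. The following is an added example, not code from the article or from Microsoft: a toy in-memory model of the OAuth 2.0 device authorization grant (RFC 8628), the standard behind Microsoft's device code flow. Code values, the client name and the verification URL are constructed; the point it demonstrates is that tokens are issued to whoever started the flow, not to whoever typed the code.

```python
class DeviceCodeAuthServer:
    """Toy authorization server for the device authorization grant; codes are fixed so runs are deterministic."""

    def __init__(self, code_lifetime_s=900):
        self.code_lifetime_s = code_lifetime_s
        self.sessions = {}      # device_code -> {"client_id", "subject", "expires_at"}
        self.by_user_code = {}  # user_code -> device_code

    def device_authorization(self, client_id, now, device_code="dc-constructed-1", user_code="ABCD-EFGH"):
        # Step 1 (RFC 8628 sections 3.1-3.2): the client that starts the flow receives both codes.
        self.sessions[device_code] = {"client_id": client_id, "subject": None,
                                      "expires_at": now + self.code_lifetime_s}
        self.by_user_code[user_code] = device_code
        return {"device_code": device_code, "user_code": user_code,
                "verification_uri": "https://login.example/device", "expires_in": self.code_lifetime_s}

    def user_approves(self, user_code, signed_in_subject, now):
        # Step 2 (section 3.3): a signed-in user types the user_code on the verification page.
        # The server cannot tell whether this user also holds the device_code from step 1.
        device_code = self.by_user_code.get(user_code)
        if device_code is None or now > self.sessions[device_code]["expires_at"]:
            return False  # unknown or expired code: the window for abuse is bounded by expires_in
        self.sessions[device_code]["subject"] = signed_in_subject
        return True

    def token(self, device_code, now):
        # Step 3 (sections 3.4-3.5): whoever holds device_code polls and receives the approver's tokens.
        s = self.sessions.get(device_code)
        if s is None or now > s["expires_at"]:
            return {"error": "expired_token"}
        if s["subject"] is None:
            return {"error": "authorization_pending"}
        return {"access_token": f"tok-for-{s['subject']}", "refresh_token": f"rt-for-{s['subject']}"}


def demo():
    """The scenario the article describes: one party starts the flow, a different party approves it."""
    srv = DeviceCodeAuthServer()
    grant = srv.device_authorization("initiating-client", now=0)   # in the campaign, the attacker's client
    pending = srv.token(grant["device_code"], now=5)                # nothing issued yet
    approved = srv.user_approves(grant["user_code"], "victim@example.org", now=60)
    issued = srv.token(grant["device_code"], now=65)                # tokens go to the initiator
    return pending, approved, issued
```

Nothing in step 2 ties the approving user to the device that started the flow, which is why the defensive steps later in the article concentrate on blocking the flow and watching for its use rather than on passwords.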
Step-by-Step Breakdown of the Attack
1. Social Engineering & Impersonation
2. Fake Meeting Invitations
3. Exploitation of Device Code Authentication
4. Persistent Access and Data Harvesting
5. Expansion and Further Attacks
Implications of Device Code Phishing
Device code phishing presents a significant threat as it bypasses traditional credential-based authentication. By using legitimate Microsoft authentication flows, attackers can maintain access without triggering conventional security alerts.
Key concerns include:
- Government and Corporate Espionage – State-sponsored attackers can harvest sensitive data from government and corporate entities.
- Long-term Persistence – The ability to generate new authentication tokens allows for prolonged access.
- Minimal Detection – Since the attack relies on legitimate authentication mechanisms, many security tools may fail to detect the intrusion.
- Scalability of Attacks – This technique can be easily automated and deployed across multiple targets, increasing its effectiveness.
How to Defend Against Storm-2372’s Attacks
To mitigate the risk of device code phishing attacks, organizations should implement the following security measures:
1. Block Device Code Flow Where Possible
If device code authentication is unnecessary for business operations, organizations should disable it entirely.
This can be enforced using Microsoft Entra ID Conditional Access policies.
2. Restrict Device Code Authentication to Trusted Devices
Enforce Conditional Access policies that limit device code authentication to managed or trusted networks and devices.
This reduces the likelihood of attackers using unauthorized devices to access company resources.
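A common failure in steps 1 and 2 is a policy that exists but does not actually enforce (report-only, wrong scope, or a grant control other than block). The following is an added example, not the article's own material and not Microsoft's code: it shapes the blocking policy as a Microsoft Graph conditionalAccessPolicy body and audits an exported policy list for a tenant-wide block of the device code flow. The schema details (`conditions.authenticationFlows.transferMethods` carrying `deviceCodeFlow` as a comma-separated flags string, `state` values, `grantControls.builtInControls`) follow the Graph resource as I understand it; both sample policies and the break-glass placeholder are constructed.

```python
BLOCK_DEVICE_CODE_POLICY = {  # the policy step 1 describes, shaped as a Graph request body
    "displayName": "Block device code flow (all users, all apps)",
    "state": "enabled",
    "conditions": {
        "users": {"includeUsers": ["All"], "excludeUsers": ["<break-glass-account-object-id>"]},
        "applications": {"includeApplications": ["All"]},
        "authenticationFlows": {"transferMethods": "deviceCodeFlow"},
    },
    "grantControls": {"operator": "OR", "builtInControls": ["block"]},
}
REPORT_ONLY_POLICY = {  # constructed: looks complete in the portal but enforces nothing
    "displayName": "Device code flow (report-only)",
    "state": "enabledForReportingButNotEnforced",
    "conditions": {
        "users": {"includeUsers": ["All"]},
        "applications": {"includeApplications": ["All"]},
        "authenticationFlows": {"transferMethods": "deviceCodeFlow,authenticationTransfer"},
    },
    "grantControls": {"operator": "OR", "builtInControls": ["block"]},
}

def transfer_methods(policy):
    # transferMethods is a comma-separated flags string in the Graph schema (assumption)
    flows = (policy.get("conditions") or {}).get("authenticationFlows") or {}
    return {m.strip() for m in (flows.get("transferMethods") or "").split(",") if m.strip()}

def gaps(policy):
    """Reasons this policy does not block the device code flow tenant-wide (empty list = it does)."""
    cond = policy.get("conditions") or {}
    reasons = []
    if policy.get("state") != "enabled":
        reasons.append("not enforced (state=%s)" % policy.get("state"))
    if "deviceCodeFlow" not in transfer_methods(policy):
        reasons.append("does not target deviceCodeFlow")
    if (cond.get("users") or {}).get("includeUsers") != ["All"]:
        reasons.append("not scoped to all users")
    if (cond.get("applications") or {}).get("includeApplications") != ["All"]:
        reasons.append("not scoped to all apps")
    if "block" not in ((policy.get("grantControls") or {}).get("builtInControls") or []):
        reasons.append("grant control is not block")
    return reasons

def audit(policies):
    """(covered, findings): covered if some policy fully blocks the flow; findings lists the gaps."""
    covered, findings = False, []
    for p in policies:
        r = gaps(p)
        if not r:
            covered = True
        elif "deviceCodeFlow" in transfer_methods(p):
            findings.append((p.get("displayName"), r))
    return covered, findings
```

Feed `audit()` the `value` array from a `GET /identity/conditionalAccess/policies` export; for the trusted-device variant in step 2, the same check applies with the users or locations scope adjusted to the allowed set.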
3. Monitor for Suspicious Sign-Ins
Use Microsoft Entra ID’s sign-in logs to detect:
4. Revoke Refresh Tokens Immediately Upon Suspicion
If a phishing attempt is detected, immediately revoke the affected users' refresh tokens with the Microsoft Graph revokeSignInSessions action.
This prevents attackers from continuing to use stolen tokens.
Additionally, set a Conditional Access policy to force re-authentication for affected users.
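Steps 3 and 4 fit together as one detection-and-response loop. The following is an added example, not the article's own material and not a Microsoft tool: it rates successful device-code sign-ins in exported Entra sign-in records against each user's own non-device-code history and builds the revocation calls for the worst cases. Field names (`authenticationProtocol == "deviceCode"`, `status.errorCode`, `location.countryOrRegion`) follow the Microsoft Graph signIn resource as I understand it; the records are constructed, and the Graph requests are built but not sent.

```python
from collections import defaultdict
GRAPH = "https://graph.microsoft.com/v1.0"
SIGNINS = [  # constructed sample records, oldest first
    {"createdDateTime": "2025-02-10T08:00:00Z", "userPrincipalName": "alice@example.org", "authenticationProtocol": "oAuth2",
     "status": {"errorCode": 0}, "ipAddress": "203.0.113.10", "location": {"countryOrRegion": "DE"}},
    {"createdDateTime": "2025-02-11T09:15:00Z", "userPrincipalName": "alice@example.org", "authenticationProtocol": "deviceCode",
     "status": {"errorCode": 0}, "ipAddress": "198.51.100.7", "location": {"countryOrRegion": "NL"}},
    {"createdDateTime": "2025-02-11T10:00:00Z", "userPrincipalName": "bob@example.org", "authenticationProtocol": "deviceCode",
     "status": {"errorCode": 50126}, "ipAddress": "198.51.100.8", "location": {"countryOrRegion": "DE"}},  # failed attempt
    {"createdDateTime": "2025-02-11T11:30:00Z", "userPrincipalName": "carol@example.org", "authenticationProtocol": "deviceCode",
     "status": {"errorCode": 0}, "ipAddress": "203.0.113.22", "location": {"countryOrRegion": "DE"}},
]

def _succeeded(r):
    return (r.get("status") or {}).get("errorCode") == 0

def _country(r):
    return (r.get("location") or {}).get("countryOrRegion")

def baseline_countries(records):
    """Per user: countries seen in successful sign-ins that did NOT use the device code flow."""
    seen = defaultdict(set)
    for r in records:
        if _succeeded(r) and r.get("authenticationProtocol") != "deviceCode":
            seen[r["userPrincipalName"]].add(_country(r))
    return seen

def flag_device_code_signins(records):
    """Every successful device-code sign-in, rated against the user's own history."""
    base = baseline_countries(records)
    flagged = []
    for r in records:
        if not (_succeeded(r) and r.get("authenticationProtocol") == "deviceCode"):
            continue
        upn = r["userPrincipalName"]
        if upn not in base:
            severity = "medium"  # no non-device-code history to compare against
        elif _country(r) not in base[upn]:
            severity = "high"    # device-code sign-in from a country this user has never used
        else:
            severity = "low"
        flagged.append({"user": upn, "time": r["createdDateTime"], "ip": r.get("ipAddress"),
                        "country": _country(r), "severity": severity})
    return flagged

def revoke_requests(flagged, min_severity="high"):
    """Graph calls (method, url) that invalidate the users' refresh tokens; built here, not sent."""
    rank = {"low": 0, "medium": 1, "high": 2}
    users = sorted({f["user"] for f in flagged if rank[f["severity"]] >= rank[min_severity]})
    return [("POST", f"{GRAPH}/users/{u}/revokeSignInSessions") for u in users]
```

Even a "low" hit deserves a look in a tenant where the flow is supposed to be blocked, since any successful device-code sign-in there means the policy is not covering that user or app.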
5. Strengthen Security Awareness Training
Educate employees about social engineering tactics used by threat actors like Storm-2372.
Train staff to verify the legitimacy of unexpected meeting invitations and authentication requests.
6. Enable Multi-Factor Authentication (MFA) on All Accounts
MFA adds an additional layer of security, making it harder for attackers to gain access even if they steal authentication tokens.
Consider implementing phishing-resistant MFA methods, such as security keys or certificate-based authentication.
7. Implement Device Registration Monitoring
Monitor and audit newly registered devices in Microsoft Entra ID.
If unauthorized devices are detected, immediately investigate and remove them from the organization’s access list.
The Future of Phishing Attacks
The rise of sophisticated phishing techniques, such as device code phishing, indicates an evolution in cyberattack strategies. Cybercriminals are increasingly shifting towards abusing legitimate authentication flows rather than traditional credential theft.
Security teams must adapt by implementing stronger authentication controls, continuous monitoring, and proactive defense mechanisms. The ability to detect and mitigate threats like Storm-2372 will play a crucial role in safeguarding sensitive information and maintaining organizational security.
Conclusion
The campaign by Storm-2372 is a clear demonstration of the dangers posed by device code phishing attacks. By exploiting legitimate authentication mechanisms, threat actors can gain unauthorized access to Microsoft 365 accounts without needing credentials. Organizations must take immediate steps to bolster their defenses by restricting device code authentication, monitoring suspicious sign-ins, enforcing MFA, and educating employees on phishing risks.
As cyber threats continue to evolve, maintaining vigilance and adopting proactive security measures will be critical in defending against state-sponsored cyberattacks and preventing data breaches in the digital era.
About the Creator
WIRE TOR - Ethical Hacking Services
WIRE TOR is a cyber intelligence company that provides pentest and cybersecurity news about IT, web, mobile (iOS, Android), API, cloud, IoT, network, application, system, red teaming, social engineering, wireless, and source code.