Got a Microsoft Teams invite? Storm-2372 Gang Exploit Device Codes in Global Phishing Attacks

by CybrGPT

Security experts have warned that a cybercriminal group has been running a malicious and inventive phishing campaign since August 2024 to break into organizations across Europe, North America, Africa, and the Middle East.

The Russian group, known as Storm-2372, has targeted government and non-governmental organisations (NGOs), as well as firms working in IT, defence, telecoms, health, and the energy sector.

What makes the campaign particularly notable is the way that it attempts to lure unsuspecting victims through the use of device codes from WhatsApp and Microsoft Teams.

As explained on the Microsoft Security blog, victims are being duped into handing over authentication codes, allowing malicious hackers to access email archives and other sensitive information stored in the cloud.

Anyone who has ever tried to connect their smart TV to a streaming service in the past may remember how frustrating it can be to enter a password on a device that does not have a proper keyboard attached.

That’s why many services accessible via devices such as a TV now allow you to sign in to an application by entering a numeric or alphanumeric authentication code shown on your smartphone or computer device instead.

What Microsoft researchers warn is happening is that malicious hackers are abusing this device code authentication method by tricking users into entering those device codes on legitimate sign-in pages.

Your first indication that you are being targeted in such an attack could be a message via WhatsApp, Signal, or Microsoft Teams claiming to come from an individual “falsely posing as a prominent person relevant to the target.”

The messages attempt to gain the victim’s trust before sending them a spoof Microsoft Teams meeting invite via email.

Clicking on the link in the email does not take the victim to a phishing page, but instead to the legitimate Microsoft login page, where they are prompted to enter a device verification code (which the attackers previously requested the targeted service to generate).

When the targeted user enters the device code and authenticates themselves, the cybercriminals can gain their own access to their intended victim’s account – without needing to steal a password or multi-factor authentication code.

According to Microsoft, it has observed Storm-2372 using the specific client ID for Microsoft Authentication Broker in the attack process, ultimately using the connected devices to access email.

Microsoft is at pains to point out that this is not because of a flaw in its code, and that the problem does not only affect Microsoft products.

Researchers at security firm Volexity, who have also been tracking the phishing campaign, say that they have seen victims contacted via Signal from individuals purporting to be from the Ukrainian Ministry of Defence.

Other device authentication code attacks have targeted the US State Department, European Parliament, and a number of research organisations.

Microsoft advises that users should be educated about the techniques commonly used by cybercriminals in phishing attacks, and that sign-in dialogs should clearly indicate which application is being authenticated to.

In addition, it recommends that the device code flow should be blocked wherever it is not required.
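
Before blocking the flow, it helps to know where it is actually in use. The following added example (not from Microsoft's report or the original article) inventories device code sign-ins in an exported sign-in log and flags any that are not on an approved list, rating the Microsoft Authentication Broker client mentioned above as high. The field names are modelled on Entra ID sign-in log exports; they, the sample records, and the approved-app list are assumptions.

```python
import json
from collections import Counter

# Constructed sample records (newline-delimited JSON); the last line is deliberately malformed.
SAMPLE_LOG = """\
{"createdDateTime": "2025-02-10T09:12:03Z", "userPrincipalName": "alice@example.org", "appDisplayName": "Office 365 Exchange Online", "authenticationProtocol": "none", "ipAddress": "198.51.100.10"}
{"createdDateTime": "2025-02-10T09:30:41Z", "userPrincipalName": "roomdisplay@example.org", "appDisplayName": "Conference Room Display", "authenticationProtocol": "deviceCode", "ipAddress": "198.51.100.20"}
{"createdDateTime": "2025-02-10T10:02:17Z", "userPrincipalName": "bob@example.org", "appDisplayName": "Microsoft Authentication Broker", "authenticationProtocol": "deviceCode", "ipAddress": "203.0.113.77"}
{"createdDateTime": "2025-02-10T11:45:09Z", "userPrincipalName": "carol@example.org", "appDisplayName": "Microsoft Office", "authenticationProtocol": "deviceCode", "ipAddress": "203.0.113.80"}
not-json residue from a truncated export
"""

BROKER_APP = "Microsoft Authentication Broker"  # client named in the article
APPROVED_APPS = {"Conference Room Display"}     # hypothetical app that needs the flow

def parse_signins(text):
    """Parse newline-delimited JSON, skipping blank or malformed lines."""
    records = []
    for line in text.splitlines():
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return records

def is_device_code(record):
    return str(record.get("authenticationProtocol", "")).lower() == "devicecode"

def usage_by_app(records):
    """Count device code sign-ins per application, approved or not."""
    return Counter(r.get("appDisplayName", "unknown") for r in records if is_device_code(r))

def review_device_code_signins(records, approved_apps):
    """Return device code sign-ins outside the approved list, with a severity."""
    findings = []
    for r in records:
        app = r.get("appDisplayName", "unknown")
        if not is_device_code(r) or app in approved_apps:
            continue
        findings.append({
            "time": r.get("createdDateTime"),
            "user": r.get("userPrincipalName"),
            "app": app,
            "ip": r.get("ipAddress"),
            "severity": "high" if app == BROKER_APP else "review",
        })
    return findings

if __name__ == "__main__":
    for finding in review_device_code_signins(parse_signins(SAMPLE_LOG), APPROVED_APPS):
        print(finding)
```

The per-app counts from `usage_by_app` show which applications would be affected by a block, and the findings list is the set of sign-ins to investigate first.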


Editor’s Note: The opinions expressed in this and other guest author articles are solely those of the contributor and do not necessarily reflect those of Tripwire.


© 2025 cybrgpt.com – All rights reserved.