
Microsoft has brought to light an emerging threat cluster it calls Storm-2372, which has been attributed to a new set of cyber-attacks aimed at a variety of sectors since August 2024.
The attacks have targeted government, non-governmental organizations (NGOs), information technology (IT) services and technology, defense, telecommunications, health, higher education, and energy/oil and gas sectors in Europe, North America, Africa, and the Middle East.
The threat actor has been observed targeting users via messaging apps like WhatsApp, Signal, and Microsoft Teams by falsely claiming to be a prominent person in an attempt to build trust.
"The attacks use a specific phishing technique called 'device code phishing' that tricks users to log into productivity apps while Storm-2372 actors capture the information from the log in (tokens) that they can use to then access compromised accounts," Microsoft Threat Intelligence said in a new report.
The goal is to leverage the authentication codes obtained via the technique to access target accounts, and abuse that access to get hold of sensitive data and enable persistent access to the victim environment as long as the tokens remain valid.
According to the tech giant, the attack involves sending phishing emails that masquerade as Microsoft Teams meeting invitations. When clicked, these invites urge the message recipients to authenticate using a threat actor-generated device code, thereby allowing the adversary to hijack the authenticated session using the valid access token.
"During the attack, the threat actor generates a legitimate device code request and tricks the target into entering it into a legitimate sign-in page," Microsoft explained. "This grants the actor access and enables them to capture the authentication—access and refresh—tokens that are generated, then use those tokens to access the target's accounts and data."
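For defenders, the flow described above leaves a recognizable trace: a sign-in completed with the device code protocol, followed by token use from an address the user was not on. The sketch below is an added example, not code from Microsoft's report or this article; the record schema, the `protocol` values, the allow list and the 15-minute window are all assumptions, and the sample records are constructed.

```python
from datetime import datetime, timedelta

# Constructed sample records. The schema is a simplified assumption
# modeled on identity-provider sign-in logs, not a real log export.
SAMPLE_SIGNINS = [
    {"time": "2025-02-14T09:00:00", "user": "alice@example.org", "protocol": "deviceCode", "ip": "198.51.100.7"},
    {"time": "2025-02-14T09:04:00", "user": "alice@example.org", "protocol": "refreshToken", "ip": "203.0.113.50"},
    {"time": "2025-02-14T09:10:00", "user": "bob@example.org", "protocol": "password", "ip": "192.0.2.44"},
    {"time": "2025-02-14T09:30:00", "user": "kiosk-svc@example.org", "protocol": "deviceCode", "ip": "192.0.2.80"},
    {"time": "2025-02-14T10:00:00", "user": "carol@example.org", "protocol": "deviceCode", "ip": "192.0.2.10"},
    {"time": "2025-02-14T10:05:00", "user": "carol@example.org", "protocol": "refreshToken", "ip": "192.0.2.10"},
]

# Hypothetical allow list: accounts with a documented need for device code
# sign-in (input-constrained devices such as kiosks or conference room panels).
APPROVED_DEVICE_CODE_USERS = {"kiosk-svc@example.org"}
FOLLOW_ON_WINDOW = timedelta(minutes=15)  # assumed correlation window


def find_suspicious_device_code_signins(events, approved=APPROVED_DEVICE_CODE_USERS,
                                        window=FOLLOW_ON_WINDOW):
    """Flag device code sign-ins by unapproved users.

    Severity is "high" when the same user's tokens are then used from a
    different IP inside the window, otherwise "medium".
    """
    events = sorted(events, key=lambda e: e["time"])  # ISO 8601 strings sort by time
    findings = []
    for i, ev in enumerate(events):
        if ev["protocol"] != "deviceCode" or ev["user"] in approved:
            continue
        start = datetime.fromisoformat(ev["time"])
        follow_on_ips = sorted({
            later["ip"] for later in events[i + 1:]
            if later["user"] == ev["user"]
            and later["ip"] != ev["ip"]
            and datetime.fromisoformat(later["time"]) - start <= window
        })
        findings.append({
            "user": ev["user"],
            "time": ev["time"],
            "ip": ev["ip"],
            "follow_on_ips": follow_on_ips,
            "severity": "high" if follow_on_ips else "medium",
        })
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_device_code_signins(SAMPLE_SIGNINS):
        print(finding)
```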