
Microsoft has warned of a sustained cyberattack campaign by a group it tracks as Storm-2372, which it assesses to be aligned with Russian state interests. Active since August 2024, the campaign targets Microsoft 365 accounts through device code phishing, an abuse of the OAuth 2.0 device authorization flow that hands the attackers valid access and refresh tokens without their ever handling the victim's password.
Storm-2372 first approaches victims over third-party messaging platforms such as WhatsApp, Signal and Microsoft Teams, impersonating a trusted contact and building rapport before sending a fake invitation to an online meeting. The invitation carries a device code that the attacker has already obtained by starting a device code sign-in flow. When the victim enters that code on Microsoft's legitimate device login page and authenticates there, the identity provider issues the resulting access and refresh tokens to the session that started the flow, which is the attacker's. The attacker then uses those tokens to reach the victim's Microsoft services, including email and cloud storage. The technique is not exclusive to Microsoft: any service that supports the device authorization flow can be abused the same way.
Storm-2372 exploits Microsoft Authentication Broker for persistent access
The device authorization flow exists for input-constrained devices such as smart TVs and command-line tools that cannot host a browser login: the device displays a short code, the user types it into a browser on a second device and signs in there, and the first device then receives the tokens. Storm-2372 simply inverts the roles. The attacker acts as the "device" that requests the code, the victim is the user who enters it on the genuine login page, and the tokens are delivered to the attacker.
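The two paragraphs above describe the device code flow in prose. The following simulation is an added example, not code from the article or from Microsoft, and it contacts no real identity provider: it models the two RFC 8628 endpoints (device authorization and token) in memory, then walks the flow with the roles Storm-2372 uses. The client ID and verification URL are placeholders. The point it makes concrete is that the server has no way to tell who requested a code, so the tokens go to whoever holds the device code, i.e. the initiator.

```python
"""Offline simulation of the OAuth 2.0 device authorization grant (RFC 8628),
showing why device code phishing works: tokens are issued to the party that
*started* the flow, not to the person who typed the code."""
import secrets
import time
from dataclasses import dataclass
from typing import Optional

USER_CODE_ALPHABET = "BCDFGHJKLMNPQRSTVWXZ"  # consonant-only alphabet as RFC 8628 suggests


@dataclass
class PendingAuthorization:
    device_code: str
    user_code: str
    client_id: str
    scope: str
    expires_at: float
    approved_by: Optional[str] = None  # set once a signed-in user enters the code


class AuthorizationServer:
    """Stand-in for the identity provider's device-authorization and token endpoints."""

    def __init__(self, code_lifetime_s: int = 900):
        self.code_lifetime_s = code_lifetime_s
        self._by_device_code: dict = {}
        self._by_user_code: dict = {}

    def device_authorization(self, client_id: str, scope: str) -> dict:
        """POST /devicecode: the initiating party receives both codes. The user_code
        is what the attacker later pastes into a fake meeting invitation."""
        raw = "".join(secrets.choice(USER_CODE_ALPHABET) for _ in range(8))
        pending = PendingAuthorization(
            device_code=secrets.token_urlsafe(32),
            user_code=f"{raw[:4]}-{raw[4:]}",
            client_id=client_id,
            scope=scope,
            expires_at=time.time() + self.code_lifetime_s,
        )
        self._by_device_code[pending.device_code] = pending
        self._by_user_code[pending.user_code] = pending
        return {
            "device_code": pending.device_code,
            "user_code": pending.user_code,
            "verification_uri": "https://idp.example/devicelogin",  # placeholder URL
            "expires_in": self.code_lifetime_s,
            "interval": 5,
        }

    def user_enters_code(self, user_code: str, authenticated_user: str) -> bool:
        """Browser-side step on the legitimate login page: the user has already
        signed in (password, MFA) and types the code. The server checks only that the
        code exists and is unexpired; it cannot know who requested it."""
        pending = self._by_user_code.get(user_code)
        if pending is None or time.time() > pending.expires_at:
            return False
        pending.approved_by = authenticated_user
        return True

    def token(self, client_id: str, device_code: str) -> dict:
        """POST /token (grant_type=urn:ietf:params:oauth:grant-type:device_code),
        polled by the initiating party until the user approves."""
        pending = self._by_device_code.get(device_code)
        if pending is None or pending.client_id != client_id:
            return {"error": "invalid_grant"}
        if time.time() > pending.expires_at:
            return {"error": "expired_token"}
        if pending.approved_by is None:
            return {"error": "authorization_pending"}
        # Tokens go to the holder of device_code: the party that started the flow.
        return {
            "token_type": "Bearer",
            "access_token": secrets.token_urlsafe(24),
            "refresh_token": secrets.token_urlsafe(24),
            "scope": pending.scope,
            "sub": pending.approved_by,
        }


def run_phishing_scenario(victim: str = "victim@contoso.example") -> dict:
    """Walk the flow with Storm-2372's role assignment and return a summary."""
    idp = AuthorizationServer()
    client_id = "00000000-0000-0000-0000-000000000001"  # placeholder, not a real client ID

    start = idp.device_authorization(client_id, scope="Mail.Read Files.Read")  # 1. attacker starts
    before = idp.token(client_id, start["device_code"])                       # 2. attacker polls
    accepted = idp.user_enters_code(start["user_code"], victim)               # 3. victim enters code
    after = idp.token(client_id, start["device_code"])                        # 4. attacker polls again

    return {
        "user_code_sent_to_victim": start["user_code"],
        "poll_before_victim_acts": before.get("error"),
        "victim_accepted": accepted,
        "attacker_token_subject": after.get("sub"),
        "attacker_has_refresh_token": "refresh_token" in after,
    }


if __name__ == "__main__":
    print(run_phishing_scenario())
```

Note that step 3 is where the victim completes MFA on the real login page; the token returned in step 4 therefore carries a fully authenticated session, which is why conventional MFA alone does not defeat the technique.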
On February 14, Microsoft observed a shift in Storm-2372's tactics. The attackers began using the client ID of Microsoft Authentication Broker in the device code flow, which yields a refresh token. That refresh token can be exchanged for further tokens and used to register an actor-controlled device in Microsoft Entra ID, the company's cloud-based identity and access management service. A registered device lets Storm-2372 keep access to an organisation's resources, including email, well beyond the lifetime of the originally phished token.
Microsoft researchers noted that Storm-2372 uses the Microsoft Graph API to search compromised mailboxes for messages matching keywords of interest, such as "username", "password" and "credentials", and exfiltrates what it finds. The attackers route their activity through proxies chosen to match the victim's region, so that sign-ins do not stand out as geographically anomalous. The group has also been observed moving laterally by sending further phishing messages from the compromised account to other users in the same organisation, which widens the compromise and lends the lure the credibility of an internal sender.
Storm-2372 has targeted a wide range of industries, including government, NGOs, IT services, telecommunications, defence, healthcare, and energy. These attacks have spanned Europe, North America, Africa, and the Middle East. Microsoft’s analysis suggests the group aligns with Russian state interests, although the exact identity of the actors remains unclear.
To protect against Storm-2372 and similar threats, Microsoft advises blocking device code authentication wherever possible. Where it is genuinely needed, organisations should restrict it to trusted devices and networks using Microsoft Entra Conditional Access, whose authentication flows condition can target the device code flow specifically. Other key recommendations include educating users to recognise this style of phishing, enforcing multi-factor authentication (MFA), and moving to phishing-resistant methods such as FIDO2 security keys or passkeys in Microsoft Authenticator. Note that conventional MFA does not by itself stop this technique, because the victim completes MFA on the legitimate login page and the resulting token is issued to the attacker's session. Organisations should also review sign-in risk reports and their sign-in logs for device code authentications, and revoke refresh tokens for affected users as soon as suspicious activity is found, since phished tokens remain valid until they expire or are revoked.
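The tradecraft in the previous sections (device code sign-ins, the Authentication Broker client ID being used against the device registration service) and the recommendations above (hunt in sign-in logs, revoke refresh tokens, block the flow with Conditional Access) map onto a short triage script. The following is an added example, not code from the article or from Microsoft. The sign-in records are constructed for this example in the shape of the Microsoft Graph signIn resource (fields authenticationProtocol, originalTransferMethod, appId, resourceDisplayName); the Authentication Broker application ID is the well-known value, which the article itself does not quote, so confirm it against your own tenant; the Conditional Access policy body follows the Graph conditionalAccessPolicy shape with the authenticationFlows condition and should be checked against current documentation before it is submitted.

```python
"""Triage of Entra ID sign-in records for the device code phishing pattern, plus
the response and prevention artefacts a responder needs: the revocation call per
affected user and a Conditional Access policy body that blocks the flow."""
import json

# Well-known application ID of Microsoft Authentication Broker (not quoted in the
# article; verify against your tenant's sign-in logs before relying on it).
AUTH_BROKER_APP_ID = "29d9ed98-a469-4536-ade2-f981bc1d605e"
DEVICE_REGISTRATION_SERVICE = "Device Registration Service"

# Constructed sample records; appIds other than the broker are placeholders.
SAMPLE_SIGNIN_LOGS = """\
{"createdDateTime":"2025-02-14T09:02:11Z","userPrincipalName":"a.jones@contoso.example","appId":"11111111-1111-1111-1111-111111111111","appDisplayName":"Example Web App","resourceDisplayName":"Microsoft Graph","authenticationProtocol":"oAuth2","originalTransferMethod":"none","ipAddress":"203.0.113.10"}
{"createdDateTime":"2025-02-14T09:05:40Z","userPrincipalName":"a.jones@contoso.example","appId":"22222222-2222-2222-2222-222222222222","appDisplayName":"Example CLI","resourceDisplayName":"Office 365 Exchange Online","authenticationProtocol":"deviceCode","originalTransferMethod":"deviceCodeFlow","ipAddress":"198.51.100.7"}
{"createdDateTime":"2025-02-14T09:06:02Z","userPrincipalName":"a.jones@contoso.example","appId":"29d9ed98-a469-4536-ade2-f981bc1d605e","appDisplayName":"Microsoft Authentication Broker","resourceDisplayName":"Device Registration Service","authenticationProtocol":"deviceCode","originalTransferMethod":"deviceCodeFlow","ipAddress":"198.51.100.7"}
{"createdDateTime":"2025-02-14T10:15:00Z","userPrincipalName":"b.khan@contoso.example","appId":"22222222-2222-2222-2222-222222222222","appDisplayName":"Example CLI","resourceDisplayName":"Microsoft Graph","authenticationProtocol":"oAuth2","originalTransferMethod":"none","ipAddress":"203.0.113.10"}
"""


def load_events(text: str) -> list:
    """One JSON object per line, as exported sign-in logs commonly are."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def is_device_code_signin(ev: dict) -> bool:
    # Either field alone is enough; older exports may populate only one of them.
    return (ev.get("authenticationProtocol") == "deviceCode"
            or ev.get("originalTransferMethod") == "deviceCodeFlow")


def is_broker_device_registration(ev: dict) -> bool:
    """The post-February-14 pattern: a device code sign-in under the Authentication
    Broker client ID whose target is the device registration service."""
    return (is_device_code_signin(ev)
            and ev.get("appId", "").lower() == AUTH_BROKER_APP_ID
            and ev.get("resourceDisplayName") == DEVICE_REGISTRATION_SERVICE)


def triage(events: list) -> dict:
    """Per-user findings for every user with at least one device code sign-in."""
    findings = {}
    for ev in events:
        upn = ev["userPrincipalName"]
        f = findings.setdefault(upn, {"device_code_signins": 0,
                                      "broker_device_registration": False,
                                      "source_ips": set()})
        if is_device_code_signin(ev):
            f["device_code_signins"] += 1
            f["source_ips"].add(ev.get("ipAddress"))
        if is_broker_device_registration(ev):
            f["broker_device_registration"] = True
    return {upn: f for upn, f in findings.items() if f["device_code_signins"]}


def response_plan(findings: dict) -> list:
    """For each affected user: the Graph action that invalidates refresh tokens,
    and whether registered devices must be reviewed for an attacker-added entry."""
    return [{
        "user": upn,
        "revoke": f"POST https://graph.microsoft.com/v1.0/users/{upn}/revokeSignInSessions",
        "review_registered_devices": f["broker_device_registration"],
    } for upn, f in findings.items()]


def block_device_code_policy(name: str = "Block device code flow",
                             exclude_group_ids: tuple = ()) -> dict:
    """Conditional Access policy body that blocks the device code flow for all users
    except an exempt group (for the rare devices that genuinely need it). Created in
    report-only state so the blast radius can be checked before enforcement."""
    return {
        "displayName": name,
        "state": "enabledForReportingButNotEnforced",
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeGroups": list(exclude_group_ids)},
            "applications": {"includeApplications": ["All"]},
            "authenticationFlows": {"transferMethods": "deviceCodeFlow"},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }


if __name__ == "__main__":
    found = triage(load_events(SAMPLE_SIGNIN_LOGS))
    print(json.dumps({u: {**f, "source_ips": sorted(f["source_ips"])} for u, f in found.items()}, indent=2))
    print(json.dumps(response_plan(found), indent=2))
    print(json.dumps(block_device_code_policy(), indent=2))
```

On the constructed data only a.jones is flagged: two device code sign-ins from an address that differs from the user's normal one, the second of them the broker-to-device-registration pattern, so the plan for that user is to revoke sessions and then audit the device list, not just the tokens. Revocation alone is insufficient once a device has been registered, because the registered device can obtain fresh tokens.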