Microsoft Tracks Storm-2372 Who Are Behind A Wave Of “Device Code Phishing” Attacks 

Researchers at Microsoft have discovered a group, dubbed Storm-2372, that uses “device code phishing”: the victim is tricked into completing a legitimate device-code sign-in to productivity apps, and the attackers capture the tokens that sign-in produces in order to access the compromised accounts. The researchers assess with medium confidence that the group aligns with Russia’s interests and tradecraft:

Today we’re sharing that Microsoft discovered cyberattacks being launched by a group we call Storm-2372, who we assess with medium confidence aligns with Russia’s interests and tradecraft. The attacks appear to have been ongoing since August 2024 and have targeted governments, NGOs, and a wide range of industries in multiple regions. The attacks use a specific phishing technique called “device code phishing” that tricks users to log into productivity apps while Storm-2372 actors capture the information from the log in (tokens) that they can use to then access compromised accounts. These tokens are part of an industry standard and, while these phishing lures used Microsoft and other apps to trick users, they do not reflect an attack unique to Microsoft nor have we found any vulnerabilities in our code base enabling this activity.
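To make the mechanism concrete, here is an added example, not code from the article or from Microsoft's post: an offline Python simulation of the OAuth 2.0 Device Authorization Grant (RFC 8628), the "industry standard" Microsoft refers to. It models a toy identity provider, an attacker who starts the flow and sends only the user code in a lure, a victim who completes a genuine sign-in, and the attacker polling the token endpoint until the victim's tokens arrive. It also shows the two controls a practitioner reaches for: refusing the device code flow outright (the toy's `allow_device_flow=False`, standing in for a Conditional Access policy that blocks the flow) and a log heuristic that flags approvals made from a different network than the client that requested the code. The IdP URL, client ID, user names, IP addresses, 900-second lifetime and the log schema are all constructed for the illustration and are not Microsoft Entra's.

```python
"""Added example: offline simulation of RFC 8628 device code flow abuse.
Everything here (URL, client_id, users, IPs, log fields) is constructed."""
from __future__ import annotations
import secrets
import time
from dataclasses import dataclass

DEVICE_CODE_TTL = 900                            # assumed expires_in, seconds
VERIFICATION_URI = "https://idp.example/device"  # constructed, not a real IdP
CLIENT_ID = "mail-client"                        # constructed client identifier


@dataclass
class PendingAuth:
    user_code: str
    client_id: str
    scope: str
    requester_ip: str          # who called /devicecode (the attacker in a phish)
    issued_at: float
    approved_by: str | None = None
    approver_ip: str | None = None


class AuthorizationServer:
    """Toy identity provider exposing the two RFC 8628 endpoints."""

    def __init__(self, allow_device_flow: bool = True):
        # False models a tenant policy (e.g. Conditional Access) that blocks the flow.
        self.allow_device_flow = allow_device_flow
        self._pending: dict[str, PendingAuth] = {}
        self.signin_log: list[dict] = []

    def device_authorization(self, client_id, scope, requester_ip, now=None):
        """POST /devicecode: the *client* (here the attacker) starts the flow."""
        if not self.allow_device_flow:
            return {"error": "unauthorized_client"}
        now = time.time() if now is None else now
        device_code = secrets.token_urlsafe(32)
        user_code = "-".join(secrets.token_hex(2).upper() for _ in range(2))
        self._pending[device_code] = PendingAuth(user_code, client_id, scope,
                                                 requester_ip, now)
        return {"device_code": device_code, "user_code": user_code,
                "verification_uri": VERIFICATION_URI,
                "expires_in": DEVICE_CODE_TTL, "interval": 5}

    def user_approves(self, user_code, username, approver_ip, now=None):
        """The *victim* signs in normally (password + MFA) and types the code."""
        now = time.time() if now is None else now
        for p in self._pending.values():
            if p.user_code == user_code and now - p.issued_at < DEVICE_CODE_TTL:
                p.approved_by, p.approver_ip = username, approver_ip
                self.signin_log.append({"user": username, "protocol": "deviceCode",
                                        "client_id": p.client_id,
                                        "requester_ip": p.requester_ip,
                                        "approver_ip": approver_ip})
                return True
        return False

    def token(self, device_code, client_id, now=None):
        """POST /token, grant_type=urn:ietf:params:oauth:grant-type:device_code."""
        now = time.time() if now is None else now
        p = self._pending.get(device_code)
        if p is None or p.client_id != client_id:
            return {"error": "invalid_grant"}
        if now - p.issued_at >= DEVICE_CODE_TTL:
            del self._pending[device_code]
            return {"error": "expired_token"}
        if p.approved_by is None:
            return {"error": "authorization_pending"}   # keep polling
        del self._pending[device_code]                  # device code is single use
        return {"token_type": "Bearer", "scope": p.scope, "subject": p.approved_by,
                "access_token": secrets.token_urlsafe(32),
                "refresh_token": secrets.token_urlsafe(32)}


def run_device_code_phish(server, victim="alice@corp.example",
                          attacker_ip="203.0.113.7", victim_ip="198.51.100.24"):
    """End to end: attacker starts the flow, lures the victim, polls for tokens."""
    start = server.device_authorization(CLIENT_ID, "Mail.Read offline_access",
                                        attacker_ip)
    if "error" in start:
        return start                       # flow blocked by policy: phish fails
    # The lure carries only the genuine verification URI and the user code,
    # so nothing in it is forged and there is no malicious link to detect.
    lure = f"Join the meeting: open {start['verification_uri']} and enter {start['user_code']}"
    assert start["user_code"] in lure
    if server.token(start["device_code"], CLIENT_ID) != {"error": "authorization_pending"}:
        raise RuntimeError("unexpected state before the victim acted")
    server.user_approves(start["user_code"], victim, victim_ip)  # legitimate sign-in
    return server.token(start["device_code"], CLIENT_ID)  # victim's tokens, attacker's hands


def flag_suspicious_device_code_signins(signin_log):
    """Heuristic: the approving user and the client that requested the code sit on
    different IPs. Legitimate headless-device sign-ins can trip this, so treat
    hits as leads to investigate, not verdicts."""
    return [e for e in signin_log
            if e["protocol"] == "deviceCode" and e["requester_ip"] != e["approver_ip"]]


if __name__ == "__main__":
    idp = AuthorizationServer()
    tokens = run_device_code_phish(idp)
    print("attacker obtained:", sorted(tokens))
    print("flagged sign-ins:", flag_suspicious_device_code_signins(idp.signin_log))
    print("with flow blocked:", run_device_code_phish(AuthorizationServer(False)))
```

Note what the simulation does not contain: no forged login page, no stolen password and no bypassed MFA. The victim authenticates to the real provider; the only thing the attacker supplied was the user code, which is why Microsoft can say no vulnerability was involved. The refresh token in the attacker's result is the persistent foothold, and blocking the flow where it is not needed removes the first step entirely.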

Roger Grimes, data-driven defense evangelist at KnowBe4, commented:

“The best piece of advice I can give anyone to fight phishing of any type is this: If you receive an unexpected message, no matter where received (e.g., in-person, email, browser, social media, SMS, etc.) and it is asking you to do something you’ve never done before, research it outside of the information given in the message before performing. If more people followed this advice, there would be far less successful phishing. This applies to device code phishing.”

“Device code phishing attacks aren’t new, but the use by a possible nation-state aggressor does significantly increase the risk to those targeted victims. And let’s remember that today’s most likely targeted victim is a regular person or regular company. Nation-states no longer focus on traditional nation-state targets like government or military agencies or contractors.”

“One of the most concerning aspects of this attack is the ability for the attacker to get the victim’s primary refresh token, which is a Microsoft Azure-only specialized authentication access token, which allows the attacker to access any of the involved apps the victim is using. When a traditional browser access control token is stolen, it gives the attacker access to only the involved site/service/app that the token was generated by. But the primary refresh token can be used to access any app the victim has access to. Its power is exponential.”

These are the sorts of attacks that user awareness and training can mitigate, if not stop outright, so I challenge organizations to invest in user training and in simulated phishing exercises so that users become less of a risk to the organization. Training alone is not enough, though: the sign-in the victim completes is entirely legitimate, so where the device code flow is not needed, block it with a Conditional Access policy, and review sign-in logs for device code authentications from unexpected users or locations.
