Microsoft revealed an ongoing spear-phishing campaign that abuses the legitimate device code authentication flow to gain access to Microsoft 365 accounts.

Device code authentication is used to access Microsoft 365 services from “input-constrained devices” such as printers, smart TVs, game consoles and other internet-of-things (IoT) devices that do not have a web browser.

Microsoft said in a blog post Thursday that a suspected Russia-linked threat actor tracked as Storm-2372 has been conducting a campaign since August 2024 that tricks users into completing a device code authentication flow for an attacker-controlled device under the guise of an invite to an online event, virtual meeting or secure chat.

The attacker generates a legitimate device code from their device and sends it to the victim, who enters it into a legitimate authentication page, believing they are entering an ID to access the supposed meeting or chatroom. The attacker directs the victim to this page by creating emails or web pages designed to mimic invites from legitimate services like Microsoft Teams.

Once the device authentication flow is completed, the attacker can leverage the access token granted to their device to exfiltrate sensitive information from the victim’s Microsoft 365 services, as well as spread additional phishing messages through the victim’s organization from their compromised account.

Microsoft reported that Storm-2372 has used Microsoft Graph to search compromised accounts for messages including keywords such as username, password, admin, teamviewer, anydesk, credentials, secret, ministry and gov. These messages were then exfiltrated over email via Microsoft Graph, according to Microsoft.

Storm-2372 sends spear-phishing messages and emails for this campaign to targets in government, non-governmental organizations (NGOs), information technology (IT) services and critical infrastructure sectors such as telecommunications, health, education and energy in North America, Europe, Africa and the Middle East.

Volexity also reported on similar campaigns that mimic chatroom invites for Microsoft Teams and the encrypted messaging application Element, which also lead to Microsoft device authentication pages.

The attackers in these campaigns — believed to be conducted by Russian threat actors Volexity tracks as CozyLarch, UTA0304 and UTA0307 — have impersonated officials from the United States Department of State, Ukrainian Ministry of Defence, European Union Parliament and prominent research institutions. The phishing lures often reference current events, such as the election of U.S. President Donald Trump and the new administration’s potential impact on foreign relations.

Microsoft and Volexity researchers noted that the campaign is particularly effective due to a combination of factors, including the use of the legitimate device code authentication process rather than phishing websites or malware that would be more easily detectable, as well as the fact that device code authentication phishing is a lesser-known tactic compared with traditional email phishing.

Organizations can prevent these attacks by disabling the device code flow for organizational Microsoft 365 accounts and implementing a sign-in risk policy that automatically revokes access tokens for suspicious sign-ins. If a device code phishing attack is suspected, the access token obtained by the attacker can be revoked by calling revokeSignInSessions via Microsoft Graph.
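The mitigation paragraph above points at two defender tasks: spotting device code sign-ins in the tenant's sign-in logs, and invalidating the tokens of an affected user. The following Python script is an added example, not code from the article or from Microsoft or Volexity. It assumes sign-in records in a JSON-lines shape modelled on Entra ID sign-in log fields (in particular that a device code flow sign-in carries authenticationProtocol set to "deviceCode"); the sample records themselves are constructed. It flags every device code sign-in, raises the severity when the sign-in comes from a country never seen in that user's ordinary browser sign-ins, and builds the Graph request that the article names for revoking the user's sessions.

```python
"""Triage sign-in records for device code authentication events.

Added example for this article (not Microsoft's or Volexity's code).
Field names follow Entra ID sign-in logs (assumption); the records below
are constructed and contain no real tenant data.
"""
import json
from collections import defaultdict

# Constructed sample sign-in log records, one JSON object per line.
SAMPLE_SIGNIN_LOGS = [
    '{"userPrincipalName": "alice@example.com", "createdDateTime": "2025-02-10T08:02:11Z",'
    ' "authenticationProtocol": "none", "ipAddress": "198.51.100.7",'
    ' "location": {"countryOrRegion": "US"}, "appDisplayName": "Microsoft Teams"}',
    '{"userPrincipalName": "alice@example.com", "createdDateTime": "2025-02-11T14:37:52Z",'
    ' "authenticationProtocol": "deviceCode", "ipAddress": "203.0.113.10",'
    ' "location": {"countryOrRegion": "NL"}, "appDisplayName": "Microsoft Office"}',
    '{"userPrincipalName": "bob@example.com", "createdDateTime": "2025-02-11T09:15:03Z",'
    ' "authenticationProtocol": "none", "ipAddress": "198.51.100.22",'
    ' "location": {"countryOrRegion": "US"}, "appDisplayName": "Outlook"}',
    '{"userPrincipalName": "bob@example.com", "createdDateTime": "2025-02-11T16:48:30Z",'
    ' "authenticationProtocol": "deviceCode", "ipAddress": "198.51.100.23",'
    ' "location": {"countryOrRegion": "US"}, "appDisplayName": "Microsoft Office"}',
    '{"userPrincipalName": "carol@example.com", "createdDateTime": "2025-02-11T10:00:00Z",'
    ' "authenticationProtocol": "none", "ipAddress": "198.51.100.40",'
    ' "location": {"countryOrRegion": "DE"}, "appDisplayName": "SharePoint Online"}',
]


def parse_signin_logs(lines):
    """Parse JSON-lines sign-in records, skipping blank lines."""
    records = []
    for line in lines:
        line = line.strip()
        if line:
            records.append(json.loads(line))
    return records


def is_device_code(record):
    """True when the record was produced by the device code flow (assumed field)."""
    return record.get("authenticationProtocol") == "deviceCode"


def build_location_baseline(records):
    """Map each user to the countries seen in their non-device-code sign-ins."""
    baseline = defaultdict(set)
    for record in records:
        if not is_device_code(record):
            country = record.get("location", {}).get("countryOrRegion")
            baseline[record["userPrincipalName"]].add(country)
    return baseline


def triage_device_code_signins(records):
    """Return one finding per device code sign-in, highest severity first.

    A device code sign-in from a country absent from the user's own browser
    sign-ins is rated high: the token was most likely redeemed by a device the
    user never touched, which is exactly the pattern described in the article.
    """
    baseline = build_location_baseline(records)
    findings = []
    for record in records:
        if not is_device_code(record):
            continue
        user = record["userPrincipalName"]
        country = record.get("location", {}).get("countryOrRegion")
        if country not in baseline[user]:
            severity = "high"
            reason = f"device code sign-in from {country}, never seen in the user's browser sign-ins"
        else:
            severity = "info"
            reason = "device code sign-in from a country in the user's baseline; confirm the user initiated it"
        findings.append({
            "user": user,
            "time": record["createdDateTime"],
            "ip": record.get("ipAddress"),
            "country": country,
            "severity": severity,
            "reason": reason,
        })
    return sorted(findings, key=lambda f: (f["severity"] != "high", f["time"]))


def revoke_sessions_request(user_id):
    """Return the (method, URL) pair for the Graph revokeSignInSessions action.

    The call is the one the article names; the URL shape is Microsoft Graph v1.0.
    Sending it requires an authenticated client, which this example does not do.
    """
    return ("POST", f"https://graph.microsoft.com/v1.0/users/{user_id}/revokeSignInSessions")


if __name__ == "__main__":
    for finding in triage_device_code_signins(parse_signin_logs(SAMPLE_SIGNIN_LOGS)):
        print(f"[{finding['severity']}] {finding['time']} {finding['user']} "
              f"{finding['ip']} ({finding['country']}): {finding['reason']}")
        if finding["severity"] == "high":
            method, url = revoke_sessions_request(finding["user"])
            print(f"    containment: {method} {url}")
```

On the containment step: revokeSignInSessions resets the user's session-validity timestamp, which invalidates refresh tokens and browser session cookies; an access token already issued to the attacker's device stays usable until its own expiry (typically up to an hour), so the Conditional Access and token-lifetime controls mentioned above are what close that window, and the user's password should be reset alongside the revocation.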
