Microsoft Security Blog: Storm-2372 conducts device code phishing campaign

Source URL: https://www.microsoft.com/en-us/security/blog/2025/02/13/storm-2372-conducts-device-code-phishing-campaign/
Source: Microsoft Security Blog
Title: Storm-2372 conducts device code phishing campaign

Feedly Summary: Microsoft Threat Intelligence Center discovered an active and successful device code phishing campaign by a threat actor we track as Storm-2372. Our ongoing investigation indicates that this campaign has been active since August 2024 with the actor creating lures that resemble messaging app experiences including WhatsApp, Signal, and Microsoft Teams. Storm-2372’s targets during this time have included government, non-governmental organizations (NGOs), information technology (IT) services and technology, defense, telecommunications, health, higher education, and energy/oil and gas in Europe, North America, Africa, and the Middle East. Microsoft assesses with medium confidence that Storm-2372 aligns with Russian interests, victimology, and tradecraft.
The post Storm-2372 conducts device code phishing campaign appeared first on Microsoft Security Blog.

AI Summary and Description: Yes

**Summary:** Microsoft has reported on a cyberattack campaign conducted by a group referred to as Storm-2372, believed to be aligned with Russian interests. The group employs a technique known as device code phishing to gain unauthorized access to various organizations, including governments and NGOs. The ongoing investigation highlights the operational methods of Storm-2372 and provides crucial insights into countermeasures to protect against this type of phishing attack.

**Detailed Description:**

The text outlines significant findings from Microsoft related to a sustained cyber campaign led by a threat actor group named Storm-2372. Key points include:

– **Attack Overview:**
  – Storm-2372 has been active since August 2024, targeting various sectors including governmental and non-governmental organizations, IT services, telecommunications, and more.
  – The group uses a phishing technique called “device code phishing,” which abuses legitimate device code authentication flows. Attackers trick users into entering codes that allow the attackers to harvest authentication tokens and maintain persistent access to the compromised accounts.

– **Phishing Techniques:**
  – The campaign involves lures that mimic messaging app communications (e.g., Microsoft Teams, WhatsApp, Signal). Users are prompted to log in, unknowingly granting access to their accounts.
  – Specific phishing scenarios were described, with messages crafted to build rapport before a phishing email is sent out.

– **Implications of Device Code Phishing:**
  – Device code phishing lets attackers gain access without ever capturing a password: the harvested authentication tokens grant access directly, and those tokens can enable lateral movement within an organization’s network.
  – Compromised accounts are exploited for data gathering and further phishing attempts.

– **Mitigation Strategies:**
  – Microsoft advises organizations to employ several protective measures, including:
    – Restricting the use of device code authentication where possible.
    – Educating users on phishing techniques and ensuring clarity in sign-in prompts.
    – Implementing multifactor authentication (MFA) and utilizing phishing-resistant authentication methods.
    – Centralizing identity management and enforcing strict access controls.

– **Monitoring and Detection:**
  – Microsoft Defender XDR and Microsoft Sentinel offer capabilities for detecting phishing attempts and malicious activities related to Storm-2372.
  – Specific querying methodologies are provided to help organizations identify suspicious access patterns and potential phishing attempts.

– **Attribution and Threat Intelligence Sharing:**
  – The report attributes the campaign to nation-state actors aligned with Russian interests and underscores the importance of vigilance against a backdrop of an evolving threat landscape.
  – Microsoft continues to disseminate threat intelligence to assist organizations in safeguarding their cybersecurity posture.
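The summary notes that queries are provided for spotting suspicious device-code access patterns. The following is an added example, not Microsoft's own query, showing the shape of two such detections over constructed sign-in events: device-code sign-ins from a source IP the user has never signed in from before, and a single IP redeeming device codes for several users in a short window. The event field names (`proto`, `success`, and so on) are assumptions modelled loosely on identity sign-in logs, not a real schema.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in events, not real telemetry. The field names are an
# assumption loosely modelled on Entra ID sign-in logs; map your schema onto them.
SAMPLE_SIGNINS = [
    {"time": "2025-02-10T08:00:00Z", "user": "alice", "proto": "password", "ip": "198.51.100.10", "success": True},
    {"time": "2025-02-10T08:05:00Z", "user": "bob", "proto": "password", "ip": "198.51.100.11", "success": True},
    {"time": "2025-02-11T10:00:00Z", "user": "alice", "proto": "deviceCode", "ip": "198.51.100.10", "success": True},
    {"time": "2025-02-12T14:02:00Z", "user": "bob", "proto": "deviceCode", "ip": "203.0.113.50", "success": True},
    {"time": "2025-02-12T14:09:00Z", "user": "carol", "proto": "deviceCode", "ip": "203.0.113.50", "success": True},
    {"time": "2025-02-12T14:30:00Z", "user": "dave", "proto": "deviceCode", "ip": "203.0.113.50", "success": False},
]

def parse_time(stamp):
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ")

def find_new_ip_device_code_signins(events):
    """Successful device-code sign-ins from an IP the user never used in an
    earlier successful sign-in with any other protocol: the victim types the
    code on their own device, but the token goes to whoever polls for it."""
    known_ips = defaultdict(set)
    findings = []
    for e in sorted(events, key=lambda e: parse_time(e["time"])):
        if not e["success"]:
            continue
        if e["proto"] == "deviceCode":
            if e["ip"] not in known_ips[e["user"]]:
                findings.append(e)
        else:
            known_ips[e["user"]].add(e["ip"])
    return findings

def find_shared_device_code_ips(events, window_minutes=60, min_users=2):
    """Source IPs that redeemed device codes for several distinct users in one
    window: the same infrastructure completing many victims' flows."""
    by_ip = defaultdict(list)
    for e in events:
        if e["proto"] == "deviceCode" and e["success"]:
            by_ip[e["ip"]].append(e)
    window, findings = timedelta(minutes=window_minutes), {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: parse_time(e["time"]))
        for i, first in enumerate(evs):
            users = {x["user"] for x in evs[i:]
                     if parse_time(x["time"]) - parse_time(first["time"]) <= window}
            if len(users) >= min_users:
                findings[ip] = sorted(users)
                break
    return findings
```

Both functions are meant as triage filters: a device-code sign-in from a new IP is only a lead, and the shared-IP check should be tuned against legitimate shared egress such as corporate proxies.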

**Key Takeaways for Security Professionals:**
– Become familiar with device code phishing tactics to enhance organizational defenses.
– Prioritize user education concerning phishing and credential hygiene.
– Implement robust monitoring using advanced threat detection tools to identify and respond to suspicious activities promptly.

By understanding and addressing the methods employed by Storm-2372, organizations can better prepare themselves against this type of sophisticated phishing attack, ultimately increasing their security resilience.