Microsoft has warned that a threat group known as Storm-2372 has altered its tactics using a specific ‘device code phishing’ technique to bypass multi-factor authentication (MFA) and steal access tokens.
The report states that Storm-2372, which it links to Russia with ‘medium confidence’, has been conducting an active and successful device code phishing campaign since August 2024.
It has been observed targeting governments and NGOs, as well as organizations in the IT, defense, telecoms, health, energy, and education sectors across multiple regions, Microsoft added.
The technique, device code phishing, takes advantage of an industry standard authentication practice for devices that cannot perform authentication using a web flow and must use another device to sign in.
Attackers first initiate the authentication flow by requesting a device code from the targeted service, and then send the code to the victim under the guise of an invite to a Teams meeting or a registration code, for example.
The target goes through their usual authentication process, entering their username, password, and MFA credentials into the legitimate service portal, but once the service grants access the threat actor, who holds the device code, can retrieve the access token.
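To make the three steps above concrete, here is a toy model of the OAuth 2.0 device authorization grant (RFC 8628) together with one simple defender check; it is an added example, not code from Microsoft or Volexity, and all field names, IP addresses and client identifiers in it are constructed for illustration. The check it proposes (flagging a grant whose code was requested from one network but approved from another) is one heuristic, not a vendor's detection rule.

```python
import secrets
import time

# Toy model of the OAuth 2.0 device authorization grant (RFC 8628). Constructed for
# illustration; the field names are assumptions, not any real identity provider's API.
class DeviceAuthServer:
    def __init__(self, code_ttl=900):
        self.pending = {}          # device_code -> grant record
        self.code_ttl = code_ttl

    def device_authorization(self, client_id, client_ip):
        """Step 1: whoever starts the flow receives device_code + user_code."""
        device_code = secrets.token_hex(16)
        user_code = secrets.token_hex(4).upper()
        self.pending[device_code] = {
            "client_id": client_id, "client_ip": client_ip, "user_code": user_code,
            "approved_by": None, "approver_ip": None,
            "expires": time.time() + self.code_ttl,
        }
        return {"device_code": device_code, "user_code": user_code,
                "verification_uri": "https://login.example/device"}

    def approve(self, user_code, username, approver_ip):
        """Step 2: the user signs in (password + MFA in a real IdP) and enters the code."""
        for rec in self.pending.values():
            if rec["user_code"] == user_code and rec["approved_by"] is None:
                rec["approved_by"], rec["approver_ip"] = username, approver_ip
                return True
        return False

    def token(self, device_code):
        """Step 3: the token goes to the holder of device_code, not to the approver."""
        rec = self.pending.get(device_code)
        if rec is None:
            return {"error": "invalid_grant"}
        if time.time() > rec["expires"]:
            return {"error": "expired_token"}
        if rec["approved_by"] is None:
            return {"error": "authorization_pending"}
        return {"access_token": secrets.token_urlsafe(24), "sub": rec["approved_by"]}

def grant_looks_phished(rec):
    """Defender heuristic: code requested from one network, approved from another."""
    return rec["approved_by"] is not None and rec["client_ip"] != rec["approver_ip"]

def simulate():
    """Walk the three steps with constructed values; return (token response, flagged?)."""
    srv = DeviceAuthServer()
    init = srv.device_authorization("initiating-client", "203.0.113.9")  # code requester
    srv.approve(init["user_code"], "alice@example.org", "198.51.100.7")   # user, other network
    tok = srv.token(init["device_code"])
    return tok, grant_looks_phished(srv.pending[init["device_code"]])
```

The point the simulation makes is that MFA is satisfied in step 2 by the legitimate user, yet step 3 hands the token to whoever requested the code, so the requester-versus-approver mismatch is where a defender can look.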
Cybersecurity company Volexity recently published a report stating it has observed multiple campaigns conducted by a number of Russian threat actors using the device code phishing technique.
It noted that because the attacks do not follow the typical phishing workflow users may have been trained to recognize, they are less likely to raise suspicion, which makes device code phishing a particularly effective technique.
“What Volexity has observed is that this method has been more effective at successfully compromising accounts than most other targeted spear-phishing campaigns.”
Device code phishing could become new go-to for hackers
Security experts have warned that this tactic could become increasingly common amongst threat actors as it can get around additional security layers that prevent more rudimentary phishing attacks.
Speaking to ITPro, Amir Sadon, director of research at Sygnia, said that this approach is a relatively new technique that he expects to become more popular among more sophisticated groups due to its efficacy.
“Microsoft’s latest blog on Storm-2372 highlights a rather new and highly creative MFA bypass technique known as device code phishing. Sygnia’s Incident Response teams have investigated multiple cases where attackers employed a variety of MFA bypass techniques, so we can only assume that new vectors such as device code phishing will be increasingly leveraged as a sophisticated method for account compromise.”
He noted that as protective measures like MFA become increasingly common, cyber criminals will have to adopt new tactics such as these to compromise accounts.
“As awareness of traditional phishing improves and MFA adoption becomes widespread, attackers are shifting to more advanced social engineering tactics, including OAuth-based attacks that bypass MFA entirely.”
David Sancho, senior threat researcher at Trend Micro, told ITPro that this approach is becoming a new favourite amongst attackers, stating the most common variant of the attack recorded by Trend Micro uses QR codes to take advantage of lax mobile security.
“Device code phishing is becoming a common attack technique. The key to the attack is forcing a device switch to circumvent desktop defences. The most popular strategy we are seeing uses QR authentication codes,” he warned.
“These QR codes are supposed to work as a two-factor authentication method for a ‘document’ the attacker is sending to victims. Once the QR code is scanned with a phone, a phishing page is presented to the user with an Office365 authentication screen. This works because the attacker can pick up the corporate login of the employee without a URL filter. This is assuming the phone is not protected, which they usually aren’t.”