Microsoft Warns of Hackers Using Device Code Phishing to Steal Emails

Microsoft has issued a critical security warning about an ongoing device code phishing campaign that is actively targeting Microsoft 365 users across various industries. According to the Microsoft Threat Intelligence Center (MSTIC), the attacks are being carried out by a threat actor labeled Storm-2372, which is believed to be linked to a nation-state operation that aligns with Russia’s geopolitical interests.

These attacks aim to steal emails and other sensitive data by abusing the device code authentication flow, a sign-in mechanism commonly used for input-constrained devices such as smart TVs, IoT devices, and streaming services. By tricking users into entering attacker-generated device codes on legitimate Microsoft sign-in pages, the attackers gain access to victims’ accounts without ever needing their password.

Microsoft has urged organizations to take immediate steps to mitigate the risks posed by device code phishing, as the attack method allows hackers to maintain long-term access to compromised accounts and steal critical information undetected.


Who is Being Targeted?

Storm-2372 is focusing on high-value targets across multiple industries, including:

  • Government agencies
  • Non-Governmental Organizations (NGOs)
  • IT services and technology firms
  • Defense and military organizations
  • Telecommunications companies
  • Healthcare institutions
  • Energy and oil & gas industries

The campaign has been observed targeting organizations in North America, Europe, Africa, and the Middle East, indicating that the attack is widespread and strategically motivated.



Understanding Device Code Phishing Attacks

What is Device Code Authentication?

Many modern devices lack a keyboard or a browser, making it awkward for users to sign into applications on them. To address this, device code authentication lets users log in by:

  1. Receiving a short authentication code on the input-constrained device
  2. Entering that code on a device that does have a browser, such as a phone or computer, and signing in there
  3. Gaining access to their Microsoft account on the original device once the sign-in is verified

While this system is designed to enhance security, it has become a target for cybercriminals who exploit it through phishing tactics.

How Storm-2372 Executes the Attack

Microsoft researchers discovered that since August 2024, the Storm-2372 hacking group has been abusing the device code authentication process to compromise user accounts. The attack follows these steps:

  1. Social Engineering via Messaging Platforms
    • The hackers first establish communication with their target by impersonating a well-known or trusted individual.
    • They reach out via WhatsApp, Signal, Microsoft Teams, or email, making the initial interaction seem legitimate.
  2. Sending a Fake Meeting Invitation
    • Once trust is established, the attacker sends a fraudulent meeting invitation containing a malicious device code.
    • The email or message mimics legitimate Microsoft Teams invites, tricking the victim into entering the provided code.
  3. Gaining Unauthorized Access
    • The moment the victim enters the attacker-generated device code, Storm-2372 gains access to their Microsoft account.
    • The attackers use this access to:
      • Harvest emails
      • Steal sensitive data from cloud storage
      • Monitor user activities
  4. Extending Their Access
    • Microsoft reports that hackers are now leveraging Microsoft Authentication Broker to register new devices using stolen credentials.
    • By generating new authentication tokens, they maintain persistent access to the victim’s Microsoft 365 account.



Potential Impact of Device Code Phishing

These attacks pose a serious risk to organizations, as they allow hackers to:

  • Access and exfiltrate confidential information
  • Compromise email communications and cloud storage
  • Impersonate trusted employees for further phishing attacks
  • Conduct prolonged surveillance of targeted entities

Unlike traditional phishing, device code phishing is harder to detect: the victim never types a password into a fake site, and the sign-in itself completes on a legitimate Microsoft page, so the abuse rides on a genuine authentication process.

With device code phishing attacks on the rise, organizations must prioritize cybersecurity and implement Microsoft’s recommended security protocols to safeguard sensitive data from cyber threats.


Defensive Measures Against Device Code Phishing

Microsoft’s Recommendations

To protect against device code phishing, Microsoft urges organizations to implement the following security measures:

1. Block Device Code Flow Where Possible

  • Organizations should disable device code authentication unless absolutely necessary.
  • IT admins can restrict device code authentication through Microsoft Entra ID settings.

2. Enforce Conditional Access Policies

  • Organizations should limit device code authentication to trusted networks and devices only.
  • Multi-factor authentication (MFA) should be mandatory for all logins.

3. Revoke Compromised Sessions

  • If an attack is suspected, immediately revoke the user’s refresh tokens using the Microsoft Graph ‘revokeSignInSessions’ action.
  • Set a Conditional Access Policy to force affected users to re-authenticate securely.

4. Monitor Sign-In Logs for Suspicious Activity

  • Security teams should regularly check Microsoft Entra ID sign-in logs for:
    • High volumes of authentication attempts in a short period
    • Device code logins from unrecognized IPs
    • Unexpected device code authentication prompts across multiple users
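The following defender-side triage script is added here as an example; it is not part of Microsoft’s advisory or of this article. It implements two of the checks above over exported Microsoft Entra ID sign-in records: device code sign-ins from IPs outside a trusted range, and device code sign-ins by several distinct users within a short window. Field names are assumed to follow the Microsoft Graph signIn schema (userPrincipalName, ipAddress, authenticationProtocol, createdDateTime); the log records and the trusted range are constructed sample data.

```python
# Added example (not from Microsoft's advisory): triage checks over an export of
# Microsoft Entra ID sign-in log records. Field names (userPrincipalName,
# ipAddress, authenticationProtocol == "deviceCode", createdDateTime) are assumed
# to follow the Microsoft Graph signIn schema; the records and the trusted range
# below are constructed sample data.
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

TRUSTED_NETS = [ip_network("203.0.113.0/24")]   # hypothetical corporate egress range
BURST_WINDOW = timedelta(minutes=10)
BURST_USERS = 3    # distinct users completing device-code sign-ins in one window

def rec(ts, upn, ip, proto):
    return {"createdDateTime": ts, "userPrincipalName": upn,
            "ipAddress": ip, "authenticationProtocol": proto}

SAMPLE_LOGS = [  # constructed: one trusted device-code login, one burst, one OAuth login
    rec("2025-02-13T09:00:00Z", "alice@example.com", "203.0.113.10", "deviceCode"),
    rec("2025-02-13T09:02:00Z", "bob@example.com",   "198.51.100.7", "deviceCode"),
    rec("2025-02-13T09:04:00Z", "carol@example.com", "198.51.100.7", "deviceCode"),
    rec("2025-02-13T09:06:00Z", "dave@example.com",  "198.51.100.7", "deviceCode"),
    rec("2025-02-13T09:07:00Z", "erin@example.com",  "203.0.113.22", "oAuth2"),
]

def _ts(r):
    return datetime.fromisoformat(r["createdDateTime"].replace("Z", "+00:00"))

def untrusted_device_code_signins(records, trusted=TRUSTED_NETS):
    """Device-code sign-ins whose source IP is outside the allowlisted ranges."""
    return [r for r in records if r["authenticationProtocol"] == "deviceCode"
            and not any(ip_address(r["ipAddress"]) in net for net in trusted)]

def device_code_bursts(records, window=BURST_WINDOW, min_users=BURST_USERS):
    """Sliding-window check for many distinct users completing device-code
    sign-ins within `window`; returns [(window_start, frozenset(users))]."""
    events = sorted((_ts(r), r["userPrincipalName"]) for r in records
                    if r["authenticationProtocol"] == "deviceCode")
    bursts = []
    for i, (start, _) in enumerate(events):
        users = frozenset(u for t, u in events[i:] if t - start <= window)
        # report a window only if an earlier report does not already cover its users
        if len(users) >= min_users and not any(users <= b[1] for b in bursts):
            bursts.append((start, users))
    return bursts

if __name__ == "__main__":
    for r in untrusted_device_code_signins(SAMPLE_LOGS):
        print("device-code sign-in from untrusted IP:", r["userPrincipalName"], r["ipAddress"])
    for start, users in device_code_bursts(SAMPLE_LOGS):
        print(f"{len(users)} users signed in via device code since {start:%H:%M}:", sorted(users))
```

On the sample data the first check flags bob, carol and dave (all from the same untrusted address) and the second reports one burst of four users starting at 09:00; tune the allowlist, window and threshold to your tenant's normal device code usage.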

By following these proactive measures, organizations can significantly reduce the risk of falling victim to Storm-2372’s phishing attacks.



FAQs

1. What is device code phishing?

Device code phishing is a cyber attack where hackers trick users into entering authorization codes on legitimate sign-in pages, granting them access to the victim’s Microsoft account.

2. Who is behind these phishing attacks?

Microsoft has attributed the attacks to Storm-2372, a hacking group with potential ties to Russian state-sponsored cyber operations.

3. What industries are being targeted?

The attackers are targeting government agencies, NGOs, IT firms, defense organizations, telecom companies, healthcare providers, and energy sector businesses.

4. How do hackers gain access to accounts?

Hackers pose as trusted individuals, send fake meeting invitations, and trick users into entering malicious device codes on legitimate Microsoft login pages.

5. What data can hackers steal?

Once inside a victim’s account, hackers can harvest emails, access cloud storage, steal confidential documents, and monitor communications.

6. Can this attack be prevented?

Yes. Organizations can block device code authentication, enforce Conditional Access policies, monitor login activity, and revoke compromised sessions.

7. How long do hackers retain access?

Hackers retain access as long as their stolen authentication tokens remain valid. In some cases, they generate new tokens to maintain persistence.

8. How can organizations detect suspicious logins?

Security teams should monitor Microsoft Entra ID logs for unusual authentication attempts, logins from unrecognized IPs, and unauthorized device registrations.

9. What immediate steps should I take if compromised?

If compromised, immediately revoke access tokens, enforce multi-factor authentication, and reset login credentials for affected users.

10. Where can I get more information?

Microsoft provides real-time security updates through the Microsoft Threat Intelligence Center (MSTIC) and Entra ID security resources.
