Summary: A threat actor, potentially linked to Russia, is executing device code phishing attacks targeting Microsoft 365 accounts across various sectors in North America, Europe, Africa, and the Middle East. The operation, tracked by Microsoft as ‘Storm-2372’, tricks victims into entering attacker-generated device codes by masquerading as trusted contacts. This strategy gives the threat actor access to sensitive Microsoft services without needing the victims' passwords, raising significant security concerns.
Affected: Microsoft 365 users in government, NGO, IT services, technology, defense, telecommunications, health, and energy sectors
Key points:
- Storm-2372 uses messaging platforms to build rapport with targets before sending fake meeting invites containing device codes.
- Attackers exploit the device code authentication flow, gaining access to victims' Microsoft services via the stolen tokens.
- Microsoft recommends blocking device code flows and implementing conditional access policies to mitigate the phishing threat.
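As an added example (not part of the summarised report or Microsoft's own material), the kind of Conditional Access policy the recommendation above points to: one that blocks the device code authentication flow tenant-wide, created with Microsoft Graph PowerShell. It assumes the Microsoft.Graph module is installed, the signed-in admin holds the Policy.ReadWrite.ConditionalAccess scope, and the `authenticationFlows` condition is available in the tenant; the excluded object ID is a placeholder for a break-glass account.

```powershell
# Added example: block the device code flow with a Conditional Access policy.
# Assumes Microsoft.Graph PowerShell is installed and the caller can grant
# the Policy.ReadWrite.ConditionalAccess scope.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess"

# Placeholder: object ID of an emergency-access (break-glass) account to exclude.
$breakGlassObjectId = "00000000-0000-0000-0000-000000000000"

$policy = @{
    displayName = "Block device code authentication flow"
    # Start in report-only mode and review sign-in logs for legitimate
    # device-code users (headless devices, CLI tools) before setting "enabled".
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users = @{
            includeUsers = @("All")
            excludeUsers = @($breakGlassObjectId)
        }
        applications = @{
            includeApplications = @("All")
        }
        # The authentication-flows condition scopes the block to device code
        # sign-ins only, leaving ordinary interactive sign-ins unaffected.
        authenticationFlows = @{
            transferMethods = "deviceCodeFlow"
        }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("block")
    }
}

New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
```

Once report-only sign-in data shows no business-critical device code usage, change `state` to `"enabled"`; any remaining legitimate use cases should be carved out by user or application exclusions rather than by leaving the flow open for everyone.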