Russian Hackers Exploit ‘Device Code’ Phishing to Hijack Microsoft Accounts
Microsoft has uncovered a phishing campaign by the suspected Russian threat group Storm-2372, exploiting device code authentication to infiltrate critical organizations. Attackers use messaging apps and fake Microsoft Teams invites to trick victims into granting access, allowing them to steal data and move laterally within networks. Cybersecurity firm Volexity has observed similar tactics used by multiple Russian-linked groups, highlighting the growing threat of device code phishing attacks.

Microsoft threat researchers have identified a sophisticated phishing campaign exploiting “device code” authentication, enabling a suspected Russia-aligned threat group to infiltrate and steal data from critical organizations. The group, tracked by Microsoft as Storm-2372, has primarily targeted governments, IT service providers, and organizations in telecommunications, healthcare, higher education, and energy across Europe, North America, Africa, and the Middle East.
According to Microsoft’s findings, Storm-2372 deceives victims by generating legitimate device code sign-in requests and convincing them to enter the codes on a login page for productivity apps. This technique allows the attackers to acquire authentication tokens, facilitating lateral movement within compromised networks and enabling data exfiltration.
Microsoft’s Director of Threat Intelligence Strategy, Sherrod DeGrippo, noted that these attacks have been effective, although Microsoft itself has not been impacted. While the company declined to specify the number of affected accounts or organizations, it confirmed that the campaign has been ongoing since August 2024.
The attack chain begins with phishing attempts via messaging platforms such as Microsoft Teams, WhatsApp, and Signal. Storm-2372 often impersonates high-profile individuals to build trust with targets before sending fraudulent Microsoft Teams meeting invitations. These fake invites contain a device code authentication request disguised as a meeting ID. When victims enter the code, they unknowingly provide attackers with access to their accounts.
Once inside a compromised account, the attackers escalate their intrusion by sending additional phishing emails containing device code authentication requests to other users within the same organization. This tactic broadens their reach, potentially compromising an entire network.
Storm-2372 also exploits Microsoft Graph to search through emails for sensitive keywords such as “username,” “password,” “admin,” “credentials,” “ministry,” and “gov.” Once relevant emails are identified, the attackers extract the data via Microsoft Graph, further compromising security. Microsoft has warned that as long as the stolen authentication tokens remain valid, the attackers could maintain persistent access to affected accounts.
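The behaviour described in the paragraphs above has a recognisable footprint in a tenant's logs: a sign-in completed through the device code flow, followed by mailbox searches for the keywords the article lists. The script below is an added example written for this page, not code from Microsoft or Volexity. It runs a simple hunt over constructed sign-in and mail-search records; the sign-in field names follow the Microsoft Graph `signIn` resource (where `authenticationProtocol` carries the value `deviceCode` for this flow), but treat those names as an assumption to check against your own export, and the mail-search record shape is hypothetical.

```python
"""
Hunt for device code phishing activity: device code sign-ins, and device code
sign-ins followed shortly by mailbox searches for sensitive keywords.

Added example, not Microsoft's or Volexity's code. All records below are
constructed. Sign-in field names follow the Graph signIn resource
(assumption: authenticationProtocol == "deviceCode" marks the device code
flow); the mail-search record shape is hypothetical.
"""
from datetime import datetime, timedelta

# Keywords the article reports Storm-2372 searched mailboxes for.
SENSITIVE_KEYWORDS = {"username", "password", "admin", "credentials", "ministry", "gov"}

# Constructed sign-in records (subset of Entra ID signIn fields).
SIGN_INS = [
    {"createdDateTime": "2024-09-03T09:14:00Z", "userPrincipalName": "alice@example.org",
     "authenticationProtocol": "oAuth2", "ipAddress": "203.0.113.10", "appDisplayName": "Microsoft Teams"},
    {"createdDateTime": "2024-09-03T09:21:00Z", "userPrincipalName": "bob@example.org",
     "authenticationProtocol": "deviceCode", "ipAddress": "198.51.100.7", "appDisplayName": "Microsoft Office"},
    {"createdDateTime": "2024-09-03T11:02:00Z", "userPrincipalName": "carol@example.org",
     "authenticationProtocol": "deviceCode", "ipAddress": "203.0.113.44", "appDisplayName": "Microsoft Office"},
]

# Constructed mail-search activity (hypothetical shape: who searched what, from where, when).
MAIL_SEARCHES = [
    {"time": "2024-09-03T09:35:00Z", "user": "bob@example.org", "ip": "198.51.100.7", "query": "password OR admin"},
    {"time": "2024-09-03T14:00:00Z", "user": "carol@example.org", "ip": "203.0.113.44", "query": "quarterly report"},
]


def parse_ts(s):
    """Parse the UTC timestamps used in the sample records."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def device_code_sign_ins(sign_ins):
    """Every sign-in completed through the device code flow is worth a look on its own."""
    return [r for r in sign_ins if r.get("authenticationProtocol") == "deviceCode"]


def keyword_hits(query):
    """Sensitive keywords present in a mailbox search query, case-insensitive."""
    tokens = {t.strip('"()').lower() for t in query.split()}
    return sorted(tokens & SENSITIVE_KEYWORDS)


def correlate(sign_ins, searches, window=timedelta(hours=2)):
    """High-severity alerts: a device code sign-in followed within `window`
    by a mailbox search for sensitive keywords by the same user."""
    alerts = []
    for s in device_code_sign_ins(sign_ins):
        t0 = parse_ts(s["createdDateTime"])
        for q in searches:
            if q["user"] != s["userPrincipalName"]:
                continue
            elapsed = parse_ts(q["time"]) - t0
            hits = keyword_hits(q["query"])
            if timedelta(0) <= elapsed <= window and hits:
                alerts.append({"user": s["userPrincipalName"], "sign_in_ip": s["ipAddress"],
                               "search_ip": q["ip"], "keywords": hits, "severity": "high"})
    return alerts


if __name__ == "__main__":
    for r in device_code_sign_ins(SIGN_INS):
        print("review: device code sign-in", r["userPrincipalName"], r["ipAddress"], r["createdDateTime"])
    for a in correlate(SIGN_INS, MAIL_SEARCHES):
        print("ALERT:", a)
```

The two-tier output mirrors how a SOC would triage this: every device code sign-in gets reviewed (the flow is rare for most users and, as the article notes, the tokens it yields stay usable until they expire or are revoked), while a device code sign-in followed by keyword searches against the mailbox is escalated and the account's sessions revoked. Where users have no legitimate need for the device code flow, Conditional Access can block it outright via the authentication flows condition, which removes the lure's value entirely.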
Microsoft classifies Storm-2372 as an emerging threat group under its “Storm” taxonomy, which designates clusters of cyber activity that are not yet fully attributed. The company believes with medium confidence that Storm-2372 aligns with Russian geopolitical interests.
Additionally, cybersecurity firm Volexity has identified similar phishing campaigns carried out by multiple Russian nation-state threat groups, including Midnight Blizzard (also known as CozyLarch), UTA0304, and UTA0307. These groups have also leveraged device code phishing techniques to compromise Microsoft 365 accounts.
Volexity researchers observed distinct post-exploitation activities among the different threat actors, but all shared a common attack vector—device code authentication phishing lures. The firm maintains medium confidence that one of the groups is affiliated with Midnight Blizzard, while the other clusters remain separately tracked.
In a particularly targeted attack, an adversary posing as a high-ranking official from Ukraine’s Ministry of Defense reached out to a victim via Signal. After establishing trust, the attacker followed up with an email designed to appear as an invitation to a secure chat on the messaging platform Element. However, the link in the email redirected the victim to a site that generated a device code, which the attacker used to access the victim’s account.
Both Microsoft and Volexity emphasize the growing use of device code phishing as a potent cyber-espionage tactic. These findings highlight the need for enhanced security protocols, including multi-factor authentication (MFA) and behavioral analytics, to counter such sophisticated threats.