- Microsoft has observed a new phishing attack vector in the wild
- Storm-2372 steals access tokens through Microsoft Teams
- The group has been linked to Russia with medium confidence
A new phishing campaign has been observed using 'device code phishing' through Microsoft Teams to target governments, NGOs and other industries across Europe, North America, Africa and the Middle East.
The attack, discovered by Microsoft itself, abuses Teams video-conference invitations that ask the victim to enter a device code generated by the attacker. Because the victim completes the sign-in, the attacker ends up holding valid access tokens for the victim's account, giving the attacker access to the victim's e-mail and other sensitive data.
With medium confidence, Microsoft assesses that the group, tracked as Storm-2372, aligns with Russian tactics and interests.
Data theft and lateral movement
Microsoft says the threat actor first builds rapport with the victim through messaging services such as WhatsApp, Signal and Microsoft Teams, posing as a prominent figure in the victim's industry. The attacker then invites the victim to an online meeting in which the victim is asked to complete a device code authorization request.
The attacker generates a legitimate device code request and sends the resulting user code to the victim. The victim enters the code on the genuine authentication page and signs in as normal (including any multifactor prompt), which completes the flow the attacker started: the identity provider issues the access and refresh tokens to the attacker's client, and the refresh token lets the attacker keep control of the account after the access token expires.
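To make the mechanics concrete, here is a toy model of the OAuth 2.0 device authorization grant (RFC 8628), the standard flow behind Microsoft's device code sign-in. This is an added example, not code from Microsoft or from this article; the authorization server, client ID, scopes, verification URI and user names are invented. It shows why the victim's sign-in delivers tokens to the attacker: the secret device_code never leaves the party that started the flow, and the short user code the victim types only links the victim's authenticated session to that pending request.

```python
"""Toy model of the OAuth 2.0 device authorization grant (RFC 8628), showing why a user
code typed in by the victim yields tokens to whoever started the flow. Added example; not
Microsoft's code. The server, client ID, scopes and user names are made up."""
import secrets
import time
from dataclasses import dataclass
from typing import Optional

USER_CODE_ALPHABET = "BCDFGHJKLMNPQRSTVWXZ"  # RFC 8628 suggests a reduced, hard-to-misread alphabet


@dataclass
class PendingAuthorization:
    client_id: str
    scope: str
    user_code: str
    expires_at: float
    approved_by: Optional[str] = None  # set when a signed-in user enters the user code
    redeemed: bool = False             # a device_code may be exchanged for tokens only once


class ToyAuthorizationServer:
    """Stands in for the identity provider's device-authorization and token endpoints."""

    def __init__(self, lifetime_seconds: int = 900, interval: int = 5):
        self.lifetime = lifetime_seconds
        self.interval = interval          # minimum seconds between polls (ignored by the toy)
        self._by_device_code: dict = {}
        self._by_user_code: dict = {}

    def device_authorization(self, client_id: str, scope: str) -> dict:
        """POST /devicecode: the *client* (here, the attacker) starts the flow."""
        device_code = secrets.token_urlsafe(32)   # secret; stays with the client that asked
        raw = "".join(secrets.choice(USER_CODE_ALPHABET) for _ in range(8))
        user_code = f"{raw[:4]}-{raw[4:]}"         # short code meant to be typed by a human
        pending = PendingAuthorization(client_id, scope, user_code, time.monotonic() + self.lifetime)
        self._by_device_code[device_code] = pending
        self._by_user_code[raw] = device_code
        return {"device_code": device_code, "user_code": user_code,
                "verification_uri": "https://login.example/device",   # invented
                "expires_in": self.lifetime, "interval": self.interval}

    def approve_user_code(self, user_code: str, signed_in_user: str) -> bool:
        """What the verification page does after the user signs in and types the code."""
        device_code = self._by_user_code.get(user_code.replace("-", "").upper())
        if device_code is None:
            return False
        pending = self._by_device_code[device_code]
        if time.monotonic() >= pending.expires_at:
            return False
        pending.approved_by = signed_in_user
        return True

    def token(self, client_id: str, device_code: str) -> dict:
        """POST /token with grant_type=urn:ietf:params:oauth:grant-type:device_code."""
        pending = self._by_device_code.get(device_code)
        if pending is None or pending.client_id != client_id or pending.redeemed:
            return {"error": "invalid_grant"}
        if time.monotonic() >= pending.expires_at:
            return {"error": "expired_token"}
        if pending.approved_by is None:
            return {"error": "authorization_pending"}   # client keeps polling
        pending.redeemed = True
        return {"token_type": "Bearer", "expires_in": 3600, "scope": pending.scope,
                "subject": pending.approved_by,
                "access_token": secrets.token_urlsafe(24),
                "refresh_token": secrets.token_urlsafe(24)}


def simulate_device_code_phish(server: ToyAuthorizationServer,
                               attacker_client_id: str = "attacker-cli-app",
                               victim: str = "victim@ministry.example") -> tuple:
    """The Storm-2372 sequence against the toy server. Returns (request, first poll, tokens)."""
    # 1. Attacker starts a perfectly legitimate device authorization request.
    req = server.device_authorization(attacker_client_id, "openid offline_access Mail.Read")
    # 2. Attacker polls; the victim has not entered the code yet.
    first_poll = server.token(attacker_client_id, req["device_code"])
    # 3. Victim, lured into a "meeting", signs in on the real page and types the user code.
    server.approve_user_code(req["user_code"], victim)
    # 4. Attacker polls again and receives the victim's access and refresh tokens.
    tokens = server.token(attacker_client_id, req["device_code"])
    return req, first_poll, tokens


if __name__ == "__main__":
    req, first_poll, tokens = simulate_device_code_phish(ToyAuthorizationServer())
    print("victim is shown only:", req["user_code"], "at", req["verification_uri"])
    print("attacker's first poll:", first_poll["error"])
    print("attacker now holds tokens for:", tokens["subject"])
```

Two details matter for defenders. The verification page is genuine and the victim authenticates on it, so the resulting tokens carry whatever multifactor claim the victim satisfied; device code phishing does not need to bypass MFA. And the refresh token (requested via the offline_access scope) is what gives persistence, which is why token revocation, not a password reset alone, is the right first response.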
From there, the attacker often attempts lateral movement with the valid access tokens, running keyword searches in the messaging service to harvest sensitive data such as usernames and passwords as well as messages mentioning admin, TeamViewer, command, credentials, secret, ministry and gov.
The attacker can also use the compromised account to send colleagues further phishing messages by chat or e-mail. Storm-2372 has additionally been observed using the specific client ID of Microsoft Authentication Broker to request further tokens, which allow the attacker to register their own devices with Entra ID.
To protect against the specific attack vector used by Storm-2372, Microsoft recommends:
- Block the device code flow where possible (for example with a Conditional Access policy).
- Provide phishing-awareness training to all users.
- Revoke the affected users' refresh tokens with revokeSignInSessions when Storm-2372 activity is suspected.
- Implement sign-in risk-based policies that block access or require multifactor authentication for high-risk sign-ins.
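The following hunting and response sketch, an added example rather than Microsoft's own code or a tool from the article, ties the detection of the device-registration behaviour described above to the first and third recommendations in the list. It scans sign-in records shaped like Microsoft Graph signIn resources for the deviceCode authentication protocol, correlates them with "Register device" audit entries, and then builds (without sending) the Graph requests a responder would issue: revokeSignInSessions for the affected users and a Conditional Access policy that blocks the device code flow. All records are constructed; the client ID of Microsoft Authentication Broker is the publicly documented first-party value and should be confirmed against Microsoft's own list before use; the break-glass group ID is a placeholder.

```python
"""Hunt Entra ID sign-in and audit records for device-code-flow abuse and build the
response requests. Added example, not Microsoft's code; every record below is constructed."""
from datetime import datetime, timedelta

# Application (client) ID of the first-party "Microsoft Authentication Broker" app, the client
# Storm-2372 used to obtain tokens that can register devices in Entra ID. Confirm this value
# against Microsoft's published list of first-party application IDs before relying on it.
AUTH_BROKER_APP_ID = "29d9ed98-a469-4536-ade2-f981bc1d605e"
GRAPH = "https://graph.microsoft.com/v1.0"
CONSTRUCTED_APP = "22222222-2222-2222-2222-222222222222"  # made-up client ID for a CLI tool

# Constructed sample sign-ins shaped like Graph "signIn" resources (not real telemetry).
SAMPLE_SIGNINS = [
    {"createdDateTime": "2025-02-10T09:02:11Z", "userPrincipalName": "a.analyst@ministry.example",
     "appId": "11111111-1111-1111-1111-111111111111", "appDisplayName": "Ministry Intranet",
     "authenticationProtocol": "oAuth2", "ipAddress": "198.51.100.20"},
    {"createdDateTime": "2025-02-10T10:15:42Z", "userPrincipalName": "a.analyst@ministry.example",
     "appId": CONSTRUCTED_APP, "appDisplayName": "Example CLI Tool",
     "authenticationProtocol": "deviceCode", "ipAddress": "203.0.113.77"},
    {"createdDateTime": "2025-02-10T10:31:05Z", "userPrincipalName": "a.analyst@ministry.example",
     "appId": AUTH_BROKER_APP_ID, "appDisplayName": "Microsoft Authentication Broker",
     "authenticationProtocol": "deviceCode", "ipAddress": "203.0.113.77"},
    {"createdDateTime": "2025-02-10T11:00:00Z", "userPrincipalName": "b.dev@ministry.example",
     "appId": CONSTRUCTED_APP, "appDisplayName": "Example CLI Tool",
     "authenticationProtocol": "deviceCode", "ipAddress": "198.51.100.21"},
]
# Constructed sample audit entries shaped like Graph "directoryAudit" resources.
SAMPLE_AUDITS = [
    {"activityDateTime": "2025-02-10T10:33:40Z", "activityDisplayName": "Register device",
     "initiatedBy": {"user": {"userPrincipalName": "a.analyst@ministry.example"}}},
]
# Constructed baseline of IPs each user is normally seen from (in practice, weeks of history).
KNOWN_IPS = {"a.analyst@ministry.example": {"198.51.100.20"},
             "b.dev@ministry.example": {"198.51.100.21"}}


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def find_device_code_signins(signins, known_ips):
    """Every device-code sign-in deserves a look; escalate when the IP is new for that user
    or the client is the broker app, which is the path to registering a rogue device."""
    findings = []
    for s in signins:
        if s.get("authenticationProtocol") != "deviceCode":
            continue
        user = s["userPrincipalName"]
        reasons = []
        if s["ipAddress"] not in known_ips.get(user, set()):
            reasons.append(f"new IP {s['ipAddress']} for {user}")
        if s.get("appId") == AUTH_BROKER_APP_ID:
            reasons.append("client is Microsoft Authentication Broker")
        findings.append({"user": user, "time": parse_ts(s["createdDateTime"]),
                         "app": s["appDisplayName"], "ip": s["ipAddress"],
                         "reasons": reasons, "severity": "high" if reasons else "low"})
    return findings


def correlate_device_registration(findings, audits, window=timedelta(minutes=60)):
    """A device registered by the same user shortly after a device-code sign-in matches
    the Entra ID device-registration step the actor was seen performing."""
    for f in findings:
        for a in audits:
            if a["activityDisplayName"] != "Register device":
                continue
            if a["initiatedBy"]["user"]["userPrincipalName"] != f["user"]:
                continue
            delta = parse_ts(a["activityDateTime"]) - f["time"]
            if timedelta(0) <= delta <= window:
                f["reasons"].append(f"device registered {int(delta.total_seconds() // 60)} min later")
                f["severity"] = "critical"
    return findings


def response_requests(findings, break_glass_group_id):
    """Graph requests a responder would issue (built here, not sent). revokeSignInSessions
    invalidates refresh tokens; access tokens already issued stay valid until they expire."""
    reqs = []
    for user in sorted({f["user"] for f in findings if f["severity"] in ("high", "critical")}):
        reqs.append(("POST", f"{GRAPH}/users/{user}/revokeSignInSessions", None))
    # Conditional Access policy blocking the device code flow tenant-wide, created in
    # report-only mode first; break_glass_group_id is a placeholder for the emergency-access group.
    policy = {
        "displayName": "Block device code flow",
        "state": "enabledForReportingButNotEnforced",
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeGroups": [break_glass_group_id]},
            "applications": {"includeApplications": ["All"]},
            "authenticationFlows": {"transferMethods": "deviceCodeFlow"},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }
    reqs.append(("POST", f"{GRAPH}/identity/conditionalAccess/policies", policy))
    return reqs


if __name__ == "__main__":
    hits = correlate_device_registration(find_device_code_signins(SAMPLE_SIGNINS, KNOWN_IPS), SAMPLE_AUDITS)
    for h in hits:
        print(h["severity"].upper(), h["user"], h["app"], h["ip"], "; ".join(h["reasons"]))
    for method, url, body in response_requests(hits, "<break-glass-group-id>"):
        print(method, url, "" if body is None else "(policy body)")
```

Run report-only first and review the policy's sign-in log impact before enforcing: legitimate device code use (headless servers, CLI tools, smart TVs, some IoT onboarding) will show up, and those users need an exclusion group or another sign-in path before the block goes live. Revocation only cuts off the refresh token, so plan for up to an access token lifetime of residual access and, where the actor registered a device, remove that device from Entra ID as well.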
The full list of defences and mitigations can be found in Microsoft's advisory on Storm-2372.