2025-02-22 02:07:05 Pacfic
Microsoft Outlook Exploit Campaign - 6d
Microsoft has discovered an active device code phishing campaign orchestrated by a threat actor tracked as Storm-2372, which Microsoft assesses with medium confidence aligns with Russia's interests. This campaign has been ongoing since August 2024, with attackers using lures resembling messaging app experiences such as WhatsApp, Signal, and Microsoft Teams to deceive targets. These attacks aim to trick users into logging into productivity apps, allowing Storm-2372 to capture login information and tokens to access compromised accounts.
Storm-2372's targets span government entities, NGOs, IT services, and sectors including technology, defense, telecommunications, health, higher education, and energy/oil and gas across Europe, North America, Africa, and the Middle East. The threat actors exploit the device code authentication flow to capture authentication tokens, gaining access to target accounts, data, and services. This technique enables persistent access as long as the tokens remain valid, making it an attractive attack vector. Researchers have also exposed “BadPilot,” a subgroup aiding Kremlin-backed hackers in global cyberattacks.
ImgSrc: www.microsoft.com
References:
- www.microsoft.com - Storm-2372 conducts device code phishing campaign - 6d
- @volexity - recently identified multiple Russian threat actors targeting users via + campaigns with Microsoft 365 Device Code authentication (a well-known technique) with alarming success: - 6d
- cyberscoop.com - Threat researchers spot ‘device code’ phishing attacks targeting Microsoft accounts - 5d
- The Register - Security: Cyber-crime - If you dread a Microsoft Teams invite, just wait until it turns out to be a Russian phish - 5d
- Microsoft Security Blog - Storm-2372 conducts device code phishing campaign - 5d
- www.volexity.com - Volexity: Multiple Russian threat actors have been identified targeting Microsoft 365 accounts through Device Code Authentication phishing campaigns, according to Volexity. These attacks, which began - 5d
- cyberinsider.com - Hackers Use Device Code Phishing to Hijack Microsoft 365 Accounts - 5d
- Threats | CyberScoop - Threat researchers spot ‘device code’ phishing attacks targeting Microsoft accounts - 5d
- Security Risk Advisors - Attackers Exploit Device Code Phishing to Hijack Microsoft Accounts in Global Storm-2372 Drive - 5d
- The Hacker News - Microsoft: Russian-Linked Hackers Using 'Device Code Phishing' to Hijack Accounts - 5d
- Security Affairs - Storm-2372 used the device code phishing technique since August 2024 - 5d
- arstechnica.com - Russian spies use device code phishing to hijack Microsoft accounts - 5d
- www.helpnetsecurity.com - Discussion of the ongoing Microsoft 365 campaign. - 5d
- www.infosecurity-magazine.com - More details about the ongoing Microsoft 365 campaign. - 5d
- sra.io - SRA.IO's coverage of Storm-2372 using device code phishing. - 4d
- @nopatience - Volexity report on multiple Russian threat actors targeting Microsoft 365 accounts via Device Code Authentication phishing campaigns - 4d
- @BleepingComputer - An active campaign from a threat actor potentially linked to Russia is targeting Microsoft 365 accounts of individuals at organizations of interest using device code phishing. - 3d
- Microsoft 365 Blog - Microsoft Threat Intelligence Center discovered an active and successful device code phishing campaign by a threat actor we track as Storm-2372. - 3d
- www.bleepingcomputer.com - Microsoft Hackers Steal Emails in Device Code Phishing Attacks - 3d
- Security Affairs - Russia-linked group Storm-2372 used the device code phishing technique since Aug 2024 to steal login tokens from governments, NGOs, and industries. - 3d
- Graham Cluley - Security experts have warned that a cybercriminal group has been running a malicious and inventive phishing campaign since August 2024 to break into organizations across Europe, North America, Africa, - 3d
- industrialcyber.co - Microsoft details Russia-linked cyberattacks by Storm-2372 targeting governments, NGOs, critical infrastructure - 3d
- Email Security - Blog - Security Alert: Device Code Authentication Phishing Attack - 3d
Classification:
- HashTags: Cybersecurity Phishing Malware
- Company: Microsoft
- Target: Global Organizations
- Attacker: Storm-2372
- Product: Microsoft Outlook
- Feature: Device Code Authentication
- Type: Hack
- Severity: Medium