CyberSecurity news

Multiple Russian threat actors have been identified targeting Microsoft 365 accounts using a device code authentication phishing technique. These attacks, observed since mid-January 2025, involve social engineering and spear-phishing campaigns, often disguised as communications from reputable organizations like the U.S. Department of State and the Ukrainian Ministry of Defence. Volexity has observed these campaigns targeting organizations to compromise Microsoft 365 accounts.

Microsoft Threat Intelligence Center has also discovered an active and successful device code phishing campaign by a threat actor tracked as Storm-2372, which has been operating since August 2024. The attacker creates lures that resemble messaging app experiences, including WhatsApp, Signal, and Microsoft Teams. Targets include government, non-governmental organizations (NGOs), information technology (IT) services and technology, defense, telecommunications, health, higher education, and energy/oil and gas in Europe, North America, Africa, and the Middle East. Microsoft assesses with medium confidence that Storm-2372 aligns with Russian interests, victimology, and tradecraft.


References:
  • www.microsoft.com: Storm-2372 conducts device code phishing campaign
  • Volexity: recently identified multiple Russian threat actors targeting users via + campaigns with Microsoft 365 Device Code authentication (a well-known technique) with alarming success:
  • cyberscoop.com: Threat researchers spot ‘device code’ phishing attacks targeting Microsoft accounts
  • The Register - Security: If you dread a Microsoft Teams invite, just wait until it turns out to be a Russian phish
  • Microsoft Security Blog: Storm-2372 conducts device code phishing campaign
  • www.volexity.com: Volexity: Multiple Russian threat actors have been identified targeting Microsoft 365 accounts through Device Code Authentication phishing campaigns, according to Volexity. These attacks, which began in mid-January 2025, involve social engineering and spear-phishing tactics, often masquerading as communications from reputable organizations like the U.S. Department of State and the Ukrainian Ministry of Defence.
  • cyberinsider.com: Hackers Use Device Code Phishing to Hijack Microsoft 365 Accounts
  • Threats | CyberScoop: Threat researchers spot ‘device code’ phishing attacks targeting Microsoft accounts
  • Security Risk Advisors: Attackers Exploit Device Code Phishing to Hijack Microsoft Accounts in Global Storm-2372 Drive
  • The Hacker News: Microsoft: Russian-Linked Hackers Using 'Device Code Phishing' to Hijack Accounts
  • www.helpnetsecurity.com: Discussion of the ongoing Microsoft 365 campaign.
  • www.infosecurity-magazine.com: More details about the ongoing Microsoft 365 campaign.
  • arstechnica.com: Russian spies use device code phishing to hijack Microsoft accounts
  • securityaffairs.com: Storm-2372 used the device code phishing technique since August 2024
  • Christoffer S.: Volexity report on multiple Russian threat actors targeting Microsoft 365 accounts via Device Code Authentication phishing campaigns
  • BleepingComputer: An active campaign from a threat actor potentially linked to Russia is targeting Microsoft 365 accounts of individuals at organizations of interest using device code phishing.
  • www.bleepingcomputer.com: Microsoft Hackers Steal Emails in Device Code Phishing Attacks
  • securityaffairs.com: Russia-linked group Storm-2372 used the device code phishing technique since Aug 2024 to steal login tokens from governments, NGOs, and industries.
  • Graham Cluley: Got a Microsoft Teams invite? Storm-2372 gang exploit device codes in global phishing attacks
  • Email Security - Blog: Security Alert: Device Code Authentication Phishing Attack
Classification:
  • HashTags: #Phishing #DeviceCode #Microsoft365
  • Company: Microsoft
  • Target: Microsoft 365 users
  • Attacker: Russian threat actors
  • Product: Microsoft 365
  • Feature: Device Code Authentication Phi
  • Type: Phishing
  • Severity: High