Cyber Security News

Device Code Phishing Attack Exploits Authentication Flow to Hijack Tokens

A sophisticated phishing campaign leveraging the device code authentication flow has been identified by Microsoft Threat Intelligence, targeting a wide range of sectors, including government, NGOs, IT services, and critical industries such as defense and energy.

The campaign, attributed to a threat actor known as Storm-2372, has been active since August 2024 and is assessed to align with Russian state interests.

This novel attack method exploits a legitimate authentication mechanism to compromise user accounts and gain unauthorized access to sensitive data.

Exploiting Device Code Authentication

The attack capitalizes on the OAuth 2.0 Device Authorization Grant flow, a protocol designed for authenticating devices with limited input capabilities, such as IoT devices or smart TVs.

In this flow, the input-constrained device displays a code, and the user authenticates by opening the provider's verification page on a separate browser-enabled device and entering that code; the first device then receives the resulting tokens.

Figure: Device code phishing attack cycle

While this method is secure in its intended use cases, attackers have found ways to manipulate it for malicious purposes.

In the observed campaign, Storm-2372 generates legitimate device codes using APIs and lures victims through phishing emails or messages masquerading as legitimate applications like Microsoft Teams or WhatsApp.

Victims are tricked into entering these codes on legitimate sign-in pages, unknowingly granting attackers access tokens.

These tokens allow the attackers to access accounts and services without needing the victim’s password or multi-factor authentication (MFA), enabling lateral movement within networks and prolonged unauthorized access.

Attack Lifecycle

  1. Initial Contact: The attackers pose as trusted individuals or organizations via third-party messaging platforms such as Signal or WhatsApp. They build rapport before sending phishing emails containing fake meeting invitations.
  2. Phishing Execution: Victims are directed to enter a device code on a legitimate sign-in page (e.g., Microsoft’s login page). Once authenticated, the attacker intercepts the resulting access tokens.
  3. Post-Compromise Activities: Using these tokens, attackers can:
     • Access sensitive data via platforms like Microsoft Graph API.
     • Harvest credentials and exfiltrate emails.
     • Move laterally within the network by sending further phishing emails from compromised accounts.

Microsoft’s investigation revealed that Storm-2372 extensively used keyword searches to extract data related to credentials, administrative access, and government operations.

Organizations are urged to adopt robust measures to mitigate risks associated with device code phishing:

  • Restrict Device Code Flow: Disable this authentication method unless absolutely necessary.
  • Implement Conditional Access Policies: Use risk-based policies to block or require MFA for suspicious sign-ins.
  • Educate Users: Train employees to recognize phishing attempts and validate authentication requests.
  • Revoke Compromised Tokens: Regularly audit and revoke suspicious refresh tokens.
  • Adopt Phishing-Resistant MFA: Transition to methods like FIDO tokens or app-based passkeys instead of SMS-based MFA.
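The lifecycle above has a detectable shape: the victim signs in interactively, but the token is redeemed by the attacker's host, and one such host typically redeems codes for several victims. The following hunting helper, an added example that is not Microsoft's tooling, flags device-code sign-ins that fit that shape. It assumes records shaped like Entra ID sign-in log entries (the field names userPrincipalName, createdDateTime, authenticationProtocol and ipAddress) and that ipAddress identifies the host that redeemed the token; the records themselves are constructed.

```python
"""Hunting helper for device code phishing: flags sign-ins that used the OAuth
device code flow and show the campaign's shape (token redeemed from an IP the user
never used interactively, or one IP redeeming codes for several users). Added
example; records are constructed and only mimic Entra ID sign-in log field names."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not real log data). 198.51.100.7 plays the
# attacker's token-redeeming host; carol's device-code sign-in is benign.
SIGNINS = [
    {"userPrincipalName": "alice@example.org", "createdDateTime": "2025-02-10T08:00:00Z",
     "authenticationProtocol": "none", "ipAddress": "203.0.113.10"},
    {"userPrincipalName": "alice@example.org", "createdDateTime": "2025-02-10T09:12:00Z",
     "authenticationProtocol": "deviceCode", "ipAddress": "198.51.100.7"},
    {"userPrincipalName": "bob@example.org", "createdDateTime": "2025-02-10T09:15:00Z",
     "authenticationProtocol": "deviceCode", "ipAddress": "198.51.100.7"},
    {"userPrincipalName": "carol@example.org", "createdDateTime": "2025-02-09T10:00:00Z",
     "authenticationProtocol": "none", "ipAddress": "192.0.2.44"},
    {"userPrincipalName": "carol@example.org", "createdDateTime": "2025-02-10T10:00:00Z",
     "authenticationProtocol": "deviceCode", "ipAddress": "192.0.2.44"},
]

def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")

def find_suspicious_device_code_signins(records, window=timedelta(hours=1)):
    """Return [(upn, ip, [reasons])] for device-code sign-ins worth investigating."""
    # Baseline: IPs each user has used in ordinary (non device-code) sign-ins.
    known_ips = defaultdict(set)
    for r in records:
        if r["authenticationProtocol"] != "deviceCode":
            known_ips[r["userPrincipalName"]].add(r["ipAddress"])
    device_code = [r for r in records if r["authenticationProtocol"] == "deviceCode"]
    findings = []
    for r in device_code:
        upn, ip, ts = r["userPrincipalName"], r["ipAddress"], parse_ts(r["createdDateTime"])
        reasons = []
        if ip not in known_ips[upn]:
            reasons.append("token redeemed from an IP this user never used interactively")
        # One host redeeming codes for several users in a short window is the
        # campaign pattern: the attacker, not the victims, polls for the tokens.
        others = {o["userPrincipalName"] for o in device_code
                  if o["ipAddress"] == ip and o["userPrincipalName"] != upn
                  and abs(parse_ts(o["createdDateTime"]) - ts) <= window}
        if others:
            reasons.append(f"same IP redeemed device codes for {len(others)} other user(s)")
        if reasons:
            findings.append((upn, ip, reasons))
    return findings
```

Each finding is a starting point for the audit-and-revoke step above: confirm with the user whether the sign-in was expected, then revoke the refresh tokens of confirmed victims.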

The exploitation of device code authentication highlights the evolving nature of cyber threats targeting identity systems.

By leveraging trust in legitimate platforms, attackers like Storm-2372 can bypass traditional security measures.

Organizations must remain vigilant, implement advanced detection mechanisms, and educate users about emerging threats to safeguard their digital environments.


Aman Mishra

Aman Mishra is a security and privacy reporter covering data breaches, cybercrime, malware, and vulnerabilities.
