Storm-2372, a threat actor that Microsoft assesses with medium confidence aligns with Russian state interests, has used device code phishing to obtain MFA-satisfied tokens and gain access to high-value targets across governments, NGOs, and critical industries.
Since August 2024, the group has abused the OAuth 2.0 device authorization flow, a legitimate authentication mechanism, to obtain access and refresh tokens for victims' accounts and exfiltrate sensitive data.
Microsoft Threat Intelligence researchers, alongside cybersecurity firms like SOCRadar and Volexity, have traced these attacks to strategic sectors in Europe, North America, Africa, and the Middle East, underscoring the growing sophistication of identity-based threats.
Device code phishing exploits the OAuth 2.0 device authorization flow (RFC 8628), a protocol designed for devices with limited input capabilities, such as smart TVs or printers: the device displays a short code, and the user approves it by signing in from a browser on another device.

The attacker starts the flow in the role of the client: they request a device code from the identity provider (in these campaigns, Microsoft Entra ID) and receive two values, a long device_code that the attacker's client keeps for polling and a short user_code that the victim is meant to type. The user_code is embedded in a phishing lure disguised as an urgent meeting invitation and delivered via email, SMS, or messaging apps like Teams, WhatsApp, or Signal. Because Entra ID user codes expire after roughly 15 minutes, the lure has to arrive and be acted on within that window, which is why the messages press urgency.
Victims are directed to the genuine verification page (for Microsoft, microsoft.com/devicelogin), sign in with their own credentials, complete any MFA prompt themselves, and enter the attacker-provided code.
The moment the victim approves, the attacker's polling client receives the access and refresh tokens for the victim's account. MFA is not so much bypassed as satisfied by the victim on the attacker's behalf: the tokens are minted after a fully MFA-compliant sign-in, so nothing in the attacker's possession ever trips an MFA challenge, and the refresh token keeps the access alive until it is revoked or expires.
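The three-step exchange described above, as an added example that is not part of the original article and not Microsoft's or Storm-2372's code: a toy authorization server standing in for the identity provider's /devicecode and /token endpoints, an attacker-side client that requests the code pair and polls for tokens, and a victim-side login that supplies the password and MFA. The client ID, the victim's account name, the token formats and the 15-minute lifetime constant are assumptions made for the example; the verification URI is Microsoft's real one.

```python
"""Offline model of the OAuth 2.0 device authorization grant (RFC 8628) showing
why the attacker ends up holding tokens without ever seeing the victim's
password or MFA response. Toy authorization server, not Entra ID."""
import secrets
import string
import time

USER_CODE_LIFETIME = 15 * 60  # seconds; Entra ID user codes expire after about 15 minutes
VERIFICATION_URI = "https://microsoft.com/devicelogin"


class AuthorizationServer:
    """Stand-in for the identity provider's /devicecode and /token endpoints."""

    def __init__(self, now=time.time):
        self.now = now               # injectable clock so expiry can be exercised
        self._by_device_code = {}    # device_code -> pending authorization record
        self._by_user_code = {}      # user_code -> device_code

    def device_authorization(self, client_id, scope):
        """Step 1 (client side): the attacker's client asks for a code pair."""
        device_code = secrets.token_urlsafe(32)   # long secret, stays with the client
        user_code = "".join(secrets.choice(string.ascii_uppercase + string.digits)
                            for _ in range(9))    # short code, goes into the phishing lure
        self._by_device_code[device_code] = {
            "user_code": user_code, "client_id": client_id, "scope": scope,
            "expires_at": self.now() + USER_CODE_LIFETIME, "tokens": None,
        }
        self._by_user_code[user_code] = device_code
        return {"device_code": device_code, "user_code": user_code,
                "verification_uri": VERIFICATION_URI,
                "expires_in": USER_CODE_LIFETIME, "interval": 5}

    def user_login(self, user_code, upn, password_ok, mfa_ok):
        """Step 2 (victim side): at the genuine portal the victim signs in,
        passes MFA, and types the code from the lure. Returns an outcome string."""
        device_code = self._by_user_code.get(user_code)
        if device_code is None:
            return "invalid_code"
        record = self._by_device_code[device_code]
        if self.now() > record["expires_at"]:
            return "expired_code"
        if not (password_ok and mfa_ok):
            return "authentication_failed"
        # The victim's fully MFA-satisfied session is what mints the tokens,
        # but they are bound to the attacker's pending device_code.
        record["tokens"] = {
            "access_token": "eyJ.access." + secrets.token_hex(8),   # placeholder format
            "refresh_token": "0.refresh." + secrets.token_hex(8),   # placeholder format
            "scope": record["scope"], "upn": upn,
        }
        return "approved"

    def token(self, device_code, client_id):
        """Step 3 (client side): the attacker polls /token with the device_code."""
        record = self._by_device_code.get(device_code)
        if record is None or record["client_id"] != client_id:
            return {"error": "invalid_grant"}
        if record["tokens"] is None:
            if self.now() > record["expires_at"]:
                return {"error": "expired_token"}
            return {"error": "authorization_pending"}
        return record["tokens"]


def run_lure(seconds_until_victim_acts, victim_completes_mfa=True):
    """Walk the three steps on a fake clock; returns (first poll, victim outcome, final poll)."""
    clock = [0.0]
    idp = AuthorizationServer(now=lambda: clock[0])
    client_id = "attacker-polling-client"   # hypothetical; real campaigns reuse first-party client IDs
    codes = idp.device_authorization(client_id, scope="Mail.Read offline_access")
    first_poll = idp.token(codes["device_code"], client_id)   # nothing yet: authorization_pending
    clock[0] += seconds_until_victim_acts                       # lure in transit, victim reading it
    outcome = idp.user_login(codes["user_code"], "victim@example.org",
                             password_ok=True, mfa_ok=victim_completes_mfa)
    final_poll = idp.token(codes["device_code"], client_id)
    return first_poll, outcome, final_poll


if __name__ == "__main__":
    for delay in (90, 20 * 60):
        first, outcome, final = run_lure(delay)
        print(f"victim acts after {delay}s: first poll={first}, victim={outcome}, final poll={final}")
```

Run with the victim acting after 90 seconds and the final poll returns the token pair; run with a 20-minute delay and the code has expired, which is the operational constraint behind the "urgent meeting" framing of the lures. Notice that `user_login` never hands the attacker's client the password or the MFA result; all the client ever sends is the `device_code` it generated itself.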
This technique’s effectiveness lies in its abuse of trusted interfaces. Unlike traditional phishing, which relies on spoofed login pages, device code phishing sends the victim to the real login page, so there is no lookalike domain to block and no credential interception to detect; from the identity provider's point of view the sign-in is an ordinary, successful, MFA-satisfied authentication, and the only distinguishing feature is the flow type.
As noted by Microsoft, Storm-2372’s campaigns often mimic corporate communication templates, such as Teams meeting invites, to lull targets into a false sense of security.
The captured tokens let the attacker read and search the victim's mailbox through the Microsoft Graph API, send further phishing messages from the compromised account to colleagues and partner organizations to move laterally, and exfiltrate data, all of it over sanctioned API traffic.
High-Value Targets and Global Reach: A Strategic Assault on Critical Infrastructure
Storm-2372’s campaign has prioritized organizations with access to geopolitical intelligence, economic data, and infrastructure control systems.
Government agencies, defense contractors, and telecommunications firms in Ukraine, Germany, and the U.S. have been primary targets, alongside NGOs involved in humanitarian aid and energy sectors in the Middle East.
The group’s focus on IT services and higher education institutions suggests an interest in intellectual property and research data, potentially aiding Russia’s technological and military objectives.
Microsoft’s analysis reveals that attackers often impersonate high-ranking officials or IT administrators to build rapport with targets before delivering phishing payloads.
For example, a fabricated Teams meeting invite might include a device code labeled as a “meeting ID,” prompting the victim to authenticate through Microsoft’s legitimate portal.
Once inside, Storm-2372 uses keyword searches (e.g., “credentials,” “ministry,” “admin”) to identify and exfiltrate sensitive emails, bypassing traditional email security tools by leveraging sanctioned APIs like Microsoft Graph.
Mitigating the Threat: Adaptive Defenses for an Evolving Landscape
To counter device code phishing, experts emphasize a shift from static security policies to adaptive, context-aware defenses.
Microsoft's first recommendation is to block the device code flow wherever the organization does not need it, which Conditional Access supports directly through its authentication flows condition. Where the flow must stay enabled (for example, for administrators using command-line tools), Conditional Access policies should restrict it to compliant or hybrid-joined devices, trusted locations, and low sign-in risk, backed by sign-in risk policies that force re-authentication.
Organizations are also urged to audit OAuth applications and revoke unnecessary permissions, but Storm-2372 did not need an app registration of its own: device codes were requested on behalf of existing first-party Microsoft clients, and Microsoft later observed the actor using the Microsoft Authentication Broker client to register attacker-controlled devices in Entra ID and obtain further tokens, so auditing third-party consents is necessary but not sufficient. When compromise is suspected, revoke the user's refresh tokens (the revokeSignInSessions action in Microsoft Graph, Revoke-MgUserSignInSession in Microsoft Graph PowerShell) and reset credentials so the stolen refresh token can no longer be redeemed.
Phishing-resistant MFA such as FIDO2 security keys should still replace SMS and push-based MFA, because it defeats adversary-in-the-middle credential phishing, but it does not on its own stop device code phishing: the victim authenticates with their key at the genuine Microsoft origin, so the key behaves exactly as designed and the tokens are issued all the same. Blocking or tightly scoping the device code flow is the control that addresses this technique.

Simultaneously, employee training programs must evolve to address social engineering tactics specific to device code phishing.
For instance, users should be trained to verify the legitimacy of unexpected authentication requests, even if they appear to originate from trusted platforms.
Browser-side controls such as browser isolation can help at the lure stage, for instance by flagging an unusual visit to the device login page, and session monitoring on the identity provider side can spot anomalous token use. Menlo Security’s HEATcheck framework, for example, identifies evasive behaviors in browser sessions. The caveat is that in device code phishing the tokens are redeemed by the attacker's own client, never by the victim's browser, so controls that only watch the victim's browser cannot see the token redemption or the exfiltration itself.
Additionally, Microsoft Entra ID (formerly Azure AD) sign-in logs record the flow used: filtering for an authentication protocol of deviceCode (in Microsoft Sentinel, SigninLogs where AuthenticationProtocol == "deviceCode") surfaces every such sign-in, and in a tenant where the flow is blocked or rarely used that alone is a strong signal. Successful device code sign-ins by apps the organization never uses that way, from IP addresses or regions that never appear in the user's ordinary sign-ins, or followed within minutes by Microsoft Graph mailbox searches, should be treated as probable compromise.
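The detection logic just described, run over a handful of constructed sign-in records, as an added example that is not part of the original article and not a Microsoft detection rule. The records are JSON lines using Entra ID sign-in log field names (createdDateTime, userPrincipalName, authenticationProtocol, ipAddress, appDisplayName, status.errorCode); the user names, app names, IP addresses and the allowlist of apps expected to use the device code flow are all assumptions. The high-severity rule assumes that the ipAddress on a deviceCode sign-in reflects the client that redeemed the code rather than the victim's browser, which should be validated against your own tenant's logs before relying on it.

```python
"""Flag device code authentications in Entra ID sign-in records and rank them by
how far they stray from the user's normal sign-ins."""
import json
from datetime import datetime

# Apps this (hypothetical) tenant knowingly uses with the device code flow.
EXPECTED_DEVICE_CODE_APPS = {"Microsoft Azure CLI"}

# Constructed sample sign-in records (JSON lines) using Entra ID sign-in log field names.
# 203.0.113.0/24 plays the organisation's address space; 198.51.100.77 the attacker's.
SAMPLE_SIGNINS = """\
{"createdDateTime":"2025-02-10T08:02:11Z","userPrincipalName":"a.ivanova@example.gov","authenticationProtocol":"oAuth2","ipAddress":"203.0.113.10","appDisplayName":"Office 365 Exchange Online","status":{"errorCode":0}}
{"createdDateTime":"2025-02-10T09:15:40Z","userPrincipalName":"a.ivanova@example.gov","authenticationProtocol":"deviceCode","ipAddress":"198.51.100.77","appDisplayName":"Microsoft Office","status":{"errorCode":0}}
{"createdDateTime":"2025-02-10T09:16:05Z","userPrincipalName":"a.ivanova@example.gov","authenticationProtocol":"oAuth2","ipAddress":"198.51.100.77","appDisplayName":"Microsoft Graph","status":{"errorCode":0}}
{"createdDateTime":"2025-02-10T10:00:00Z","userPrincipalName":"dev@example.gov","authenticationProtocol":"deviceCode","ipAddress":"203.0.113.22","appDisplayName":"Microsoft Azure CLI","status":{"errorCode":0}}
{"createdDateTime":"2025-02-10T10:30:00Z","userPrincipalName":"b.chen@example.gov","authenticationProtocol":"deviceCode","ipAddress":"203.0.113.40","appDisplayName":"Microsoft Office","status":{"errorCode":50126}}
"""


def parse_signins(text):
    """Parse JSON-lines sign-in records and sort them chronologically."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["createdDateTime"].replace("Z", "+00:00"))
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def detect_device_code_abuse(events):
    """Return one alert per successful device code sign-in, with severity:
    low    - device code flow used by an app the tenant expects to use it
    medium - device code flow used by an unexpected app
    high   - additionally, the redeeming IP has never appeared in that user's
             other successful sign-ins (the victim signed in from their own
             machine; the tokens were redeemed from somewhere else)."""
    alerts = []
    baseline_ips = {}   # upn -> IPs seen on non-device-code successful sign-ins so far
    for ev in events:
        upn = ev["userPrincipalName"]
        success = ev["status"]["errorCode"] == 0
        if ev["authenticationProtocol"] != "deviceCode":
            if success:
                baseline_ips.setdefault(upn, set()).add(ev["ipAddress"])
            continue
        if not success:
            continue   # failed device code attempts are worth counting but are not a compromise
        severity, reasons = "low", ["device code flow used"]
        if ev["appDisplayName"] not in EXPECTED_DEVICE_CODE_APPS:
            severity = "medium"
            reasons.append("unexpected app: " + ev["appDisplayName"])
        known = baseline_ips.get(upn, set())
        if known and ev["ipAddress"] not in known:
            severity = "high"
            reasons.append("redeemed from " + ev["ipAddress"] + ", not seen in user's other sign-ins")
        alerts.append({"user": upn, "time": ev["createdDateTime"],
                       "severity": severity, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in detect_device_code_abuse(parse_signins(SAMPLE_SIGNINS)):
        print(alert["severity"].upper(), alert["user"], alert["time"], "; ".join(alert["reasons"]))
```

On the sample, the administrator's Azure CLI sign-in produces a low-severity alert that an allowlist review would close, while the device code sign-in for a.ivanova is rated high because it is an unexpected app redeemed from an address the user has never signed in from, followed a minute later by Graph access from that same address. In production the baseline should be built from a prior window (for example the previous 30 days) rather than from the same stream, so that post-compromise activity cannot launder itself into the user's normal set of addresses.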
Storm-2372’s campaign exemplifies the blurred line between legitimate authentication workflows and weaponized attack vectors.
As nation-state actors increasingly exploit trust in ubiquitous platforms like Microsoft 365, organizations must adopt layered defenses that blend technical controls, continuous monitoring, and user education.
The rise of device code phishing underscores a broader trend: in an era where identity is the new perimeter, resilience hinges on anticipating adversarial innovation and rethinking legacy security paradigms.
By integrating threat intelligence with adaptive policies, enterprises can mitigate risks posed by Storm-2372 and similar APTs, safeguarding critical assets in an increasingly volatile cyber landscape.