A new and sophisticated phishing campaign, believed to be orchestrated by Russian threat actors, is wreaking havoc on various industries, including governments and NGOs. According to a warning from Microsoft’s Threat Intelligence Center, this attack, known as “device code phishing,” has been targeting users since August 2024 and remains active.
The phishing tactic centers on fraudulent meeting invitations that appear to come from popular platforms like WhatsApp, Signal, or Microsoft Teams. These fake invitations trick users into logging into their accounts, granting the attackers unauthorized access. The attackers abuse the authentication flow designed for input-constrained devices, such as smart TVs or gaming consoles, which involves entering a temporary code shown on one device into the login page of a separate one.
In this attack, the hackers first establish trust with the victim before sending a convincing invitation, often appearing to be a legitimate meeting request from a platform like Microsoft Teams. They generate a valid device code linked to their own device through a legitimate service, such as Microsoft’s login page, and then send this code to the target in a phishing email. When the victim clicks the link and enters the code on the genuine login screen, the service issues the authentication token to the attacker’s device, and the attackers gain access to the victim’s account. With this token, the hackers can access sensitive data and services without needing a password, maintaining access for as long as the token remains valid.
In addition to stealing login credentials, the hackers search for sensitive information within user messages. They focus on keywords like “username,” “password,” “admin,” “credentials,” and even “gov” to gain further insights into their target’s operations. Microsoft attributes the campaign to a threat actor they’ve named Storm-2372, which they believe is a Russian state-sponsored group.
Microsoft urges organizations to block device code authentication where possible to mitigate this threat and protect sensitive data from these persistent attackers.
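The following is an added illustration, not code from Microsoft or from the article: a toy model of the device authorization flow described above (the initiator requests the codes, the user approves on the real login page, the initiator polls and receives the token) together with a policy gate that refuses the grant outright, in the spirit of the mitigation recommended here. The in-memory authorization server, the client identifier and the user name are constructed; no real endpoint or Microsoft API is involved.

```python
"""Toy model of the OAuth 2.0 device authorization grant and of a policy gate
that blocks it.  Constructed illustration: the server, client ids and users
are made up and nothing here talks to a real identity provider."""
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional, Union


@dataclass
class DeviceAuth:
    client_id: str
    user_code: str
    expires_at: float
    approved_by: Optional[str] = None


class AuthServer:
    """Minimal authorization server keeping pending device authorizations."""

    def __init__(self, device_code_allowed: bool = True, lifetime_s: int = 900):
        self.device_code_allowed = device_code_allowed   # the policy switch
        self.lifetime_s = lifetime_s
        self._pending: Dict[str, DeviceAuth] = {}        # device_code -> record
        self._by_user_code: Dict[str, str] = {}          # user_code -> device_code

    def device_authorization(self, client_id: str) -> dict:
        """Step 1: whoever calls this (normally a TV or console) receives both
        codes.  The user_code is the value that ends up in the lure email."""
        if not self.device_code_allowed:
            raise PermissionError("device code flow blocked by policy")
        device_code = secrets.token_urlsafe(32)
        user_code = "-".join(secrets.token_hex(2).upper() for _ in range(2))
        rec = DeviceAuth(client_id, user_code, time.time() + self.lifetime_s)
        self._pending[device_code] = rec
        self._by_user_code[user_code] = device_code
        return {"device_code": device_code, "user_code": user_code,
                "verification_uri": "https://login.example/device"}  # constructed

    def user_approves(self, user_code: str, user: str) -> bool:
        """Step 2: the user types the code on the legitimate login page.
        Note that nothing binds this approval to the device that asked for the
        code; that gap is what the phishing lure exploits."""
        device_code = self._by_user_code.get(user_code)
        if device_code is None:
            return False
        rec = self._pending[device_code]
        if time.time() > rec.expires_at:
            return False
        rec.approved_by = user
        return True

    def token(self, device_code: str) -> Union[dict, str]:
        """Step 3: the initiator polls with its device_code; once approved it
        receives a token for the approving user, with no password involved."""
        rec = self._pending.get(device_code)
        if rec is None:
            return "invalid_grant"
        if rec.approved_by is None:
            return "authorization_pending"
        return {"access_token": secrets.token_urlsafe(16),
                "sub": rec.approved_by, "client_id": rec.client_id}


def run_scenario(device_code_allowed: bool) -> str:
    """Return who ends up holding a token: 'initiator' when the flow completes
    for the party that requested the codes, 'blocked' when policy refuses it."""
    srv = AuthServer(device_code_allowed=device_code_allowed)
    try:
        codes = srv.device_authorization(client_id="meeting-app")  # constructed
    except PermissionError:
        return "blocked"
    # Before approval the initiator only sees "authorization_pending".
    assert srv.token(codes["device_code"]) == "authorization_pending"
    # The user, believing this is a meeting invite, enters the code.
    srv.user_approves(codes["user_code"], user="user@example.org")  # constructed
    tok = srv.token(codes["device_code"])
    if isinstance(tok, dict) and tok["sub"] == "user@example.org":
        return "initiator"
    return "none"


if __name__ == "__main__":
    print("policy allows flow :", run_scenario(True))    # initiator
    print("policy blocks flow :", run_scenario(False))   # blocked
```

The point of the model is the asymmetry in `user_approves` versus `token`: the user proves their identity to the real login page, but the resulting token is delivered to whoever holds the matching `device_code`. Turning the policy switch off, as the article recommends, removes the grant entirely, which is why blocking the flow (rather than warning users about codes) is the mitigation Microsoft points to.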