Russian Hackers Use Device Code Phishing to Hijack Microsoft 365 Accounts

Russian phishing campaign uses device code authentication tricks to steal emails.

Published: Feb 17, 2025


Key Takeaways:

  • Russian threat actors are using device code phishing to hijack Microsoft 365 accounts by tricking users into entering attacker-generated device codes on Microsoft's genuine device login page.
  • Hackers search emails for sensitive keywords like “password” and “credentials.”
  • The attack primarily targets government agencies and businesses across North America, Africa, Europe, and the Middle East.

Microsoft has issued an alert about a phishing campaign by a Russian threat actor it tracks as Storm-2372, which abuses the device code authentication flow to hijack Microsoft 365 accounts. The actor then uses the compromised accounts to read sensitive data in government and business organizations worldwide.

What is device code phishing?

Device code phishing abuses the device code authentication flow (the OAuth 2.0 device authorization grant), which exists so that input-constrained devices such as printers, smart TVs, and conference-room hardware that cannot run a full web browser can still sign a user in. The device requests a code from the identity provider and displays a short alphanumeric code together with a verification URL. The user opens that URL on a computer or smartphone, enters the code, and completes the normal sign-in there, including multi-factor authentication (MFA). The identity provider then issues tokens to the device that requested the code, not to the browser the user signed in from.

In device code phishing the attacker plays the role of the device: they request a code themselves, send it to the victim with a pretext for entering it, and poll the token endpoint until the victim's sign-in completes. Because the tokens are delivered to whichever client requested the code, the attacker receives the victim's access and refresh tokens, and with them access to the account and any data or services those tokens are scoped to.

How does device code phishing work?

According to the Microsoft Threat Intelligence team, Storm-2372 has been running this device code phishing campaign against Microsoft 365 accounts since at least August 2024. The group first approaches targets on messaging apps such as WhatsApp, Signal, and Microsoft Teams, falsely posing as a prominent person relevant to the target, and starts a conversation.

After building rapport, the attacker sends a message or email containing a fake Microsoft Teams meeting invite. The link leads to Microsoft's genuine device login page, where the victim is asked to enter a device code. That code was generated moments earlier at the attacker's request through Microsoft's device code authentication flow, and it is only valid for a short time, which is why the lure is timed to the conversation.

The victim enters the code and completes the sign-in, including any MFA prompt, believing they are joining a meeting. Meanwhile the attacker, polling the token endpoint with the device code they hold, receives the resulting access and refresh tokens for the victim's account. The attacker never handles the victim's password or MFA response; the victim supplies those to Microsoft, and the tokens simply land with the client that started the flow. The attacker keeps access to the victim's email or cloud storage for as long as the tokens remain valid, and can extend it by redeeming the refresh token.
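The exchange described above, modelled offline as an added example (this is not Microsoft's code). A mock authorization server stands in for login.microsoftonline.com, whose real device code endpoints are /oauth2/v2.0/devicecode and /oauth2/v2.0/token, and the verification page is https://microsoft.com/devicelogin. The app ID, the victim's address and the token strings are made up. The point the code makes is structural: the token endpoint binds tokens to the device_code, which only the party that started the flow holds, so the browser session in which the victim authenticates never receives them.

```python
"""Offline model of the OAuth 2.0 device authorization grant (RFC 8628), the
flow Microsoft Entra ID exposes as the device code flow.  Added illustration,
not Microsoft's code: MockAuthorizationServer stands in for
login.microsoftonline.com.  App IDs, user names and tokens are made up."""
import secrets
import time

DEVICE_CODE_GRANT = "urn:ietf:params:oauth:grant-type:device_code"
VERIFICATION_URI = "https://microsoft.com/devicelogin"
CODE_LIFETIME = 900   # Entra's device code expires_in is 900 seconds
POLL_INTERVAL = 5


class MockAuthorizationServer:
    def __init__(self, clock=time.time):
        self.clock = clock
        self.pending = {}        # device_code -> request record
        self.by_user_code = {}   # user_code -> device_code

    def devicecode(self, client_id, scope):
        """POST /devicecode.  Anyone can call this; no user is involved yet.
        The caller (in the campaign, the attacker) keeps device_code and
        forwards only the short user_code to the victim."""
        device_code = secrets.token_urlsafe(32)
        user_code = "".join(secrets.choice("BCDFGHJKLMNPQRSTVWXZ") for _ in range(9))
        self.pending[device_code] = {
            "client_id": client_id, "scope": scope, "user_code": user_code,
            "expires_at": self.clock() + CODE_LIFETIME, "user": None,
        }
        self.by_user_code[user_code] = device_code
        return {"device_code": device_code, "user_code": user_code,
                "verification_uri": VERIFICATION_URI,
                "expires_in": CODE_LIFETIME, "interval": POLL_INTERVAL}

    def devicelogin(self, user_code, user, mfa_passed):
        """Browser side: the user types user_code on the genuine verification
        page and completes password and MFA there.  The page shows the app
        name, not who requested the code."""
        rec = self.pending.get(self.by_user_code.get(user_code))
        if rec is None or self.clock() > rec["expires_at"]:
            return {"status": "error", "reason": "code invalid or expired"}
        if not mfa_passed:
            return {"status": "error", "reason": "sign-in not completed"}
        rec["user"] = user
        return {"status": "ok", "app": rec["client_id"]}

    def token(self, client_id, device_code):
        """POST /token with grant_type=device_code, polled by the initiator.
        Tokens are bound to device_code, so they go to whoever holds it."""
        rec = self.pending.get(device_code)
        if rec is None or rec["client_id"] != client_id:
            return {"error": "invalid_grant"}
        if self.clock() > rec["expires_at"]:
            del self.pending[device_code]
            return {"error": "expired_token"}
        if rec["user"] is None:
            return {"error": "authorization_pending"}
        del self.pending[device_code]
        return {"token_type": "Bearer", "scope": rec["scope"], "expires_in": 3600,
                "access_token": "eyJ.access." + rec["user"],
                "refresh_token": "0.rt." + rec["user"]}


def run_flow(server, initiator_client_id, victim, victim_passes_mfa=True):
    """Walk both sides of the exchange; return the messages in order."""
    transcript = []
    req = server.devicecode(initiator_client_id, "openid offline_access Mail.Read")
    transcript.append(("devicecode", req))
    # The initiator polls before the victim has done anything.
    transcript.append(("token", server.token(initiator_client_id, req["device_code"])))
    # The victim follows the lure, opens the real verification page and enters
    # the user_code they were sent, authenticating with their own password and MFA.
    transcript.append(("devicelogin",
                       server.devicelogin(req["user_code"], victim, victim_passes_mfa)))
    # The initiator's next poll now receives the victim's tokens.
    transcript.append(("token", server.token(initiator_client_id, req["device_code"])))
    return transcript


def expired_flow(elapsed=CODE_LIFETIME + 1):
    """A code the victim never enters is useless once its lifetime passes."""
    now = [1_000_000.0]
    server = MockAuthorizationServer(clock=lambda: now[0])
    req = server.devicecode("initiator-app-id", "Mail.Read")
    now[0] += elapsed
    return server.token("initiator-app-id", req["device_code"])


if __name__ == "__main__":
    for step, msg in run_flow(MockAuthorizationServer(), "initiator-app-id",
                              "victim@example.com"):
        print(step, msg)
```

Running it prints the four messages: the code issuance, an authorization_pending poll, the victim's successful sign-in, and the poll that returns the victim's tokens to the initiator. The MFA-failed and expired-code paths show why the lure has to be delivered while a freshly issued code is still live.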

“The threat actor uses this valid session to move laterally within the newly compromised network by sending additional phishing messages containing links for device code authentication to other users through intra-organizational emails originating from the victim’s account,” the Microsoft Threat Intelligence team explained.

Device code phishing attack cycle (Image Credit: Microsoft)

Once inside, the actor used the Microsoft Graph API to search the mailboxes of compromised accounts for specific keywords such as username, password, admin, TeamViewer, AnyDesk, credentials, secret, ministry, and gov. The researchers found that Storm-2372 targeted various sectors, including government, non-governmental organizations, IT services and technology, health, telecommunications, higher education, and oil and gas, across North America, Africa, Europe, and the Middle East.

Microsoft has since observed Storm-2372 change its tactics: the actor now uses the client ID of Microsoft Authentication Broker when starting the device code flow. Microsoft reports that a refresh token obtained this way can be exchanged for a token for the device registration service, letting the actor register a device of its own in Microsoft Entra ID and then obtain a Primary Refresh Token. That gives the actor a foothold that outlives the originally phished tokens and is harder to spot than a one-off mailbox session.

Microsoft is actively monitoring the activities of Storm-2372 and other similar threat actors and directly notifies the affected individuals or organizations. The company also emphasizes the importance of taking proactive measures to protect against phishing and similar threats.

Microsoft recommends that administrators enable the device code flow only where it is genuinely needed and otherwise block it with a Conditional Access policy that targets the device code authentication flow. If a device code is suspected to have been phished, administrators should revoke the affected user's refresh tokens (for example with the Microsoft Graph revokeSignInSessions action) so that tokens already in the attacker's hands stop working, and apply a Conditional Access policy that forces the user to re-authenticate. Device code sign-ins are recorded as such in the Entra sign-in logs, which makes them straightforward to hunt for.
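Detection and containment for the advice above, as an added example that is not Microsoft's code. The sign-in records are constructed here to mirror the shape of the Microsoft Graph signIn resource (camelCase fields such as userPrincipalName, appDisplayName, ipAddress, location.countryOrRegion and authenticationProtocol); a real run would fetch them from GET /auditLogs/signIns, and the Azure Monitor SigninLogs table carries the same fields with PascalCase column names. The user names and IP addresses are made up, and the Conditional Access body follows the Graph authenticationFlows condition as I know it.

```python
"""Triage device code sign-ins from Entra sign-in log records and produce the
Graph requests needed to respond.  Added example, not Microsoft's code; the
log records are constructed, using documentation IP ranges."""
from collections import defaultdict

GRAPH = "https://graph.microsoft.com/v1.0"

# Constructed sample: ordinary sign-ins that establish each user's baseline,
# then two device code sign-ins, one of them from a country never seen before.
SAMPLE_SIGNINS = [
    {"id": "s1", "createdDateTime": "2025-02-10T08:02:11Z", "userPrincipalName": "a.lee@example.com",
     "appDisplayName": "Office 365 Exchange Online", "ipAddress": "203.0.113.10",
     "location": {"countryOrRegion": "GB"}, "authenticationProtocol": "oAuth2", "status": {"errorCode": 0}},
    {"id": "s2", "createdDateTime": "2025-02-10T09:15:40Z", "userPrincipalName": "b.kim@example.com",
     "appDisplayName": "Office 365 Exchange Online", "ipAddress": "198.51.100.7",
     "location": {"countryOrRegion": "DE"}, "authenticationProtocol": "oAuth2", "status": {"errorCode": 0}},
    {"id": "s3", "createdDateTime": "2025-02-11T08:01:05Z", "userPrincipalName": "a.lee@example.com",
     "appDisplayName": "Microsoft Teams", "ipAddress": "203.0.113.10",
     "location": {"countryOrRegion": "GB"}, "authenticationProtocol": "oAuth2", "status": {"errorCode": 0}},
    {"id": "s4", "createdDateTime": "2025-02-12T10:30:00Z", "userPrincipalName": "b.kim@example.com",
     "appDisplayName": "Microsoft Authentication Broker", "ipAddress": "198.51.100.7",
     "location": {"countryOrRegion": "DE"}, "authenticationProtocol": "deviceCode",
     "originalTransferMethod": "deviceCodeFlow", "status": {"errorCode": 0}},
    {"id": "s5", "createdDateTime": "2025-02-12T14:45:22Z", "userPrincipalName": "a.lee@example.com",
     "appDisplayName": "Microsoft Authentication Broker", "ipAddress": "192.0.2.44",
     "location": {"countryOrRegion": "US"}, "authenticationProtocol": "deviceCode",
     "originalTransferMethod": "deviceCodeFlow", "status": {"errorCode": 0}},
]


def device_code_alerts(signins):
    """One alert per successful device code sign-in.  Severity is raised when
    the source country is absent from the user's baseline of successful
    non-device-code sign-ins in the same window."""
    baseline = defaultdict(set)
    for s in signins:
        if s["authenticationProtocol"] != "deviceCode" and s["status"]["errorCode"] == 0:
            baseline[s["userPrincipalName"]].add(s["location"]["countryOrRegion"])
    alerts = []
    for s in sorted(signins, key=lambda r: r["createdDateTime"]):
        if s["authenticationProtocol"] != "deviceCode" or s["status"]["errorCode"] != 0:
            continue
        user, country = s["userPrincipalName"], s["location"]["countryOrRegion"]
        new_country = country not in baseline[user]
        alerts.append({
            "user": user, "signInId": s["id"], "app": s["appDisplayName"],
            "ipAddress": s["ipAddress"], "country": country,
            "severity": "high" if new_country else "medium",
            "reason": "device code sign-in"
                      + (" from a country with no prior sign-ins" if new_country else ""),
        })
    return alerts


def containment_requests(alert):
    """Graph call for a confirmed alert: revoking the user's sign-in sessions
    invalidates the refresh tokens the attacker obtained via the phished code."""
    return [("POST", f"{GRAPH}/users/{alert['user']}/revokeSignInSessions", None)]


def block_device_code_policy(state="enabledForReportingButNotEnforced"):
    """Conditional Access body (POST /identity/conditionalAccess/policies) that
    blocks the device code flow tenant-wide.  Start in report-only mode and
    exclude break-glass accounts before switching state to 'enabled'."""
    return {
        "displayName": "Block device code flow",
        "state": state,
        "conditions": {
            "users": {"includeUsers": ["All"]},
            "applications": {"includeApplications": ["All"]},
            "authenticationFlows": {"transferMethods": "deviceCodeFlow"},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }


if __name__ == "__main__":
    for alert in device_code_alerts(SAMPLE_SIGNINS):
        print(alert["severity"], alert["user"], alert["reason"], containment_requests(alert))
    print(block_device_code_policy())
```

In an environment where a few printers or shared devices genuinely need the flow, scope the policy's users or applications exclusions to those cases rather than leaving the flow open tenant-wide; the report-only state shows who would have been blocked before enforcement starts.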
