

Ethical Hacking News

Device Code Phishing: A New Vector for Nation-State Threat Actors


Device code phishing, a previously overlooked attack method, has been used by Russian spies to hijack Microsoft 365 accounts since last August. The threat actors have successfully exploited the device code flow authentication mechanism, which is designed for logging printers and smart devices into accounts.

  • Device code phishing attacks have been used by Russian spies to hijack Microsoft 365 accounts since last August.
  • The attack uses the "device code flow" authentication mechanism, designed for logging devices into accounts.
  • Threat actors masquerade as high-ranking officials to gain trust with targeted users and request access to their accounts.
  • Targets are asked to join a Microsoft Teams meeting or give access to applications and data using an external account generated by the attacker.
  • Recommended steps to avoid falling prey include paying close attention to links, confirming app sign-in, and being suspicious of missing options in messages.



    Device code phishing, a previously overlooked attack method, has been used by Russian spies to hijack Microsoft 365 accounts since last August. According to researchers at Volexity and Microsoft, threat actors have successfully exploited the "device code flow" authentication mechanism, which is designed for logging printers, smart TVs, and similar devices into accounts.

    The device code flow protocol involves displaying an alphabetic or alphanumeric device code on an input-constrained device, along with a link associated with the user account. The user opens the link on a computer or other device that's easier to sign in with, and enters the code. The remote server then sends a token to the input-constrained device that logs it into the account.

    This attack vector has proven effective because of the ambiguity in the user interface of the device code authorization process. Threat actors have been masquerading as high-ranking officials from organizations such as the United States Department of State, Ukrainian Ministry of Defence, European Union Parliament, and prominent research institutions to gain trust with targeted users.

    Once a rapport is built, attackers ask users to join a Microsoft Teams meeting, give access to applications and data as an external Microsoft 365 user, or join a chatroom on a secure chat application. The request includes a link and an access code, which the threat actor generated using a device they control.

    When the target visits the link with a browser authorized to access the Microsoft 365 account and enters the code, the attacker device gains access that will last as long as the authentication tokens remain valid.
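
    The exchange described above, modelled as a toy in-memory authorization server. This is an added example, not code from the article, Microsoft or Volexity. All class and function names, the sample account and the login.example URL are constructed, and the expected_client argument stands in for the user checking the app name on the sign-in page.

```python
import secrets
GRANT = "urn:ietf:params:oauth:grant-type:device_code"  # RFC 8628 grant type

class AuthServer:
    """Toy in-memory model of the device code exchange (all names constructed)."""
    def __init__(self):
        self.by_device_code = {}  # secret half, known only to the requesting device
        self.by_user_code = {}    # short half, typed by a human into a browser

    def device_authorization(self, client_name):
        # Step 1: a device requests a code pair; the server cannot tell who controls it.
        device_code = secrets.token_urlsafe(16)
        user_code = secrets.token_hex(4).upper()
        rec = {"client": client_name, "approved_by": None}
        self.by_device_code[device_code] = rec
        self.by_user_code[user_code] = rec
        return {"device_code": device_code, "user_code": user_code,
                "verification_uri": "https://login.example/device"}  # placeholder

    def approve(self, user_code, signed_in_user, expected_client=None):
        # Step 2: a signed-in user enters the code. expected_client models the
        # user checking the app name on the confirmation page before agreeing.
        rec = self.by_user_code.get(user_code)
        if rec is None:
            return "invalid_code"
        if expected_client is not None and rec["client"] != expected_client:
            return "declined"
        rec["approved_by"] = signed_in_user
        return "approved"

    def token(self, grant_type, device_code):
        # Step 3: the device polls. Tokens go to whoever holds device_code,
        # not to the browser where the user code was entered.
        rec = self.by_device_code.get(device_code)
        if grant_type != GRANT or rec is None:
            return {"error": "invalid_grant"}
        if rec["approved_by"] is None:
            return {"error": "authorization_pending"}
        return {"access_token": "token-for-" + rec["approved_by"]}

def run_flow(expected_client=None):
    """Run one exchange; the code pair was requested by a device the user never saw."""
    server = AuthServer()
    grant = server.device_authorization("Unrecognized App")
    before = server.token(GRANT, grant["device_code"])
    decision = server.approve(grant["user_code"], "alice@example.com", expected_client)
    after = server.token(GRANT, grant["device_code"])
    return before, decision, after
```

    With no check on the app name, the polling device ends up holding a token for the user's account; when the user expects a specific app and the name does not match, the approval is declined and the device keeps receiving authorization_pending.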

    The effectiveness of this attack is largely due to the ease of use and convenience provided by the device code flow protocol. By leveraging this vulnerability, Russian spies have been able to launch a concerted effort to abuse this method before the targets catch on and implement countermeasures.

    Microsoft and Volexity provide various other steps people can take to avoid falling prey to this campaign, including paying close attention to links and pages they lead to, confirming that they're signing into the app they expect, and being suspicious of messages where this option is missing.

    In conclusion, device code phishing has emerged as a new vector for nation-state threat actors. Understanding the nature of this attack and taking proactive steps to protect oneself against it are crucial in today's digital landscape.



    Related Information:

  • https://arstechnica.com/information-technology/2025/02/russian-spies-use-device-code-phishing-to-hijack-microsoft-accounts/


  • Published: Fri Feb 14 16:20:52 2025 by llama3.2 3B Q4_K_M












