Today's cybersecurity headlines are brought to you by ThreatPerspective


Ethical Hacking News

Hackers Leverage Device Code Phishing to Steal Emails from Microsoft 365 Accounts


Microsoft 365 accounts have been targeted in a phishing campaign that abuses the device code authentication flow. The attackers, a threat actor that Microsoft links to Russia, used it to gain unauthorized access to victims' emails and other sensitive data.

  • Microsoft 365 accounts have been targeted by a sophisticated phishing campaign that abuses the device code authentication flow.
  • The attack is attributed to a threat actor potentially linked to Russia and targets individuals in Europe, North America, Africa, and the Middle East.
  • Microsoft tracks the activity under the codename "Storm-237" and assesses with medium confidence that it is connected to a nation-state, specifically Russia.
  • The attack uses device code phishing to trick users into entering attacker-generated device codes on legitimate sign-in pages.
  • The threat actor captures the resulting access tokens and uses them with the Graph API to collect emails and other sensitive data.
  • The attackers have recently evolved their tactics by using a specific client ID in the device code sign-in flow, allowing them to register devices with Microsoft's cloud-based identity solution.
  • Microsoft recommends blocking the device code flow, enforcing Conditional Access policies, revoking refresh tokens, and monitoring for suspicious activity in Entra ID's sign-in logs.



  • Microsoft 365 users have recently been targeted by a sophisticated phishing campaign that abuses the device code authentication flow, allowing hackers to gain unauthorized access to emails and other sensitive data. The attack, attributed to a threat actor potentially linked to Russia, targets individuals in various sectors across Europe, North America, Africa, and the Middle East.

    According to Microsoft's Threat Intelligence Center, which tracks the activity under the codename "Storm-237", researchers have established with medium confidence that this operation is connected to a nation-state and aligns with Russia's interests. The attack uses device code phishing to trick users into entering attacker-generated device codes on legitimate sign-in pages.

    Devices with limited input capability, such as smart TVs and IoT devices, authenticate applications by asking the user to enter an authorization code on a separate device, like a smartphone or computer. Microsoft researchers discovered that Storm-237 abuses this flow by generating device codes itself and tricking users into entering them on legitimate sign-in pages.

    The threat actor initiates the attack after establishing contact with the target through messaging platforms such as WhatsApp, Signal, and Microsoft Teams. The hackers build rapport before sending a fake online meeting invitation via email or message. The invitation contains a device code generated by the attacker, and the victim is tricked into completing the device code authentication request with it.

    The researchers at Microsoft explain that this lures the user into providing initial access to their accounts and enables Graph API data collection activities such as email harvesting. This gives the hackers access to the victim's Microsoft services without needing a password for as long as the stolen tokens remain valid.

    However, Storm-237 has recently evolved its tactics by using a specific client ID in the device code sign-in flow. This allows the actor to obtain new refresh tokens and opens up further attack possibilities, because the client ID can be used to register devices with Entra ID, Microsoft's cloud-based identity and access management solution.

    With this refresh token and new device identity, Storm-237 is able to obtain a Primary Refresh Token (PRT) and access an organization’s resources. Researchers at Microsoft have observed that the connected device is used to collect emails.

    To counter this type of device code phishing attack, Microsoft proposes several defensive measures. First, block the device code flow where possible and enforce Conditional Access policies in Microsoft Entra ID to limit its use to trusted devices or networks. If a device code phishing attack is suspected, immediately revoke the affected users' refresh tokens using 'revokeSignInSessions' and set a Conditional Access policy that forces them to re-authenticate.

    Finally, Microsoft suggests monitoring Entra ID's sign-in logs for high volumes of authentication attempts in a short period, device code sign-ins from unrecognized IP addresses, and unexpected device code authentication prompts sent to multiple users.
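As an added example (not from the original article and not Microsoft's own tooling), the monitoring advice above turned into a small detection routine run over constructed sign-in records shaped like Microsoft Graph signIn objects. The field names (authenticationProtocol, ipAddress, userPrincipalName, createdDateTime), the trusted network range and the thresholds are assumptions.

```python
import ipaddress
from datetime import datetime, timedelta

# Assumption: the organisation's known egress ranges (documentation range used here)
TRUSTED_NETS = [ipaddress.ip_network("203.0.113.0/24")]

# Constructed sample records; field names follow the Graph signIn schema (assumed)
SAMPLE_SIGNINS = [
    {"createdDateTime": "2025-02-14T09:00:00Z", "userPrincipalName": "alice@example.com",
     "ipAddress": "203.0.113.10", "authenticationProtocol": "oAuth2"},
    {"createdDateTime": "2025-02-14T09:05:00Z", "userPrincipalName": "alice@example.com",
     "ipAddress": "198.51.100.7", "authenticationProtocol": "deviceCode"},
    {"createdDateTime": "2025-02-14T09:06:00Z", "userPrincipalName": "bob@example.com",
     "ipAddress": "198.51.100.7", "authenticationProtocol": "deviceCode"},
    {"createdDateTime": "2025-02-14T09:07:00Z", "userPrincipalName": "carol@example.com",
     "ipAddress": "198.51.100.7", "authenticationProtocol": "deviceCode"},
    {"createdDateTime": "2025-02-14T15:00:00Z", "userPrincipalName": "dave@example.com",
     "ipAddress": "203.0.113.22", "authenticationProtocol": "deviceCode"},
]


def _ts(rec):
    return datetime.strptime(rec["createdDateTime"], "%Y-%m-%dT%H:%M:%SZ")


def is_trusted(ip):
    """True when the source IP falls inside one of the trusted networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETS)


def find_suspicious_device_code_signins(signins, window=timedelta(minutes=10), min_users=3):
    """Return alerts for (a) device code sign-ins from untrusted IPs and
    (b) device code sign-ins hitting >= min_users distinct users within `window`."""
    alerts = []
    dc = sorted((r for r in signins if r["authenticationProtocol"] == "deviceCode"), key=_ts)
    for r in dc:
        if not is_trusted(r["ipAddress"]):
            alerts.append(("untrusted_ip", r["userPrincipalName"], r["ipAddress"]))
    # Sliding window: many distinct users completing device code sign-ins in a
    # short period looks like a phishing wave rather than normal TV/IoT enrolment.
    for i, r in enumerate(dc):
        users = {x["userPrincipalName"] for x in dc[i:] if _ts(x) - _ts(r) <= window}
        if len(users) >= min_users:
            alerts.append(("burst", r["createdDateTime"], len(users)))
            break
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious_device_code_signins(SAMPLE_SIGNINS):
        print(alert)
```

In production the records would come from the Graph sign-in log export rather than the inline sample, and the thresholds should be tuned to the tenant's normal device code usage.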



    Related Information:

  • https://www.bleepingcomputer.com/news/security/microsoft-hackers-steal-emails-in-device-code-phishing-attacks/


  • Published: Sat Feb 15 10:15:09 2025 by llama3.2 3B Q4_K_M












