Storm-2372: Microsoft 365 Conferences Used for State Theft

Microsoft has recently uncovered a large-scale phishing campaign run by the group it tracks as Storm-2372 and aimed at Microsoft 365 accounts. The targets are government organizations, NGOs, IT companies, defense enterprises, the telecommunications and energy sectors, and the healthcare sector in Europe, North America, Africa, and the Middle East. A key feature of the campaign is device code phishing, which lets the attackers sidestep password-based authentication entirely.

Using social engineering, the attackers impersonate influential individuals and make contact with the victim over platforms such as WhatsApp, Signal, or Microsoft Teams. They then send a fake invitation to an online meeting that contains a pre-generated device code. When the victim enters that code on the legitimate Microsoft sign-in page, the attackers' pending device code login completes and they receive access tokens without ever needing a password, which they then use to extract emails, cloud files, and other corporate data.

The Storm-2372 group also uses the Microsoft Graph API to search compromised mailboxes for specific keywords and, once it finds messages of interest, exfiltrates them in bulk. In a newer phase of the attack, the attackers have begun using the Microsoft Authentication Broker client identifier, which lets them obtain fresh access tokens for further actions in the network.

To prevent compromise, Microsoft recommends that organizations disable device code authentication, enforce Conditional Access policies in Entra ID, revoke stolen tokens, impose additional requirements on suspicious users, and monitor Entra ID for abnormal activity. Users are advised to be cautious when signing in from unfamiliar devices and never to enter authentication codes received through unofficial channels.
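As an added illustration of the monitoring step (example code, not Microsoft's or the report's), the following detection runs over constructed sign-in records and flags device code sign-ins from a country the user has never used, plus any Microsoft Authentication Broker token issuance that follows one from the same address. The record field names, sample addresses, user names and the 60-minute correlation window are assumptions.

```python
import json
from datetime import datetime, timedelta

# Constructed sample records loosely modelled on Entra ID sign-in log fields;
# the field names, addresses and users are assumptions, not real tenant data.
SAMPLE_SIGNINS = json.dumps([
    {"id": "s1", "createdDateTime": "2025-02-10T08:01:00Z", "userPrincipalName": "alice@example.org",
     "appDisplayName": "Microsoft Teams", "authenticationProtocol": "none",
     "ipAddress": "203.0.113.10", "location": {"countryOrRegion": "DE"}},
    {"id": "s2", "createdDateTime": "2025-02-10T09:15:00Z", "userPrincipalName": "alice@example.org",
     "appDisplayName": "Microsoft Office", "authenticationProtocol": "deviceCode",
     "ipAddress": "198.51.100.7", "location": {"countryOrRegion": "NL"}},
    {"id": "s3", "createdDateTime": "2025-02-10T09:20:00Z", "userPrincipalName": "alice@example.org",
     "appDisplayName": "Microsoft Authentication Broker", "authenticationProtocol": "none",
     "ipAddress": "198.51.100.7", "location": {"countryOrRegion": "NL"}},
    {"id": "s4", "createdDateTime": "2025-02-10T10:00:00Z", "userPrincipalName": "bob@example.org",
     "appDisplayName": "Azure CLI", "authenticationProtocol": "deviceCode",
     "ipAddress": "203.0.113.22", "location": {"countryOrRegion": "DE"}},
])

BROKER_APP = "Microsoft Authentication Broker"  # app display name named in the report
BROKER_WINDOW = timedelta(minutes=60)           # assumed correlation window


def _ts(value):
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def find_device_code_abuse(signins_json, known_countries):
    """Return alert dicts for sign-ins matching the device code phishing pattern.

    known_countries maps a UPN to the set of countries that user normally signs in from.
    """
    events = sorted(json.loads(signins_json), key=lambda e: e["createdDateTime"])
    alerts, device_code_seen = [], []  # device_code_seen holds (time, upn, ip)
    for ev in events:
        upn, ip, when = ev["userPrincipalName"], ev["ipAddress"], _ts(ev["createdDateTime"])
        country = ev.get("location", {}).get("countryOrRegion")
        if ev.get("authenticationProtocol") == "deviceCode":
            device_code_seen.append((when, upn, ip))
            # A device code sign-in from an unfamiliar country is the strongest signal:
            # the code was completed by the attacker's client, not the victim's device.
            if country not in known_countries.get(upn, set()):
                alerts.append({"id": ev["id"], "rule": "device_code_new_location", "severity": "high"})
            else:
                alerts.append({"id": ev["id"], "rule": "device_code_signin", "severity": "info"})
        elif ev.get("appDisplayName") == BROKER_APP:
            # Broker token issuance shortly after a device code sign-in from the same
            # address matches the follow-on step of minting new tokens for further access.
            if any(u == upn and i == ip and timedelta(0) <= when - t <= BROKER_WINDOW
                   for t, u, i in device_code_seen):
                alerts.append({"id": ev["id"], "rule": "broker_after_device_code", "severity": "high"})
    return alerts
```

In a real tenant the same two filters translate to a query over the sign-in log's authentication protocol and application display name columns, with the user's historical sign-in countries as the baseline.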

As Microsoft continues to monitor the Storm-2372 group’s activities, organizations are encouraged to remain vigilant and be aware of potential compromises to their Microsoft 365 accounts.
