- Microsoft has spotted a new phishing attack vector in the wild
- Storm-2372 steals access tokens through Microsoft Teams
- The group has been linked to Russia with medium confidence
A new phishing campaign has been spotted using "device code phishing" through Microsoft Teams to target governments, NGOs and other industries across Europe, North America, Africa and the Middle East.
The attack, spotted by Microsoft itself, uses Teams video-conference meeting invitations that encourage the victim to enter a device code generated by the attacker. Doing so hands the attacker valid access tokens, giving them access to the victim's email and sensitive data.
Microsoft assesses with medium confidence that the group, tracked as Storm-2372, operates in line with Russian tactics and interests.
Data exfiltration and lateral movement
Microsoft says the threat actor first builds a relationship with the victim through messaging services such as WhatsApp, Signal and Microsoft Teams, posing as a prominent figure in the victim's industry. The attacker then invites the victim to an online meeting, where the victim is asked to complete a device code authentication request.
The actor generates a legitimate device code authentication request and sends the resulting code to the victim. The victim enters the code on the legitimate authentication service's page, which lets the attacker capture access and refresh tokens and use them to maintain control of the account.
From there, the attacker often tries to move laterally using the valid access tokens, running keyword searches in the messaging service to collect sensitive data, including usernames and passwords as well as data matching keywords such as admin, TeamViewer, AnyDesk, credentials, secret, ministry and gov.
The attacker can also use the compromised account to message or email colleagues with further phishing lures. Storm-2372 has also been observed using the specific client ID of the Microsoft Authentication Broker to request additional tokens, which allows the attacker to register their own devices as authentication devices via Entra ID.
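The exchange described above is the standard OAuth 2.0 device authorization grant (RFC 8628). The following is an added example, not Microsoft's code or anything from the report, that models the three steps in memory to show why the party that initiated the device request is the one that ends up holding the tokens, and how a policy that disables the grant stops the exchange at step one. The client name, user, verification URL and code format are all constructed.

```python
# Added example (not Microsoft's code): a minimal in-memory model of the OAuth 2.0
# device authorization grant (RFC 8628). All names, codes and URLs are constructed.
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class DeviceRequest:
    device_code: str                    # secret, returned only to the initiating client
    user_code: str                      # short code a user is asked to type in
    client_id: str
    expires_at: float
    approved_by: Optional[str] = None   # set when a signed-in user enters user_code
    redeemed: bool = False


class AuthorizationServer:
    """Toy authorization server; everything lives in memory."""

    def __init__(self, allow_device_code_flow: bool = True):
        self.allow_device_code_flow = allow_device_code_flow
        self._by_user_code: Dict[str, DeviceRequest] = {}

    def device_authorization(self, client_id: str, lifetime_s: int = 900) -> dict:
        """Step 1: a client asks for a device code (RFC 8628 sections 3.1 and 3.2)."""
        if not self.allow_device_code_flow:
            # Models the "disable the device code flow" mitigation: nothing is issued.
            raise PermissionError("unauthorized_client: device code flow disabled by policy")
        req = DeviceRequest(
            device_code=secrets.token_urlsafe(32),
            user_code=f"{secrets.randbelow(10**9):09d}",   # constructed 9-digit format
            client_id=client_id,
            expires_at=time.time() + lifetime_s,
        )
        self._by_user_code[req.user_code] = req
        return {"device_code": req.device_code, "user_code": req.user_code,
                "verification_uri": "https://login.example.invalid/device",   # constructed
                "expires_in": lifetime_s}

    def user_enters_code(self, user_code: str, signed_in_user: str) -> str:
        """Step 2: a user who is signed in at verification_uri types the code."""
        req = self._by_user_code.get(user_code)
        if req is None or time.time() > req.expires_at:
            return "expired_or_unknown"
        # The server cannot tell whether the person typing the code is the same
        # party that requested it; it only records who approved it.
        req.approved_by = signed_in_user
        return "approved"

    def token(self, device_code: str) -> dict:
        """Step 3: the initiating client polls the token endpoint with its device_code."""
        for req in self._by_user_code.values():
            if secrets.compare_digest(req.device_code, device_code):
                if req.approved_by is None:
                    return {"error": "authorization_pending"}
                if req.redeemed:
                    return {"error": "invalid_grant"}
                req.redeemed = True
                return {"access_token": secrets.token_urlsafe(16),
                        "refresh_token": secrets.token_urlsafe(16),
                        "subject": req.approved_by}
        return {"error": "invalid_grant"}


def simulate(allow_device_code_flow: bool) -> dict:
    """Run the three steps with an 'initiator' and a separate signed-in user.

    Returns a summary of who ended up holding tokens for whose account.
    """
    server = AuthorizationServer(allow_device_code_flow)
    try:
        issued = server.device_authorization(client_id="example-client")
    except PermissionError as exc:
        return {"blocked": True, "reason": str(exc)}
    # Before the user acts, polling yields only authorization_pending.
    pending = server.token(issued["device_code"])
    # The user, signed in to their own account, enters the code they were sent.
    status = server.user_enters_code(issued["user_code"], "alice@example.invalid")
    # The initiator, still holding device_code, redeems tokens issued for that user.
    result = server.token(issued["device_code"])
    return {"blocked": False, "pending_first": pending.get("error"),
            "status": status, "token_subject": result.get("subject"),
            "holder": "initiator"}


if __name__ == "__main__":
    print(simulate(True))
    print(simulate(False))
```

The point the model makes concrete is that `user_code` carries no binding to the device or person that typed it: the approval is attached to whichever party holds `device_code`, which is why refusing the grant at the authorization server (the first recommended mitigation) removes the problem entirely rather than relying on the user to spot the deception.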
To defend against the specific attack vector used by Storm-2372, Microsoft recommends:
- Disabling the device code flow wherever possible.
- Providing phishing awareness training to all users.
- Revoking access tokens when Storm-2372 activity is suspected, using revokeSignInSessions.
- Introducing sign-in risk-based policies to block access or enforce multi-factor authentication for high-risk sign-ins.
The complete list of defences and mitigations can be found here.
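As an added example of the detection and response side of these recommendations (not Microsoft's code and not from the report), the script below triages a handful of constructed Entra ID-style sign-in records: it flags device code authentications, weights them by whether they came from outside the organisation's own address ranges, notes a later token request by the Authentication Broker client for an already-flagged user, and builds the Graph `revokeSignInSessions` calls a responder would issue. The field names follow the Microsoft Graph signIn resource (`authenticationProtocol`, `userPrincipalName`, `ipAddress`, `appId`, `riskLevelDuringSignIn`); the log lines, users, IP ranges, scoring weights and every client ID value are constructed, and the broker client ID is a placeholder to be replaced with the value from Microsoft's report.

```python
# Added example (not Microsoft's code): triage constructed sign-in records for
# device code authentications and build revocation actions. Log lines, users,
# IP ranges, weights and client ID values are all constructed.
import ipaddress
import json
from typing import Dict, List

# Constructed sample sign-in records, one JSON object per line.
SAMPLE_SIGNINS = """
{"createdDateTime": "2025-02-13T09:14:02Z", "userPrincipalName": "alice@example.invalid", "ipAddress": "203.0.113.7", "authenticationProtocol": "deviceCode", "appId": "CLIENT-ID-PLACEHOLDER-1", "riskLevelDuringSignIn": "none"}
{"createdDateTime": "2025-02-13T09:20:44Z", "userPrincipalName": "bob@example.invalid", "ipAddress": "198.51.100.23", "authenticationProtocol": "oAuth2", "appId": "CLIENT-ID-PLACEHOLDER-2", "riskLevelDuringSignIn": "none"}
{"createdDateTime": "2025-02-13T10:02:11Z", "userPrincipalName": "alice@example.invalid", "ipAddress": "203.0.113.7", "authenticationProtocol": "oAuth2", "appId": "BROKER-CLIENT-ID-PLACEHOLDER", "riskLevelDuringSignIn": "none"}
{"createdDateTime": "2025-02-13T11:30:00Z", "userPrincipalName": "carol@example.invalid", "ipAddress": "10.20.30.40", "authenticationProtocol": "deviceCode", "appId": "CLIENT-ID-PLACEHOLDER-1", "riskLevelDuringSignIn": "none"}
"""

# Constructed allow-list of the organisation's own address ranges.
CORPORATE_RANGES = [ipaddress.ip_network("10.0.0.0/8")]

# Placeholder: replace with the Microsoft Authentication Broker client ID given in
# Microsoft's report. This string is not a real client ID.
AUTH_BROKER_CLIENT_ID = "BROKER-CLIENT-ID-PLACEHOLDER"

GRAPH_USERS = "https://graph.microsoft.com/v1.0/users"


def parse_signins(text: str) -> List[dict]:
    """Parse JSON-lines sign-in records and order them by time (ISO 8601 sorts lexically)."""
    records = [json.loads(line) for line in text.splitlines() if line.strip()]
    return sorted(records, key=lambda r: r["createdDateTime"])


def is_corporate(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CORPORATE_RANGES)


def _add(entry: dict, reason: str, weight: int) -> None:
    entry["reasons"].append(reason)
    entry["score"] += weight


def triage(records: List[dict]) -> Dict[str, dict]:
    """Return per-user findings {upn: {"score": int, "reasons": [...]}} for flagged users."""
    findings: Dict[str, dict] = {}
    seen_device_code = set()   # users with an earlier device code sign-in
    for r in records:
        upn = r["userPrincipalName"]
        entry = findings.setdefault(upn, {"score": 0, "reasons": []})
        if r.get("authenticationProtocol") == "deviceCode":
            seen_device_code.add(upn)
            if is_corporate(r["ipAddress"]):
                _add(entry, "device_code_sign_in", 1)              # worth a look
            else:
                _add(entry, "device_code_from_external_ip", 2)    # matches the campaign pattern
        elif r.get("appId") == AUTH_BROKER_CLIENT_ID and upn in seen_device_code:
            # Broker token request following a device code sign-in for the same user.
            _add(entry, "broker_token_request_after_device_code", 2)
        if r.get("riskLevelDuringSignIn") == "high":
            _add(entry, "high_risk_sign_in", 2)
    return {upn: f for upn, f in findings.items() if f["reasons"]}


def revoke_actions(findings: Dict[str, dict], min_score: int = 2) -> List[str]:
    """Build the Graph calls that invalidate a user's refresh tokens and sessions."""
    return [f"POST {GRAPH_USERS}/{upn}/revokeSignInSessions"
            for upn, f in sorted(findings.items()) if f["score"] >= min_score]


if __name__ == "__main__":
    found = triage(parse_signins(SAMPLE_SIGNINS))
    for upn, f in found.items():
        print(upn, f)
    for action in revoke_actions(found):
        print(action)
```

On the constructed sample, alice is flagged twice (device code sign-in from an external address, then a broker token request) and reaches the revocation threshold, carol's device code sign-in from a corporate range is only noted, and bob's ordinary OAuth sign-in produces nothing. The revoke step is emitted as the call to make rather than executed, so the script runs offline; in production the same findings would also feed the sign-in risk policy decision from the last recommendation.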