

Storm-2372: Russia-Linked Hackers Exploit Microsoft 365 Device Code Phishing for Account Takeovers

  • Rescana
  • Dec 21
  • 4 min read

Executive Summary

A campaign run by Russia-linked threat actors has been observed abusing the Microsoft 365 OAuth 2.0 device code authentication flow to take over accounts at scale. The activity, attributed to the group Microsoft tracks as Storm-2372, turns a legitimate login mechanism against its users: the victim authenticates on Microsoft's own site, and the attacker walks away with the resulting tokens without ever seeing a password, so controls built around credential theft never fire. The campaign, active since at least August 2024, targets government agencies, non-governmental organizations, technology firms, defense contractors, telecommunications providers, healthcare institutions, higher education, and energy sector entities across Europe, North America, Africa, and the Middle East. The combination of tailored social engineering and technical abuse of the device code flow gives the attackers persistent, low-noise access to sensitive cloud resources and represents a critical risk to enterprise security.

Threat Actor Profile

Storm-2372 is a Russia-aligned threat group; the "Storm" prefix is Microsoft's temporary designation for activity that has not yet been merged into a named actor. The group's operational patterns, infrastructure, and targeting align with Russian state interests and tradecraft. Storm-2372 adopts novel attack vectors quickly and focuses on high-value targets, particularly organizations involved in government, defense, critical infrastructure, and policy-making. The group combines technical competence with social engineering, often impersonating trusted individuals or organizations to raise the success rate of its phishing. Its operations are characterized by regionally appropriate proxies, multi-stage phishing lures, and rapid internal spread once a first account is compromised.

Technical Analysis of Malware/TTPs

The core of the attack abuses the OAuth 2.0 device code grant (RFC 8628), a legitimate authentication flow designed for devices with limited input capabilities such as smart TVs and command-line tools. The attacker starts the flow themselves: they request a device code from Microsoft's device authorization endpoint using a legitimate first-party Microsoft client ID and receive a short user code that is valid for 15 minutes. The victim is then socially engineered, typically with a fake Microsoft Teams meeting invitation delivered by email, WhatsApp, or Signal, into visiting the genuine microsoft.com/devicelogin page, signing in with their own password and MFA, and entering the attacker's code. Because the code expires quickly, the attacker must get the victim to act within that window, which is why real-time messaging platforms suit this technique.

Once the code is entered, the victim has authorized the attacker's client, and the token endpoint hands the attacker an access token and a refresh token for the victim's account. These tokens grant access to Exchange Online, SharePoint, OneDrive, and the other services the client is permitted to call, and the refresh token lets the attacker keep minting fresh access tokens for as long as it remains valid. The attacker then uses the Microsoft Graph API to enumerate mailboxes, search messages for keywords such as "username", "password", "admin", "teamviewer", "anydesk", "credentials", "secret", "ministry", and "gov", and exfiltrate the results.
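The exchange described in the two paragraphs above, as an added example that is not part of the original post and does not contact Microsoft: an offline simulation of the RFC 8628 device code grant in which the attacker mints the code, the victim authorizes it on the legitimate login page, and the tokens are issued to whoever holds the secret device_code. The `AuthorizationServer`, `FakeClock` and `run_phish` names, the code formats and the scope string are assumptions made for the example; the 15-minute code lifetime mirrors the one Microsoft Entra uses, and the expired-code path shows why a stale lure fails and forces the attacker to generate codes on demand.

```python
"""Offline simulation of OAuth 2.0 device code phishing (RFC 8628 flow).
AuthorizationServer stands in for login.microsoftonline.com; nothing here
talks to a real identity provider."""
import secrets

DEVICE_CODE_LIFETIME = 15 * 60   # seconds; Entra device codes expire after 15 minutes
SCOPE = "openid offline_access https://graph.microsoft.com/.default"  # offline_access => refresh token


class FakeClock:
    """Controllable time source so the expiry edge case can be exercised."""
    def __init__(self, start=1_700_000_000.0):
        self.now = start

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


class AuthorizationServer:
    """Minimal in-memory identity provider implementing the three RFC 8628 steps."""

    def __init__(self, clock):
        self.clock = clock
        self._pending = {}        # device_code -> request record
        self._by_user_code = {}   # user_code -> device_code

    def device_authorization(self, client_id, scope):
        """Step 1 (attacker): POST to the device authorization endpoint with a legitimate client_id."""
        device_code = secrets.token_urlsafe(32)      # secret; never leaves the attacker
        user_code = secrets.token_hex(4).upper()      # short code the victim will be told to type
        self._pending[device_code] = {
            "client_id": client_id, "scope": scope, "user_code": user_code,
            "expires_at": self.clock() + DEVICE_CODE_LIFETIME, "approved_by": None,
        }
        self._by_user_code[user_code] = device_code
        return {"device_code": device_code, "user_code": user_code,
                "verification_uri": "https://microsoft.com/devicelogin",
                "expires_in": DEVICE_CODE_LIFETIME, "interval": 5}

    def device_login(self, user_code, user, mfa_passed):
        """Step 2 (victim): sign in on the *legitimate* page and enter the code.
        Password and MFA go to the real IdP; the attacker never sees them."""
        rec = self._pending.get(self._by_user_code.get(user_code))
        if rec is None:
            return "unknown_code"
        if self.clock() > rec["expires_at"]:
            return "code_expired"          # lure went stale; attacker must mint a new code
        if not mfa_passed:
            return "mfa_required"
        rec["approved_by"] = user          # binds the victim's identity to the attacker's device_code
        return "approved"

    def token(self, device_code, client_id):
        """Step 3 (attacker): poll the token endpoint; tokens go to whoever holds device_code."""
        rec = self._pending.get(device_code)
        if rec is None or rec["client_id"] != client_id:
            return {"error": "invalid_grant"}
        if self.clock() > rec["expires_at"]:
            self._forget(device_code)
            return {"error": "expired_token"}
        if rec["approved_by"] is None:
            return {"error": "authorization_pending"}
        self._forget(device_code)
        user = rec["approved_by"]
        return {"token_type": "Bearer", "scope": rec["scope"], "subject": user,
                "access_token": "at." + user + "." + secrets.token_hex(8),
                "refresh_token": "rt." + user + "." + secrets.token_hex(8)}

    def _forget(self, device_code):
        rec = self._pending.pop(device_code)
        self._by_user_code.pop(rec["user_code"], None)


def run_phish(server, clock, client_id, victim="victim@example.org", victim_delay=0):
    """The whole exchange; victim_delay models how long the lure sits unread."""
    auth = server.device_authorization(client_id, SCOPE)
    lure = (f"You have been invited to a Microsoft Teams meeting. Open "
            f"{auth['verification_uri']} and enter code {auth['user_code']} to join.")
    first_poll = server.token(auth["device_code"], client_id)      # still authorization_pending
    clock.advance(victim_delay)
    victim_result = server.device_login(auth["user_code"], victim, mfa_passed=True)
    tokens = server.token(auth["device_code"], client_id)
    return {"lure": lure, "first_poll": first_poll,
            "victim_result": victim_result, "tokens": tokens}


if __name__ == "__main__":
    clk = FakeClock()
    result = run_phish(AuthorizationServer(clk), clk, client_id="example-first-party-client-id")
    print(result["lure"])
    print(result["victim_result"], result["tokens"])
```

The point to notice is where the trust boundary sits: the victim's credentials and MFA are checked by the real identity provider, and the only thing the attacker contributed was the user code. The server has no way to tell that the device polling for tokens is not the device the victim thinks they are approving.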

A later evolution of the campaign uses the client ID of the Microsoft Authentication Broker, the first-party application Windows uses for device registration. A refresh token issued to this client can be exchanged for tokens to the device registration service, which lets the attacker register an actor-controlled device in Microsoft Entra ID (formerly Azure Active Directory) and obtain a Primary Refresh Token (PRT) for it. A PRT gives the attacker a foothold that no longer depends on the originally phished tokens and, because the victim completed MFA during the device login, can satisfy some MFA-based Conditional Access checks. The registered device is also a separate persistence artifact: revoking tokens or resetting the password does not delete the device object, so remediation must remove it explicitly.

The attackers also employ regionally appropriate proxy infrastructure to obfuscate their origin and evade geo-based detection mechanisms. Lateral movement is achieved by using compromised accounts to send further phishing lures internally, increasing the blast radius of the attack.

Exploitation in the Wild

Since August 2024, multiple incidents have been confirmed where organizations across various sectors have experienced unauthorized access to their Microsoft 365 environments. The attackers have demonstrated the ability to move laterally, escalate privileges, and maintain persistence for extended periods. Notably, the use of legitimate Microsoft authentication flows and infrastructure makes detection challenging, as traditional security controls may not flag these activities as anomalous.

Research by Microsoft and Volexity has documented ongoing exploitation, with evidence of successful breaches, data exfiltration, and internal phishing campaigns originating from compromised accounts. Because every URL the victim sees is genuine (microsoft.com/devicelogin, which redirects to login.microsoftonline.com/common/oauth2/deviceauth), URL-reputation and domain-blocking controls have nothing to catch, which further complicates detection.

Victimology and Targeting

The targeting profile of Storm-2372 is broad yet focused on high-value entities. Victims include government ministries, diplomatic missions, defense contractors, critical infrastructure providers (energy, oil and gas, telecommunications), healthcare organizations, universities, and technology firms. The campaign has a global reach, with confirmed incidents in Europe, North America, Africa, and the Middle East.

The attackers tailor their social engineering lures to the regional and organizational context of their targets, often impersonating trusted contacts or referencing topical events to increase credibility. The use of messaging platforms such as WhatsApp, Signal, and Microsoft Teams for initial contact reflects an understanding of modern communication patterns within target organizations.

Mitigation and Countermeasures

To defend against this threat, organizations need both technical controls and user awareness. In Microsoft Entra ID, Conditional Access has a dedicated Authentication flows condition that can target the Device code flow transfer method: create a policy that blocks it for all users and applications, then scope narrow exceptions (specific accounts, devices, or applications) only where headless devices or command-line tooling genuinely need it, and exclude break-glass accounts as with any blocking policy. Educate users to recognize and report suspicious authentication prompts, in particular any request to enter a code at microsoft.com/devicelogin that they did not initiate from their own device.

Enforce phishing-resistant MFA methods, such as FIDO2 security keys or passkeys in the Microsoft Authenticator app. Phishing-resistant MFA does not by itself stop device code phishing, because the victim completes MFA legitimately on Microsoft's own site; it still matters because it closes off credential-replay and adversary-in-the-middle phishing. Regularly monitor for anomalous device registrations in Entra ID (audit log operation "Register device"), particularly those occurring within minutes of a sign-in whose authentication protocol is "deviceCode", and for sign-ins by the Microsoft Authentication Broker client from unexpected networks. Use Microsoft Defender XDR and Microsoft Sentinel to hunt for these indicators: device code sign-ins from unfamiliar IP addresses, new device registrations, and the client IDs observed in the campaign.

If compromise is suspected, immediately revoke the user's refresh tokens with the Microsoft Graph revokeSignInSessions action (or the equivalent Entra admin center action), reset the password, and delete any device the attacker registered, since revoking tokens does not remove device objects. Audit privileged accounts and enforce least privilege to limit the impact of an account takeover. Block legacy authentication protocols that do not support modern security controls, and centralize identity management so that every authentication event is logged and monitored.
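The hunt described in the previous paragraph (device code sign-ins followed by device registrations, and sign-ins by the Authentication Broker client) and the revocation step in this one, as an added example that is not from the original post or from Microsoft: triage logic run over constructed sign-in and audit rows. Column names follow the Microsoft Sentinel SigninLogs and AuditLogs tables but are flattened to plain dicts (`InitiatedBy` and `TargetDevice` are simplified to strings); every row is made up, `REGISTRATION_WINDOW`, the severity labels and the function names are assumptions, the Authentication Broker app ID is the value Microsoft published, and the Graph URL is the real v1.0 `revokeSignInSessions` action.

```python
"""Triage constructed Entra sign-in and audit rows for device code phishing.
Columns mimic Sentinel SigninLogs / AuditLogs; all sample rows are made up."""
from datetime import datetime, timedelta

# First-party client Microsoft reported Storm-2372 using to register devices.
# Extend WATCHED_APP_IDS with client IDs from your own investigations.
AUTH_BROKER_APP_ID = "29d9ed98-a469-4536-ade2-f981bc1d605e"
WATCHED_APP_IDS = {AUTH_BROKER_APP_ID}
REGISTRATION_WINDOW = timedelta(minutes=30)   # assumption: tune to your environment
RANK = {"medium": 0, "high": 1, "critical": 2}

SIGNIN_LOGS = [  # constructed sample rows
    {"TimeGenerated": "2024-11-05T09:12:03Z", "UserPrincipalName": "alice@contoso.example",
     "AuthenticationProtocol": "deviceCode", "AppId": AUTH_BROKER_APP_ID,
     "IPAddress": "203.0.113.10", "ResultType": "0"},
    {"TimeGenerated": "2024-11-05T09:30:00Z", "UserPrincipalName": "bob@contoso.example",
     "AuthenticationProtocol": "authorizationCode", "AppId": "00000000-0000-0000-0000-000000000aaa",
     "IPAddress": "198.51.100.7", "ResultType": "0"},
    {"TimeGenerated": "2024-11-05T10:02:11Z", "UserPrincipalName": "carol@contoso.example",
     "AuthenticationProtocol": "deviceCode", "AppId": "00000000-0000-0000-0000-000000000bbb",
     "IPAddress": "203.0.113.22", "ResultType": "0"},
    {"TimeGenerated": "2024-11-05T10:05:00Z", "UserPrincipalName": "dave@contoso.example",
     "AuthenticationProtocol": "deviceCode", "AppId": AUTH_BROKER_APP_ID,
     "IPAddress": "203.0.113.22", "ResultType": "50126"},   # failed sign-in: nothing was issued
]
AUDIT_LOGS = [  # constructed sample rows
    {"TimeGenerated": "2024-11-05T09:14:40Z", "OperationName": "Register device",
     "Category": "Device", "InitiatedBy": "alice@contoso.example", "TargetDevice": "DESKTOP-7Q2KX"},
    {"TimeGenerated": "2024-11-06T08:00:00Z", "OperationName": "Register device",
     "Category": "Device", "InitiatedBy": "carol@contoso.example", "TargetDevice": "carol-laptop"},
]


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def device_code_signins(signins):
    """Successful sign-ins that used the device code grant."""
    return [s for s in signins
            if s["AuthenticationProtocol"] == "deviceCode" and s["ResultType"] == "0"]


def registrations_after(audits, upn, start, window=REGISTRATION_WINDOW):
    """Device registrations by `upn` within `window` after `start`."""
    hits = []
    for a in audits:
        if a["OperationName"] != "Register device" or a["InitiatedBy"] != upn:
            continue
        delta = parse_ts(a["TimeGenerated"]) - start
        if timedelta(0) <= delta <= window:
            hits.append(a)
    return hits


def triage(signins, audits):
    """Map each user with a device code sign-in to a severity and the evidence behind it."""
    findings = {}
    for s in device_code_signins(signins):
        upn = s["UserPrincipalName"]
        when = parse_ts(s["TimeGenerated"])
        reasons = [f"device code sign-in from {s['IPAddress']} at {s['TimeGenerated']}"]
        severity = "medium"
        if s["AppId"] in WATCHED_APP_IDS:
            severity = "high"                       # broker client => device registration capability
            reasons.append(f"client {s['AppId']} (Microsoft Authentication Broker)")
        regs = registrations_after(audits, upn, when)
        if regs:
            severity = "critical"                   # registration right after the sign-in => likely PRT
            reasons.append(f"device registered at {regs[0]['TimeGenerated']}: {regs[0]['TargetDevice']}")
        prev = findings.get(upn)
        if prev is None or RANK[severity] > RANK[prev["severity"]]:
            findings[upn] = {"severity": severity, "reasons": reasons,
                             "devices": [r["TargetDevice"] for r in regs]}
    return findings


def containment_requests(findings, graph="https://graph.microsoft.com/v1.0"):
    """Graph calls a responder would issue for high/critical findings. Revocation
    invalidates refresh tokens; the device objects in `devices` must be deleted
    separately, because revoking sessions does not remove registered devices."""
    return [("POST", f"{graph}/users/{upn}/revokeSignInSessions")
            for upn, f in sorted(findings.items()) if f["severity"] in ("high", "critical")]


if __name__ == "__main__":
    results = triage(SIGNIN_LOGS, AUDIT_LOGS)
    for upn, finding in results.items():
        print(upn, finding["severity"], "; ".join(finding["reasons"]))
    print(containment_requests(results))
```

Carol's device code sign-in stays at medium because her registration happened a day later, well outside the window, and Dave's failed attempt produces nothing because no token was issued; both rows are there to show that the correlation, not the protocol alone, is what separates noise from a likely PRT theft.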

Continuous user education is critical. Conduct regular phishing simulations and awareness training to ensure users are vigilant against social engineering tactics. Encourage users to verify the legitimacy of unexpected authentication requests, especially those received via messaging platforms or referencing urgent meetings and events.

About Rescana

Rescana is a leader in third-party risk management (TPRM), providing organizations with a comprehensive platform to assess, monitor, and mitigate cyber risks across their extended supply chain. Our platform leverages advanced analytics, continuous monitoring, and threat intelligence to deliver actionable insights, empowering security teams to proactively manage risk and ensure compliance. For more information about how Rescana can help strengthen your organization’s cyber resilience, we are happy to answer questions at ops@rescana.com.
