In a sophisticated cyberattack campaign, a threat actor identified as Storm-2372 has been leveraging Microsoft Teams meeting invites to carry out “device code phishing” attacks. Storm-2372 initiates contact through messaging apps like WhatsApp, Signal, or Microsoft Teams by impersonating prominent individuals relevant to their targets. The follow-up emails, disguised as Teams meeting invites, prompt recipients to authenticate using the provided device code on Microsoft’s legitimate login page.

Device code phishing exploits the OAuth 2.0 Device Authorization Grant flow (RFC 8628), a mechanism designed for input-constrained devices like IoT systems or smart TVs. In legitimate scenarios, users authenticate by entering a device code on a separate device with better input capabilities.

The attack begins with Storm-2372 generating a legitimate device code request through Microsoft’s API. Victims are then tricked into entering this attacker-generated device code on a legitimate Microsoft sign-in page. The attackers monitor the API for token generation and retrieve the access tokens once authentication is complete: once the victim finishes authenticating, the attackers intercept the access and refresh tokens generated during the process. These tokens allow persistent access to the victim’s accounts without requiring passwords or multi-factor authentication (MFA), as long as the tokens remain valid.

Attackers use the valid tokens to access the Microsoft Graph API for data collection. “The threat actor was using keyword searching to view messages containing words such as username, password, admin, teamviewer, anydesk, credentials, secret, ministry, and gov”, Microsoft said.

Microsoft Defender for Office 365 provides alerts for phishing-related activities such as emails with traits consistent with phishing and malicious HTML files mimicking login pages.
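As an added defender-side example that is not part of the original article or Microsoft’s own hunting guidance, the following Python flags completed device-code-flow sign-ins that fall outside an expected-client allowlist or a user’s usual sign-in countries. It assumes records shaped like the Microsoft Entra sign-in log schema, in which an RFC 8628 sign-in carries `authenticationProtocol == "deviceCode"` (an assumption about the field name); all records, IP addresses and the allowlist are constructed.

```python
from collections import defaultdict

# Constructed sample sign-in records (not real telemetry). Field names follow
# the Microsoft Entra sign-in log schema, in which an RFC 8628 device-code
# sign-in is recorded with authenticationProtocol == "deviceCode".
SAMPLE_SIGNINS = [
    {"userPrincipalName": "alice@example.org", "authenticationProtocol": "none",
     "ipAddress": "198.51.100.20", "location": {"countryOrRegion": "NL"},
     "status": {"errorCode": 0}, "appDisplayName": "Microsoft Teams"},
    {"userPrincipalName": "alice@example.org", "authenticationProtocol": "deviceCode",
     "ipAddress": "203.0.113.7", "location": {"countryOrRegion": "AU"},
     "status": {"errorCode": 0}, "appDisplayName": "Microsoft Office"},
    {"userPrincipalName": "bob@example.org", "authenticationProtocol": "deviceCode",
     "ipAddress": "198.51.100.44", "location": {"countryOrRegion": "NL"},
     "status": {"errorCode": 0}, "appDisplayName": "Azure CLI"},
    {"userPrincipalName": "bob@example.org", "authenticationProtocol": "none",
     "ipAddress": "198.51.100.44", "location": {"countryOrRegion": "NL"},
     "status": {"errorCode": 0}, "appDisplayName": "Microsoft Teams"},
    {"userPrincipalName": "carol@example.org", "authenticationProtocol": "deviceCode",
     "ipAddress": "203.0.113.9", "location": {"countryOrRegion": "AU"},
     "status": {"errorCode": 50126}, "appDisplayName": "Microsoft Office"},
]

# Clients the organisation legitimately expects to use the device code flow
# (constructed allowlist; tune it to your own environment).
EXPECTED_DEVICE_CODE_APPS = {"Azure CLI"}


def find_suspicious_device_code_signins(signins):
    """Return (user, ip, reason) for each successful device-code sign-in from
    a client not on the allowlist or from a country never seen in that user's
    ordinary sign-ins. Failed attempts are skipped: no token is issued."""
    # Crude per-user baseline: countries seen on non-device-code sign-ins.
    baseline = defaultdict(set)
    for s in signins:
        if s["authenticationProtocol"] != "deviceCode":
            baseline[s["userPrincipalName"]].add(s["location"]["countryOrRegion"])
    findings = []
    for s in signins:
        if s["authenticationProtocol"] != "deviceCode" or s["status"]["errorCode"] != 0:
            continue
        user, country = s["userPrincipalName"], s["location"]["countryOrRegion"]
        reasons = []
        if s["appDisplayName"] not in EXPECTED_DEVICE_CODE_APPS:
            reasons.append("unexpected device-code client")
        if baseline[user] and country not in baseline[user]:
            reasons.append(f"country {country} outside baseline {sorted(baseline[user])}")
        if reasons:
            findings.append((user, s["ipAddress"], "; ".join(reasons)))
    return findings
```

A user with no ordinary sign-ins in the window has no country baseline and is judged on the allowlist alone, so run it over a window wide enough to capture normal activity.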
This Cyber News was published on cybersecuritynews.com. Publication date: Mon, 17 Feb 2025 06:20:10 +0000