A sophisticated phishing campaign, identified by Microsoft Threat Intelligence and carried out by the threat actor Microsoft tracks as Storm-2372, has been exploiting a technique known as “device code phishing” to capture authentication tokens. The campaign tricks users into signing in to productivity apps in a way that lets the attackers capture authentication tokens, which can then be used to access the compromised accounts.

Device code authentication is a method used to sign in accounts from devices that cannot perform interactive web-based authentication. Security experts at Microsoft noted that it involves entering a numeric or alphanumeric code on a separate device to sign in. In device code phishing, attackers generate a legitimate device code request and deceive targets into entering the resulting code on a legitimate sign-in page. The phishing invitations prompt users to authenticate using that device code, and once the target completes the sign-in, the attackers capture valid access tokens. This grants the attackers access and refresh tokens, which they can use to reach the target’s accounts and data without needing a password.

After obtaining access tokens, Storm-2372 uses them to move laterally within compromised networks and harvest emails using Microsoft Graph.

To defend against device code phishing attacks, organizations should restrict the use of device code flows, educate users on phishing tactics, and enforce strong authentication measures such as MFA and phishing-resistant methods like FIDO tokens.
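The grant this attack abuses can be walked through end to end. The following is an added example written for this page, not code from the article, from Microsoft, or from the Storm-2372 campaign. It models a toy authorization server implementing the three messages of the OAuth 2.0 device authorization grant (RFC 8628): the client asks for a device_code and user_code, a human enters the user_code on the legitimate sign-in page, and whoever holds the device_code polls for tokens. It also shows the mitigation the article recommends (refusing the grant outright) and a simple requester-versus-approver location cross-check a defender can run. The verification URI, client name, user name, IP addresses and the `mismatched_sessions` heuristic are assumptions made for the demonstration; real identity providers expose different logs and policy controls.

```python
"""Added example, not code from the article or from Microsoft: a minimal offline
model of the OAuth 2.0 device authorization grant (RFC 8628) showing why device
code phishing yields tokens, one mitigation (refusing the grant), and a simple
defender cross-check. Hostnames, client names, user names and IP addresses below
are made up for the demonstration."""
import secrets
from dataclasses import dataclass
from typing import Optional

USER_CODE_ALPHABET = "BCDFGHJKLMNPQRSTVWXZ"  # no vowels, as RFC 8628 recommends


@dataclass
class DeviceSession:
    device_code: str      # secret, returned only to the client that started the flow
    user_code: str        # short code the human types on the real sign-in page
    client_id: str
    scope: str
    expires_at: float
    requester_ip: str     # where the device_code was issued to (the attacker, in a phish)
    interval: int = 5
    last_poll: float = -1e9
    approved_by: Optional[str] = None
    approver_ip: Optional[str] = None


class FakeClock:
    """Deterministic clock so the example runs without sleeping."""
    def __init__(self, t=1_000_000.0):
        self.t = t
    def __call__(self):
        return self.t
    def advance(self, seconds):
        self.t += seconds


class AuthServer:
    """Toy authorization server with just enough RFC 8628 to show the token handoff."""

    def __init__(self, clock, device_code_allowed=True):
        self.clock = clock                      # callable returning "now" in seconds
        self.device_code_allowed = device_code_allowed
        self.sessions = {}                      # device_code -> DeviceSession
        self.by_user_code = {}                  # user_code  -> DeviceSession

    def device_authorization(self, client_id, scope, requester_ip, lifetime=900):
        """Step 1: the client (here, the attacker) asks for a device_code/user_code pair."""
        if not self.device_code_allowed:        # policy: device code flow disabled
            return {"error": "unauthorized_client"}
        user_code = "-".join(
            "".join(secrets.choice(USER_CODE_ALPHABET) for _ in range(4)) for _ in range(2))
        s = DeviceSession(
            device_code=secrets.token_urlsafe(32), user_code=user_code, client_id=client_id,
            scope=scope, expires_at=self.clock() + lifetime, requester_ip=requester_ip)
        self.sessions[s.device_code] = s
        self.by_user_code[s.user_code] = s
        return {"device_code": s.device_code, "user_code": s.user_code,
                "verification_uri": "https://login.example/device",  # hypothetical
                "expires_in": lifetime, "interval": s.interval}

    def approve(self, user_code, username, approver_ip):
        """Step 2: a signed-in human enters the user_code on the legitimate page."""
        s = self.by_user_code.get(user_code.upper())
        if s is None or self.clock() > s.expires_at:
            return False
        s.approved_by, s.approver_ip = username, approver_ip
        return True

    def token(self, device_code, client_id):
        """Step 3: whoever holds the device_code polls and receives the approver's tokens."""
        s = self.sessions.get(device_code)
        if s is None or s.client_id != client_id:
            return {"error": "invalid_grant"}
        if self.clock() > s.expires_at:
            return {"error": "expired_token"}
        if self.clock() - s.last_poll < s.interval:
            s.last_poll = self.clock()
            return {"error": "slow_down"}
        s.last_poll = self.clock()
        if s.approved_by is None:
            return {"error": "authorization_pending"}
        # What is NOT checked: the tokens go to the device_code holder, not to the
        # device or network location that approved the code. That gap is the attack.
        return {"token_type": "Bearer", "scope": s.scope, "expires_in": 3600,
                "access_token": f"at.{s.approved_by}.{secrets.token_hex(8)}",
                "refresh_token": f"rt.{s.approved_by}.{secrets.token_hex(8)}"}

    def mismatched_sessions(self):
        """Defender cross-check (assumed heuristic): approvals from a different IP than the requester."""
        return [s for s in self.sessions.values()
                if s.approved_by and s.approver_ip != s.requester_ip]


def simulate_phish(clock, device_code_allowed=True):
    """Walk the messages of the phish; returns (auth, first poll, final poll, server)."""
    server = AuthServer(clock, device_code_allowed)
    # Attacker starts the grant for a productivity app and keeps the device_code.
    auth = server.device_authorization("mail-client", "Mail.Read offline_access", "203.0.113.7")
    if "error" in auth:
        return auth, None, None, server
    pending = server.token(auth["device_code"], "mail-client")   # before the victim acts
    clock.advance(auth["interval"])                               # honour the polling interval
    # The lure carries only the user_code; the victim types it on the real sign-in page.
    server.approve(auth["user_code"], "victim@contoso.example", "198.51.100.20")
    # The attacker polls again; the attacker never entered a password.
    tokens = server.token(auth["device_code"], "mail-client")
    return auth, pending, tokens, server


if __name__ == "__main__":
    auth, pending, tokens, server = simulate_phish(FakeClock())
    print("first poll:", pending)
    print("attacker received:", tokens)
    print("flagged:", [(s.requester_ip, s.approver_ip) for s in server.mismatched_sessions()])
    print("with flow disabled:", simulate_phish(FakeClock(), device_code_allowed=False)[0])
```

Run as a script to see the attacker end up with the victim's access and refresh tokens even though every request the victim made went to the genuine server; nothing in the grant binds the issued tokens to the device that approved the code. A real tenant restricts the flow through policy rather than a constructor flag, and correlates whatever sign-in telemetry its identity provider actually emits rather than the toy `requester_ip`/`approver_ip` pair used here.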
This Cyber News was published on cybersecuritynews.com. Publication date: Fri, 14 Feb 2025 09:50:18 +0000