Microsoft 365 targeted in new phishing campaign linked to Russia

Microsoft Threat Intelligence warns that government, NGOs, defence, energy and technology sectors are the focus of Russia-linked Storm-2372 threat actor

Microsoft Threat Intelligence has warned of a new phishing campaign targeting government, NGO, defence, technology and other critical sectors in Europe, North America, Africa and the Middle East.

Microsoft believes that the attacks are the work of a threat actor linked with Russia, a group it has labelled Storm-2372.

“The attacks appear to have been ongoing since August 2024 and have targeted governments, NGOs, and a wide range of industries in multiple regions,” the company warned in a blog posting.

The group contacts their targets via Signal, WhatsApp or Microsoft Teams, posing as someone from an organisation the target does business or communicates with. Over a series of messages, they build up confidence via these messaging apps or email, before sending over a bogus meeting invitation that includes a device-code generated by the attacker.

“The invitations lure the user into completing a device code authentication request emulating the experience of the messaging service, which provides Storm-2372 initial access to victim accounts and enables Graph API data collection activities,” Microsoft warns. The attackers are therefore able to access the target’s Microsoft 365 services without requiring a password, as long as the compromised tokens remain valid.

Microsoft explains: “The attacks use a specific phishing technique called ‘device code phishing’ that tricks users to log into productivity apps, while Storm-2372 actors capture the information from the log in (tokens) that they can use to then access compromised accounts.

“In device code phishing, threat actors exploit the device code authentication flow to capture authentication tokens, which they then use to access target accounts, and further gain access to data and other services that the compromised account has access to. This technique could enable persistent access as long as the tokens remain valid, making this attack technique attractive to threat actors.”

Moreover, over the past week Microsoft Threat Intelligence has noticed a ratcheting up of the threat with “Storm-2372 shifting to using the specific client ID for Microsoft Authentication Broker in the device code sign-in flow. Using this client ID enables Storm-2372 to receive a refresh token that can be used to request another token for the device registration service, and then register an actor-controlled device within Entra ID”, Microsoft's cloud-based identity and access management solution.

This enables the threat actor to maintain persistence in the target organisation’s systems – not just until the compromised token is discarded.

The company has published a range of mitigations and best practice to help organisations defend against this new threat.

These include only allowing device code flow where necessary, blocking it where possible, and configuring Entra ID’s device code flow accordingly under its Conditional Access policies.

Where compromise is suspected, the company advises revoking the affected user's refresh tokens and setting up a Conditional Access policy to force re-authentication for all users.

It also recommends implementing a sign-in risk policy to automate responses to sign-ins identified as potentially risky. “A sign-in risk represents the probability that a given authentication request isn’t authorised by the identity owner. A sign-in risk-based policy can be implemented by adding a sign-in risk condition to Conditional Access policies that evaluates the risk level of a specific user or group.”
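As an added example (not code from the article or from Microsoft's published guidance), the Python below triages device code sign-ins from constructed Entra ID sign-in records in the Microsoft Graph signIn shape, escalating any that use a watch-listed client ID (the broker case described above) and listing the users whose refresh tokens should be revoked. The users, app IDs, addresses, the watch-list value and the severity rules are all placeholders or assumptions made for this example.

```python
from collections import defaultdict

def _rec(user, proto, app, ip, when):
    """Build a trimmed Microsoft Graph signIn record (only the fields used here)."""
    return {"userPrincipalName": user, "authenticationProtocol": proto,
            "appId": app, "ipAddress": ip, "createdDateTime": when}

# Constructed sample sign-in records; users, app IDs, IPs and times are made up.
SAMPLE_SIGNINS = [
    _rec("alice@example.org", "oAuth2", "app-teams-placeholder", "203.0.113.10", "2025-02-10T09:00:00Z"),
    _rec("alice@example.org", "deviceCode", "app-teams-placeholder", "198.51.100.7", "2025-02-10T09:05:00Z"),
    _rec("bob@example.org", "deviceCode", "BROKER-CLIENT-ID-PLACEHOLDER", "198.51.100.7", "2025-02-10T09:07:00Z"),
    _rec("carol@example.org", "oAuth2", "app-cli-placeholder", "192.0.2.44", "2025-02-09T17:30:00Z"),
    _rec("carol@example.org", "deviceCode", "app-cli-placeholder", "192.0.2.44", "2025-02-10T09:09:00Z"),
]

# Client IDs whose appearance in a device code sign-in warrants escalation, because a
# refresh token issued to the broker can be turned into a device registration.
# Placeholder: the real Microsoft Authentication Broker client ID is not reproduced here.
HIGH_RISK_CLIENT_IDS = {"BROKER-CLIENT-ID-PLACEHOLDER"}

def triage_device_code_signins(signins):
    """Map each user to findings for their device code sign-ins.

    Severity rules (assumptions for this example, not Microsoft's):
      high   - device code flow using a watch-listed client ID
      medium - device code flow from an IP the user has not used with any other flow
      low    - any other device code sign-in (still rare enough to be worth a look)
    """
    known_ips = defaultdict(set)          # IPs seen per user on non-device-code flows
    for s in signins:
        if s["authenticationProtocol"] != "deviceCode":
            known_ips[s["userPrincipalName"]].add(s["ipAddress"])
    findings = defaultdict(list)
    for s in signins:
        if s["authenticationProtocol"] != "deviceCode":
            continue
        user = s["userPrincipalName"]
        if s["appId"] in HIGH_RISK_CLIENT_IDS:
            severity = "high"
        elif s["ipAddress"] not in known_ips[user]:
            severity = "medium"
        else:
            severity = "low"
        findings[user].append({"severity": severity, "appId": s["appId"],
                               "ip": s["ipAddress"], "time": s["createdDateTime"]})
    return dict(findings)

def users_to_revoke(findings, threshold=("high", "medium")):
    """Users whose refresh tokens should be revoked and who should be forced to re-authenticate."""
    return sorted(u for u, fs in findings.items() if any(f["severity"] in threshold for f in fs))
```

In a live tenant the records would come from the Graph sign-in log endpoint, and the revocation step maps to revoking the user's sign-in sessions, which invalidates the refresh tokens captured through the device code flow.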

Russian threat actors have been particularly active of late, with reports of a Microsoft support scam perpetrated by crime gangs located in Russia, reported by Computing only last month.

In November last year, the government warned of a looming Russian cyber-attack threat, suggesting that the Russian government could strike critical infrastructure and businesses across both the UK and NATO member states.
