

Rescana Cybersecurity Analysis: Combating Storm-2372 Phishing Risks on Microsoft Systems


Executive Summary

The Storm-2372 device code phishing campaign is a notable threat, attributed by Microsoft to an actor assessed to align with Russian state interests. Active since at least August 2024, it has targeted government entities, NGOs, IT services, and critical sectors including defense, telecommunications, healthcare, higher education, and energy across Europe, North America, Africa, and the Middle East. The technique itself is simple: the attacker initiates an OAuth 2.0 device code sign-in, lures the victim into completing it on a genuine Microsoft sign-in page, and collects the resulting access and refresh tokens, which grant access to the victim's mailbox, files and other Microsoft 365 data without the attacker ever handling a password.

Impact Assessment

A successful compromise gives the actor the victim's Microsoft 365 access for as long as the stolen tokens remain valid. From there the actor can search and exfiltrate mail and documents, impersonate the victim to phish colleagues and partners from a trusted account, and use the foothold for further collection. The targeted sectors, governments, NGOs, IT services, telecommunications and energy among them, are vital to national and economic security, so the loss of confidentiality and the potential for follow-on disruption are significant.

Threat Actor Details

Storm-2372 is Microsoft's tracking name for this cluster; the "Storm" prefix marks activity not yet tied to a named group. Microsoft assesses with medium confidence that it aligns with Russian interests. The actor invests in pretext, building rapport with targets over messaging apps such as WhatsApp, Signal and Microsoft Teams before delivering the lure, and it adapts quickly: once its initial tradecraft was published it switched client applications to preserve access. Persistence rests on the refresh tokens obtained from the victim, which let the actor mint new access tokens without any further interaction until the tokens are revoked or expire.

Technical Details and IOCs

The lure is an email or chat message styled as a Microsoft Teams meeting invitation. Before sending it, the attacker starts an OAuth 2.0 device code flow against Microsoft's token service, which returns a short user code; the lure tells the victim to enter that code at the genuine sign-in page (https://microsoft.com/devicelogin). Because the page is real, the victim's password and MFA prompt look normal, but completing them authorizes the attacker's pending request, and the attacker's client, which has been polling the token endpoint, receives an access token and a refresh token for the victim. The access token is then used against the Microsoft Graph API to search and read mail and files, and the refresh token keeps the session alive without further user interaction. No malicious attachment or spoofed login page is involved, so conventional phishing indicators are largely absent. Observable Indicators of Compromise (IOCs) are therefore in identity telemetry rather than in the message itself: sign-ins whose authentication protocol is device code (the AuthenticationProtocol field in Microsoft Entra ID sign-in logs), especially from IP addresses or locations the user has not used before; device code sign-ins to unexpected client applications; Microsoft Graph activity following such a sign-in; and, on the delivery side, messages from sender domains imitating Microsoft services or meeting invitations that ask the recipient to type a code into a Microsoft sign-in page.
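The exchange described above, as an added example that is not part of the original post and not Microsoft's code: an in-memory stand-in for the identity provider's device code and token endpoints (RFC 8628), with the attacker's client on one side and the victim's genuine sign-in on the other. The client ID, victim address and code lifetime are constructed for the example; Microsoft's real endpoints are https://login.microsoftonline.com/common/oauth2/v2.0/devicecode and .../token, and the victim page is https://microsoft.com/devicelogin.

```python
"""Simulation of the OAuth 2.0 device authorization grant as abused by
Storm-2372-style device code phishing. Added example, not from the post or
from Microsoft: AuthorizationServer stands in for the identity provider."""
import secrets
import time

CODE_LIFETIME = 900  # seconds; assumption for the example (Entra user codes expire after 15 minutes)


class AuthorizationServer:
    """Stand-in for the IdP. Holds pending device codes and issues tokens."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self._pending = {}       # device_code -> flow record
        self._by_user_code = {}  # user_code -> device_code

    def devicecode(self, client_id, scope):
        """POST /devicecode. Called by the ATTACKER's client; the victim never
        sees this request. Returns the code pair and the genuine sign-in URL."""
        device_code = secrets.token_urlsafe(32)
        user_code = "".join(secrets.choice("BCDFGHJKLMNPQRSTVWXZ") for _ in range(9))
        self._pending[device_code] = {
            "client_id": client_id, "scope": scope, "user": None,
            "expires_at": self.clock() + CODE_LIFETIME,
        }
        self._by_user_code[user_code] = device_code
        return {"device_code": device_code, "user_code": user_code,
                "verification_uri": "https://microsoft.com/devicelogin",
                "expires_in": CODE_LIFETIME, "interval": 5}

    def devicelogin(self, user_code, username, mfa_passed):
        """The genuine sign-in page. The VICTIM types the code from the lure and
        completes password + MFA. The page binds the victim's identity to whichever
        device_code issued that user_code; it cannot tell the attacker's request
        from one the victim started."""
        device_code = self._by_user_code.get(user_code)
        if device_code is None or not mfa_passed:
            return False
        rec = self._pending.get(device_code)
        if rec is None or self.clock() > rec["expires_at"]:
            return False
        rec["user"] = username
        return True

    def token(self, client_id, device_code):
        """POST /token with grant_type=urn:ietf:params:oauth:grant-type:device_code.
        Polled by the ATTACKER. Tokens are returned to whoever holds device_code."""
        rec = self._pending.get(device_code)
        if rec is None or rec["client_id"] != client_id:
            return {"error": "invalid_grant"}
        if self.clock() > rec["expires_at"]:
            del self._pending[device_code]
            return {"error": "expired_token"}
        if rec["user"] is None:
            return {"error": "authorization_pending"}
        del self._pending[device_code]
        return {"token_type": "Bearer", "scope": rec["scope"], "expires_in": 3600,
                "access_token": f"at.{rec['user']}.{secrets.token_hex(8)}",
                "refresh_token": f"rt.{rec['user']}.{secrets.token_hex(8)}",
                "user": rec["user"]}


def run_phish(idp, victim_signs_in, mfa_passed=True):
    """Replay the campaign end to end; returns the attacker's two poll results."""
    client_id = "constructed-public-client-id"  # assumption: any public client that allows the flow
    lure = idp.devicecode(client_id, "openid profile offline_access https://graph.microsoft.com/.default")
    # The phishing message embeds lure["user_code"] in a fake Teams meeting invite.
    before = idp.token(client_id, lure["device_code"])   # victim has not acted yet
    if victim_signs_in:
        idp.devicelogin(lure["user_code"], "victim@example.org", mfa_passed)  # victim passes MFA here
    after = idp.token(client_id, lure["device_code"])    # attacker polls again
    return before, after


if __name__ == "__main__":
    before, after = run_phish(AuthorizationServer(), victim_signs_in=True)
    print(before, "->", "tokens issued to attacker" if "refresh_token" in after else after)
```

The point the simulation makes is in devicelogin: the victim's MFA succeeds against the real identity provider, yet the tokens are released to the holder of device_code, which is the attacker's polling client. The only things that stop the issuance are the code expiring unused or the victim never typing it.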

Affected Systems and Services

Any tenant in which the device code flow is permitted is exposed: Microsoft 365, Microsoft Entra ID (formerly Azure AD), and every application or command-line tool that signs in through the device code grant, with Microsoft Graph as the resource the actor ultimately reaches. Because the victim authenticates on Microsoft's own sign-in page, MFA is satisfied by the victim and does not protect the resulting token; what determines exposure is whether Conditional Access restricts the device code flow or imposes conditions the attacker's client cannot meet, such as a compliant device or a trusted network location. Tenants with no such policy are the most exposed.

Timeline of Events

The campaign has been active since August 2024, with phishing activity increasing in late 2024. Microsoft published its analysis on 13 February 2025 and, the following day, observed the actor shift to requesting tokens for the Microsoft Authentication Broker client ID (29d9ed98-a469-4536-ade2-f981bc1d605e). A token for that client can register a device in Microsoft Entra ID and obtain a primary refresh token (PRT), giving access that outlives the original token and that controls scoped to the original application may not catch. The switch shows the actor refining its tradecraft in direct response to publication.

Prioritized Mitigation Steps

Organizations should apply the following controls, in this order:

  • Block the device code flow with a Conditional Access policy (the "authentication flows" condition), starting in report-only mode to surface legitimate users such as CLI tools and headless devices, then enforcing it; where a few accounts genuinely need the flow, scope the exception to them and require a trusted location.
  • Revoke refresh tokens for any account that completed a suspicious device code sign-in (revokeSignInSessions in Microsoft Graph, or Revoke-MgUserSignInSession in Microsoft Graph PowerShell), remove devices registered during that session, and reset the password. Access tokens already issued stay valid until they expire, so act promptly.
  • Keep MFA enforced, but treat it as defence in depth here: the victim completes MFA on Microsoft's genuine page, so MFA alone does not stop token theft through this flow. Conditions the attacker's client cannot satisfy, such as device compliance or a trusted network location, are what block it.
  • Educate users that no legitimate meeting invitation asks them to type a code into a Microsoft sign-in page, and that a sign-in prompt they did not start should be reported rather than completed.
  • Monitor sign-in logs for device code authentications and centralize identity management so these policies apply uniformly across every tenant the organization operates.
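The first two steps above, as an added example that is not code from the original post or from Microsoft: Python functions that build the Microsoft Graph payloads for a Conditional Access policy blocking the device code flow and for revoking a user's sign-in sessions, plus a helper that sends them. The policy uses the authenticationFlows condition on the Graph beta endpoint; the break-glass account IDs and user names are placeholders, and graph_call needs a bearer token holding Policy.ReadWrite.ConditionalAccess and User.RevokeSessions.All (the builder functions run offline).

```python
"""Graph API payloads for two Storm-2372 mitigations: block the device code
flow with Conditional Access, and revoke a compromised user's refresh tokens.
Added example, not from the post; endpoint paths are Microsoft Graph's."""
import json
import urllib.request

GRAPH = "https://graph.microsoft.com/beta"  # authenticationFlows condition is exposed on beta


def block_device_code_policy(break_glass_user_ids, enforce=False):
    """Conditional Access policy that blocks the device code flow for all users
    and apps. Defaults to report-only so legitimate device-code users (CLI
    tools, headless devices) appear in sign-in logs before anyone is locked out."""
    if not break_glass_user_ids:
        raise ValueError("exclude at least one break-glass account before deploying a block policy")
    return {
        "displayName": "Block device code flow (Storm-2372 mitigation)",
        "state": "enabled" if enforce else "enabledForReportingButNotEnforced",
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeUsers": list(break_glass_user_ids)},
            "applications": {"includeApplications": ["All"]},
            "authenticationFlows": {"transferMethods": "deviceCodeFlow"},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }


def revoke_sessions_request(user_id_or_upn):
    """revokeSignInSessions invalidates the user's refresh tokens and session
    cookies. Access tokens already issued stay valid until they expire (about an
    hour by default), so revocation alone leaves a short window."""
    return ("POST", f"{GRAPH}/users/{user_id_or_upn}/revokeSignInSessions", None)


def graph_call(bearer_token, method, url, body=None):
    """Send one authenticated Graph request and return the decoded JSON body."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method, headers={
        "Authorization": f"Bearer {bearer_token}",
        "Content-Type": "application/json",
    })
    with urllib.request.urlopen(req) as resp:
        return {} if resp.status == 204 else json.load(resp)


def contain(bearer_token, compromised_users, break_glass_user_ids):
    """Revoke every compromised user's sessions, then create the block policy
    in report-only mode. Flip enforce=True after reviewing the report-only hits."""
    results = {}
    for user in compromised_users:
        results[user] = graph_call(bearer_token, *revoke_sessions_request(user))
    policy = block_device_code_policy(break_glass_user_ids)
    results["policy"] = graph_call(
        bearer_token, "POST", f"{GRAPH}/identity/conditionalAccess/policies", policy)
    return results


if __name__ == "__main__":
    # Placeholder identifiers; substitute real object IDs and a real token to deploy.
    print(json.dumps(block_device_code_policy(["00000000-0000-0000-0000-000000000001"]), indent=2))
```

Two caveats are built in: the builder refuses a policy with no break-glass exclusion, and the default state is report-only. When the actor has already used the Microsoft Authentication Broker client against an account, also review and delete devices registered under that user around the time of the device code sign-in, since a registered device with a PRT survives token revocation.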

Detection Methods

Detection lives in identity telemetry. In Microsoft Entra ID sign-in logs, device code sign-ins carry the value deviceCode in the AuthenticationProtocol field; review every such sign-in, and alert when the source IP address or location is new for the user, when the client application is unexpected (in particular Microsoft Authentication Broker, which the actor used to register devices), or when Microsoft Graph or mailbox activity follows. In Microsoft Sentinel the starting query is SigninLogs | where AuthenticationProtocol == "deviceCode". Identity Protection sign-in risk policies, which can require re-authentication or block risky sign-ins, and regular review of newly registered devices and consented applications complete the picture.
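The detection logic described above, run over constructed sign-in records, as an added example that is not part of the original post. Field names follow the Entra ID SigninLogs schema (UserPrincipalName, AuthenticationProtocol, IPAddress, AppId, AppDisplayName, ResourceDisplayName, TimeGenerated); the records, users and IP addresses are made up for the example, and the non-Microsoft app IDs are placeholders. The Microsoft Authentication Broker client ID is the one reported in Microsoft's advisory.

```python
"""Device code phishing detection over Entra ID sign-in records.
Added example, not from the post; SAMPLE_SIGNINS is constructed test data."""
from collections import defaultdict
from datetime import datetime

# Microsoft Authentication Broker: the client Storm-2372 switched to on 14 Feb 2025
# to register devices and obtain primary refresh tokens (per Microsoft's advisory).
AUTH_BROKER_APP_ID = "29d9ed98-a469-4536-ade2-f981bc1d605e"

SAMPLE_SIGNINS = [  # constructed records; "teams-app", "office-app", "azure-cli" are placeholder IDs
    {"TimeGenerated": "2025-02-10T08:02:00", "UserPrincipalName": "alice@example.org",
     "AuthenticationProtocol": "none", "IPAddress": "203.0.113.10", "AppId": "teams-app",
     "AppDisplayName": "Microsoft Teams", "ResourceDisplayName": "Microsoft Teams Services"},
    {"TimeGenerated": "2025-02-12T09:00:00", "UserPrincipalName": "bob@example.org",
     "AuthenticationProtocol": "none", "IPAddress": "203.0.113.20", "AppId": "teams-app",
     "AppDisplayName": "Microsoft Teams", "ResourceDisplayName": "Microsoft Teams Services"},
    # Bob runs a CLI with --use-device-code from his usual address: legitimate but worth a look.
    {"TimeGenerated": "2025-02-12T09:30:00", "UserPrincipalName": "bob@example.org",
     "AuthenticationProtocol": "deviceCode", "IPAddress": "203.0.113.20", "AppId": "azure-cli",
     "AppDisplayName": "Microsoft Azure CLI", "ResourceDisplayName": "Microsoft Graph"},
    # Alice "joins a Teams meeting" by typing the lure's code; the token is issued to the attacker's IP.
    {"TimeGenerated": "2025-02-12T13:15:00", "UserPrincipalName": "alice@example.org",
     "AuthenticationProtocol": "deviceCode", "IPAddress": "198.51.100.7", "AppId": "office-app",
     "AppDisplayName": "Microsoft Office", "ResourceDisplayName": "Microsoft Graph"},
    # Same attacker address comes back for the Authentication Broker to register a device.
    {"TimeGenerated": "2025-02-12T13:40:00", "UserPrincipalName": "alice@example.org",
     "AuthenticationProtocol": "deviceCode", "IPAddress": "198.51.100.7", "AppId": AUTH_BROKER_APP_ID,
     "AppDisplayName": "Microsoft Authentication Broker", "ResourceDisplayName": "Device Registration Service"},
]


def detect_device_code_abuse(records):
    """One alert per device code sign-in. The IP baseline is built only from
    earlier non-device-code sign-ins of the same user, so a sign-in is judged
    against what the user had done before it, not after."""
    records = sorted(records, key=lambda r: datetime.fromisoformat(r["TimeGenerated"]))
    baseline = defaultdict(set)  # user -> IPs seen on interactive (non-device-code) sign-ins so far
    alerts = []
    for r in records:
        user = r["UserPrincipalName"]
        if r["AuthenticationProtocol"] != "deviceCode":
            baseline[user].add(r["IPAddress"])
            continue
        reasons = ["device_code_flow"]
        if r["IPAddress"] not in baseline[user]:
            reasons.append("ip_not_in_user_baseline")   # token issued to an address the user never used
        if r["AppId"] == AUTH_BROKER_APP_ID:
            reasons.append("auth_broker_client")        # device registration / PRT attempt
        if r["ResourceDisplayName"] == "Microsoft Graph":
            reasons.append("graph_token_issued")        # mail and files are now readable
        escalate = {"ip_not_in_user_baseline", "auth_broker_client"} & set(reasons)
        alerts.append({
            "time": r["TimeGenerated"], "user": user, "ip": r["IPAddress"],
            "app": r["AppDisplayName"], "severity": "high" if escalate else "review",
            "reasons": reasons,
        })
    return alerts


def users_to_contain(alerts):
    """Accounts whose refresh tokens should be revoked now."""
    return sorted({a["user"] for a in alerts if a["severity"] == "high"})


if __name__ == "__main__":
    found = detect_device_code_abuse(SAMPLE_SIGNINS)
    for a in found:
        print(a["severity"], a["time"], a["user"], a["ip"], a["app"], ",".join(a["reasons"]))
    print("contain:", users_to_contain(found))
```

On the sample data Bob's CLI sign-in is reported for review only, while both of Alice's device code sign-ins come out high, the second one specifically because of the Authentication Broker client. In production the baseline should be built from weeks of history rather than the same batch, and shared egress addresses (VPN, NAT) will make the IP test weaker than it looks here, which is why the client application and the resource are checked as well.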

References and Advisories

For detailed technical insights and guidance, please refer to the following resources:

  • Microsoft Security Blog on Storm-2372 campaign: https://www.microsoft.com/en-us/security/blog/2025/02/13/storm-2372-conducts-device-code-phishing-campaign/
  • Volexity's publication on similar attack techniques
  • Black Hills Information Security's analysis of Dynamic Device Code Phishing: https://www.blackhillsinfosec.com/dynamic-device-code-phishing/
  • Huntress Blog on Device Code Phishing in Google Cloud and Azure: https://www.huntress.com/blog/oh-auth-2-0-device-code-phishing-in-google-cloud-and-azure

About Rescana

Rescana is committed to helping organizations navigate the complex cybersecurity landscape through our comprehensive Third Party Risk Management (TPRM) platform. We provide tailored solutions to enhance your security posture and protect against evolving cyber threats. For further inquiries or assistance, please contact our cybersecurity team at ops@rescana.com.
