Storm-2372: The Sneaky Phishing Attack Targeting Microsoft Teams Users

18 February 2025

A new cyberthreat has emerged that’s causing concern among organizations worldwide. Meet Storm-2372, a sophisticated hacking group believed to be linked to Russian interests, which has been quietly infiltrating networks since August 2024.

The Clever Trick: Device Code Phishing

At the heart of Storm-2372’s strategy is a technique called “device code phishing.” Here’s how it works:

  1. The attackers first build trust with their targets through messaging apps like WhatsApp, Signal, or Microsoft Teams, posing as important figures in the victim’s industry.
  2. They then send a fake Microsoft Teams meeting invitation to the unsuspecting victim.
  3. When the victim clicks on the invitation, they’re prompted to enter a device code, which the attackers have already generated.
  4. By entering this code on a legitimate Microsoft sign-in page and completing the sign-in, the victim unknowingly hands over their access tokens to the attackers, whose session started the flow.
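To make the mechanism concrete, here is an added example (not code from the original post or from Microsoft) that simulates the OAuth 2.0 device authorization grant (RFC 8628) on which device code authentication is built. It uses an in-memory stand-in for the sign-in service, a controllable clock, constructed account names and a constructed 15-minute code lifetime; nothing in it contacts a network or a real tenant. The property it isolates is the one the four steps above rely on: the token is issued to whoever polls with the device code, so the fact that the victim types the short code into a genuine sign-in page offers no protection, and the only thing that limits the window is the code’s expiry.

```python
"""Simulation of the OAuth 2.0 device authorization grant (RFC 8628).

Added example, not the post's or Microsoft's code: an in-memory server
stands in for the sign-in service.  CODE_LIFETIME_SECONDS is a constructed
parameter; real lifetimes are set by the identity provider.
"""
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

CODE_LIFETIME_SECONDS = 15 * 60  # constructed value for the simulation


@dataclass
class PendingAuth:
    device_code: str            # long secret, known only to the party that started the flow
    user_code: str              # short code a human types into the sign-in page
    scope: str
    issued_at: float
    approved_by: Optional[str] = None


class FakeClock:
    """Controllable clock so the expiry path can be exercised without sleeping."""

    def __init__(self, start: float = 1_700_000_000.0) -> None:
        self.now = start

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


class AuthServer:
    """Minimal pair of endpoints: device authorization (step 1) and token (step 3)."""

    def __init__(self, clock: Callable[[], float] = time.time) -> None:
        self.clock = clock
        self.by_device_code: Dict[str, PendingAuth] = {}
        self.by_user_code: Dict[str, PendingAuth] = {}

    def device_authorization(self, scope: str) -> dict:
        """Step 1: the party starting the flow asks for a code pair."""
        auth = PendingAuth(
            device_code=secrets.token_urlsafe(32),
            user_code=f"{secrets.randbelow(10**9):09d}",
            scope=scope,
            issued_at=self.clock(),
        )
        self.by_device_code[auth.device_code] = auth
        self.by_user_code[auth.user_code] = auth
        return {"device_code": auth.device_code, "user_code": auth.user_code,
                "verification_uri": "https://login.example.invalid/device",  # placeholder
                "expires_in": CODE_LIFETIME_SECONDS, "interval": 5}

    def _expired(self, auth: PendingAuth) -> bool:
        return self.clock() - auth.issued_at > CODE_LIFETIME_SECONDS

    def approve(self, user_code: str, authenticated_user: str) -> bool:
        """Step 2: a human signs in (password, MFA) in a browser and types the user_code.
        The server only learns which pending request to approve; it cannot tell whether
        the holder of the matching device_code is that user's own device."""
        auth = self.by_user_code.get(user_code)
        if auth is None or self._expired(auth):
            return False  # unknown or stale code: the sign-in page rejects it
        auth.approved_by = authenticated_user
        return True

    def token(self, device_code: str) -> dict:
        """Step 3: whoever polls with the device_code receives the outcome.
        Error names follow RFC 8628 section 3.5."""
        auth = self.by_device_code.get(device_code)
        if auth is None:
            return {"error": "invalid_grant"}
        if self._expired(auth):
            return {"error": "expired_token"}
        if auth.approved_by is None:
            return {"error": "authorization_pending"}
        del self.by_device_code[device_code]  # a code pair is single use
        self.by_user_code.pop(auth.user_code, None)
        return {"access_token": "tok-" + secrets.token_hex(8), "token_type": "Bearer",
                "scope": auth.scope,
                "issued_for": auth.approved_by}  # simulation-only field: whose identity the token carries


def run_flow(server: AuthServer, victim: str, scope: str = "Mail.Read") -> dict:
    """Walk the three steps once and report what each party ends up with."""
    codes = server.device_authorization(scope)        # held by the party that started the flow
    first_poll = server.token(codes["device_code"])   # nothing yet: authorization_pending
    server.approve(codes["user_code"], victim)        # the human types the code after MFA
    result = server.token(codes["device_code"])       # the starting party now holds the token
    return {"first_poll": first_poll["error"], "issued_for": result.get("issued_for")}


if __name__ == "__main__":
    clock = FakeClock()
    srv = AuthServer(clock)
    print(run_flow(srv, "user@example.invalid"))
    stale = srv.device_authorization("Mail.Read")
    clock.advance(CODE_LIFETIME_SECONDS + 1)
    print(srv.token(stale["device_code"]))  # expired_token: the window has closed
```

The same property is what makes the resulting sign-in look ordinary afterwards: in the identity provider’s logs it is the victim’s own successful interactive sign-in, with the device code flow recorded as the protocol, which is why hunting for this technique keys on that protocol field rather than on failed authentications.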

Why It’s Dangerous

This method is particularly sneaky because it sidesteps, rather than breaks, traditional security measures like passwords and multi-factor authentication: the victim completes a genuine sign-in, MFA included, and the resulting tokens land with the attackers. Once the attackers have the access tokens, and for as long as those tokens remain valid, they can freely roam through the victim’s Microsoft 365 account, accessing emails, cloud storage, and other sensitive data.

Who’s at Risk?

Storm-2372 isn’t picky about its targets. They’ve set their sights on a wide range of sectors, including:

  • Government agencies
  • Non-governmental organizations (NGOs)
  • IT services and technology companies
  • Defence contractors
  • Telecommunications providers
  • Healthcare organizations
  • Educational institutions
  • Energy and oil companies

Their attacks have spanned across Europe, North America, Africa, and the Middle East, showing the global reach of this threat.

What Happens After the Attack?

Once inside a network, Storm-2372 doesn’t waste time. They use their ill-gotten access to search through emails for sensitive information, using keywords like “username,” “password,” “admin,” and “credentials”. They’re also known to send phishing messages to other users within the organization, expanding their reach and potentially compromising more accounts.
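The sign-in that the attack produces is the first place a defender can see it, before any of the mailbox searching or internal phishing described above begins. The following is an added example, not code from the original post: a triage routine over constructed Microsoft Entra sign-in records (imitating a handful of SigninLogs columns) that picks out successful device code flow sign-ins and compares each one against that user’s earlier non-device-code baseline, with an allowlist for accounts that legitimately use the flow. The records, account names, IP addresses and the allowlist are all constructed.

```python
"""Triage of device-code sign-ins in Microsoft Entra sign-in logs.

Added example, not code from the original post.  The records below are
constructed to imitate a few SigninLogs columns; in practice they would be
exported from Log Analytics / Sentinel or the Graph signIns API.
"""
from datetime import datetime
from typing import FrozenSet, Iterable, List, Set, Tuple

SAMPLE_SIGNINS = [  # constructed records
    {"TimeGenerated": "2025-02-10T08:01:00Z", "UserPrincipalName": "alice@example.invalid",
     "AuthenticationProtocol": "none", "IPAddress": "203.0.113.10", "Location": "GB", "ResultType": "0"},
    {"TimeGenerated": "2025-02-11T08:03:00Z", "UserPrincipalName": "alice@example.invalid",
     "AuthenticationProtocol": "none", "IPAddress": "203.0.113.10", "Location": "GB", "ResultType": "0"},
    {"TimeGenerated": "2025-02-11T09:15:00Z", "UserPrincipalName": "bob@example.invalid",
     "AuthenticationProtocol": "oAuth2", "IPAddress": "203.0.113.11", "Location": "GB", "ResultType": "0"},
    {"TimeGenerated": "2025-02-12T13:20:00Z", "UserPrincipalName": "alice@example.invalid",
     "AuthenticationProtocol": "deviceCode", "IPAddress": "198.51.100.77", "Location": "NL", "ResultType": "0"},
    {"TimeGenerated": "2025-02-12T13:22:00Z", "UserPrincipalName": "bob@example.invalid",
     "AuthenticationProtocol": "deviceCode", "IPAddress": "203.0.113.11", "Location": "GB", "ResultType": "0"},
    {"TimeGenerated": "2025-02-12T13:25:00Z", "UserPrincipalName": "teamsroom-lobby@example.invalid",
     "AuthenticationProtocol": "deviceCode", "IPAddress": "203.0.113.10", "Location": "GB", "ResultType": "0"},
    {"TimeGenerated": "2025-02-12T13:30:00Z", "UserPrincipalName": "carol@example.invalid",
     "AuthenticationProtocol": "deviceCode", "IPAddress": "198.51.100.78", "Location": "NL", "ResultType": "50126"},
    {"TimeGenerated": "2025-02-12T14:00:00Z", "UserPrincipalName": "alice@example.invalid",
     "AuthenticationProtocol": "none", "IPAddress": "198.51.100.77", "Location": "NL", "ResultType": "0"},
]

# Accounts with a legitimate reason to use the flow (Teams Rooms, approved dev tooling). Constructed.
KNOWN_DEVICE_CODE_ACCOUNTS: FrozenSet[str] = frozenset({"teamsroom-lobby@example.invalid"})


def _ts(record: dict) -> datetime:
    return datetime.fromisoformat(record["TimeGenerated"].replace("Z", "+00:00"))


def successful_device_code_signins(records: Iterable[dict]) -> List[dict]:
    """Every successful sign-in that used the device code flow, oldest first."""
    hits = [r for r in records
            if r["AuthenticationProtocol"] == "deviceCode" and r["ResultType"] == "0"]
    return sorted(hits, key=_ts)


def _baseline(records: List[dict], user: str, before: datetime) -> Tuple[Set[str], Set[str]]:
    """IPs and countries from the user's successful NON-device-code sign-ins strictly
    before `before`, so later activity from a new address cannot launder itself
    into the baseline (the last constructed record shows why this matters)."""
    ips: Set[str] = set()
    countries: Set[str] = set()
    for r in records:
        if (r["UserPrincipalName"] == user and r["ResultType"] == "0"
                and r["AuthenticationProtocol"] != "deviceCode" and _ts(r) < before):
            ips.add(r["IPAddress"])
            countries.add(r["Location"])
    return ips, countries


def triage_device_code_signins(records: Iterable[dict],
                               allowlist: FrozenSet[str] = KNOWN_DEVICE_CODE_ACCOUNTS) -> List[dict]:
    """One finding per successful device-code sign-in by a non-allowlisted account,
    tagged with how it compares to the user's prior baseline."""
    records = list(records)
    findings = []
    for r in successful_device_code_signins(records):
        user = r["UserPrincipalName"]
        if user in allowlist:
            continue
        ips, countries = _baseline(records, user, _ts(r))
        if not ips:
            reason = "no_baseline"           # nothing to compare against: review manually
        elif r["IPAddress"] not in ips and r["Location"] not in countries:
            reason = "new_ip_and_country"    # strongest signal
        elif r["IPAddress"] not in ips:
            reason = "new_ip"
        else:
            reason = "known_ip"              # still worth a look: the flow itself is the anomaly
        findings.append({"user": user, "time": r["TimeGenerated"], "ip": r["IPAddress"],
                         "country": r["Location"], "reason": reason})
    return findings


if __name__ == "__main__":
    for f in triage_device_code_signins(SAMPLE_SIGNINS):
        print(f)
```

A device code sign-in from a known address still deserves attention, since for most users the flow itself is the anomaly; the reason tag only orders the queue. The follow-on activity the post describes, mailbox keyword searches and internal phishing, is recorded in Exchange and unified audit logs rather than sign-in logs, so a hit here is the pivot point for that second search.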

Protecting Yourself and Your Organization

While the situation might seem dire, there are steps you can take to protect yourself:

  1. Be wary of unexpected meeting invitations, especially from unfamiliar sources.
  2. Double-check with colleagues through a different communication channel if you receive a suspicious invitation.
  3. Organizations should consider disabling device code authentication where possible and implement strict access policies. See below for more information on this.

Disabling Device Code Authentication

Device code authentication is a legitimate feature that allows users to sign in to devices without a proper keyboard or web browser, like smart TVs or IoT devices. However, it can be exploited by attackers in phishing campaigns. Here’s what disabling it means:

  1. Blocking the authentication flow: Organizations can create a Conditional Access policy in Microsoft Entra ID (formerly Azure AD) to prevent the use of device code authentication.
  2. Impact on legitimate use: Before implementing this policy, it’s crucial to evaluate if your organization uses device code authentication for legitimate purposes, such as Microsoft Teams Room devices or developer tools.
  3. Gradual implementation: Start by enabling the policy in “report-only” mode to assess its impact on your users before fully enforcing it.

Implementing Strict Access Policies

Implementing strict access policies involves several best practices:

  1. Role-based access control (RBAC): Define clear user roles and ensure each user has access only to the tools and data necessary for their job functions.
  2. Principle of least privilege: Grant users minimal access to data and applications, reducing the potential damage if an account is compromised.
  3. Multi-factor authentication (MFA): Require more than one form of authentication for accessing critical assets. This significantly increases security, even if a password is compromised.
  4. Device compliance: Configure policies to allow access only from devices marked as compliant or hybrid-joined to your organization’s network.
  5. Regular review of permissions: Periodically audit and update user access rights to prevent accumulation of unnecessary privileges over time.
  6. Separation of work and personal devices: Encourage or enforce the use of separate devices for work and personal use to minimize the risk of cross-contamination.
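The two sections above translate directly into Conditional Access configuration. The following is an added example, not the post’s, Microsoft’s or any vendor’s code: it builds the Microsoft Graph request bodies for a report-only block on the device code flow (steps 1 to 3 of “Disabling Device Code Authentication”) and for the MFA and device compliance items just listed, and runs a pre-enforcement check for the lock-out mistakes that step 2 warns about. The Graph endpoint and the authenticationFlows / transferMethods schema are as documented at the time of writing and should be confirmed against the current API reference; every group id is a placeholder.

```python
"""Conditional Access policies as Microsoft Graph request bodies.

Added example, not the post's, Microsoft's or any vendor's code.
Assumptions: policies are created with POST to GRAPH_CA_POLICIES (check the
current API reference for the authenticationFlows condition), and every group
id is a placeholder to be replaced with your own.
"""
import json
from typing import Dict, List, Sequence

GRAPH_CA_POLICIES = "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies"
BREAK_GLASS_GROUP = "00000000-0000-0000-0000-0000000000b1"       # placeholder: emergency-access accounts
DEVICE_CODE_EXCEPTIONS = "00000000-0000-0000-0000-0000000000d1"  # placeholder: Teams Rooms, approved dev tooling

REPORT_ONLY = "enabledForReportingButNotEnforced"
ENFORCED = "enabled"


def ca_policy(display_name: str, state: str, conditions: Dict, grant_controls: Dict,
              exclude_groups: Sequence[str] = ()) -> Dict:
    """Common skeleton: all users and all cloud apps, minus the excluded groups."""
    return {
        "displayName": display_name,
        "state": state,
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeGroups": list(exclude_groups)},
            "applications": {"includeApplications": ["All"]},
            "clientAppTypes": ["all"],
            **conditions,
        },
        "grantControls": grant_controls,
    }


def block_device_code_flow(report_only: bool = True,
                           exclude_groups: Sequence[str] = (BREAK_GLASS_GROUP, DEVICE_CODE_EXCEPTIONS)) -> Dict:
    """Steps 1 and 3 above: block the flow, starting in report-only mode."""
    return ca_policy("Block device code flow",
                     REPORT_ONLY if report_only else ENFORCED,
                     {"authenticationFlows": {"transferMethods": "deviceCodeFlow"}},
                     {"operator": "OR", "builtInControls": ["block"]},
                     exclude_groups)


def require_compliant_or_hybrid_device(report_only: bool = True) -> Dict:
    """Device compliance item: a compliant OR hybrid-joined device is required."""
    return ca_policy("Require compliant or hybrid-joined device",
                     REPORT_ONLY if report_only else ENFORCED, {},
                     {"operator": "OR", "builtInControls": ["compliantDevice", "domainJoinedDevice"]},
                     (BREAK_GLASS_GROUP,))


def require_mfa(report_only: bool = True) -> Dict:
    """MFA item: a separate policy, because Graph applies one operator to all controls."""
    return ca_policy("Require MFA", REPORT_ONLY if report_only else ENFORCED, {},
                     {"operator": "OR", "builtInControls": ["mfa"]}, (BREAK_GLASS_GROUP,))


def lockout_risks(policy: Dict) -> List[str]:
    """Checks to run before flipping a policy from report-only to enforced (step 2 above)."""
    if policy["state"] != ENFORCED:
        return []  # report-only and disabled policies cannot lock anyone out
    risks: List[str] = []
    users = policy["conditions"]["users"]
    excluded = set(users.get("excludeGroups", []))
    if not excluded and not users.get("excludeUsers"):
        risks.append("no exclusions at all: emergency-access accounts are in scope")
    elif BREAK_GLASS_GROUP not in excluded:
        risks.append("break-glass group is not excluded")
    if ("block" in policy["grantControls"]["builtInControls"]
            and "authenticationFlows" not in policy["conditions"]):
        risks.append("unconditional block on all users and all applications")
    if "authenticationFlows" in policy["conditions"] and DEVICE_CODE_EXCEPTIONS not in excluded:
        risks.append("device-code exceptions group not excluded: Teams Rooms / dev tooling sign-ins will fail")
    return risks


if __name__ == "__main__":
    for p in (block_device_code_flow(), require_compliant_or_hybrid_device(), require_mfa()):
        print(f"POST {GRAPH_CA_POLICIES}")
        print(json.dumps(p, indent=2))
        print("risks if enforced:", lockout_risks({**p, "state": ENFORCED}))
```

The intended rollout is the one step 3 describes: create each policy with the report-only state, read the report-only results in the sign-in logs for a week or two, fill the exceptions group with the Teams Rooms and developer accounts that surfaced, and only then call lockout_risks on the enforced version before changing its state.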

Archway Securities, putting you in safe hands