Sunday, March 2, 2025
Cybersecurity

Russian Hackers Exploit “Device Code Phishing” in Attacks to Infiltrate Accounts

by Justin Erickson

Microsoft warns that “Storm-2372”, a Russia-linked threat actor, is actively exploiting device code phishing to “…capture authentication tokens, which they then use to access target accounts, and further gain access to data and other services that the compromised account has access to. This technique could enable persistent access as long as the tokens remain valid, making this attack technique attractive to threat actors.” The technique is being used to infiltrate a range of organizations, including government agencies, IT service providers, non-governmental organizations, and more. Three other Russia-linked threat actors (Midnight Blizzard, UTA0304, and UTA0307) have also been found using it. Microsoft urges organizations to limit device code flow, educate users on phishing, monitor for suspicious logins, and enforce strong authentication and credential security. The full list of mitigations, with descriptions, can be found in Microsoft's article linked below, under the “Mitigation and protection guidance” section.

Third-Party references:
