Storm-2372: Russian State Actor’s Global Device Code Phishing Campaign
Microsoft has recently uncovered an active and sophisticated phishing campaign conducted by Storm-2372, a threat actor assessed with medium confidence to be aligned with Russian state interests. The campaign, which began in August 2024, represents a significant evolution in phishing tactics, specifically exploiting device code authentication flows to compromise organizations worldwide.
Who Has Been Targeted?
The campaign has targeted a broad range of sectors across multiple regions:
Sectors:
Energy and oil/gas companies
Healthcare organizations
Information Technology services and technology companies
Higher education institutions
Government agencies
Non-governmental organizations (NGOs)
Defense contractors
Telecommunications providers
Regions:
Europe
North America
Africa
Middle East
The Exploit: Device Code Phishing
The attack leverages a novel technique called “device code phishing” that exploits legitimate authentication flows. Here’s how it works:
Initial Contact: The attackers first approach targets through messaging services like WhatsApp, Signal, or Microsoft Teams, posing as prominent figures relevant to the target organization.
Trust Building: They develop rapport through initial conversations before sending meeting invitations via email. (Source: Microsoft Security)
Authentication Exploitation: When targets click the meeting invitation, they’re prompted to enter a device code on a legitimate Microsoft sign-in page. The code was generated by the attackers, who started the device code flow themselves; once the victim enters it and completes sign-in, the authentication tokens are issued to the attacker’s session, allowing them to act as the victim. (Source: Microsoft Security)
Post-Compromise Activities: Once authenticated, the attackers:
Access the victim’s email and cloud storage
Move laterally within the organization
Use Microsoft Graph to search for sensitive information using keywords like “password,” “admin,” “credentials,” etc.
Exfiltrate discovered sensitive data
Recent Technique Evolution
As of February 14, 2025, Microsoft observed Storm-2372 adapting their tactics to use the Microsoft Authentication Broker’s client ID. This allows them to:
Obtain refresh tokens
Register actor-controlled devices within Entra ID
Acquire Primary Refresh Tokens (PRT)
Use regional proxies to mask suspicious activity
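The post-compromise steps above and the newer broker-based variant leave traces in Entra ID sign-in and audit logs. The following script is an added example (it is not code from Microsoft, CinchOps, or the original article) showing how a defender could triage those logs: it pulls out sign-ins that completed through the device code flow, flags those where the requesting client is the Microsoft Authentication Broker, and correlates them with a device registration by the same user shortly afterwards. The log records are constructed sample data; field names (authenticationProtocol, appId, activityDisplayName) follow the Microsoft Graph signIn and directoryAudit resources but are simplified and should be checked against your own tenant’s export, and the broker client ID is a placeholder you must fill in from Microsoft’s published value.

```python
import json
from datetime import datetime, timedelta

# Placeholder: replace with the published client ID of the Microsoft
# Authentication Broker. It is deliberately not hard-coded here.
BROKER_CLIENT_ID = "<microsoft-authentication-broker-client-id>"

# Constructed sample sign-in records (newline-delimited JSON), not real
# tenant data. Field names follow the Microsoft Graph signIn resource.
SIGNIN_LOGS = """
{"createdDateTime":"2025-02-14T10:00:00Z","userPrincipalName":"alice@example.com","authenticationProtocol":"deviceCode","appId":"<microsoft-authentication-broker-client-id>","ipAddress":"203.0.113.5"}
{"createdDateTime":"2025-02-14T10:05:00Z","userPrincipalName":"bob@example.com","authenticationProtocol":"oAuth2","appId":"11111111-1111-1111-1111-111111111111","ipAddress":"198.51.100.7"}
{"createdDateTime":"2025-02-14T11:00:00Z","userPrincipalName":"carol@example.com","authenticationProtocol":"deviceCode","appId":"22222222-2222-2222-2222-222222222222","ipAddress":"203.0.113.9"}
"""

# Constructed directory audit events. The real directoryAudit resource nests
# the actor under initiatedBy.user; it is flattened here for readability.
AUDIT_LOGS = """
{"activityDateTime":"2025-02-14T10:20:00Z","activityDisplayName":"Register device","initiatedBy":"alice@example.com"}
{"activityDateTime":"2025-02-14T15:00:00Z","activityDisplayName":"Register device","initiatedBy":"carol@example.com"}
"""


def parse_ndjson(text):
    """Parse newline-delimited JSON into a list of dicts, skipping blank lines."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def parse_time(value):
    """Parse an ISO-8601 UTC timestamp; the 'Z' suffix is mapped to an offset."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def device_code_signins(signins):
    """Return only the sign-ins that completed through the device code flow."""
    return [s for s in signins if s.get("authenticationProtocol") == "deviceCode"]


def find_suspicious(signins, audits, window=timedelta(hours=1)):
    """Map each user with a device code sign-in to the reasons it deserves review.

    A device code sign-in alone is worth a look; one made through the
    Authentication Broker client, or followed by a device registration within
    `window`, matches the behaviour described for Storm-2372 more closely.
    """
    registrations = [a for a in audits if a.get("activityDisplayName") == "Register device"]
    findings = {}
    for s in device_code_signins(signins):
        user = s["userPrincipalName"]
        reasons = ["device code flow sign-in"]
        if s.get("appId") == BROKER_CLIENT_ID:
            reasons.append("client is the Microsoft Authentication Broker")
        signed_in_at = parse_time(s["createdDateTime"])
        for a in registrations:
            if a.get("initiatedBy") != user:
                continue
            delta = parse_time(a["activityDateTime"]) - signed_in_at
            if timedelta(0) <= delta <= window:
                minutes = int(delta.total_seconds() // 60)
                reasons.append(f"device registered {minutes} min after sign-in")
        findings.setdefault(user, []).extend(reasons)
    return findings


if __name__ == "__main__":
    results = find_suspicious(parse_ndjson(SIGNIN_LOGS), parse_ndjson(AUDIT_LOGS))
    for user, reasons in results.items():
        print(f"{user}: {'; '.join(reasons)}")
```

In the sample data only alice is flagged on all three counts (device code sign-in, broker client, device registered 20 minutes later); carol’s device code sign-in is listed for review but her registration falls outside the one-hour window, and bob’s ordinary OAuth sign-in is ignored. In production the same logic would run over a Graph or Log Analytics export rather than embedded strings, and the window and client ID list would be tuned to the tenant.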
Security Measures
While immediate actions are crucial for addressing active threats, organizations must also implement comprehensive, long-term security measures to build lasting resilience against sophisticated attacks like those conducted by Storm-2372. These measures require strategic planning, consistent execution, and regular updates to remain effective against evolving threats. The following key areas should be prioritized in your organization’s security roadmap:
Strengthen Authentication:
Require multi-factor authentication (MFA)
Implement phishing-resistant authentication methods (FIDO Tokens, Microsoft Authenticator with passkey)
Block legacy authentication protocols
Identity Management:
Centralize identity management
Integrate on-premises directories with cloud directories
Implement proper logging and monitoring
Access Control:
Apply the principle of least privilege
Regularly audit privileged account activity
Implement Single Sign-On (SSO)
User Education:
Train users to identify phishing attempts
Emphasize the importance of verifying application authentication prompts
Create awareness about social engineering tactics
How CinchOps Can Help
As a modern security operations provider, CinchOps can strengthen your organization’s defenses against sophisticated threats like Storm-2372 through:
Continuous Monitoring: Implementation of 24/7 security monitoring to detect and respond to suspicious authentication attempts and token abuse.
Identity Security: Deployment and management of robust identity protection measures, including MFA and conditional access policies.
Incident Response: Rapid response capabilities to contain and remediate compromised accounts and systems.
Security Assessment: Regular evaluation of your organization’s security posture against evolving threats like device code phishing.
User Training: Development and delivery of security awareness programs focused on modern phishing techniques and social engineering.
The Storm-2372 campaign demonstrates the evolving sophistication of state-sponsored cyber threats. Organizations must remain vigilant and maintain robust security measures to protect against such attacks.
Discover more about our enterprise-grade, business-protecting cybersecurity services on our Cybersecurity page.
Partner with CinchOps to ensure your organization has the necessary defenses and expertise to combat these emerging threats.