Shane

Storm-2372: Russian State Actor’s Global Device Code Phishing Campaign

Russian hackers exploit authentication flows in sophisticated campaign targeting critical infrastructure

Microsoft has recently uncovered an active and sophisticated phishing campaign conducted by Storm-2372, a threat actor assessed with medium confidence to be aligned with Russian state interests. The campaign, which began in August 2024, represents a significant evolution in phishing tactics, specifically exploiting device code authentication flows to compromise organizations worldwide.

Who Has Been Targeted?

The campaign has targeted a broad range of sectors across multiple regions:

Sectors:

  • Energy and oil/gas companies
  • Healthcare organizations
  • Information Technology services and technology companies
  • Higher education institutions
  • Government agencies
  • Non-governmental organizations (NGOs)
  • Defense contractors
  • Telecommunications providers

Regions:

  • Europe
  • North America
  • Africa
  • Middle East

The Exploit: Device Code Phishing

The attack leverages a novel technique called “device code phishing” that exploits legitimate authentication flows. Here’s how it works:

  1. Initial Contact: The attackers first approach targets through messaging services like WhatsApp, Signal, or Microsoft Teams, posing as prominent figures relevant to the target organization.
  2. Trust Building: They develop rapport through initial conversations before sending meeting invitations via email.
    (Image: Microsoft Security)
  3. Authentication Exploitation: When targets click the meeting invitation, they land on a legitimate Microsoft sign-in page and are prompted to enter a device code. That code was generated by the attackers when they started the device code flow, so when the victim authorizes it, the resulting authentication tokens are issued to the attackers rather than to the victim.
    (Image: Microsoft Security)
  4. Post-Compromise Activities: Once authenticated, the attackers:
    • Access the victim’s email and cloud storage
    • Move laterally within the organization
    • Use Microsoft Graph to search for sensitive information using keywords like “password,” “admin,” “credentials,” etc.
    • Exfiltrate discovered sensitive data

Recent Technique Evolution

As of February 14, 2025, Microsoft observed Storm-2372 adapting their tactics to use the Microsoft Authentication Broker’s client ID. This allows them to:

  • Obtain refresh tokens
  • Register actor-controlled devices within Entra ID
  • Acquire Primary Refresh Tokens (PRT)
  • Use regional proxies to mask suspicious activity
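
The following script is an added example (not part of the original post and not Microsoft's or CinchOps' own code) showing one way a defender can hunt for the pattern described above in an Entra ID sign-in log export: every sign-in completed through the device code flow is flagged, and the finding is raised to high severity when the same user then obtains tokens through the Authentication Broker client ID within a short window. It assumes the field names of the Microsoft Graph signIn resource (authenticationProtocol, appId, userPrincipalName, ipAddress, createdDateTime, appDisplayName); the log lines are constructed for the example, and the broker client ID is a placeholder that must be replaced with the documented value before use.

```python
import json
from datetime import datetime, timedelta

# PLACEHOLDER, not the real Microsoft Authentication Broker client ID:
# take the real value from Microsoft's documentation or your tenant's logs.
BROKER_CLIENT_ID = "00000000-0000-0000-0000-000000000bb1"

# Constructed sample export (JSON lines) using Graph signIn field names.
# Alice: device-code sign-in followed by a broker token request (the
# Storm-2372 pattern). Bob: ordinary sign-in. Carol: device-code sign-in alone.
SAMPLE_LOG = """\
{"createdDateTime": "2025-02-14T09:00:00Z", "userPrincipalName": "alice@example.com", "authenticationProtocol": "deviceCode", "appId": "11111111-1111-1111-1111-111111111111", "appDisplayName": "Microsoft Office", "ipAddress": "203.0.113.10"}
{"createdDateTime": "2025-02-14T09:03:00Z", "userPrincipalName": "alice@example.com", "authenticationProtocol": "oAuth2", "appId": "00000000-0000-0000-0000-000000000bb1", "appDisplayName": "Microsoft Authentication Broker", "ipAddress": "203.0.113.10"}
{"createdDateTime": "2025-02-14T10:00:00Z", "userPrincipalName": "bob@example.com", "authenticationProtocol": "oAuth2", "appId": "11111111-1111-1111-1111-111111111111", "appDisplayName": "Microsoft Office", "ipAddress": "198.51.100.5"}
{"createdDateTime": "2025-02-14T11:00:00Z", "userPrincipalName": "carol@example.com", "authenticationProtocol": "deviceCode", "appId": "11111111-1111-1111-1111-111111111111", "appDisplayName": "Microsoft Office", "ipAddress": "192.0.2.7"}
"""


def parse_signins(text):
    """Parse a JSON-lines sign-in export into dicts carrying a real timestamp."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        # "Z" suffix is not accepted by fromisoformat on older Pythons.
        rec["ts"] = datetime.fromisoformat(rec["createdDateTime"].replace("Z", "+00:00"))
        records.append(rec)
    return sorted(records, key=lambda r: r["ts"])


def find_device_code_signins(records):
    """Every sign-in that completed through the device code flow."""
    return [r for r in records if r.get("authenticationProtocol") == "deviceCode"]


def correlate(records, window=timedelta(minutes=30)):
    """One finding per device-code sign-in. Severity is 'high' when the same
    user obtains tokens via the broker client ID within `window` afterwards,
    which matches the post-14-February-2025 tactic; otherwise 'medium'."""
    findings = []
    for dc in find_device_code_signins(records):
        follow_on = [
            r for r in records
            if r["userPrincipalName"] == dc["userPrincipalName"]
            and r["appId"] == BROKER_CLIENT_ID
            and dc["ts"] < r["ts"] <= dc["ts"] + window
        ]
        findings.append({
            "user": dc["userPrincipalName"],
            "device_code_signin_at": dc["createdDateTime"],
            "source_ip": dc["ipAddress"],
            "broker_follow_on": [r["createdDateTime"] for r in follow_on],
            "severity": "high" if follow_on else "medium",
        })
    return findings


if __name__ == "__main__":
    for finding in correlate(parse_signins(SAMPLE_LOG)):
        print(json.dumps(finding))
```

Device code sign-ins are legitimate for headless devices and some CLI tools, and the broker client ID appears during normal Windows device registration, so the medium-severity findings are a triage queue rather than alerts on their own; the source IP of the device-code sign-in (compare it against the user's usual locations, bearing in mind the regional proxies mentioned above) is what usually separates a real compromise from noise.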

Security Measures

While immediate actions are crucial for addressing active threats, organizations must also implement comprehensive, long-term security measures to build lasting resilience against sophisticated attacks like those conducted by Storm-2372. These measures require strategic planning, consistent execution, and regular updates to remain effective against evolving threats. The following key areas should be prioritized in your organization’s security roadmap:

  1. Strengthen Authentication:
    • Require multi-factor authentication (MFA)
    • Implement phishing-resistant authentication methods (FIDO Tokens, Microsoft Authenticator with passkey)
    • Block legacy authentication protocols
  2. Identity Management:
    • Centralize identity management
    • Integrate on-premises directories with cloud directories
    • Implement proper logging and monitoring
  3. Access Control:
    • Apply the principle of least privilege
    • Regularly audit privileged account activity
    • Implement Single Sign-On (SSO)
  4. User Education:
    • Train users to identify phishing attempts
    • Emphasize the importance of verifying application authentication prompts
    • Create awareness about social engineering tactics

How CinchOps Can Help

As a modern security operations provider, CinchOps can strengthen your organization’s defenses against sophisticated threats like Storm-2372 through:

  1. Continuous Monitoring: Implementation of 24/7 security monitoring to detect and respond to suspicious authentication attempts and token abuse.
  2. Identity Security: Deployment and management of robust identity protection measures, including MFA and conditional access policies.
  3. Incident Response: Rapid response capabilities to contain and remediate compromised accounts and systems.
  4. Security Assessment: Regular evaluation of your organization’s security posture against evolving threats like device code phishing.
  5. User Training: Development and delivery of security awareness programs focused on modern phishing techniques and social engineering.

The Storm-2372 campaign demonstrates the evolving sophistication of state-sponsored cyber threats. Organizations must remain vigilant and maintain robust security measures to protect against such attacks.

Discover more about our enterprise-grade, business-protecting cybersecurity services on our Cybersecurity page.

Partner with CinchOps to ensure your organization has the necessary defenses and expertise to combat these emerging threats.
