
Unscrupulous Efforts Exploit Microsoft's Device-Code Authentication Processes

State-supported cyber-attacks, traced back to Russia, have been launched against businesses and administrative bodies in North America and abroad.

Unscrupulous hackers launch phishing attacks exploiting Microsoft's device-code verification channels


In recent weeks, a device code phishing campaign has been targeting organisations across various sectors, including government entities, IT, defence, telecommunications, health, higher education, and energy, in Europe, North America, Africa, and the Middle East. The campaign, linked to the Russia-based threat group Storm-2372, has been active since at least August 2024.

Storm-2372 has been using a specific phishing technique that abuses the device-code authentication flow. Device codes exist to sign in accounts on devices that cannot complete the interactive web sign-in themselves (smart TVs, printers, command-line tools and the like). In a device-code phishing attack, the threat actor starts a device-code sign-in request for an application or service, receives the short user code, and tricks the target into entering that code on the legitimate sign-in portal. Because the attacker's client is the one that started the request, the tokens issued when the user completes sign-in are delivered to the attacker.

Once users enter the device code, the attackers gain access to the targeted accounts and data. They can also use these phished authentication tokens to access other services without needing a password. To make matters worse, Storm-2372 can obtain a Primary Refresh Token (PRT) by registering a new device identity and presenting the same refresh token, which gives the attacker device-like, persistent access to the tenant.
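The mechanism described above, as an added illustration that is not from the article, from Microsoft or from Volexity: a toy authorization server simulating the OAuth 2.0 device authorization flow (RFC 8628). It shows the property that makes the flow phishable, namely that tokens go to whichever client started the request rather than to the browser where the user code was typed, and it includes an assumed tenant policy hook (`APPROVED_DEVICE_CODE_CLIENTS`, `enforce_policy`) standing in for a Conditional Access rule that blocks device code flow for non-approved apps.

```python
import secrets
import time

# Assumed allowlist of apps permitted to use device code flow in this tenant.
APPROVED_DEVICE_CODE_CLIENTS = {"corp-tv-app"}


class AuthServer:
    """Minimal RFC 8628 authorization server (simulation only)."""

    def __init__(self, enforce_policy):
        self.enforce_policy = enforce_policy  # stands in for a CA "block device code flow" policy
        self.pending = {}  # device_code -> state of one device authorization request

    def device_authorization(self, client_id):
        # Step 1: a client (legitimate app or attacker) starts the flow.
        if self.enforce_policy and client_id not in APPROVED_DEVICE_CODE_CLIENTS:
            return {"error": "device_code_flow_blocked"}
        device_code = secrets.token_hex(16)
        user_code = f"{secrets.randbelow(10**4):04d}-{secrets.randbelow(10**4):04d}"
        self.pending[device_code] = {"user_code": user_code, "client_id": client_id,
                                     "user": None, "expires": time.time() + 900}
        return {"device_code": device_code, "user_code": user_code,
                "verification_uri": "https://login.example/device"}

    def user_verifies(self, user_code, user):
        # Step 2: the user signs in on the real portal and types the code there.
        for entry in self.pending.values():
            if entry["user_code"] == user_code and entry["user"] is None and time.time() < entry["expires"]:
                entry["user"] = user
                return True
        return False

    def token(self, device_code, client_id):
        # Step 3: only the client that started the flow can redeem the device code,
        # so it receives tokens for whoever entered the user code.
        entry = self.pending.get(device_code)
        if not entry or entry["client_id"] != client_id:
            return {"error": "invalid_grant"}
        if entry["user"] is None:
            return {"error": "authorization_pending"}
        return {"access_token": f"token-for-{entry['user']}", "refresh_token": secrets.token_hex(8)}


def run_flow(server, client_id, user):
    """Drive all three steps; returns the token response or the policy error."""
    start = server.device_authorization(client_id)
    if "error" in start:
        return start
    server.user_verifies(start["user_code"], user)  # victim enters code on the legitimate portal
    return server.token(start["device_code"], client_id)
```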

Microsoft Threat Intelligence has warned of this campaign, and Volexity, a cybersecurity firm, has detailed the dangers of device code phishing attacks in a blog post. According to Volexity, the device code phishing method has been more effective than years of other social-engineering and spear-phishing attacks conducted by the same (or similar) threat actors.

To protect your Microsoft 365 tenant from device code phishing attacks, it's essential to implement robust security measures. Here are some steps you can take:

## Implementing Conditional Access Policies

1. **Block Sign-ins from Unmanaged Devices**: Creating a Conditional Access policy that blocks sign-ins from unmanaged devices can significantly reduce the risk of unauthorised access.

2. **Restrict Device Code Flow**: Use Conditional Access to block or restrict the device code flow, allowing it only for the applications and users that genuinely need it. Requiring admin approval for app-based sign-ins helps prevent malicious actors from exploiting open enrollment paths in device code phishing attacks.

3. **Enforce Phishing-Resistant MFA**: Ensure that all highly privileged roles require phishing-resistant MFA. This ensures that even if an attacker manages to obtain a user's password, they cannot access the system without the second factor.

4. **Limit Device Enrollment**: Utilise Microsoft Entra's device limit restriction to reduce the attack surface by limiting the number of devices that can enroll in your organisation.

## Additional Measures for Enhanced Security

- **Educate Users**: Educate users about the risks of device code phishing and the importance of vigilance when receiving requests to enter device codes.

- **Monitor and Report**: Regularly monitor for suspicious activity and report any incidents promptly. Use tools like Microsoft Defender for Cloud Apps to track unusual app consent grants.
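One way to act on the monitoring advice above, as an added example that is not part of the article: a small triage script over Entra sign-in records exported as JSON. Field names follow the Microsoft Graph `signIn` resource (`authenticationProtocol`, `appId`, `ipAddress`, `location`); the records, the approved-app ID and the per-user country baseline are all constructed sample data for this example.

```python
import json

# Assumed: the one app this tenant has approved for device code sign-in (constructed ID).
APPROVED_DEVICE_CODE_APPS = {"11111111-1111-1111-1111-111111111111"}
# Assumed: each user's usual sign-in country, learned from earlier interactive sign-ins.
USER_BASELINE_COUNTRY = {"alice@example.com": "GB", "bob@example.com": "GB"}

# Constructed sample sign-in records, not real log output.
SAMPLE_SIGNINS = json.dumps([
    {"createdDateTime": "2025-02-13T09:02:11Z", "userPrincipalName": "alice@example.com",
     "appId": "11111111-1111-1111-1111-111111111111", "appDisplayName": "Meeting Room Display",
     "ipAddress": "203.0.113.10", "location": {"countryOrRegion": "GB"},
     "authenticationProtocol": "deviceCode", "status": {"errorCode": 0}},
    {"createdDateTime": "2025-02-13T09:15:42Z", "userPrincipalName": "bob@example.com",
     "appId": "22222222-2222-2222-2222-222222222222", "appDisplayName": "Unknown Client",
     "ipAddress": "198.51.100.77", "location": {"countryOrRegion": "NL"},
     "authenticationProtocol": "deviceCode", "status": {"errorCode": 0}},
    {"createdDateTime": "2025-02-13T09:20:05Z", "userPrincipalName": "bob@example.com",
     "appId": "33333333-3333-3333-3333-333333333333", "appDisplayName": "Outlook",
     "ipAddress": "203.0.113.11", "location": {"countryOrRegion": "GB"},
     "authenticationProtocol": "none", "status": {"errorCode": 0}},
])


def triage_device_code_signins(raw_json):
    """Return one finding per successful device-code sign-in that breaks a rule."""
    findings = []
    for rec in json.loads(raw_json):
        if rec.get("authenticationProtocol") != "deviceCode":
            continue  # interactive and other flows are out of scope for this rule
        if rec.get("status", {}).get("errorCode", 0) != 0:
            continue  # failed attempts are worth hunting on, but are not a compromise signal
        reasons = []
        if rec["appId"] not in APPROVED_DEVICE_CODE_APPS:
            reasons.append("device code flow used by non-approved app")
        country = rec.get("location", {}).get("countryOrRegion")
        expected = USER_BASELINE_COUNTRY.get(rec["userPrincipalName"])
        if expected and country != expected:
            reasons.append(f"sign-in country {country} differs from baseline {expected}")
        if reasons:
            findings.append({"user": rec["userPrincipalName"], "ip": rec["ipAddress"],
                             "app": rec["appDisplayName"], "time": rec["createdDateTime"],
                             "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage_device_code_signins(SAMPLE_SIGNINS):
        print(f"{f['time']} {f['user']} via {f['app']} from {f['ip']}: {'; '.join(f['reasons'])}")
```

A hit on either rule is a prompt to revoke the user's refresh tokens and review recently registered devices, since the article notes the phished refresh token can be turned into a PRT.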

By implementing these strategies, you can effectively enhance your Microsoft 365 tenant's security against device code phishing attacks.

Microsoft has not responded to a request for comment at press time. It's crucial for organisations to stay vigilant and take proactive measures to protect their data from these types of threats.


  1. The recent device code phishing campaign, linked to the Russia-based threat group Storm-2372, poses a significant threat to cybersecurity, particularly in the areas of privacy and technology.
  2. Cybersecurity firms such as Microsoft Threat Intelligence and Volexity have warned about the dangers of this campaign, stating that the device code phishing method is more effective than years of other social-engineering and spear-phishing attacks.
  3. To protect against device code phishing attacks, it's essential to implement robust security measures, including conditional access policies, restricting device code flow, enforcing phishing-resistant MFA, and limiting device enrollment, as well as educating users about the risks and monitoring for suspicious activity.
