Critical Analysis of the Storm-2372 Device Code Phishing Campaign Targeting Microsoft Authentication Systems
- Nox90 Engineering
- Apr 1
- 3 min read

Storm-2372 Device Code Phishing Campaign: A Critical Analysis
Executive Summary
Storm-2372, a threat actor with suspected ties to Russian state interests, has been launching a highly targeted and effective device code phishing campaign since August 2024. This operation aims at government entities, non-governmental organizations, IT services and technology firms, defense, telecommunications, health, higher education, and the energy sector across Europe, North America, Africa, and the Middle East. By exploiting the device code authentication flow, Storm-2372 captures authentication tokens, gaining unauthorized access to victim accounts and enabling further systemic infiltration. This report delves into the tactics and techniques employed, the sectors affected, and recommends strategic measures to mitigate such threats.
Technical Information
The Storm-2372 campaign represents a sophisticated use of device code phishing, which deviates from traditional phishing paradigms by not relying on malicious links or attachments. Instead, the attackers generate legitimate device code requests, manipulating victims into entering these codes on authentic sign-in portals. Once the codes are entered, Storm-2372 intercepts the resulting authentication tokens, securing unauthorized access to the victim's accounts and resources.
A noteworthy aspect of this campaign is the use of specific client IDs for the Microsoft Authentication Broker, which facilitates the acquisition of refresh tokens. This technique allows Storm-2372 to maintain persistent access to victim resources, a critical capability for long-term exploitation. The phishing lures used by Storm-2372 often mimic invitations from widely-used communication platforms such as Microsoft Teams, Signal, and WhatsApp. These lures are cleverly crafted to trick users into completing a device code authentication process, thereby handing over control to the attackers.
Once access is established, Storm-2372 exploits Microsoft Graph API for data exfiltration, including email harvesting. The group has been observed employing keyword searches within compromised accounts to extract sensitive information such as usernames, passwords, and other credentials. The attackers have also been noted to use proxies that are regionally relevant to the targets, likely as a means to further obfuscate their activities.
In the 24 hours before this writing, Storm-2372 shifted tactics by using the client ID of the Microsoft Authentication Broker in the device code sign-in flow. With that client ID, the actors receive a refresh token that can be exchanged for an additional token for the device registration service, allowing them to register an actor-controlled device in Entra ID. This modification enhances their ability to operate stealthily within victim environments, as the registered device lets them obtain a Primary Refresh Token (PRT) and use it to access an organization's resources.
Mitigation Strategies
Organizations can employ a range of strategies to defend against the tactics deployed by Storm-2372. Limiting the use of the device code flow and configuring Conditional Access policies can help manage and control access. User education remains paramount; regular training to recognize and respond to phishing attempts is essential in safeguarding against these attacks. Implementing strong multi-factor authentication (MFA) practices, including phishing-resistant methods such as FIDO tokens, is also crucial. Centralizing identity management into a single platform and integrating on-premises and cloud directories can enhance monitoring capabilities, allowing quicker detection of and response to suspicious activity. Monitoring sign-in activity and promptly revoking tokens when anomalies are detected can significantly reduce the risk of prolonged unauthorized access.
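To make the sign-in monitoring recommendation concrete, here is an added example (not from the original post or from Microsoft) that flags successful device code sign-ins and escalates when the Authentication Broker sign-in is followed by a device registration sign-in for the same user, the chain described in the Technical Information section. The field names are assumed to follow the Entra ID sign-in log schema, the application IDs are labelled placeholders, and the log entries are constructed.

```python
from datetime import datetime, timedelta

# Placeholder application IDs: replace with the real client IDs observed in your
# tenant's sign-in logs (the post names the apps but does not list their GUIDs).
BROKER_APP_ID = "PLACEHOLDER-MICROSOFT-AUTHENTICATION-BROKER"
DEVICE_REG_APP_ID = "PLACEHOLDER-DEVICE-REGISTRATION-SERVICE"

# Constructed sign-in log entries; field names assumed from the Entra ID sign-in
# log export (createdDateTime, userPrincipalName, appId, authenticationProtocol, status).
SAMPLE_SIGNINS = [
    {"createdDateTime": "2025-02-13T09:01:10Z", "userPrincipalName": "alice@example.org",
     "appId": "app-outlook", "authenticationProtocol": "none", "status": {"errorCode": 0}},
    {"createdDateTime": "2025-02-13T09:05:42Z", "userPrincipalName": "alice@example.org",
     "appId": BROKER_APP_ID, "authenticationProtocol": "deviceCode", "status": {"errorCode": 0}},
    {"createdDateTime": "2025-02-13T09:06:30Z", "userPrincipalName": "alice@example.org",
     "appId": DEVICE_REG_APP_ID, "authenticationProtocol": "none", "status": {"errorCode": 0}},
    {"createdDateTime": "2025-02-13T10:30:00Z", "userPrincipalName": "bob@example.org",
     "appId": "app-azure-cli", "authenticationProtocol": "deviceCode", "status": {"errorCode": 0}},
    {"createdDateTime": "2025-02-13T11:00:00Z", "userPrincipalName": "carol@example.org",
     "appId": BROKER_APP_ID, "authenticationProtocol": "deviceCode", "status": {"errorCode": 50126}},
]


def _ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def detect_device_code_abuse(entries, window_minutes=30):
    """Return one alert per successful device code sign-in. Severity is raised to
    'high' when the app is the Authentication Broker, and to 'critical' when the
    same user reaches the device registration service within the window."""
    events = sorted((e for e in entries if e["status"]["errorCode"] == 0),
                    key=lambda e: e["createdDateTime"])
    alerts = []
    for i, e in enumerate(events):
        if e["authenticationProtocol"] != "deviceCode":
            continue
        severity, reason = "medium", "device code sign-in; confirm the user initiated it"
        if e["appId"] == BROKER_APP_ID:
            severity, reason = "high", "device code sign-in via Authentication Broker"
            t0 = _ts(e["createdDateTime"])
            for later in events[i + 1:]:
                if (later["userPrincipalName"] == e["userPrincipalName"]
                        and later["appId"] == DEVICE_REG_APP_ID
                        and _ts(later["createdDateTime"]) - t0 <= timedelta(minutes=window_minutes)):
                    severity, reason = "critical", "broker sign-in followed by device registration"
                    break
        alerts.append({"user": e["userPrincipalName"], "time": e["createdDateTime"],
                       "severity": severity, "reason": reason})
    return alerts
```

A critical alert is the point at which revoking the user's refresh tokens and reviewing newly registered devices is warranted; the failed sign-in for carol is ignored because only successful token issuance matters here.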
References
For further details and insights into the Storm-2372 campaign, consult the following resources:
- Microsoft Security Blog: Storm-2372 conducts device code phishing campaign: https://www.microsoft.com/en-us/security/blog/2025/02/13/storm-2372-conducts-device-code-phishing-campaign/
- Cybersecurity Dive: Phishing campaign targets Microsoft device-code authentication flows: https://www.cybersecuritydive.com/news/phishing-campaign-targets-microsoft-device-code-authentication-flows/740201/
- Engage with the Microsoft Threat Intelligence community on LinkedIn: https://www.linkedin.com/showcase/microsoft-threat-intelligence
- Follow updates on X (formerly Twitter): https://x.com/MsftSecIntel
Nox90 is here for you
At Nox90, we are committed to assisting our clients in navigating the complex landscape of application security and Secure Software Development Life Cycle (SSDLC). Our solutions are designed to enhance security protocols, protect sensitive data, and ensure compliance with industry standards. We are dedicated to providing tailored support and guidance to our customers, helping them fortify their defenses against emerging threats like Storm-2372. For any inquiries or further discussion about this report or how we can support your security needs, please reach out to us at info@nox90.com.
This comprehensive analysis of the Storm-2372 device code phishing campaign provides valuable insights into the evolving threat landscape. Stay informed and protected by understanding these sophisticated attack strategies and implementing the recommended security measures.