New Device Code Phishing Attack Exploits Device Code Authentication to Capture Authentication Tokens

A sophisticated phishing campaign, identified by Microsoft Threat Intelligence, has been exploiting a technique known as “device code phishing” to capture authentication tokens.

This attack, attributed to a group called Storm-2372, has been active since August 2024 and targets a wide range of industries and governments globally.

The campaign uses a phishing technique that tricks users into logging into productivity apps, allowing the attackers to capture authentication tokens that can be used to access compromised accounts.

Device code authentication is a method used to authenticate accounts from devices that cannot perform interactive web-based authentication.

Security experts at Microsoft noted that it involves entering a numeric or alphanumeric code on a separate device to sign in. In device code phishing, attackers generate a legitimate device code request and deceive targets into entering it on a legitimate sign-in page.

This grants the attackers access to authentication and refresh tokens, which they can use to access the target’s accounts and data without needing a password.

Device code phishing attack cycle (Source – Microsoft)

Storm-2372’s Tactics

Storm-2372’s campaign involves creating lures that resemble messaging app experiences, such as WhatsApp, Signal, and Microsoft Teams.

The attackers pose as prominent individuals to build rapport with targets before sending phishing emails that appear to be meeting invitations.

These invitations prompt users to authenticate using a device code, which the attackers use to capture valid access tokens.

Sample Messages from the Threat Actor (Source – Microsoft)

After obtaining access tokens, Storm-2372 uses them to move laterally within compromised networks and harvest emails using Microsoft Graph.

The attackers search for keywords like “username,” “password,” and “credentials” in compromised accounts.

Example of Lure Used in Phishing Campaign (Source – Microsoft)

Example hunting query for Microsoft Defender XDR (the pipe operators between KQL stages were lost in extraction and are restored here; truncated list values are left as the page shows them):

let suspiciousUserClicks = materialize(UrlClickEvents
    | where ActionType in ("ClickAllowed", "UrlScanInProgress", "…")
    | where UrlChain has_any ("microsoft.com/devicelogin", "login…")
    | extend AccountUpn = tolower(AccountUpn)
    | project ClickTime = Timestamp, ActionType, UrlChain, Network…
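The query above only collects the link clicks; the hunting logic that matters is correlating those clicks with a successful device-code sign-in by the same account shortly afterwards. The following added example (not from the page or from Microsoft) implements that correlation in Python over constructed sample telemetry; the event fields and the "deviceCode" protocol value are assumptions modelled on Defender XDR UrlClickEvents and Entra sign-in logs.

```python
from datetime import datetime, timedelta

# Constructed sample telemetry (not real data): link clicks from mail and
# interactive sign-ins, modelled on UrlClickEvents and SigninLogs (assumed schema).
URL_CLICKS = [
    {"ts": "2025-02-13T10:00:00", "upn": "Alice@contoso.example",
     "url_chain": "https://microsoft.com/devicelogin"},
    {"ts": "2025-02-13T10:02:00", "upn": "bob@contoso.example",
     "url_chain": "https://example.com/newsletter"},
    {"ts": "2025-02-13T10:01:00", "upn": "carol@contoso.example",
     "url_chain": "https://login.microsoftonline.com/common/oauth2/deviceauth"},
]
SIGNINS = [
    {"ts": "2025-02-13T10:05:00", "upn": "alice@contoso.example",
     "protocol": "deviceCode", "ip": "203.0.113.7", "result": 0},
    {"ts": "2025-02-13T10:06:00", "upn": "bob@contoso.example",
     "protocol": "deviceCode", "ip": "203.0.113.8", "result": 0},
    {"ts": "2025-02-13T10:04:00", "upn": "carol@contoso.example",
     "protocol": "none", "ip": "198.51.100.5", "result": 0},
    {"ts": "2025-02-13T12:30:00", "upn": "alice@contoso.example",
     "protocol": "deviceCode", "ip": "203.0.113.9", "result": 0},
]

# Device-login pages a lure would send the victim to (the page's has_any list).
DEVICE_LOGIN_MARKERS = ("microsoft.com/devicelogin",
                        "login.microsoftonline.com/common/oauth2/deviceauth")

def clicked_device_login(url_chain: str) -> bool:
    """Mirror of the 'UrlChain has_any (...)' filter: case-insensitive substring match."""
    chain = url_chain.lower()
    return any(marker in chain for marker in DEVICE_LOGIN_MARKERS)

def find_suspicious_device_code_signins(clicks, signins, window=timedelta(minutes=30)):
    """Flag successful device-code sign-ins that follow a device-login link click
    by the same account within `window`. Returns (upn, click_ts, signin_ts, ip)."""
    hits = []
    for s in signins:
        if s["protocol"] != "deviceCode" or s["result"] != 0:
            continue  # only successful device-code sign-ins are of interest
        s_time = datetime.fromisoformat(s["ts"])
        for c in clicks:
            if c["upn"].lower() != s["upn"].lower() or not clicked_device_login(c["url_chain"]):
                continue
            c_time = datetime.fromisoformat(c["ts"])
            if timedelta(0) <= s_time - c_time <= window:  # click first, sign-in soon after
                hits.append((s["upn"].lower(), c["ts"], s["ts"], s["ip"]))
    return hits

if __name__ == "__main__":
    for hit in find_suspicious_device_code_signins(URL_CLICKS, SIGNINS):
        print("device-code sign-in shortly after device-login link click:", hit)
```

Only Alice is flagged: Bob's click was not to a device-login page, Carol's sign-in did not use the device code flow, and Alice's second device-code sign-in falls outside the window, so it would need its own context (source IP, location) to judge.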

To defend against device code phishing attacks, organizations should restrict the use of device code flows where they are not needed, educate users on phishing tactics, and enforce strong authentication measures such as MFA and phishing-resistant methods like FIDO tokens.

Implementing Conditional Access policies to monitor risky sign-ins and centralizing identity management can further enhance security.


Tushar Subhra Dutta
