A sophisticated phishing campaign, identified by Microsoft Threat Intelligence, has been exploiting a technique known as \u201cdevice code phishing\u201d to capture authentication tokens.<\/p>\n
This attack, attributed to a group called Storm-2372, has been active since August 2024 and targets a wide range of industries and governments globally.<\/p>\n
The campaign uses a phishing technique<\/a> that tricks users into logging into productivity apps, allowing the attackers to capture authentication tokens that can be used to access compromised accounts.<\/p>\n Device code authentication is a method used to authenticate accounts from devices that cannot perform interactive web-based authentication.<\/p>\n Security experts at Microsoft noted<\/a> that it involves entering a numeric or alphanumeric code on a separate device to sign in. In device code phishing, attackers generate a legitimate device code request and deceive targets into entering it on a legitimate sign-in page.<\/p>\n This grants the attackers access to authentication and refresh tokens, which they can use to access the target\u2019s accounts and data without needing a password.<\/p>\n Storm-2372\u2019s campaign involves creating lures that resemble messaging app experiences, such as WhatsApp, Signal, and Microsoft Teams<\/a>.<\/p>\n The attackers pose as prominent individuals to build rapport with targets before sending phishing emails that appear to be meeting invitations.<\/p>\n These invitations prompt users to authenticate using a device code, which the attackers use to capture valid access tokens.<\/p>\n After obtaining access tokens, Storm-2372 uses them to move laterally within compromised networks and harvest emails using Microsoft Graph.<\/p>\n The attackers search for keywords like \u201cusername,\u201d \u201cpassword,\u201d and \u201ccredentials\u201d in compromised accounts.<\/p>\n Example Hunting Query for Microsoft Defender XDR:-<\/p>\n To defend against device code phishing attacks, organizations should restrict the use of device code flows, educate users on phishing tactics, and enforce strong authentication measures<\/a> such as MFA and phishing-resistant methods like FIDO Tokens.<\/p>\n Implementing Conditional Access policies to monitor risky sign-ins and centralizing identity management can further enhance security.<\/p>\n The post New Device Code Phishing Attack Exploit Device Code Authentication To Capture Authentication Tokens<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\n![\"\"](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEgmElQ3cxyDOxHxsSt8tQ49jZSd53-vbIGkULg_pWeSqDe-Er3y1GSjArzY4A8vZIqFS9EkVHIqRlZvq3sWOYTv5_TrrvualX8JQ9zdZ5Xg3Sc_jmAVHEUy0OWLHJJLMPCuzaZt1RBaMZiyMh4AI5B0nYABmfmFW3d-QPTI7x_wX-N1__wOSqqy6152WlY\/s16000\/Device%2520code%2520phishing%2520attack%2520cycle%2520%28Source%2520-%2520Microsoft%29.webp?ssl=1\")
Storm-2372\u2019s Tactics<\/strong><\/h2>\n
![\"\"](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEj7nrrbn-oZ2cSIEvyJ8BXhxovYiiZa8mHtoP4Jrm5mTUpCO0UakoFiBN-qnTQ7QBfEB5MFAqDbX6HCxLdfYAaeFnuXQm5jQP5Ru0Bn_bBPSPjuTpbDJ63Nw_SzBtTnUN3bbTyUM_oZwbrL0djsqMdYIC3L9LW6pTv1esVwaVU0MSOeJnms3gkK-fpmnrw\/s16000\/Sample%2520Messages%2520from%2520the%2520Threat%2520Actor%2520%28Source%2520-%2520Microsoft%29.webp?ssl=1\")
![\"\"](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEh86cpZP4h5BmTunHGpRHkhnEaS1UNKaBYchn6vyEBux3mO72eNcZprKlver75HonSmqZ9e0V2UAlZb2JkkXgZpUp_J81383io6K9k53rFiCdQZJaPedOycy1aL9NrlIvO1hWytS_Kie1DunWeFEekP8MR0cE4-0xzZ0IaLhwLMk21cfLoju3CPCUu0k_U\/s16000\/Example%2520of%2520Lure%2520Used%2520in%2520Phishing%2520Campaign%2520%28Source%2520-%2520Microsoft%29.webp?ssl=1\")
let suspiciousUserClicks = materialize(UrlClickEvents\n where ActionType in (\"ClickAllowed\", \"UrlScanInProgress\", \"\u2026\")\n where UrlChain has_any (\"microsoft.com\/devicelogin\", \"login\u2026\")\n extend AccountUpn = tolower(AccountUpn)\n project ClickTime = Timestamp, ActionType, UrlChain, Network\u2026<\/code><\/pre>\nInvestigate Real-World Malicious Links & Phishing Attacks With\u00a0Threat Intelligence Lookup<\/strong>\u00a0-\u00a0Try for Free<\/a><\/code><\/strong><\/code><\/strong><\/p>\n