Threat researchers spot \u2018device code\u2019 phishing attacks targeting Microsoft accounts | CyberScoop<\/title> <meta name=\"description\" content=\"Suspected Russian nation-state threat groups have duped multiple victims into granting potentially persistent access to networks via authentication requests and valid tokens.\"> <link rel=\"canonical\" href=\"https:\/\/cyberscoop.com\/russia-threat-groups-device-code-phishing-microsoft-accounts\/\"> <meta property=\"og:locale\" content=\"en_US\"> <meta property=\"og:type\" content=\"article\"> <meta property=\"og:title\" content=\"Threat researchers spot \u2018device code\u2019 phishing attacks targeting Microsoft accounts\"> <meta property=\"og:description\" content=\"Suspected Russian nation-state threat groups have duped multiple victims into granting potentially persistent access to networks via authentication requests and valid tokens.\"> <meta property=\"og:url\" content=\"https:\/\/cyberscoop.com\/russia-threat-groups-device-code-phishing-microsoft-accounts\/\"> <meta property=\"og:site_name\" content=\"CyberScoop\"> <meta property=\"article:published_time\" content=\"2025-02-14T21:32:33+00:00\"> <meta property=\"article:modified_time\" content=\"2025-02-14T21:32:36+00:00\"> <meta property=\"og:image\" content=\"https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/02\/threat-researchers-spot-device-code-phishing-attacks-targeting-microsoft-accounts-2.jpg\"> <meta property=\"og:image:width\" content=\"1024\"> <meta property=\"og:image:height\" content=\"683\"> <meta property=\"og:image:type\" content=\"image\/jpeg\"> <meta name=\"author\" content=\"Matt Kapko\"> <meta name=\"twitter:card\" content=\"summary_large_image\">  <link rel=\"dns-prefetch\" href=\"\/\/securepubads.g.doubleclick.net\">\n<link rel=\"dns-prefetch\" href=\"\/\/use.typekit.net\">\n<link rel=\"alternate\" type=\"application\/rss+xml\" title=\"CyberScoop \u00bb Feed\" href=\"https:\/\/cyberscoop.com\/feed\/\">\n<link rel=\"alternate\" type=\"application\/rss+xml\" title=\"CyberScoop \u00bb Comments Feed\" href=\"https:\/\/cyberscoop.com\/comments\/feed\/\"> <link rel=\"stylesheet\" id=\"all-css-2\" href=\"https:\/\/cyberscoop.com\/wp-includes\/css\/dist\/block-library\/style.min.css?m=1739294329g\" type=\"text\/css\" media=\"all\"> <link rel=\"stylesheet\" id=\"all-css-6\" href=\"https:\/\/cyberscoop.com\/wp-content\/mu-plugins\/search\/elasticpress\/dist\/css\/related-posts-block-styles.min.css?m=1736472017g\" type=\"text\/css\" media=\"all\"> <link rel=\"stylesheet\" id=\"all-css-8\" href=\"https:\/\/cyberscoop.com\/wp-content\/themes\/scoopnewsgroup\/dist\/css\/frontend.css?m=1739308213g\" type=\"text\/css\" media=\"all\">\n<link rel=\"stylesheet\" id=\"typekit-css\" href=\"https:\/\/use.typekit.net\/itk2qbh.css?ver=5e4722b3d0055288d011\" media=\"all\"> <link rel=\"https:\/\/api.w.org\/\" href=\"https:\/\/cyberscoop.com\/wp-json\/\"><link rel=\"alternate\" title=\"JSON\" type=\"application\/json\" href=\"https:\/\/cyberscoop.com\/wp-json\/wp\/v2\/posts\/83517\"><link rel=\"EditURI\" type=\"application\/rsd+xml\" title=\"RSD\" href=\"https:\/\/cyberscoop.com\/xmlrpc.php?rsd\">\n<meta name=\"generator\" content=\"WordPress 6.7.2\">\n<link rel=\"shortlink\" href=\"https:\/\/cyberscoop.com\/?p=83517\">\n<link rel=\"alternate\" title=\"oEmbed (JSON)\" type=\"application\/json+oembed\" href=\"https:\/\/cyberscoop.com\/wp-json\/oembed\/1.0\/embed?url=https%3A%2F%2Fcyberscoop.com%2Frussia-threat-groups-device-code-phishing-microsoft-accounts%2F\">\n<link rel=\"alternate\" title=\"oEmbed (XML)\" type=\"text\/xml+oembed\" href=\"https:\/\/cyberscoop.com\/wp-json\/oembed\/1.0\/embed?url=https%3A%2F%2Fcyberscoop.com%2Frussia-threat-groups-device-code-phishing-microsoft-accounts%2F&format=xml\">   <link rel=\"icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=32\" sizes=\"32x32\">\n<link rel=\"icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=192\" sizes=\"192x192\">\n<link rel=\"apple-touch-icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=180\">\n<meta name=\"msapplication-TileImage\" content=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=270\"> <\/head><body class=\"post-template-default single single-post postid-83517 single-format-standard\" id=\"readabilityBody\"> <a href=\"https:\/\/cyberscoop.com\/russia-threat-groups-device-code-phishing-microsoft-accounts\/#main\" class=\"skip-to-content-link visually-hidden-focusable\">Skip to main content<\/a> <\/p>\n<div class=\"ad ad--top ad--top-desktop\">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p> <main id=\"main\" role=\"main\" tabindex=\"-1\"> <\/p>\n<div class=\"ad ad--top ad--top-mobile\">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<section id=\"stickybar\" class=\"stickybar stickybar--event js-stickybar\">\n<div class=\"stickybar__details\" readability=\"5.12\">\n<div class=\"stickybar__info js-sticky-bar-content\" readability=\"32\">\n<p>Nominations can be submitted for the 2025 CyberScoop 50 awards!<\/p>\n<\/div>\n<p> <a class=\"stickybar__link button button-tertiary\" href=\"https:\/\/cyberscoop.com\/cyberscoop50\/\">Click here!<\/a> <\/div>\n<p> <button class=\"stickybar__close js-stickybar-close\" aria-controls=\"stickybar\"> <svg class=\"icon icon--close\" width=\"21\" height=\"22\" viewBox=\"0 0 21 22\" fill=\"none\"><path d=\"m.822.518-.805.805L9.695 11 .017 20.678l.805.805 9.678-9.678 9.677 9.678.806-.805L11.305 11l9.678-9.677-.806-.805-9.677 9.677L.822.518Z\" fill=\"currentColor\" \/><\/svg> <span class=\"visually-hidden\">Close<\/span> <\/button> <\/section>\n<article class=\"single-article content\">\n<div class=\"single-article__container js-single-article-content\">\n<header class=\"single-article__header \" readability=\"25.549800796813\">\n<div class=\"single-article__header-content\" readability=\"34.582056892779\">\n<p> Suspected Russian nation-state threat groups have duped multiple victims into granting potentially persistent access to networks via authentication requests and valid tokens. <\/p>\n<p>  <br \/>\n<audio id=\"audio-player\" src=\"https:\/\/wp-tts-cdn.api.scpnewsgrp.com\/cyberscoop\/83517\/english.openai.mp3\"><\/audio> <\/p>\n<div readability=\"11\">\n<div>\n<p>Listen to this article<\/p>\n<p>  <\/p>\n<p>0:00<\/p>\n<\/p><\/div>\n<p>  <\/p>\n<p> <span id=\"tts-tooltip\">Learn more.<\/span> <span> This feature uses an automated voice, which may result in occasional errors in pronunciation, tone, or sentiment. <\/span> <\/p>\n<\/div>\n<p>  <\/div>\n<div class=\"single-article__cover-wrap\">\n<figure class=\"single-article__cover\"> <img data-recalc-dims=\"1\" fetchpriority=\"high\" width=\"640\" height=\"427\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2025\/02\/threat-researchers-spot-device-code-phishing-attacks-targeting-microsoft-accounts.jpg?resize=640%2C427&ssl=1\" class=\"single-article__cover-image wp-post-image\" alt decoding=\"async\" fetchpriority=\"high\" srcset=\"https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/02\/threat-researchers-spot-device-code-phishing-attacks-targeting-microsoft-accounts-2.jpg 1024w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/02\/threat-researchers-spot-device-code-phishing-attacks-targeting-microsoft-accounts-2.jpg?resize=300,200 300w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/02\/threat-researchers-spot-device-code-phishing-attacks-targeting-microsoft-accounts-2.jpg?resize=768,512 768w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/02\/threat-researchers-spot-device-code-phishing-attacks-targeting-microsoft-accounts-2.jpg?resize=600,400 600w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/02\/threat-researchers-spot-device-code-phishing-attacks-targeting-microsoft-accounts-2.jpg?resize=252,168 252w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/02\/threat-researchers-spot-device-code-phishing-attacks-targeting-microsoft-accounts-2.jpg?resize=505,337 505w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/02\/threat-researchers-spot-device-code-phishing-attacks-targeting-microsoft-accounts-2.jpg?resize=1012,675 1012w\" sizes=\"(max-width: 1012px) 100vw, 1012px\"><figcaption> (Photo by John Smith\/VIEWpress\/Getty Images) <\/figcaption><\/figure>\n<\/p><\/div>\n<\/header>\n<div class=\"single-article__content\">\n<div class=\"single-article__content-inner has-drop-cap\"> <html readability=\"50.84874818953\"><body readability=\"102.64873489856\"><\/p>\n<p>Microsoft threat researchers discovered a series of what they are calling \u201cdevice code\u201d phishing attacks that allowed a suspected Russia-aligned threat group to gain access to and steal data from critical infrastructure organizations, the company said in <a href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2025\/02\/13\/storm-2372-conducts-device-code-phishing-campaign\/\">research<\/a> released Thursday.<\/p>\n<p>The group, which Microsoft tracks as Storm-2372, has targeted governments, IT services and organizations operating in the telecom, health, higher education and energy sectors across Europe, North America, Africa and the Middle East.<\/p>\n<p>Microsoft observed attackers generating a legitimate device code sign-in request and then duping targeted users to input the code into a login page for productivity apps. By exploiting the device code authentication flow, Storm-2372 has gained access to targeted systems, captured authentication tokens and used those valid tokens to achieve lateral movement and steal data.<\/p>\n<p>\u201cThey\u2019ve been successful in these attacks, though Microsoft itself is not affected,\u201d Sherrod DeGrippo, director of threat intelligence strategy at Microsoft, said in a <a href=\"https:\/\/www.linkedin.com\/posts\/sherroddegrippo_link-to-our-microsoft-threat-intelligence-activity-7295995856317472768-FUDT?utm_source=share&utm_medium=member_desktop&rcm=ACoAAAC2xvMBLPggh7Z3PC8i4V4yQ0JB56a2MlM\">video summarizing the report\u2019s findings<\/a>.<\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>Microsoft declined to answer questions about the threat intelligence and did not say how many accounts or organizations have been impacted by the campaign, which started in August 2024.<\/p>\n<p>Storm-2372 likely set phishing lures by targeting potential victims via messaging apps, such as Microsoft Teams, WhatsApp and Signal. Microsoft observed attackers posing as a person of importance to develop false rapport with targets before sending follow-up phishing emails disguised as Microsoft Teams meeting invitations.<\/p>\n<p>The fake Teams meeting invitations have tricked targets to complete a device code authentication request with the code Storm-2372 included as the phony meeting ID. According to Microsoft, this attack chain has allowed Storm-2372 to gain initial access to victim accounts, enabling attackers to use the valid session for lateral movement within the compromised network.<\/p>\n<p>Researchers observed attackers sending intra-organizational phishing emails with device code authentication requests from the compromised account to other users, furthering the scope of access across the network. <\/p>\n<p>The suspected Russian nation-state threat group also used Microsoft Graph to scrape emails and search for messages containing keywords, including username, password, admin, teamviewer, anydesk, credentials, secret, ministry and gov. \u201cMicrosoft then observed email exfiltration via Microsoft Graph of the emails found from these searches,\u201d the report said.<\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>Microsoft said Storm-2372\u2019s techniques could enable persistent access as long as the tokens remain valid. <\/p>\n<p>The Storm taxonomy is a temporary designation Microsoft attributes to unknown or emerging clusters of threat activity. Microsoft Threat Intelligence Center has a medium-level of confidence that Storm-2372 aligns with Russia\u2019s interests.<\/p>\n<p>Storm-2372\u2019s activities overlap with other threat groups using similar techniques but appear to be distinct from those groups. In late January, Volexity researchers spotted a trio of Russian nation-state threat groups using device code phishing attacks to gain access to highly targeted Microsoft 365 accounts. <\/p>\n<p>Volexity observed unique post-exploitation activities across these attacks, but all of the compromises were linked to device code authentication phishing lures, the threat intelligence company said in <a href=\"https:\/\/www.volexity.com\/blog\/2025\/02\/13\/multiple-russian-threat-actors-targeting-microsoft-device-code-authentication\/\">research<\/a> released Thursday.<\/p>\n<p>Volexity attributes with medium confidence one of the Russia-based threat group\u2019s activities to Midnight Blizzard, a group it tracks as CozyLarch. Researchers acknowledge the activity could all be attributed to the same threat group, but due to variances in operations they are tracking the other clusters of activity as UTA0304 and UTA0307.<\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>In one highly targeted attack on a Volexity customer, an attacker claiming to be a high-ranking official from the Ministry of Defense of Ukraine contacted the victim on Signal and then sent an email designed to look like an invite for a chat on the messaging app Element.<\/p>\n<p>Volexity researchers determined the attacker then duped the victim into clicking a link in an email feigned to be an invite for a secure chat room, but instead it prompted the victim to generate a device code that provided the attacker access to the victim\u2019s account.<\/p>\n<p><\/body> <\/p>\n<footer class=\"single-article__footer\" readability=\"3.9943820224719\">\n<div class=\"author-card\" readability=\"14\">\n<div class=\"author-card__avatar\">\n<figure class=\"author-card__image-wrap\"> <img data-recalc-dims=\"1\" decoding=\"async\" class=\"author-card__image\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2025\/02\/threat-researchers-spot-device-code-phishing-attacks-targeting-microsoft-accounts-1.jpg?w=640&ssl=1\" alt=\"Matt Kapko\"> <\/figure>\n<\/p><\/div>\n<p><h4 class=\"author-card__name\">Written by Matt Kapko<\/h4>\n<p> Matt Kapko is a reporter at CyberScoop. His beat includes cybercrime, ransomware, software defects and vulnerability (mis)management. The lifelong Californian started his journalism career in 2001 with previous stops at Cybersecurity Dive, CIO, SDxCentral and RCR Wireless News. Matt has a degree in journalism and history from Humboldt State University. <\/p>\n<\/p><\/div>\n<div class=\"single-article__tags-container\">\n<h4 class=\"single-article__tags-title\">In This Story<\/h4>\n<\/p><\/div>\n<\/footer>\n<p> <\/html><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"single-article__ads js-single-article-sidebar\">\n<div class=\"ad ad--sidebar js-single-article-sidebar-5 ad--rightrail_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div class=\"ad ad--sidebar js-single-article-sidebar-4 ad--rightrail_2 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div class=\"ad ad--sidebar js-single-article-sidebar-3 ad--rightrail_3 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div><\/div>\n<\/article>\n<div class=\"popular-stories popular-stories--single-post\">\n<div class=\"popular-stories__container\">\n<h2 class=\"popular-stories__title\"> More Scoops <\/h2>\n<p>  <\/div>\n<p>\n<\/div>\n<p> <\/p>\n<section class=\"latest-podcasts\">\n<h2 class=\"latest-podcasts__title\"> Latest Podcasts\t<\/h2>\n<\/section>\n<div class=\"top-categories\">\n<div class=\"top-categories__container\">\n<h3 class=\"top-categories__category-title\">Government<\/h3>\n<\/p><\/div>\n<div class=\"top-categories__container\">\n<h3 class=\"top-categories__category-title\">Technology<\/h3>\n<\/p><\/div>\n<\/p><\/div>\n<p> <\/main> <\/p>\n<div class=\"ad ad--bottom \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div id=\"interstitial\" class=\"welcome__container\"> <button id=\"close-modal-1\" class=\"welcome__clickable_area\"><\/button> <\/p>\n<div class=\"welcome__ad_wrapper\">\n<p> <button id=\"close-modal-3\" class=\"welcome__continue-button\">Continue to CyberScoop<\/button> <\/p>\n<\/p><\/div>\n<\/p><\/div>\n<p>   <\/body> <a href=\"https:\/\/cyberscoop.com\/russia-threat-groups-device-code-phishing-microsoft-accounts\/\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Threat researchers spot \u2018device code\u2019 phishing attacks targeting Microsoft accounts<\/p>\n","protected":false},"author":11,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[78,625,60,256,270,49,288,3713],"tags":[86,630,67,262,276,57,294,3714],"class_list":["post-7339","post","type-post","status-publish","format-standard","hentry","category-cybersecurity","category-microsoft","category-phishing","category-research","category-russia","category-threat-intelligence","category-threats","category-volexity","tag-cybersecurity","tag-microsoft","tag-phishing","tag-research","tag-russia","tag-threat-intelligence","tag-threats","tag-volexity"],"featured_image_urls":{"full":"","thumbnail":"","medium":"","medium_large":"","large":"","1536x1536":"","2048x2048":"","chromenews-featured":"","chromenews-large":"","chromenews-medium":""},"author_info":{"display_name":"Cyber Scoop","author_link":"https:\/\/ddi.mohflo.net\/index.php\/author\/cyberscoop\/"},"category_info":"<a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/cybersecurity\/\" rel=\"category tag\">Cybersecurity<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/microsoft\/\" rel=\"category tag\">Microsoft<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/phishing\/\" rel=\"category tag\">phishing<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/research\/\" rel=\"category tag\">Research<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/russia\/\" rel=\"category tag\">Russia<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/threat-intelligence\/\" rel=\"category tag\">Threat Intelligence<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/threats\/\" rel=\"category tag\">Threats<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/volexity\/\" rel=\"category tag\">Volexity<\/a>","tag_info":"Volexity","comment_count":"0","jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/7339","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/users\/11"}],"replies":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/comments?post=7339"}],"version-history":[{"count":0,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/7339\/revisions"}],"wp:attachment":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/media?parent=7339"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/categories?post=7339"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/tags?post=7339"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}

{"id":7339,"date":"2025-02-14T15:32:33","date_gmt":"2025-02-14T21:32:33","guid":{"rendered":"https:\/\/cyberscoop.com\/?p=83517"},"modified":"2025-02-14T15:32:33","modified_gmt":"2025-02-14T21:32:33","slug":"threat-researchers-spot-device-code-phishing-attacks-targeting-microsoft-accounts","status":"publish","type":"post","link":"https:\/\/ddi.mohflo.net\/index.php\/2025\/02\/14\/threat-researchers-spot-device-code-phishing-attacks-targeting-microsoft-accounts\/","title":{"rendered":"Threat researchers spot \u2018device code\u2019 phishing attacks targeting Microsoft accounts"},"content":{"rendered":"