Microsoft: Russian-Linked Hackers Using 'Device Code Phishing' to Hijack Accounts

Feb 14, 2025 | Ravie Lakshmanan | Enterprise Security / Cyber Attack

Microsoft is calling attention to an emerging threat cluster it tracks as Storm-2372, which has been linked to a wave of cyberattacks aimed at a variety of industries since August 2024.

The attacks have targeted government, non-governmental organizations (NGOs), information technology (IT) services and technology, defense, telecommunications, health, higher education, and energy/oil and gas sectors in Europe, North America, Africa, and the Middle East.

The threat actor, assessed with medium confidence to be aligned with Russian interests on the basis of its victimology and tradecraft, has been observed approaching users via messaging apps such as WhatsApp, Signal, and Microsoft Teams, falsely claiming to be a prominent person relevant to the target in an attempt to build trust.

According to a new report from Microsoft Threat Intelligence, "The attacks use a specific phishing technique called 'device code phishing' that tricks users to log into productivity apps while Storm-2372 actors capture the information from the log in (tokens) that they can use to then access compromised accounts."

The goal of the technique is to use the verification codes to gain access to targeted accounts, abuse that access to obtain sensitive data, and retain access to the victim environment for as long as the captured tokens remain valid.

Microsoft said the attack involves sending phishing emails that appear to be Microsoft Teams meeting invitations. When clicked, they ask recipients to authenticate using a device code generated by the threat actor, who has started an OAuth 2.0 device authorization flow in advance, allowing the adversary to hijack the authenticated session through the access token that the flow issues.

During the attack, the threat actor "tricks the target into entering it into a legitimate sign-in page," according to Microsoft, "it" being the attacker-generated device code. "This grants the actor access and enables them to capture the authentication—access and refresh—tokens that are generated, then use those tokens to access the target's accounts and data."

The phished tokens can then be used, without a password, to access other services for which the user already holds permissions, such as email or cloud storage.
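To make the mechanism concrete, below is a small model of the OAuth 2.0 device authorization grant that device code phishing abuses, with both sides of the exchange: the attacker playing the "device" that starts the flow and polls for tokens, and the victim approving the code on the genuine sign-in page. This is an added example written for this article, not code from Microsoft's report or from the actor's tooling; the authorization server is a toy, and the client ID, the scopes, the victim address and the 900-second code lifetime (the value Microsoft Entra returns as expires_in) are assumptions.

```python
import secrets
from dataclasses import dataclass

# Real endpoint the lure points the victim at; everything else here is a local toy model.
VERIFICATION_URI = "https://microsoft.com/devicelogin"
# Assumed lifetime: Microsoft Entra returns expires_in = 900 for a device code, so the
# victim has to act on the lure inside this window for the attacker to get anything.
DEVICE_CODE_TTL = 900


class Clock:
    """Manual clock so a run can fast-forward past the code's lifetime."""
    def __init__(self):
        self.t = 0

    def advance(self, seconds):
        self.t += seconds


@dataclass
class Pending:
    device_code: str      # secret handle held by whoever started the flow (here: the attacker)
    user_code: str        # short code shown in the lure and typed by the victim
    client_id: str
    scope: str
    issued_at: int
    approved_by: str = ""  # set once a signed-in user approves the user_code


class AuthorizationServer:
    """Toy identity provider. It never learns who holds device_code; it only records that some
    authenticated user approved the matching user_code, then answers the next poll with tokens."""

    def __init__(self, clock):
        self.clock = clock
        self.pending = {}     # device_code -> Pending
        self.user_codes = {}  # user_code -> device_code
        self.access = {}      # access_token -> (user, scope)
        self.refresh = {}     # refresh_token -> (user, scope, client_id)

    def device_authorization(self, client_id, scope):
        """POST /devicecode: anyone with a public client_id can start this; no user is involved yet."""
        dc, uc = secrets.token_urlsafe(32), secrets.token_hex(4).upper()
        self.pending[dc] = Pending(dc, uc, client_id, scope, self.clock.t)
        self.user_codes[uc] = dc
        return {"device_code": dc, "user_code": uc, "verification_uri": VERIFICATION_URI,
                "expires_in": DEVICE_CODE_TTL, "interval": 5}

    def _expired(self, p):
        return self.clock.t - p.issued_at > DEVICE_CODE_TTL

    def approve(self, user_code, signed_in_user):
        """The victim, already signed in (MFA included) on the genuine page, types the code."""
        p = self.pending.get(self.user_codes.get(user_code, ""))
        if p is None or self._expired(p):
            return False
        p.approved_by = signed_in_user
        return True

    def token(self, device_code):
        """POST /token, grant_type=device_code: the poller, not the victim's browser, gets the tokens."""
        p = self.pending.get(device_code)
        if p is None:
            return {"error": "invalid_grant"}
        if self._expired(p):
            self._forget(p)
            return {"error": "expired_token"}
        if not p.approved_by:
            return {"error": "authorization_pending"}
        self._forget(p)
        return self._issue(p.approved_by, p.scope, p.client_id)

    def refresh_grant(self, refresh_token):
        """Refresh tokens renew access with no password and no new MFA prompt; single-use here."""
        entry = self.refresh.pop(refresh_token, None)
        if entry is None:
            return {"error": "invalid_grant"}
        return self._issue(*entry)

    def resource_owner_of(self, access_token):
        """What an API such as Microsoft Graph learns when it validates the bearer token."""
        return self.access.get(access_token, (None, None))[0]

    def _forget(self, p):
        del self.pending[p.device_code]
        del self.user_codes[p.user_code]

    def _issue(self, user, scope, client_id):
        at, rt = secrets.token_urlsafe(24), secrets.token_urlsafe(24)
        self.access[at] = (user, scope)
        self.refresh[rt] = (user, scope, client_id)
        return {"access_token": at, "refresh_token": rt, "token_type": "Bearer", "scope": scope}


def simulate_attack(victim_delay, victim="victim@example.gov"):
    """Attacker starts the flow, mails the user_code in a fake Teams invite, the victim approves it
    victim_delay seconds later, the attacker polls. Returns (account the tokens unlock, response)."""
    clock = Clock()
    idp = AuthorizationServer(clock)
    grant = idp.device_authorization("attacker-chosen-public-client", "Mail.Read User.Read")
    idp.token(grant["device_code"])                      # -> authorization_pending: nothing to take yet
    clock.advance(victim_delay)
    idp.approve(grant["user_code"], victim)              # lure succeeded: code typed into the real page
    resp = idp.token(grant["device_code"])               # attacker collects whatever was issued
    if "access_token" not in resp:
        return None, resp
    renewed = idp.refresh_grant(resp["refresh_token"])   # later: extend access without re-phishing
    return idp.resource_owner_of(renewed["access_token"]), renewed
```

The point the model makes: the server binds the approval to the user_code and hands tokens to whoever presents the matching device_code. The victim never sees a token, the sign-in page really is Microsoft's, and any MFA prompt is satisfied by the victim, so nothing in the victim's experience looks wrong. The only constraint on the attacker is that the lure must be acted on before the code expires; a late approval yields expired_token and the actor has to start over.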

Microsoft said the hijacked session is also used to move laterally, by sending similar intra-organizational phishing messages to other users from the compromised account, and that the Microsoft Graph API is used to search through the breached account's messages.

"The threat actor was using keyword searching to view messages containing words such as username, password, admin, teamviewer, anydesk, credentials, secret, ministry, and gov," Redmond said, adding that emails matching these filter criteria were then exfiltrated to the threat actor.
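The post-compromise activity described above leaves traces in two sources most Microsoft 365 tenants can already collect: Entra ID sign-in logs, which record which authentication flow a sign-in used, and Microsoft Graph activity logs, which record the requests an application makes on a user's behalf. The following is an added example written for this article, not Microsoft's hunting guidance or any published query: it correlates constructed sample records, whose field names are modelled on those two logs (an assumption; real exports carry more fields and differ in shape), and flags accounts whose device-code sign-in is followed by a mailbox search for the terms Microsoft listed.

```python
import json
import re
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlsplit

# Search terms Microsoft reported Storm-2372 running against compromised mailboxes.
KEYWORDS = {"username", "password", "admin", "teamviewer", "anydesk",
            "credentials", "secret", "ministry", "gov"}
WINDOW = timedelta(hours=24)  # how long after a device-code sign-in a search counts as related

# Constructed sample records, not real telemetry. Field names are an assumption modelled on
# Entra ID sign-in logs (authenticationProtocol == "deviceCode" marks the device code flow)
# and on Microsoft Graph activity logs (one record per request, with its URI and method).
SIGNIN_LOGS = [
    '{"createdDateTime":"2025-02-10T09:02:11Z","userPrincipalName":"a.novak@example.gov",'
    '"authenticationProtocol":"deviceCode","ipAddress":"203.0.113.7","appDisplayName":"Example CLI"}',
    '{"createdDateTime":"2025-02-10T09:15:40Z","userPrincipalName":"b.ito@example.gov",'
    '"authenticationProtocol":"none","ipAddress":"198.51.100.20","appDisplayName":"Microsoft Teams"}',
    '{"createdDateTime":"2025-02-11T13:00:02Z","userPrincipalName":"c.diaz@example.gov",'
    '"authenticationProtocol":"deviceCode","ipAddress":"198.51.100.44","appDisplayName":"Example CLI"}',
]
GRAPH_LOGS = [
    '{"createdDateTime":"2025-02-10T09:05:30Z","userPrincipalName":"a.novak@example.gov","requestMethod":"GET",'
    '"requestUri":"https://graph.microsoft.com/v1.0/me/messages?$search=%22password%20OR%20anydesk%22&$top=50",'
    '"ipAddress":"203.0.113.7"}',
    '{"createdDateTime":"2025-02-10T09:06:10Z","userPrincipalName":"a.novak@example.gov","requestMethod":"POST",'
    '"requestUri":"https://graph.microsoft.com/v1.0/me/sendMail","ipAddress":"203.0.113.7"}',
    '{"createdDateTime":"2025-02-10T10:20:00Z","userPrincipalName":"b.ito@example.gov","requestMethod":"GET",'
    '"requestUri":"https://graph.microsoft.com/v1.0/me/messages?$search=%22quarterly%20budget%22",'
    '"ipAddress":"198.51.100.20"}',
    '{"createdDateTime":"2025-02-11T13:01:00Z","userPrincipalName":"c.diaz@example.gov","requestMethod":"GET",'
    '"requestUri":"https://graph.microsoft.com/v1.0/me/profile","ipAddress":"198.51.100.44"}',
]


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def device_code_signins(lines):
    """Every sign-in that used the device code flow: (user, time, source IP)."""
    out = []
    for rec in map(json.loads, lines):
        if rec.get("authenticationProtocol") == "deviceCode":
            out.append((rec["userPrincipalName"], _ts(rec["createdDateTime"]), rec.get("ipAddress")))
    return out


def keyword_searches(lines):
    """Graph mailbox searches whose $search text contains any of the reported terms."""
    out = []
    for rec in map(json.loads, lines):
        url = urlsplit(rec["requestUri"])
        if not url.path.endswith("/messages"):
            continue
        for query in parse_qs(url.query).get("$search", []):   # parse_qs already URL-decodes
            hits = KEYWORDS & set(re.findall(r"[a-z]+", query.lower()))
            if hits:
                out.append((rec["userPrincipalName"], _ts(rec["createdDateTime"]), hits))
    return out


def outbound_mail(lines):
    """sendMail calls: the vehicle for the intra-organizational phishing wave."""
    return [(rec["userPrincipalName"], _ts(rec["createdDateTime"]))
            for rec in map(json.loads, lines)
            if rec.get("requestMethod") == "POST" and urlsplit(rec["requestUri"]).path.endswith("/sendMail")]


def correlate(signin_lines, graph_lines):
    """Accounts whose device-code sign-in is followed within WINDOW by a credential-hunting search,
    with the matched terms and the number of mails sent from the account in the same window."""
    searches, sends = keyword_searches(graph_lines), outbound_mail(graph_lines)
    findings = {}
    for user, t0, ip in device_code_signins(signin_lines):
        in_window = lambda t: t0 <= t <= t0 + WINDOW
        terms = sorted({k for u, t, hits in searches if u == user and in_window(t) for k in hits})
        if terms:
            findings[user] = {
                "signin_ip": ip,
                "terms": terms,
                "mails_sent_after": sum(1 for u, t in sends if u == user and in_window(t)),
            }
    return findings
```

A device-code sign-in on its own is only a hunting lead, since the flow is legitimately used by command-line tools and input-constrained devices; that is why device_code_signins is exposed separately and the alert in correlate requires the follow-on mailbox search. In the constructed data, a.novak is flagged (device-code sign-in, then a search for "password OR anydesk" and one sendMail), while c.diaz signed in with a device code but did nothing suspicious afterwards and is left alone.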

To mitigate the risk posed by such attacks, organizations are recommended to enable phishing-resistant multi-factor authentication (MFA) wherever possible and to follow the principle of least privilege. One caveat applies: because the victim completes the sign-in, including any MFA challenge, on Microsoft's genuine page, MFA by itself does not prevent the tokens from being issued to the attacker. Where the device code flow is not needed, blocking it with a Conditional Access policy removes the avenue entirely, and revoking the refresh tokens of any account that used the flow suspiciously ensures the stolen access does not outlive the incident.
