D

Microsoft Threat Intelligence Center discovered an active and successful device code phishing campaign by a threat actor we track as Storm-2372. Storm-2372’s targets include governments, NGOs, IT services and technology, defense, telecoms, health, higher education, and energy/oil and gas in Europe, North America, Africa, and the Middle East. Microsoft assesses with medium confidence that Storm-2372 aligns with Russian interests, victimology, and tradecraft. Our ongoing investigation indicates that this campaign has been active since August 2024, with the actor creating lures that resemble messaging app experiences including WhatsApp, Signal, and Microsoft Teams. In device code phishing, threat actors exploit the device code authentication flow to capture authentication tokens, which they then use to access target accounts, and further gain access to data and other services that the compromised account has access to. Read our research on the active threat represented by Storm-2372 and other threat actors exploiting device code phishing techniques, and get detection and mitigation guidance: https://t.co/D0FHTJVuGF