Microsoft has recently issued guidance on a series of cyberattacks using "device code phishing" techniques.
What is device code phishing?
Device code phishing exploits "device code flow," a form of authentication formalised in the industry-wide OAuth standard.
These attacks trick users into completing a legitimate device code sign-in that the attacker initiated: the user authenticates to a genuine cloud application, but the resulting login tokens are issued to, and captured by, the attacker. This allows attackers to access the target's accounts and data and subsequently move laterally within the environment to other services, such as cloud storage or email, without needing a password. The threat actor retains access for as long as the tokens remain valid.
How is this different from normal phishing attacks?
Traditional phishing relies on capturing usernames and passwords, which can then be reused by the attacker. This can be mitigated by enforcing multi-factor authentication (MFA) and conditional access policies.
In contrast, device code phishing uses a captured post-authentication token, so the attacker does not need to satisfy conditional access requirements or provide MFA to access the victim's account; the victim has already done so.
Who is using these techniques?
While vendors have identified device code flow exploitation as a potential vulnerability for several years, Microsoft's latest report confirms that this is now being actively exploited in the wild, highlighting the need for businesses to take it seriously and review mitigation measures.
Microsoft has attributed this recent campaign to Storm-2372, a suspected nation-state actor working towards Russian state interests.
Storm-2372 has notably used device code phishing to compromise targets of interest, including government, IT services and technology, telecommunications, health, and energy/oil and gas sectors in Europe, North America, Africa, and the Middle East.
Evidence suggests Storm-2372 has been using this technique since August 2024.
What can I do to protect against this?
While this phishing technique attempts to evade traditional MFA protections, Microsoft recommends several best practices:
- Educate users: Inform users about common phishing techniques. The effectiveness of the attacks is, in large part, the result of the ambiguity in the user interface of the device code authorisation process. Sign-in prompts should clearly identify the application being authenticated to.
- Implement a sign-in risk policy: Consider automating responses to risky sign-ins. A sign-in risk represents the probability that a given authentication request isn't authorised by the identity owner.
- Use phishing-resistant authentication: Leverage methods such as Microsoft Authenticator with passkey, or FIDO2 ("Fast IDentity Online 2") hardware tokens.
- Practice the principle of least privilege: Audit privileged account activity in your Entra ID environments to slow and stop attackers.
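The "sign-in risk" and "least privilege" points above both come down to looking at device code sign-ins in the sign-in logs before an attacker's token is used. The script below is an added example, not part of Microsoft's guidance: it reads a newline-delimited JSON export of Entra ID sign-in logs, flags every successful sign-in completed through the device code flow, and raises the severity when Identity Protection already rated the sign-in risky or the country differs from the user's usual sign-in locations. The field names (AuthenticationProtocol, OriginalTransferMethod, RiskLevelDuringSignIn, ResultType, Location) follow the Log Analytics SigninLogs schema as I understand it and should be checked against your own export; the log records are constructed for the example.

```python
"""Hunt for device code flow sign-ins in an Entra ID sign-in log export.

Added example for this article, not Microsoft's code. Field names follow the
Log Analytics SigninLogs schema as I understand it; verify against your export.
"""
import json
from collections import defaultdict

# Constructed sample export, one JSON record per line. Not real sign-ins:
# users, IPs, countries and times are placeholders.
SAMPLE_SIGNIN_LOGS = """\
{"TimeGenerated": "2025-02-13T08:02:11Z", "UserPrincipalName": "alice@example.com", "AppDisplayName": "Microsoft Teams", "AuthenticationProtocol": "none", "OriginalTransferMethod": "none", "IPAddress": "198.51.100.10", "Location": "GB", "RiskLevelDuringSignIn": "none", "ResultType": "0"}
{"TimeGenerated": "2025-02-13T08:40:55Z", "UserPrincipalName": "alice@example.com", "AppDisplayName": "Office 365 Exchange Online", "AuthenticationProtocol": "none", "OriginalTransferMethod": "none", "IPAddress": "198.51.100.10", "Location": "GB", "RiskLevelDuringSignIn": "none", "ResultType": "0"}
{"TimeGenerated": "2025-02-13T14:17:03Z", "UserPrincipalName": "alice@example.com", "AppDisplayName": "Microsoft Office", "AuthenticationProtocol": "deviceCode", "OriginalTransferMethod": "deviceCodeFlow", "IPAddress": "203.0.113.77", "Location": "DE", "RiskLevelDuringSignIn": "none", "ResultType": "0"}
{"TimeGenerated": "2025-02-13T15:02:40Z", "UserPrincipalName": "bob@example.com", "AppDisplayName": "Azure CLI", "AuthenticationProtocol": "deviceCode", "OriginalTransferMethod": "deviceCodeFlow", "IPAddress": "198.51.100.22", "Location": "GB", "RiskLevelDuringSignIn": "none", "ResultType": "0"}
{"TimeGenerated": "2025-02-13T15:30:12Z", "UserPrincipalName": "carol@example.com", "AppDisplayName": "Microsoft Office", "AuthenticationProtocol": "deviceCode", "OriginalTransferMethod": "deviceCodeFlow", "IPAddress": "203.0.113.9", "Location": "GB", "RiskLevelDuringSignIn": "medium", "ResultType": "0"}
{"TimeGenerated": "2025-02-13T15:31:50Z", "UserPrincipalName": "dave@example.com", "AppDisplayName": "Microsoft Office", "AuthenticationProtocol": "deviceCode", "OriginalTransferMethod": "deviceCodeFlow", "IPAddress": "203.0.113.9", "Location": "GB", "RiskLevelDuringSignIn": "none", "ResultType": "50126"}
"""


def parse_signin_logs(text):
    """Parse a newline-delimited JSON export into a list of dict records."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def is_device_code_signin(record):
    """True when the sign-in was completed through the device code flow."""
    return (record.get("AuthenticationProtocol") == "deviceCode"
            or record.get("OriginalTransferMethod") == "deviceCodeFlow")


def baseline_locations(records):
    """Countries each user signed in from successfully WITHOUT device code.

    A crude 'normal' to judge device code sign-ins against; a real hunt would
    build it over a longer window than the export that triggered the review.
    """
    seen = defaultdict(set)
    for r in records:
        if r.get("ResultType") == "0" and not is_device_code_signin(r):
            seen[r["UserPrincipalName"]].add(r.get("Location"))
    return seen


def hunt_device_code_signins(records):
    """Return one finding per successful device code sign-in.

    Severity is 'high' when the sign-in was already rated risky or came from a
    country outside the user's baseline; otherwise 'review', because device
    code sign-ins are legitimate for CLI tools on headless hosts and need eyes
    rather than an automatic alert.
    """
    baseline = baseline_locations(records)
    findings = []
    for r in records:
        if not is_device_code_signin(r):
            continue
        if r.get("ResultType") != "0":
            continue  # sign-in failed: no token was issued, nothing to revoke
        user = r["UserPrincipalName"]
        risk = r.get("RiskLevelDuringSignIn", "none")
        known = baseline.get(user, set())
        location_anomaly = bool(known) and r.get("Location") not in known
        reasons = []
        if risk != "none":
            reasons.append(f"sign-in risk level {risk}")
        if location_anomaly:
            reasons.append(f"location {r.get('Location')} not in baseline {sorted(known)}")
        if not known:
            reasons.append("no non-device-code baseline for this user")
        findings.append({
            "time": r["TimeGenerated"],
            "user": user,
            "app": r.get("AppDisplayName"),
            "ip": r.get("IPAddress"),
            "severity": "high" if (risk != "none" or location_anomaly) else "review",
            "reasons": reasons,
        })
    return findings


if __name__ == "__main__":
    for f in hunt_device_code_signins(parse_signin_logs(SAMPLE_SIGNIN_LOGS)):
        print(f"[{f['severity']:6}] {f['time']} {f['user']} via {f['app']} "
              f"from {f['ip']}: {'; '.join(f['reasons'])}")
```

Run against the constructed records it reports alice's sign-in from outside her baseline and carol's risky sign-in as high, bob's device code sign-in with no baseline as review, and skips dave's failed attempt. The same filter (AuthenticationProtocol equals deviceCode) is the condition you would put in a scheduled query or a sign-in risk policy rather than a one-off script.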
If you suspect device code phishing, revoke the affected user's refresh tokens and consider a conditional access policy that forces users to re-authenticate.
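The two containment steps above, as an added example rather than Microsoft's own code, expressed as Microsoft Graph requests: revoking the user's sign-in sessions invalidates the refresh tokens the attacker captured, and a per-user Conditional Access sign-in frequency of "every time" forces a full MFA sign-in on the next request. It also goes one step beyond the text with a tenant-wide policy that blocks the device code flow outright, created in report-only mode first. The endpoint paths and property names (users/{id}/revokeSignInSessions, identity/conditionalAccess/policies, conditions.authenticationFlows.transferMethods, sessionControls.signInFrequency) follow the Graph v1.0 schema as I understand it and should be verified against current documentation; the bearer token, the app permissions it carries and the user object IDs are assumed to be supplied by the caller.

```python
"""Contain a suspected device code phishing compromise via Microsoft Graph.

Added example for this article, not Microsoft's code. Graph endpoints and
property names are as I understand the v1.0 schema; verify before use. A
bearer token with User.ReadWrite.All and Policy.ReadWrite.ConditionalAccess
is assumed to be obtained separately.
"""
import json
import urllib.request

GRAPH = "https://graph.microsoft.com/v1.0"


def revoke_sessions_request(user):
    """Graph request that invalidates all of a user's refresh tokens.

    `user` may be the object ID or the UPN. Every refresh token the attacker
    captured fails at its next refresh; access tokens already issued live on
    until they expire, which is why the re-auth policy below also matters.
    """
    return {"method": "POST", "url": f"{GRAPH}/users/{user}/revokeSignInSessions", "body": None}


def _state(report_only):
    return "enabledForReportingButNotEnforced" if report_only else "enabled"


def force_reauth_policy(display_name, user_object_ids, report_only=True):
    """Conditional Access policy: full re-authentication on every sign-in for
    the listed users (includeUsers takes object IDs, not UPNs)."""
    return {
        "displayName": display_name,
        "state": _state(report_only),
        "conditions": {
            "users": {"includeUsers": list(user_object_ids)},
            "applications": {"includeApplications": ["All"]},
        },
        "sessionControls": {
            "signInFrequency": {
                "isEnabled": True,
                "frequencyInterval": "everyTime",
                "authenticationType": "primaryAndSecondaryAuthentication",
            }
        },
    }


def block_device_code_flow_policy(display_name, exclude_user_object_ids=(), report_only=True):
    """Conditional Access policy that blocks the device code flow tenant-wide.

    Start in report-only mode so legitimate device code users (CLI tools on
    headless hosts) show up in the sign-in logs; exclude those accounts
    explicitly before switching the policy to 'enabled'.
    """
    return {
        "displayName": display_name,
        "state": _state(report_only),
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeUsers": list(exclude_user_object_ids)},
            "applications": {"includeApplications": ["All"]},
            "authenticationFlows": {"transferMethods": "deviceCodeFlow"},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }


def policy_request(policy):
    return {"method": "POST", "url": f"{GRAPH}/identity/conditionalAccess/policies", "body": policy}


def send(request, bearer_token):
    """Execute one request; returns (HTTP status, parsed JSON body or None)."""
    data = json.dumps(request["body"]).encode() if request["body"] is not None else None
    req = urllib.request.Request(request["url"], data=data, method=request["method"])
    req.add_header("Authorization", f"Bearer {bearer_token}")
    req.add_header("Content-Type", "application/json")
    with urllib.request.urlopen(req) as resp:
        raw = resp.read()
        return resp.status, (json.loads(raw) if raw else None)


def respond(user_object_id, bearer_token=None):
    """Plan the containment steps for one user; execute them only with a token.

    Without a token this is a dry run returning the exact requests, so the
    responder can review them before anything touches the tenant.
    """
    plan = [
        revoke_sessions_request(user_object_id),
        policy_request(force_reauth_policy(
            "IR: re-authenticate after suspected device code phishing", [user_object_id])),
    ]
    if bearer_token is None:
        return plan
    return [send(r, bearer_token) for r in plan]


if __name__ == "__main__":
    # Placeholder object ID; replace with the affected user's ID from Entra.
    print(json.dumps(respond("00000000-0000-0000-0000-000000000000"), indent=2))
```

The dry run is deliberate: the revocation cannot be undone, and an "every time" sign-in frequency is disruptive enough that you want to see exactly which user it targets before it is created. Keep the tenant-wide device code block in report-only mode until the sign-in logs show which accounts use the flow legitimately.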