Russian State Hackers Exploit Device Code Phishing in Global Cyber Espionage Campaign
A wave of cyberattacks linked to Russian state-sponsored hackers is sweeping across key sectors, compromising government agencies, defense contractors, telecom firms, and other high-value organizations. Microsoft has identified a threat actor, tracked as Storm-2372 and assessed to be aligned with Russian state interests, that uses device code phishing to take over accounts and exfiltrate sensitive data.
This campaign, active since at least August 2024, has impacted organizations across North America, Europe, the Middle East, and Africa. Because the victim performs a genuine sign-in, including multi-factor authentication, on Microsoft's own login page, the technique slips past most phishing defenses and poses a significant risk to critical infrastructure and national security.
How Device Code Phishing Works
Device code authentication is a legitimate OAuth 2.0 flow (the device authorization grant) for signing in from devices that lack a browser or keyboard, such as smart TVs, printers, and IoT devices. The device requests a code from the identity provider, the user enters that code on a separate device at a verification page (for Microsoft accounts, microsoft.com/devicelogin), and once the user authenticates, the original device is issued tokens. Attackers exploit this by starting the flow themselves: they request a code, send it to the victim inside a convincing pretext, and wait. The moment the target enters the code and signs in on the legitimate page, the attacker's polling client receives the access and refresh tokens, granting unauthorized entry to the victim's email, cloud storage, and other sensitive systems. The user code is only valid for about 15 minutes, so the lure has to convince the target to act promptly.
Unlike traditional phishing, device code phishing captures no password; the victim types their password and MFA response into Microsoft's real sign-in page, and the attacker simply collects the resulting tokens. Access then lasts as long as those tokens remain valid, and a refresh token lets the attacker mint new access tokens without contacting the victim again. From there the attacker can read mail and files through the account and use it to phish colleagues, spreading further within the organization.
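The exchange described above, as an added example that is not part of the original article and not Microsoft's or Storm-2372's code: an in-memory stand-in for the authorization server implements the three steps of the device authorization grant (RFC 8628), the attacker drives steps 1 and 3, and the victim unknowingly performs step 2. The client ID, token strings and the FakeClock are placeholders; the 15-minute TTL matches the validity Microsoft assigns to user codes.

```python
"""Simulation of the OAuth 2.0 device authorization grant (RFC 8628) and the
way device code phishing abuses it. Added example, not Microsoft's or the
attacker's code: the authorization server is an in-memory stand-in for
login.microsoftonline.com, and the client ID and tokens are placeholders."""
import secrets
import string
import time

USER_CODE_TTL = 15 * 60  # Microsoft's user code is valid for roughly 15 minutes


class FakeClock:
    """Controllable clock so the expiry window can be exercised offline."""
    def __init__(self, t=1_000_000.0):
        self.t = t
    def __call__(self):
        return self.t
    def advance(self, seconds):
        self.t += seconds


class DeviceAuthServer:
    """Minimal in-memory authorization server implementing RFC 8628."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.flows = {}          # device_code -> flow state
        self.by_user_code = {}   # user_code -> device_code

    def device_authorization(self, client_id, scope):
        # Step 1 (the client, i.e. the attacker): POST /devicecode. The server
        # returns a secret device_code for polling and a short user_code that a
        # human types in at the verification URI.
        device_code = secrets.token_urlsafe(32)
        alphabet = string.ascii_uppercase + string.digits
        user_code = "".join(secrets.choice(alphabet) for _ in range(9))
        self.flows[device_code] = {
            "client_id": client_id, "scope": scope,
            "expires_at": self.clock() + USER_CODE_TTL,
            "approved_by": None, "consumed": False,
        }
        self.by_user_code[user_code] = device_code
        return {"device_code": device_code, "user_code": user_code,
                "verification_uri": "https://microsoft.com/devicelogin",
                "expires_in": USER_CODE_TTL, "interval": 5}

    def user_signs_in(self, user_code, upn, mfa_satisfied):
        # Step 2 (the victim): open the genuine verification URI, enter the
        # code from the lure, complete password and MFA. Nothing on this page
        # is attacker-controlled, which is why the lure looks legitimate.
        device_code = self.by_user_code.get(user_code)
        if device_code is None or self.clock() > self.flows[device_code]["expires_at"]:
            raise ValueError("invalid or expired code")
        if not mfa_satisfied:
            raise PermissionError("MFA required")
        self.flows[device_code]["approved_by"] = upn

    def token(self, device_code, client_id):
        # Step 3 (the client again): poll /token. Tokens go to whoever holds
        # device_code, regardless of who authenticated in step 2.
        flow = self.flows.get(device_code)
        if flow is None or flow["client_id"] != client_id or flow["consumed"]:
            return {"error": "invalid_grant"}
        if self.clock() > flow["expires_at"]:
            return {"error": "expired_token"}
        if flow["approved_by"] is None:
            return {"error": "authorization_pending"}
        flow["consumed"] = True
        return {"token_type": "Bearer", "scope": flow["scope"],
                "issued_to": flow["approved_by"],
                "access_token": "access." + secrets.token_hex(8),
                "refresh_token": "refresh." + secrets.token_hex(8)}


ATTACKER_CLIENT_ID = "00000000-0000-0000-0000-000000000000"  # placeholder public client


def phishing_scenario(server, victim_upn, victim_completes_mfa=True):
    """Attacker performs steps 1 and 3; the victim unknowingly performs step 2."""
    start = server.device_authorization(ATTACKER_CLIENT_ID,
                                        "openid offline_access Mail.Read")
    # The lure sent to the victim would read, e.g.: "Join the Teams meeting:
    # open <verification_uri> and enter code <user_code>".
    # The attacker polls while the lure is in flight; nothing is approved yet.
    pending = server.token(start["device_code"], ATTACKER_CLIENT_ID)
    assert pending == {"error": "authorization_pending"}
    # The victim follows the lure on the real Microsoft page, MFA included.
    server.user_signs_in(start["user_code"], victim_upn, victim_completes_mfa)
    # The next poll delivers the victim's access and refresh tokens to the attacker.
    return server.token(start["device_code"], ATTACKER_CLIENT_ID)


def expired_scenario(server, clock):
    """If the victim does not act within the TTL, the attacker gets nothing."""
    start = server.device_authorization(ATTACKER_CLIENT_ID, "openid")
    clock.advance(USER_CODE_TTL + 1)
    return server.token(start["device_code"], ATTACKER_CLIENT_ID)
```

Run `phishing_scenario(DeviceAuthServer(FakeClock()), "analyst@example.gov")` and note that the returned tokens are issued to the victim even though the victim completed MFA: the identity provider cannot tell that the polling client and the person who typed the code are different parties. The `offline_access` scope in the request is what yields the refresh token that keeps the access alive.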
The Tactics of Storm-2372
Microsoft's investigation reveals that Storm-2372 has been using highly targeted phishing emails, often disguised as Microsoft Teams meeting invitations, to lure victims into granting access. The group first builds rapport over WhatsApp, Signal, and Microsoft Teams, impersonating individuals of influence relevant to their targets. Once trust is established, the attackers send a fake meeting invitation containing a device code and instructions to enter it on Microsoft's sign-in page.
Upon successfully compromising an account, Storm-2372 abuses Microsoft Graph API to scan inboxes for sensitive keywords such as "username," "password," "admin," "credentials," "gov," and "secret." They also exfiltrate emails and use compromised accounts to launch further internal phishing attacks within the organization.
Since February 13, 2025, the group has refined its tactics. By running the device code flow with the client ID of Microsoft Authentication Broker, it obtains a refresh token that can be exchanged for a token to the Device Registration Service; with that, the attackers register a device they control in Entra ID and can then obtain a Primary Refresh Token for it, effectively planting a persistent backdoor into the compromised tenant. To avoid detection, Storm-2372 has also been observed routing its access through proxies in the victim's own region so the sign-ins blend in.
Connections to Other Russian Hacking Groups
Cybersecurity firm Volexity reports that device code phishing has been used to target high-profile entities, including the U.S. State Department, the Ukrainian Ministry of Defense, and the European Union Parliament. In addition to Storm-2372, three other Russia-linked hacking groups, APT29 (Cozy Bear), UTA0304, and UTA0307, have been observed using similar techniques.
While these actors are tracked separately, Volexity suggests they may be part of a single coordinated campaign, orchestrated to gather intelligence from Western governments and strategic institutions.
Mitigation Strategies: Protecting Against Device Code Phishing
Organizations must adopt proactive security measures to defend against this emerging threat. Here’s how:
1. Disable Device Code Authentication (If Not Needed)
If your organization does not rely on device code authentication, block it rather than merely hoping nobody uses it: Entra ID Conditional Access has an "Authentication flows" condition that can block the device code flow tenant-wide, with a scoped exception for the few accounts and applications (headless build hosts, CLI tooling) that genuinely need it.
2. Enable Multi-Factor Authentication (MFA)
Device code phishing does not bypass MFA; the victim satisfies it on the genuine sign-in page, so MFA alone will not stop this attack. Phishing-resistant methods such as hardware security keys are still worth deploying, because they defeat the password- and prompt-based attacks these actors otherwise fall back on, but treat them as a complement to blocking the flow, not a substitute.
3. Monitor for Unusual Authentication Requests
Entra ID sign-in logs record the protocol used for each sign-in, so device code sign-ins can be identified directly (authenticationProtocol = deviceCode). Alert on device code sign-ins by users or apps not expected to use the flow, on sign-ins from unfamiliar locations or IP ranges, on use of the Microsoft Authentication Broker client, and on new device registrations in Entra ID that follow such a sign-in. If an account is confirmed compromised, revoke its sign-in sessions so the attacker's refresh tokens stop working, and remove any device the attacker registered.
4. Educate Employees on Social Engineering
Since attackers use social platforms like WhatsApp and Signal to establish trust, organizations must train employees to recognize impersonation tactics and verify unexpected meeting requests.
5. Implement Conditional Access Policies
Restrict access based on device trust (compliant or hybrid-joined devices), geographic location, and sign-in risk to block suspicious sign-ins before they succeed. A device-trust requirement is particularly effective here: the token is issued to the attacker's polling client, which has no compliant device identity, so the request is denied even when the victim has approved the code.
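The monitoring guidance in step 3, run over sample sign-in events, as an added example that is not part of the original article and not Microsoft's detection content. The events are constructed newline-delimited JSON modeled on Entra sign-in log fields (authenticationProtocol, appId, ipAddress, location, resourceDisplayName), not real telemetry; the allowlisted app IDs are hypothetical. The Microsoft Authentication Broker application ID is the well-known first-party value. Three rules are applied: a device code sign-in by a (user, app) pair not on the allowlist, a device code sign-in from a country absent from that user's ordinary sign-ins, and an Authentication Broker device code sign-in followed shortly by a token for the Device Registration Service, the device-join persistence chain described under Storm-2372's tactics.

```python
"""Detection logic for device code phishing over Entra ID sign-in log events.
Added example, not Microsoft's detection content: the events below are
constructed to resemble Entra sign-in log fields and are not real telemetry;
the allowlisted app IDs are hypothetical."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# First-party application ID of Microsoft Authentication Broker. A device code
# sign-in through it, followed by a token for the Device Registration Service,
# is the device-join persistence pattern.
AUTH_BROKER_APP_ID = "29d9ed98-a469-4536-ade2-f981bc1d605e"
DEVICE_REGISTRATION_RESOURCE = "Device Registration Service"

# (user, appId) pairs expected to use device code flow, e.g. a CLI on a
# headless build host. Hypothetical values; populate from your own inventory.
KNOWN_DEVICE_CODE_CLIENTS = {
    ("svc-build@example.com", "11111111-1111-1111-1111-111111111111"),
}

# Constructed newline-delimited JSON, not real log data.
SAMPLE_SIGNIN_LOG = """\
{"createdDateTime":"2025-02-14T09:02:11Z","userPrincipalName":"svc-build@example.com","appId":"11111111-1111-1111-1111-111111111111","appDisplayName":"Build CLI","authenticationProtocol":"deviceCode","ipAddress":"203.0.113.10","location":{"countryOrRegion":"US"},"resourceDisplayName":"Microsoft Graph"}
{"createdDateTime":"2025-02-14T09:15:40Z","userPrincipalName":"analyst@example.com","appId":"22222222-2222-2222-2222-222222222222","appDisplayName":"Microsoft Teams","authenticationProtocol":"none","ipAddress":"203.0.113.22","location":{"countryOrRegion":"US"},"resourceDisplayName":"Microsoft Graph"}
{"createdDateTime":"2025-02-14T10:01:05Z","userPrincipalName":"analyst@example.com","appId":"29d9ed98-a469-4536-ade2-f981bc1d605e","appDisplayName":"Microsoft Authentication Broker","authenticationProtocol":"deviceCode","ipAddress":"198.51.100.7","location":{"countryOrRegion":"NL"},"resourceDisplayName":"Microsoft Graph"}
{"createdDateTime":"2025-02-14T10:03:30Z","userPrincipalName":"analyst@example.com","appId":"29d9ed98-a469-4536-ade2-f981bc1d605e","appDisplayName":"Microsoft Authentication Broker","authenticationProtocol":"none","ipAddress":"198.51.100.7","location":{"countryOrRegion":"NL"},"resourceDisplayName":"Device Registration Service"}
"""


def parse_signin_log(text):
    """Parse newline-delimited JSON sign-in events and return them oldest first."""
    events = [json.loads(line) for line in text.splitlines() if line.strip()]
    for e in events:
        e["_ts"] = datetime.strptime(e["createdDateTime"], "%Y-%m-%dT%H:%M:%SZ")
    return sorted(events, key=lambda e: e["_ts"])


def finding(rule, e):
    return {"rule": rule, "user": e["userPrincipalName"],
            "time": e["createdDateTime"], "ip": e.get("ipAddress"),
            "app": e.get("appDisplayName")}


def analyze(text, registration_window=timedelta(hours=1)):
    """Return a list of findings for the device code phishing patterns."""
    findings = []
    baseline_countries = defaultdict(set)  # user -> countries on ordinary sign-ins
    broker_device_code = {}                # user -> time of last broker device-code sign-in
    for e in parse_signin_log(text):
        user, proto = e["userPrincipalName"], e.get("authenticationProtocol")
        country = (e.get("location") or {}).get("countryOrRegion")
        when = e["_ts"]
        if proto != "deviceCode":
            # Ordinary sign-ins feed the location baseline. In production build
            # this from a longer history window rather than the same batch, or
            # the attacker's own later sign-ins will launder the baseline.
            baseline_countries[user].add(country)
            last = broker_device_code.get(user)
            if (e.get("resourceDisplayName") == DEVICE_REGISTRATION_RESOURCE
                    and last is not None and when - last <= registration_window):
                findings.append(finding("broker_then_device_registration", e))
            continue
        # Rule 1: device code flow from a (user, app) pair nobody expects to use it.
        if (user, e["appId"]) not in KNOWN_DEVICE_CODE_CLIENTS:
            findings.append(finding("unexpected_device_code", e))
        # Rule 2: device code sign-in from a country the user never signs in from.
        if baseline_countries[user] and country not in baseline_countries[user]:
            findings.append(finding("device_code_new_country", e))
        # Rule 3 (first half): remember broker device-code sign-ins for the chain check.
        if e["appId"] == AUTH_BROKER_APP_ID:
            broker_device_code[user] = when
    return findings
```

On the sample above, `analyze(SAMPLE_SIGNIN_LOG)` yields three findings, all for analyst@example.com: the build account's device code sign-in is allowlisted and stays silent, while the analyst's Authentication Broker sign-in from a new country trips the first two rules and the Device Registration Service token two minutes later trips the third. The same three conditions translate directly into a KQL query over the SigninLogs table if you run Microsoft Sentinel.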