{
	"id": "62305bda-1551-4c46-81c1-a3e20561359a",
	"created_at": "2026-04-06T00:15:34.131843Z",
	"updated_at": "2026-04-10T13:12:05.154573Z",
	"deleted_at": null,
	"sha1_hash": "0a3c05618b9a3176a1923973b71b8770cb844281",
	"title": "Storm-2372 conducts device code phishing campaign | Microsoft Security Blog",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 503613,
	"plain_text": "Storm-2372 conducts device code phishing campaign | Microsoft\r\nSecurity Blog\r\nBy Microsoft Threat Intelligence\r\nPublished: 2025-02-14 · Archived: 2026-04-05 12:54:33 UTC\r\nUPDATE (February 14, 2025): Within the past 24 hours, Microsoft has observed Storm-2372 shifting to using\r\nthe specific client ID for Microsoft Authentication Broker in the device code sign-in flow. More details below.\r\nExecutive summary:\r\nToday we’re sharing that Microsoft discovered cyberattacks being launched by a group we call Storm-2372, who\r\nwe assess with moderate confidence aligns with Russia’s interests and tradecraft. The attacks appear to have been\r\nongoing since August 2024 and have targeted governments, NGOs, and a wide range of industries in multiple\r\nregions. The attacks use a specific phishing technique called “device code phishing” that tricks users to log into\r\nproductivity apps while Storm-2372 actors capture the information from the log in (tokens) that they can use to\r\nthen access compromised accounts. These tokens are part of an industry standard and, while these phishing lures\r\nused Microsoft and other apps to trick users, they do not reflect an attack unique to Microsoft nor have we found\r\nany vulnerabilities in our code base enabling this activity.\r\nMicrosoft Threat Intelligence Center discovered an active and successful device code phishing campaign by a\r\nthreat actor we track as Storm-2372. Our ongoing investigation indicates that this campaign has been active since\r\nAugust 2024 with the actor creating lures that resemble messaging app experiences including WhatsApp, Signal,\r\nand Microsoft Teams. Storm-2372’s targets during this time have included government, non-governmental\r\norganizations (NGOs), information technology (IT) services and technology, defense, telecommunications, health,\r\nhigher education, and energy/oil and gas in Europe, North America, Africa, and the Middle East. 
Microsoft\r\nassesses with moderate confidence that Storm-2372 aligns with Russian interests, victimology, and tradecraft.  \r\nIn device code phishing, threat actors exploit the device code authentication flow to capture authentication tokens,\r\nwhich they then use to access target accounts, and further gain access to data and other services that the\r\ncompromised account has access to. This technique could enable persistent access as long as the tokens remain\r\nvalid, making this attack technique attractive to threat actors.\r\nThe phishing attack identified in this blog masquerades as Microsoft Teams meeting invitations delivered through\r\nemail. When targets click the meeting invitation, they are prompted to authenticate using a threat actor-generated\r\ndevice code. The actor then receives the valid access token from the user interaction, stealing the authenticated\r\nsession.\r\nBecause of the active threat represented by Storm-2372 and other threat actors exploiting device code phishing\r\ntechniques, we are sharing our latest research, detections, and mitigation guidance on this campaign to raise\r\nhttps://www.microsoft.com/en-us/security/blog/2025/02/13/storm-2372-conducts-device-code-phishing-campaign/\r\nPage 1 of 9\n\nawareness of the observed tactics, techniques, and procedures (TTPs), educate organizations on how to harden\r\ntheir attack surfaces, and disrupt future operations by this threat actor. 
Microsoft uses Storm designations as a\r\ntemporary name given to an unknown, emerging, or developing cluster of threat activity, allowing Microsoft to\r\ntrack it as a unique set of information until we reach high confidence about the origin or identity of the threat actor\r\nbehind the activity.\r\nMicrosoft Threat Intelligence Center continues to track campaigns launched by Storm-2372, and, when able,\r\ndirectly notifies customers who have been targeted or compromised, providing them with the necessary\r\ninformation to help secure their environments. Microsoft is also tracking other groups using similar techniques,\r\nincluding those documented by Volexity in their recent publication.\r\nHow does device code phishing work?\r\nA device code authentication flow is a numeric or alphanumeric code used to authenticate an account from an\r\ninput-constrained device that does not have the ability to perform an interactive authentication using a web flow\r\nand thus must perform this authentication on another device to sign-in. In device code phishing, threat actors\r\nexploit the device code authentication flow.\r\nDuring the attack, the threat actor generates a legitimate device code request and tricks the target into entering it\r\ninto a legitimate sign-in page. This grants the actor access and enables them to capture the authentication—access\r\nand refresh—tokens that are generated, then use those tokens to access the target’s accounts and data. The actor\r\ncan also use these phished authentication tokens to gain access to other services where the user has permissions,\r\nsuch as email or cloud storage, without needing a password. The threat actor continues to have access so long as\r\nthe tokens remain valid. The attacker can then use the valid access token to move laterally within the environment.\r\nFigure 1. 
Device code phishing attack cycle\r\nStorm-2372 phishing lure and access\r\nStorm-2372’s device code phishing campaign has been active since August 2024. Observed early activity indicates\r\nthat Storm-2372 likely targeted potential victims using third-party messaging services including WhatsApp,\r\nSignal, and Microsoft Teams, falsely posing as a prominent person relevant to the target to develop rapport before\r\nsending subsequent invitations to online events or meetings via phishing emails.\r\nFigure 2. Sample messages from the threat actor posing as a prominent person and building rapport\r\non Signal\r\nThe invitations lure the user into completing a device code authentication request emulating the experience of the\r\nmessaging service, which provides Storm-2372 initial access to victim accounts and enables Graph API data\r\ncollection activities, such as email harvesting.\r\nFigure 3. Example of lure used in phishing campaign\r\nOn the device code authentication page, the user is tricked into entering the code that the threat actor included as\r\nthe ID for the fake Teams meeting invitation.\r\nPost-compromise activity\r\nOnce the victim uses the device code to authenticate, the threat actor receives the valid access token. The threat\r\nactor then uses this valid session to move laterally within the newly compromised network by sending additional\r\nphishing messages containing links for device code authentication to other users through intra-organizational\r\nemails originating from the victim’s account.\r\nFigure 4. Legitimate device code authentication page\r\nAdditionally, Microsoft observed Storm-2372 using Microsoft Graph to search through messages of the account\r\nthey’ve compromised. 
The threat actor was using keyword searching to view messages containing words such as\r\nusername, password, admin, teamviewer, anydesk, credentials, secret, ministry, and gov. Microsoft then observed\r\nemail exfiltration via Microsoft Graph of the emails found from these searches.\r\nFebruary 14, 2025 update:\r\nWithin the past 24 hours, Microsoft has observed Storm-2372 shifting to using the specific client ID for Microsoft\r\nAuthentication Broker in the device code sign-in flow. Using this client ID enables Storm-2372 to receive a\r\nrefresh token that can be used to request another token for the device registration service, and then register an\r\nactor-controlled device within Entra ID. With the same refresh token and the new device identity, Storm-2372 is\r\nable to obtain a Primary Refresh Token (PRT) and access an organization’s resources. We have observed Storm-2372 using the connected device to collect emails.\r\nThe actor has also been observed to use proxies that are regionally appropriate for the targets, likely in an attempt\r\nto further conceal the suspicious sign-in activity.\r\nWhile many of the mitigations and queries listed below still apply in this scenario, alerts involving anomalous\r\ntoken or PRT activity surrounding close-in-time device registrations may also be a useful method for identifying\r\nthis shift in technique. Additionally, enrollment restrictions – limiting the user permissions that can enroll devices\r\ninto your Microsoft Entra ID environment – can also help to address this attack behavior.\r\nAttribution\r\nThe actor that Microsoft tracks as Storm-2372 is a suspected nation-state actor working toward Russian state\r\ninterests. It notably has used device code phishing to compromise targets of interest. 
Storm-2372 likely initially\r\napproaches targets through third-party messaging services, posing as a prominent individual relevant to the target\r\nto develop rapport before sending invites to online events or meetings. These invites lure the user into device code\r\nauthentication that grants initial access to Storm-2372 and enables Graph API data collection activities such as\r\nemail harvesting.\r\nStorm-2372 targets include government, NGOs, IT services and technology, defense, telecommunications, health,\r\nhigher education, and energy/oil and gas in Europe, North America, Africa, and the Middle East.\r\nMitigation and protection guidance\r\nTo harden networks against the Storm-2372 activity described above, defenders can implement the following:\r\nOnly allow device code flow where necessary. Microsoft recommends blocking device code flow wherever\r\npossible. Where necessary, configure Microsoft Entra ID’s device code flow in your Conditional Access\r\npolicies.\r\nEducate users about common phishing techniques. Sign-in prompts should clearly identify the application\r\nbeing authenticated to. As of 2021, Microsoft Azure interactions prompt the user to confirm (“Cancel” or\r\n“Continue”) that they are signing in to the app they expect, which is an option frequently missing from\r\nphishing sign-ins.\r\nIf suspected Storm-2372 or other device code phishing activity is identified, revoke the user’s refresh\r\ntokens by calling revokeSignInSessions. Consider setting a Conditional Access Policy to force re-authentication for users.\r\nImplement a sign-in risk policy to automate response to risky sign-ins. A sign-in risk represents the\r\nprobability that a given authentication request isn’t authorized by the identity owner. A sign-in risk-based\r\npolicy can be implemented by adding a sign-in risk condition to Conditional Access policies that evaluates\r\nthe risk level of a specific user or group. 
Based on the risk level (high/medium/low), a policy can be\r\nconfigured to block access or force multi-factor authentication.\r\nWhen a user is at high risk and Conditional access evaluation is enabled, the user’s access is\r\nrevoked, and they are forced to re-authenticate.\r\nFor regular activity monitoring, use Risky sign-in reports, which surface attempted and successful\r\nuser access activities where the legitimate owner might not have performed the sign-in. \r\nThe following best practices further help improve organizational defenses against phishing and other credential\r\ntheft attacks:\r\nRequire multifactor authentication (MFA). While certain attacks such as device code phishing attempt to\r\nevade MFA, implementation of MFA remains an essential pillar in identity security and is highly effective\r\nat stopping a variety of threats.\r\nLeverage phishing-resistant authentication methods such as FIDO Tokens, or Microsoft\r\nAuthenticator with passkey. Avoid telephony-based MFA methods to avoid risks associated with\r\nSIM-jacking.\r\nBlock legacy authentication with Microsoft Entra by using Conditional Access. Legacy\r\nauthentication protocols do not have the ability to enforce MFA, as legacy MFA (per-user MFA\r\nprompts) is susceptible to abuse.\r\nCentralize your organization’s identity management into a single platform. If your organization is a hybrid\r\nenvironment, integrate your on-premises directories with your cloud directories. If your organization is\r\nusing a third-party for identity management, ensure this data is being logged in a SIEM or connected to\r\nMicrosoft Entra to fully monitor for malicious identity access from a centralized location. 
The added\r\nbenefits to centralizing all identity data is to facilitate implementation of Single Sign On (SSO) and provide\r\nusers with a more seamless authentication process, as well as configure Entra ID’s machine learning\r\nmodels to operate on all identity data, thus learning the difference between legitimate access and malicious\r\naccess quicker and easier. It is recommended to synchronize all user accounts except administrative and\r\nhigh privileged ones when doing this to maintain a boundary between the on-premises environment and the\r\ncloud environment, in case of a breach.\r\nSecure accounts with credential hygiene: practice the principle of least privilege and audit privileged\r\naccount activity in your Entra ID environments to slow and stop attackers.\r\nMicrosoft Defender XDR detections\r\nMicrosoft Defender XDR customers can refer to the list of applicable detections below. Microsoft Defender XDR\r\ncoordinates detection, prevention, investigation, and response across endpoints, identities, email, apps to provide\r\nintegrated protection against attacks like the threat discussed in this blog.\r\nCustomers with provisioned access can also use Microsoft Security Copilot in Microsoft Defender to investigate\r\nand respond to incidents, hunt for threats, and protect their organization with relevant threat intelligence.\r\nMicrosoft Defender for Office 365\r\nMicrosoft Defender for Office 365 detects malicious emails, HTML files, and other threat components associated\r\nwith this attack.\r\nMicrosoft Entra ID Protection\r\nThe following Microsoft Entra ID Protection risk detections inform Entra ID user risk events and can indicate\r\nassociated threat activity, including unusual user activity consistent with known attack patterns identified by\r\nMicrosoft Threat Intelligence research:\r\nActivity from Anonymous IP address (RiskEventType: anonymizedIPAddress)\r\nMicrosoft Entra threat intelligence (sign-in): (RiskEventType: 
investigationsThreatIntelligence)\r\nHunting queries\r\nMicrosoft Defender XDR\r\nThe following query can help identify possible device code phishing attempts:\r\nlet suspiciousUserClicks = materialize(UrlClickEvents\r\n| where ActionType in (\"ClickAllowed\", \"UrlScanInProgress\", \"UrlErrorPage\") or IsClickedThrough\r\n!= \"0\"\r\n| where UrlChain has_any (\"microsoft.com/devicelogin\",\r\n\"login.microsoftonline.com/common/oauth2/deviceauth\")\r\n| extend AccountUpn = tolower(AccountUpn)\r\n| project ClickTime = Timestamp, ActionType, UrlChain, NetworkMessageId, Url, AccountUpn);\r\n//Check for Risky Sign-In in the short time window\r\nlet interestedUsersUpn = suspiciousUserClicks\r\n| where isnotempty(AccountUpn)\r\n| distinct AccountUpn;\r\nlet suspiciousSignIns = materialize(AADSignInEventsBeta\r\n| where ErrorCode == 0\r\n| where AccountUpn in~ (interestedUsersUpn)\r\n| where RiskLevelDuringSignIn in (10, 50, 100)\r\n| extend AccountUpn = tolower(AccountUpn)\r\n| join kind=inner suspiciousUserClicks on AccountUpn\r\n| where (Timestamp - ClickTime) between (-2min .. 
7min)\r\n| project Timestamp, ReportId, ClickTime, AccountUpn, RiskLevelDuringSignIn, SessionId,\r\nIPAddress, Url\r\n);\r\n//Validate errorCode 50199 followed by success in 5 minute time interval for the interested user, which suggests a pause to input the code from the phishing email\r\nlet interestedSessionUsers = suspiciousSignIns\r\n| where isnotempty(AccountUpn)\r\n| distinct AccountUpn;\r\nlet shortIntervalSignInAttemptUsers = materialize(AADSignInEventsBeta\r\n| where AccountUpn in~ (interestedSessionUsers)\r\n| where ErrorCode in (0, 50199)\r\n| summarize ErrorCodes = make_set(ErrorCode) by AccountUpn, CorrelationId, SessionId\r\n| where ErrorCodes has_all (0, 50199)\r\n| distinct AccountUpn);\r\nsuspiciousSignIns\r\n| where AccountUpn in (shortIntervalSignInAttemptUsers)\r\nThe following query from public research surfaces newly registered devices, and can be useful in conjunction\r\nwith anomalous or suspicious user or token activity:\r\nCloudAppEvents\r\n| where AccountDisplayName == \"Device Registration Service\"\r\n| extend ApplicationId_ = tostring(ActivityObjects[0].ApplicationId)\r\n| extend ServiceName_ = tostring(ActivityObjects[0].Name)\r\n| extend DeviceName = tostring(parse_json(tostring(RawEventData.ModifiedProperties))[1].NewValue)\r\n| extend DeviceId =\r\ntostring(parse_json(tostring(parse_json(tostring(RawEventData.ModifiedProperties))[6].NewValue))[0])\r\n| extend DeviceObjectId_ = tostring(parse_json(tostring(RawEventData.ModifiedProperties))[0].NewValue)\r\n| extend UserPrincipalName = tostring(RawEventData.ObjectId)\r\n| project TimeGenerated, ServiceName_, DeviceName, DeviceId, DeviceObjectId_, UserPrincipalName\r\nMicrosoft Sentinel\r\nMicrosoft Sentinel customers can use the following queries to detect phishing attempts and email exfiltration\r\nattempts via Graph API. 
While these queries are not specific to threat actors, they can help you stay vigilant and\r\nsafeguard your organization from phishing attacks:\r\nCampaign with suspicious keywords\r\nDetermine Successfully Delivered Phishing Emails to Inbox/Junk folder.\r\nSuccessful Signin from Phishing Link\r\nPhishing link click observed in Network Traffic\r\nSuspicious URL clicked\r\nAnomaly of MailItemAccess by GraphAPI\r\nOAuth Apps accessing user mail via GraphAPI\r\nOAuth Apps reading mail both via GraphAPI and directly\r\nOAuth Apps reading mail via GraphAPI anomaly\r\nReferences\r\nhttps://www.blackhillsinfosec.com/dynamic-device-code-phishing/\r\nhttps://www.huntress.com/blog/oh-auth-2-0-device-code-phishing-in-google-cloud-and-azure\r\nhttps://github.com/secureworks/family-of-client-ids-research?tab=readme-ov-file#which-client-applications-are-compatible-with-each-other\r\nLearn more\r\nFor the latest security research from the Microsoft Threat Intelligence community, check out the Microsoft Threat\r\nIntelligence Blog: https://aka.ms/threatintelblog.\r\nTo get notified about new publications and to join discussions on social media, follow us on LinkedIn at\r\nhttps://www.linkedin.com/showcase/microsoft-threat-intelligence, and on X (formerly Twitter)\r\nat https://x.com/MsftSecIntel.\r\nTo hear stories and insights from the Microsoft Threat Intelligence community about the ever-evolving threat\r\nlandscape, listen to the Microsoft Threat Intelligence podcast: https://thecyberwire.com/podcasts/microsoft-threat-intelligence.\r\nSource: https://www.microsoft.com/en-us/security/blog/2025/02/13/storm-2372-conducts-device-code-phishing-campaign/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.microsoft.com/en-us/security/blog/2025/02/13/storm-2372-conducts-device-code-phishing-campaign/"
	],
	"report_names": [
		"storm-2372-conducts-device-code-phishing-campaign"
	],
	"threat_actors": [
		{
			"id": "eb659063-c5d1-4fff-8b5d-757313579506",
			"created_at": "2025-03-07T02:00:03.807343Z",
			"updated_at": "2026-04-10T02:00:03.83499Z",
			"deleted_at": null,
			"main_name": "Storm-2372",
			"aliases": [],
			"source_name": "MISPGALAXY:Storm-2372",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434534,
	"ts_updated_at": 1775826725,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/0a3c05618b9a3176a1923973b71b8770cb844281.pdf",
		"text": "https://archive.orkl.eu/0a3c05618b9a3176a1923973b71b8770cb844281.txt",
		"img": "https://archive.orkl.eu/0a3c05618b9a3176a1923973b71b8770cb844281.jpg"
	}
}