
A sophisticated phishing campaign, attributed to a Russian-linked threat actor known as Storm-237, is actively targeting Microsoft 365 accounts across multiple sectors globally. The campaign primarily affects organizations in government, NGOs, IT services, defense, telecommunications, health, and energy sectors throughout Europe, North America, Africa, and the Middle East.
Attack Methodology
The attackers exploit device code authentication, a legitimate OAuth flow designed for input-constrained devices such as smart TVs and printers. Storm-237 initiates contact by impersonating prominent figures via messaging platforms such as WhatsApp, Signal, and Microsoft Teams. After establishing rapport, they send fake meeting invitations containing attacker-generated device codes, tricking users into entering the code and authenticating on legitimate Microsoft sign-in pages. Because the code was requested by the attacker's client, the access and refresh tokens issued after the victim signs in are delivered to the attacker rather than to the victim.
Technical Impact
– Enables unauthorized access to victims' Microsoft services
– Allows email harvesting through Graph API
– Permits generation of new tokens using Microsoft Authentication Broker
– Facilitates device registration to Entra ID
– Enables persistent access through Primary Refresh Tokens (PRT)
Security Recommendations
1. Block device code authentication flow where possible
2. Implement strict Conditional Access policies
3. Immediately revoke refresh tokens if compromise is suspected
4. Force re-authentication for affected users
5. Monitor Entra ID sign-in logs for:
– High-volume authentication attempts
– Suspicious device code logins
– Unusual authentication patterns
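As an added example (not part of the original advisory, and not Microsoft's own tooling), the script below applies the three checks from recommendation 5 to exported Entra ID sign-in records: it lists successful device-code sign-ins, finds users with a high volume of attempts inside a sliding window, and flags device-code sign-ins from an address the user has never used for an ordinary interactive sign-in. The records are constructed sample data; the field names (`authenticationProtocol`, `userPrincipalName`, `ipAddress`, `status.errorCode`) follow the Microsoft Graph sign-in schema as I understand it and should be checked against your own export, and the window and threshold values are assumptions to tune per tenant.

```python
"""Triage exported Entra ID sign-in records for the patterns in recommendation 5."""
from collections import defaultdict
from datetime import datetime, timedelta


def _rec(ts, upn, proto, app, ip, err=0):
    """Build one sign-in record in the (assumed) Graph signIn field layout."""
    return {"createdDateTime": ts, "userPrincipalName": upn,
            "authenticationProtocol": proto, "appDisplayName": app,
            "ipAddress": ip, "status": {"errorCode": err}}


# Constructed sample records (not real tenant data); users, IPs and times are invented.
SAMPLE_SIGNINS = [
    _rec("2025-02-14T08:50:00Z", "bob@example.org", "oAuth2", "Microsoft Teams", "203.0.113.22"),
    _rec("2025-02-14T09:00:12Z", "alice@example.org", "oAuth2", "Microsoft Teams", "203.0.113.10"),
    # device-code sign-in from an address bob has never used interactively
    _rec("2025-02-14T09:03:41Z", "bob@example.org", "deviceCode",
         "Microsoft Authentication Broker", "198.51.100.7"),
    _rec("2025-02-14T09:05:30Z", "alice@example.org", "oAuth2", "Outlook", "203.0.113.10"),
    # burst of failed password attempts, then a device-code success from the same address
    *[_rec(f"2025-02-14T09:1{m}:00Z", "carol@example.org", "oAuth2", "Office 365",
           "192.0.2.5", err=50126) for m in range(5)],
    _rec("2025-02-14T09:15:00Z", "carol@example.org", "deviceCode",
         "Microsoft Authentication Broker", "192.0.2.5"),
    # dave uses device code from the address he normally signs in from (e.g. a meeting-room device)
    _rec("2025-02-14T09:18:00Z", "dave@example.org", "oAuth2", "Microsoft Teams", "203.0.113.40"),
    _rec("2025-02-14T09:20:00Z", "dave@example.org", "deviceCode", "Microsoft Teams", "203.0.113.40"),
]


def parse_time(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def device_code_signins(records):
    """Successful sign-ins that used the device code flow."""
    return [r for r in records
            if r.get("authenticationProtocol") == "deviceCode" and r["status"]["errorCode"] == 0]


def high_volume_users(records, window=timedelta(minutes=10), threshold=5):
    """Users with at least `threshold` attempts (success or failure) inside any `window`."""
    by_user = defaultdict(list)
    for r in records:
        by_user[r["userPrincipalName"]].append(parse_time(r["createdDateTime"]))
    flagged = set()
    for user, times in by_user.items():
        times.sort()
        start = 0
        for end in range(len(times)):          # sliding window over sorted timestamps
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged.add(user)
                break
    return sorted(flagged)


def device_code_from_unfamiliar_ip(records):
    """Device-code sign-ins from an IP the user never used for a successful non-device-code sign-in."""
    known_ips = defaultdict(set)
    for r in records:
        if r.get("authenticationProtocol") != "deviceCode" and r["status"]["errorCode"] == 0:
            known_ips[r["userPrincipalName"]].add(r["ipAddress"])
    return [r for r in device_code_signins(records)
            if r["ipAddress"] not in known_ips[r["userPrincipalName"]]]


def triage(records, window=timedelta(minutes=10), threshold=5):
    """Run all three checks and return the findings keyed by check name."""
    return {
        "device_code_signins": device_code_signins(records),
        "high_volume_users": high_volume_users(records, window, threshold),
        "device_code_unfamiliar_ip": device_code_from_unfamiliar_ip(records),
    }


if __name__ == "__main__":
    for name, findings in triage(SAMPLE_SIGNINS).items():
        print(name)
        for f in findings:
            print("  ", f if isinstance(f, str)
                  else f'{f["createdDateTime"]} {f["userPrincipalName"]} {f["ipAddress"]} {f["appDisplayName"]}')
```

On the sample data the script lists bob, carol and dave as device-code sign-ins, flags carol for volume, and flags bob and carol (but not dave) for an unfamiliar source address; users surfaced by the last two checks are the natural candidates for the token revocation and forced re-authentication in recommendations 3 and 4.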
Organizations are advised to implement these security measures promptly to protect against this ongoing threat.