
Microsoft has identified a new cyber threat cluster, Storm-2372, launching sophisticated attacks across multiple sectors since August 2024. The campaign, believed to have Russian connections, targets organizations in Europe, North America, Africa, and the Middle East.
Key Sectors Under Attack:
– Government and NGOs
– IT Services and Technology
– Defense and Telecommunications
– Healthcare and Higher Education
– Energy and Oil/Gas Industries
Attack Methodology:
The threat actors employ “device code phishing,” a technique that involves:
1. Initial contact through messaging apps (WhatsApp, Signal, Microsoft Teams)
2. Impersonation of prominent figures to establish trust
3. Sending fake Microsoft Teams meeting invitations
4. Capturing authentication tokens when victims enter device codes
5. Using stolen tokens to access multiple services without passwords
Post-Compromise Activities:
– Lateral movement within networks
– Searching messages for specific keywords (username, password, admin, etc.)
– Data exfiltration of sensitive information
– Maintaining persistent access through valid tokens
Recommended Security Measures:
– Block device code authentication where possible
– Implement phishing-resistant MFA
– Apply least privilege principles
– Monitor for suspicious authentication attempts
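One concrete way to act on the last recommendation is to hunt sign-in logs for device code authentications and flag the ones that look like a redeemed phishing code rather than a legitimate CLI or smart-TV login. The script below is an added example written for this summary; it is not code from Microsoft's report. It assumes sign-in records are exported as JSON lines using Microsoft Entra sign-in log field names (in particular an authenticationProtocol field whose value is "deviceCode" for that flow); the sample records are constructed, and the heuristics (a device code redeemed from an IP the user has never signed in from, followed shortly by token use against several services from that same IP) mirror the post-compromise behaviour described above.

```python
import json
from datetime import datetime, timedelta

# Constructed sample sign-in records (not real log data). Field names follow the
# Microsoft Entra sign-in log schema as an assumption; adjust them to your export.
SAMPLE_SIGNIN_LOGS = [
    '{"createdDateTime": "2025-01-10T08:02:11Z", "userPrincipalName": "alice@example.test", "authenticationProtocol": "none", "ipAddress": "203.0.113.10", "resourceDisplayName": "Office 365 Exchange Online", "status": {"errorCode": 0}}',
    '{"createdDateTime": "2025-01-12T14:30:05Z", "userPrincipalName": "alice@example.test", "authenticationProtocol": "deviceCode", "ipAddress": "198.51.100.7", "resourceDisplayName": "Microsoft Graph", "status": {"errorCode": 0}}',
    '{"createdDateTime": "2025-01-12T14:35:40Z", "userPrincipalName": "alice@example.test", "authenticationProtocol": "none", "ipAddress": "198.51.100.7", "resourceDisplayName": "Office 365 SharePoint Online", "status": {"errorCode": 0}}',
    '{"createdDateTime": "2025-01-12T14:41:02Z", "userPrincipalName": "alice@example.test", "authenticationProtocol": "none", "ipAddress": "198.51.100.7", "resourceDisplayName": "Office 365 Exchange Online", "status": {"errorCode": 0}}',
    '{"createdDateTime": "2025-01-11T09:00:00Z", "userPrincipalName": "bob@example.test", "authenticationProtocol": "none", "ipAddress": "203.0.113.22", "resourceDisplayName": "Microsoft Teams", "status": {"errorCode": 0}}',
    '{"createdDateTime": "2025-01-11T09:15:30Z", "userPrincipalName": "bob@example.test", "authenticationProtocol": "deviceCode", "ipAddress": "203.0.113.22", "resourceDisplayName": "Azure CLI", "status": {"errorCode": 0}}',
    '{"createdDateTime": "2025-01-13T10:00:00Z", "userPrincipalName": "carol@example.test", "authenticationProtocol": "deviceCode", "ipAddress": "198.51.100.7", "resourceDisplayName": "Microsoft Graph", "status": {"errorCode": 50126}}',
]


def parse_signin_logs(lines):
    """Parse JSON-lines sign-in records and return them sorted by timestamp."""
    records = []
    for line in lines:
        rec = json.loads(line)
        rec["createdDateTime"] = datetime.strptime(rec["createdDateTime"], "%Y-%m-%dT%H:%M:%SZ")
        records.append(rec)
    records.sort(key=lambda r: r["createdDateTime"])
    return records


def is_success(rec):
    """Entra reports a successful sign-in as status.errorCode == 0."""
    return rec.get("status", {}).get("errorCode", 0) == 0


def device_code_signins(records):
    """All successful sign-ins that completed through the device code flow."""
    return [r for r in records
            if r.get("authenticationProtocol") == "deviceCode" and is_success(r)]


def flag_device_code_signins(records, lookback=timedelta(days=30), follow_window=timedelta(hours=2)):
    """Return (user, ip, reasons) for device code sign-ins that look anomalous.

    Two heuristics, both derived from the Storm-2372 tradecraft described above:
    1. The code was redeemed from an IP the user had not signed in from in the lookback window.
    2. Shortly afterwards, the same IP used the resulting tokens against several services.
    """
    flagged = []
    for dc in device_code_signins(records):
        upn, ip, t = dc["userPrincipalName"], dc["ipAddress"], dc["createdDateTime"]

        prior_ips = {r["ipAddress"] for r in records
                     if r["userPrincipalName"] == upn and is_success(r)
                     and t - lookback <= r["createdDateTime"] < t}
        reasons = []
        if ip not in prior_ips:
            reasons.append("device code redeemed from an IP never seen for this user")

        followed = {r["resourceDisplayName"] for r in records
                    if r["userPrincipalName"] == upn and r["ipAddress"] == ip
                    and is_success(r) and t < r["createdDateTime"] <= t + follow_window}
        if len(followed) >= 2:
            reasons.append(f"tokens then used against {len(followed)} services from the same IP")

        if reasons:
            flagged.append((upn, ip, reasons))
    return flagged


if __name__ == "__main__":
    recs = parse_signin_logs(SAMPLE_SIGNIN_LOGS)
    print(f"{len(device_code_signins(recs))} successful device code sign-ins")
    for upn, ip, reasons in flag_device_code_signins(recs):
        print(f"ALERT {upn} from {ip}: " + "; ".join(reasons))
```

On the constructed data the script reports alice's sign-in (new IP, then Graph, SharePoint and Exchange access from that IP within minutes) and leaves bob's Azure CLI login alone, since it came from an address he had already used. The failed device code attempt by carol is excluded by design; in production you would typically keep failures in a separate, lower-severity signal.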
The campaign demonstrates sophisticated social engineering tactics and poses a significant threat to organizational security across multiple sectors.