Critical Alert: New Device Authorization Code Attack Threatens Microsoft 365 Enterprise Security

CyberSecureFox 🦊

Microsoft Threat Intelligence has identified an active phishing campaign, run by the group Microsoft tracks as Storm-2372, that targets enterprise Microsoft 365 accounts by abusing the OAuth device authorization (device code) flow. The technique does not break multi-factor authentication so much as sidestep it: the victim signs in, MFA included, on a genuine Microsoft page, and the tokens produced by that sign-in are delivered to the attacker's session instead of to a device the victim controls.

Advanced Attack Methodology Targets Critical Infrastructure

The campaign focuses on high-value targets in government, defense, and energy, among other sectors, across Europe, North America, Africa, and the Middle East. The attackers abuse the device code flow (RFC 8628), a legitimate authentication mechanism for devices that lack a browser or keyboard, such as printers, smart TVs, and command-line tools on headless hosts, to take over corporate Microsoft 365 accounts.

Social Engineering Tactics and Attack Vector

The threat actors make first contact over messaging platforms such as WhatsApp, Signal, and Microsoft Teams, posing as a known business contact or a prominent figure in the target's field, and follow up with a fake Teams meeting invitation. The invitation contains a genuine device code that the attacker has just generated by starting a device code flow. When the victim enters it at the legitimate Microsoft device login page and signs in with their own password and MFA, that sign-in completes the attacker's flow: the attacker receives the resulting tokens without ever seeing the password, and the victim sees nothing beyond a successful login.

Technical Analysis of the Compromise

Once the victim has approved the code, the attacker's polling request to the token endpoint returns an access token and a refresh token for the victim's account, and the refresh token keeps that access alive long after the code itself has expired. Microsoft also observed Storm-2372 starting the flow with the client ID of the Microsoft Authentication Broker: a refresh token obtained for that client can be exchanged for a token to the device registration service, which lets the attacker register a device they control in Entra ID and obtain a Primary Refresh Token for ongoing access. Because every step uses legitimate Microsoft endpoints and looks like a normal sign-in, detection and remediation are harder than for a password-based compromise.
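The exchange described in the two sections above, as an added example that is not part of the original article and not Microsoft's or Storm-2372's code: an in-memory stand-in for the RFC 8628 device code and token endpoints, stepped through from the attacker's point of view. The client ID, user name, clock, and the `revoke_sessions` model of revokeSignInSessions are assumptions made for the simulation; the 15-minute code lifetime matches Entra ID's documented behaviour.

```python
"""
Simulation of the OAuth 2.0 device authorization grant (RFC 8628) as an identity provider
exposes it (/devicecode and /token), reduced to an in-memory authorization server so the
exchange can be stepped through offline. Client IDs, user names and the clock are constructed.
"""
import secrets
import string
from typing import Dict, Optional

DEVICE_GRANT = "urn:ietf:params:oauth:grant-type:device_code"
USER_CODE_TTL = 15 * 60                                       # device codes live 15 minutes
ATTACKER_CLIENT_ID = "11111111-2222-3333-4444-555555555555"  # constructed; any public client works


class AuthorizationServer:
    """Minimal stand-in for the identity provider's device code and token endpoints."""

    def __init__(self, now):
        self.now = now                              # injectable clock, seconds
        self.pending: Dict[str, dict] = {}          # device_code -> request state
        self.by_user_code: Dict[str, dict] = {}     # user_code   -> same request state
        self.refresh_tokens: Dict[str, dict] = {}   # refresh_token -> {subject, client_id}

    def devicecode(self, client_id: str, scope: str) -> dict:
        """Step 1: whoever calls this keeps device_code; only user_code is meant for a human."""
        req = {"device_code": secrets.token_urlsafe(32),
               "user_code": "".join(secrets.choice(string.ascii_uppercase + string.digits) for _ in range(9)),
               "client_id": client_id, "scope": scope,
               "expires_at": self.now() + USER_CODE_TTL, "approved_by": None}
        self.pending[req["device_code"]] = req
        self.by_user_code[req["user_code"]] = req
        return {"user_code": req["user_code"], "device_code": req["device_code"],
                "verification_uri": "https://microsoft.com/devicelogin",
                "expires_in": USER_CODE_TTL, "interval": 5}

    def devicelogin(self, user_code: str, authenticated_user: str) -> dict:
        """Step 2: the user signs in (password and MFA) on the legitimate page and types the code.
        Nothing shown here tells the user which client started the flow."""
        req = self.by_user_code.get(user_code)
        if req is None or self.now() > req["expires_at"]:
            return {"error": "expired_token"}
        req["approved_by"] = authenticated_user
        return {"status": "approved"}

    def token(self, grant_type: str, client_id: str,
              device_code: Optional[str] = None, refresh_token: Optional[str] = None) -> dict:
        """Step 3: the holder of device_code polls; the approving user's tokens are issued to it."""
        if grant_type == DEVICE_GRANT:
            req = self.pending.get(device_code)
            if req is None or req["client_id"] != client_id:
                return {"error": "invalid_grant"}
            if self.now() > req["expires_at"]:
                self.pending.pop(device_code)
                return {"error": "expired_token"}
            if req["approved_by"] is None:
                return {"error": "authorization_pending"}
            self.pending.pop(device_code)
            return self._issue(req["approved_by"], client_id)
        if grant_type == "refresh_token":
            rt = self.refresh_tokens.get(refresh_token)
            if rt is None or rt["client_id"] != client_id:
                return {"error": "invalid_grant"}
            return self._issue(rt["subject"], client_id)
        return {"error": "unsupported_grant_type"}

    def revoke_sessions(self, subject: str) -> int:
        """Model of revokeSignInSessions: invalidate every refresh token issued for the user."""
        doomed = [k for k, v in self.refresh_tokens.items() if v["subject"] == subject]
        for k in doomed:
            del self.refresh_tokens[k]
        return len(doomed)

    def _issue(self, subject: str, client_id: str) -> dict:
        rt = secrets.token_urlsafe(24)
        self.refresh_tokens[rt] = {"subject": subject, "client_id": client_id}
        return {"access_token": secrets.token_urlsafe(24), "refresh_token": rt, "sub": subject}


def run_phish_scenario() -> dict:
    """Attacker-initiated flow; returns each endpoint response so the outcome can be checked."""
    clock = [1_700_000_000.0]
    srv = AuthorizationServer(now=lambda: clock[0])
    dc = srv.devicecode(ATTACKER_CLIENT_ID, "openid profile offline_access")
    first_poll = srv.token(DEVICE_GRANT, ATTACKER_CLIENT_ID, device_code=dc["device_code"])
    clock[0] += 120                                            # victim reads the chat message
    srv.devicelogin(dc["user_code"], "alice@contoso.example")  # real sign-in, real MFA
    tokens = srv.token(DEVICE_GRANT, ATTACKER_CLIENT_ID, device_code=dc["device_code"])
    refreshed = srv.token("refresh_token", ATTACKER_CLIENT_ID, refresh_token=tokens["refresh_token"])
    revoked = srv.revoke_sessions("alice@contoso.example")    # the remediation step
    after_revoke = srv.token("refresh_token", ATTACKER_CLIENT_ID, refresh_token=refreshed["refresh_token"])
    return {"first_poll": first_poll, "tokens": tokens, "refreshed": refreshed,
            "revoked": revoked, "after_revoke": after_revoke}


def run_expired_scenario() -> dict:
    """Same flow, but the victim acts 16 minutes later: the code is dead and nothing is issued."""
    clock = [1_700_000_000.0]
    srv = AuthorizationServer(now=lambda: clock[0])
    dc = srv.devicecode(ATTACKER_CLIENT_ID, "openid offline_access")
    clock[0] += 16 * 60
    login = srv.devicelogin(dc["user_code"], "alice@contoso.example")
    poll = srv.token(DEVICE_GRANT, ATTACKER_CLIENT_ID, device_code=dc["device_code"])
    return {"login": login, "poll": poll}
```

The point the simulation makes is structural: the token endpoint binds the issued tokens to whoever holds `device_code`, and the approval page only ever sees `user_code`, so a correct, unmodified identity provider still hands the victim's tokens to the party that started the flow. The refresh token keeps working after the code expires until the user's sessions are revoked, which is why revocation, not a password reset alone, is the remediation.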

Security Recommendations and Mitigation Strategies

To protect against this threat, organizations should implement the following security measures:
– Block the device code flow with a Conditional Access policy (the authentication flows condition) for all users and all cloud apps, excluding only documented break-glass accounts, unless a specific workload genuinely needs the flow
– Deploy strict Conditional Access policies in Microsoft Entra ID more generally, for example requiring compliant or hybrid-joined devices and acting on sign-in risk
– Enforce multi-factor authentication, but treat it as necessary rather than sufficient: the victim in this attack completes MFA on the real sign-in page, so MFA alone does not stop it
– Implement zero-trust network access controls
– Monitor sign-in logs for the Device Code authentication protocol and for token usage that does not match the user's usual devices and locations
– On suspected compromise, revoke the user's refresh tokens (revokeSignInSessions) and review any devices registered in Entra ID since the sign-in
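One way to act on the first recommendation, as an added example that is not from the original article or from Microsoft: build the Conditional Access policy body that blocks the device code flow, and audit an existing policy set for whether a given user is actually covered. It uses the Microsoft Graph conditionalAccessPolicy shape (`conditions.authenticationFlows.transferMethods`, `grantControls.builtInControls`); the tenant, user, group and policy identifiers are constructed, and role-based and guest scoping are deliberately not modelled.

```python
"""
Audit of Entra ID Conditional Access policies for a block on the device code flow, using the
Microsoft Graph conditionalAccessPolicy shape. All identifiers below are constructed.
"""
from typing import Dict, Iterable, List, Set


def block_device_code_policy(break_glass_ids: Iterable[str]) -> dict:
    """Body for POST /identity/conditionalAccess/policies: block the device code flow for all
    users and all cloud apps, keeping documented break-glass accounts out of scope."""
    return {
        "displayName": "Block device code flow",
        "state": "enabled",
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeUsers": list(break_glass_ids),
                      "includeGroups": [], "excludeGroups": []},
            "applications": {"includeApplications": ["All"], "excludeApplications": []},
            "authenticationFlows": {"transferMethods": "deviceCodeFlow"},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }


def _targets_device_code(policy: dict) -> bool:
    # transferMethods is a comma-separated flags value, e.g. "deviceCodeFlow,authenticationTransfer"
    flows = policy.get("conditions", {}).get("authenticationFlows") or {}
    methods = {m.strip() for m in (flows.get("transferMethods") or "").split(",")}
    return "deviceCodeFlow" in methods


def _is_block(policy: dict) -> bool:
    return "block" in ((policy.get("grantControls") or {}).get("builtInControls") or [])


def _covers_all_apps(policy: dict) -> bool:
    # The attacker chooses which resource the device code flow targets, so anything short of
    # "All" cloud apps with no exclusions leaves an unprotected resource to request.
    apps = policy.get("conditions", {}).get("applications") or {}
    return "All" in apps.get("includeApplications", []) and not apps.get("excludeApplications")


def _user_in_scope(policy: dict, user_id: str, group_ids: Set[str]) -> bool:
    # Exclusions win over inclusions; roles and guest/external scoping are not modelled here.
    u = policy.get("conditions", {}).get("users") or {}
    included = ("All" in u.get("includeUsers", []) or user_id in u.get("includeUsers", [])
                or bool(group_ids & set(u.get("includeGroups", []))))
    excluded = user_id in u.get("excludeUsers", []) or bool(group_ids & set(u.get("excludeGroups", [])))
    return included and not excluded


def policies_blocking_device_code(policies: Iterable[dict], user_id: str,
                                  group_ids: Iterable[str] = ()) -> List[str]:
    """Names of enabled policies that block the device code flow for this user on every cloud app.
    Empty means the user can still complete a device code sign-in (report-only does not count)."""
    groups = set(group_ids)
    return [p["displayName"] for p in policies
            if p.get("state") == "enabled" and _targets_device_code(p) and _is_block(p)
            and _covers_all_apps(p) and _user_in_scope(p, user_id, groups)]


def gaps(policies: Iterable[dict], users: Dict[str, Set[str]]) -> List[str]:
    """Users (mapped to their group memberships) for whom no enforced block exists."""
    policies = list(policies)
    return [uid for uid, grp in users.items() if not policies_blocking_device_code(policies, uid, grp)]


# Constructed tenant: a report-only pilot policy left behind, plus the enforced policy.
BREAK_GLASS = ["bg-0001-constructed"]
SAMPLE_POLICIES = [
    {**block_device_code_policy(BREAK_GLASS),
     "displayName": "Pilot: device code (report-only)", "state": "enabledForReportingButNotEnforced"},
    block_device_code_policy(BREAK_GLASS),
]
```

Two checks in the audit are the ones that tend to be missed in practice: a policy still in report-only state protects nobody, and a policy scoped to a subset of cloud apps still lets the attacker request a token for any app outside that subset. Break-glass accounts intentionally fall out of scope, so the `gaps` output should list exactly those and nothing else.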

Volexity, which observed the same technique in a parallel investigation, tied part of the activity to the APT29 cluster it tracks as CozyLarch (Cozy Bear, Microsoft's Midnight Blizzard), while Microsoft assesses with medium confidence that Storm-2372 aligns with Russian state interests. A device code is valid for only 15 minutes, so the attacker has to generate the code and get the victim to use it in near real time, which is why the lures arrive as live chat messages rather than emails; that constraint limits the attacker's timing, not the impact once a code is used. Security teams should build detection for device code sign-ins and add this lure to security awareness training: being asked to enter a code at microsoft.com/devicelogin in order to join a meeting is the tell.
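The detection logic the last two sections call for, as an added example that is not from the original article and not Microsoft's published hunting query: a hunt over Entra ID sign-in log records in the Microsoft Graph `signIn` shape that flags successful device code sign-ins, raises severity when the Authentication Broker client or an unfamiliar country is involved, and turns the findings into a per-user remediation plan. The log records, user names and non-Microsoft app IDs are constructed; the Authentication Broker client ID is the one given in Microsoft's hunting guidance for this campaign and should be treated as an assumption to confirm against your own tenant.

```python
"""
Hunt over Entra ID sign-in log records (Microsoft Graph `signIn` shape) for successful device
code sign-ins, which is the trace a device code phishing victim leaves. Records are constructed.
"""
from collections import defaultdict
from typing import Dict, List, Set

# Client ID of the Microsoft Authentication Broker as given in Microsoft's hunting guidance for
# this campaign; assumption to confirm against your own logs before relying on it.
AUTH_BROKER_APP_ID = "29d9ed98-a469-4536-ade2-f981bc1d605e"

SAMPLE_SIGN_INS = [  # constructed records, not real telemetry
    {"createdDateTime": "2025-02-10T08:02:11Z", "userPrincipalName": "alice@contoso.example",
     "appId": "app-outlook-constructed", "appDisplayName": "Outlook", "authenticationProtocol": "oAuth2",
     "ipAddress": "198.51.100.7", "location": {"countryOrRegion": "DE"}, "status": {"errorCode": 0}},
    {"createdDateTime": "2025-02-10T09:14:45Z", "userPrincipalName": "alice@contoso.example",
     "appId": AUTH_BROKER_APP_ID, "appDisplayName": "Microsoft Authentication Broker",
     "authenticationProtocol": "deviceCode", "ipAddress": "203.0.113.41",
     "location": {"countryOrRegion": "US"}, "status": {"errorCode": 0}},
    {"createdDateTime": "2025-02-10T09:30:02Z", "userPrincipalName": "bob@contoso.example",
     "appId": "app-teams-constructed", "appDisplayName": "Teams", "authenticationProtocol": "oAuth2",
     "ipAddress": "198.51.100.22", "location": {"countryOrRegion": "FR"}, "status": {"errorCode": 0}},
    {"createdDateTime": "2025-02-10T09:31:40Z", "userPrincipalName": "bob@contoso.example",
     "appId": "app-cli-constructed", "appDisplayName": "Ops CLI", "authenticationProtocol": "deviceCode",
     "ipAddress": "198.51.100.22", "location": {"countryOrRegion": "FR"}, "status": {"errorCode": 0}},
    {"createdDateTime": "2025-02-10T10:05:13Z", "userPrincipalName": "carol@contoso.example",
     "appId": AUTH_BROKER_APP_ID, "appDisplayName": "Microsoft Authentication Broker",
     "authenticationProtocol": "deviceCode", "ipAddress": "203.0.113.41",
     "location": {"countryOrRegion": "BR"}, "status": {"errorCode": 50074}},  # non-zero: not completed
]


def baseline_countries(sign_ins: List[dict]) -> Dict[str, Set[str]]:
    """Countries each user has completed ordinary (non device code) sign-ins from."""
    base: Dict[str, Set[str]] = defaultdict(set)
    for s in sign_ins:
        if s["status"]["errorCode"] == 0 and s["authenticationProtocol"] != "deviceCode":
            base[s["userPrincipalName"]].add(s["location"]["countryOrRegion"])
    return base


def hunt_device_code(sign_ins: List[dict]) -> List[dict]:
    """One finding per successful device code sign-in, with the reasons that raise its severity."""
    base = baseline_countries(sign_ins)
    findings = []
    for s in sorted(sign_ins, key=lambda r: r["createdDateTime"]):
        if s["authenticationProtocol"] != "deviceCode" or s["status"]["errorCode"] != 0:
            continue
        upn, country = s["userPrincipalName"], s["location"]["countryOrRegion"]
        reasons = ["successful device code sign-in"]
        if s["appId"] == AUTH_BROKER_APP_ID:
            reasons.append("Authentication Broker client: can register a device and obtain a PRT")
        if country not in base.get(upn, set()):
            reasons.append(f"{country} is not in the user's interactive sign-in baseline")
        findings.append({"time": s["createdDateTime"], "user": upn, "ip": s["ipAddress"],
                         "app_id": s["appId"], "severity": "high" if len(reasons) > 1 else "medium",
                         "reasons": reasons})
    return findings


def remediation_plan(findings: List[dict]) -> Dict[str, dict]:
    """Per user: revoke refresh tokens (POST /users/{id}/revokeSignInSessions) for every finding,
    and review devices registered since the sign-in when the broker client was involved."""
    plan: Dict[str, dict] = {}
    for f in findings:
        entry = plan.setdefault(f["user"], {"revoke_sessions": True,
                                           "review_registered_devices": False, "source_ips": set()})
        entry["source_ips"].add(f["ip"])
        if f["app_id"] == AUTH_BROKER_APP_ID:
            entry["review_registered_devices"] = True
    return plan
```

Legitimate device code use exists (an ops CLI on a headless host, for instance), which is why the hunt scores rather than simply alerts: a device code sign-in from the user's usual country through an app known to use the flow is worth a look, while one through the Authentication Broker from a country the user has never signed in from is an incident. Failed attempts are skipped here because no token was issued, but a cluster of them across several users from one IP is itself a useful lead.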
