A hacking outfit potentially linked to Russia is running an active operation that uses device code phishing to target Microsoft 365 accounts of individuals at organisations of interest. The targets are in the government, non-governmental organisations (NGOs), IT services and technology, defence, telecommunications, health, and energy/oil and gas sectors in Europe, North America, Africa, and the Middle East.
Microsoft Threat Intelligence Centre is tracking the threat actors behind the device code phishing effort as ‘Storm-237’. Based on targets, victimology, and tradecraft, the researchers are confident that the activity is linked to a nation-state operation that serves Russia’s interests.
Device code phishing assaults
Input-constrained devices, such as smart TVs and some IoTs, use a code authentication flow to allow users to sign into an app by typing an authorization code on a different device, such as a smartphone or computer.