Microsoft has reported uncovering a cyberattack campaign by Storm-2372, a group linked to Russian interests, using a technique called device code phishing to bypass multi-factor authentication (MFA) and steal access tokens.

Active since August 2024, the group targets governments, NGOs, and industries including defence, telecoms, energy, and healthcare across Europe, North America, Africa, and the Middle East. In device code phishing, attackers trick users into entering a legitimate authentication code, sent via fake meeting invites on platforms like Microsoft Teams and WhatsApp, on a genuine sign-in page. This hands over valid tokens, granting unauthorised access.

Recent activity shows a shift towards using Microsoft Authentication Broker’s client ID to gain persistent access by registering rogue devices inside compromised networks. Microsoft warns these attacks are especially effective because they mimic legitimate login workflows.

To defend against device code phishing, businesses should block unnecessary device code flows, strengthen Conditional Access policies, educate users about phishing risks, and use phishing-resistant MFA methods such as FIDO tokens.