{"id":20867,"date":"2025-04-10T14:06:25","date_gmt":"2025-04-10T07:06:25","guid":{"rendered":"https:\/\/fpt-is.com\/en\/?post_type=goc_nhin_so&p=20867"},"modified":"2025-06-02T11:48:29","modified_gmt":"2025-06-02T04:48:29","slug":"microsoft-phishing-attack-on-accounts-using-device-code","status":"publish","type":"goc_nhin_so","link":"https:\/\/fpt-is.com\/en\/insights\/microsoft-phishing-attack-on-accounts-using-device-code\/","title":{"rendered":"Microsoft: Phishing Attack on Accounts Using Device Code"},"content":{"rendered":"

\"Microsoft<\/a><\/span><\/p>\n

Recently,\u00a0FPT Threat Intelligent<\/strong>\u00a0has detected several sophisticated phishing campaigns targeting Microsoft 365 accounts of individuals in key organizations. These attacks use device code phishing techniques, exploiting a legitimate feature to trick victims into providing device codes, thereby gaining access to emails and important data without needing the password.<\/span><\/p>\n

Details<\/span><\/strong><\/h2>\n

When users want to log into an app on a device and forget their password or fail to log in several times, they are directed to a device code authentication flow. This process requires users to enter a code on another device, like a phone or computer, that can type.<\/span><\/p>\n

Hackers exploit this by contacting victims through messaging apps (such as WhatsApp, Signal, Microsoft Teams), pretending to be a trusted person and inviting them to a meeting or online transaction. In this invitation, the victim is given a device code\u2014but this code is created by the hacker. When the victim enters this code on the legitimate login page (Microsoft 365 login page), the system verifies it and provides the victim with an access token (and refresh token) as if they had successfully logged in.<\/span><\/p>\n

Since this authentication token is considered a “digital certificate” that allows account access, the hacker can then use it to access Microsoft services (like email, cloud storage) without needing a password\u2014as long as the token remains valid.<\/span><\/p>\n

How Device Code Authentication Works<\/strong><\/span><\/h2>\n

Microsoft (and many other services) supports the\u00a0Device Code Flow<\/strong>\u00a0authentication method to help devices without a keyboard or browser log into accounts.<\/span><\/p>\n

Legitimate Process<\/strong>:<\/span><\/h3>\n
    \n
  1. User Initiates Login<\/strong>: When opening an app on a device without a keyboard, the device shows a\u00a0device code<\/strong>\u00a0and asks the user to enter this code on an official Microsoft website (e.g.,\u00a0https:\/\/microsoft.com\/devicelogin<\/code><\/a>).\"Microsoft<\/a><\/span><\/li>\n
  2. User Enters Code on Another Device<\/strong>: The user uses a computer or phone with a browser to enter the code.\"Microsoft<\/a><\/span><\/li>\n
  3. Microsoft verifies identity<\/strong>\u00a0\u2192 If correct, the user’s account is linked to the device, and the device is given an\u00a0access token<\/strong>\u00a0to use Microsoft services like email and OneDrive.<\/span><\/li>\n<\/ol>\n

    According to Microsoft’s intelligence center, there have been many phishing campaigns recently, possibly by a Russian hacker group called ‘Storm-237’, targeting various organizations and businesses worldwide. Based on preferences, targeted victims, and transaction techniques, researchers can confirm that this activity is linked to a state-sponsored campaign aligned with Russian interests.<\/span><\/p>\n

    Devices with limited input\u2014those without a keyboard or browser support, like smart TVs and some IoT devices\u2014rely on the device code flow to let users log into an app by entering an authorization code on another device, such as a smartphone or computer.<\/span><\/p>\n

    Microsoft researchers have discovered that since last August, Storm-237 has exploited this authentication flow by tricking users into entering device codes created by attackers on legitimate login pages. They launch the attack after establishing a connection with the target by “impersonating a prominent person related to the target” through messaging platforms like WhatsApp, Signal, and Microsoft Teams.<\/span><\/p>\n

    The scam method used by Storm-2372 is to\u00a0trick victims into entering device codes<\/strong>\u00a0created by them on Microsoft’s legitimate login page, allowing them to gain account access.<\/span><\/p>\n

    Storm-2372’s attack method<\/strong>:<\/span><\/h3>\n
      \n
    1. Building trust<\/strong>: Hackers impersonate a trusted person and contact victims through platforms like WhatsApp, Signal, and Teams.\"Microsoft<\/a><\/span><\/li>\n
    2. Sending fake meeting invites<\/strong>: They send emails or messages with a Teams meeting invitation, including a\u00a0device code<\/strong>\u00a0they have created.<\/span>\"Microsoft<\/a><\/span><\/li>\n
    3. Victim enters the code on Microsoft’s official page<\/strong>: Since Microsoft supports the Device Code Flow feature, the victim unsuspectingly enters the code at\u00a0https:\/\/microsoft.com\/devicelogin<\/code><\/a>.\"Microsoft<\/a><\/span><\/li>\n
    4. Hackers gain access<\/strong>: Because the hackers created the code beforehand, when the victim enters it, Microsoft grants them account access, allowing full control without further verification.<\/span><\/li>\n<\/ol>\n

      Why this phishing attack is sophisticated and hard to detect:<\/strong><\/span><\/h3>\n