
Digital Event Horizon

Device Code Phishing: The Sophisticated Attack Method Being Used by Russian Spies to Hijack Microsoft 365 Accounts


Device code phishing, a sophisticated attack method being used by Russian spies to hijack Microsoft 365 accounts, has left cybersecurity experts on high alert. To avoid falling prey to this campaign, individuals and organizations need to be aware of the technique and take necessary precautions.

  • Russian spies are using device code phishing to hijack Microsoft 365 accounts.
  • The attack method exploits the "device code flow" authentication method.
  • Threat actors masquerade as high-ranking officials on messenger apps to gain trust.
  • Target users are asked to join a Microsoft Teams meeting or give access to applications and data.
  • The attack can last as long as authentication tokens remain valid.
  • Russian spies have been using this technique since at least August 2023.


    In a recent development that has left cybersecurity experts and researchers on high alert, it has been discovered that Russian spies have been using a clever phishing technique known as device code phishing to hijack Microsoft 365 accounts belonging to a wide range of targets. This technique exploits the "device code flow" authentication method, which is designed for logging into devices such as printers and smart TVs.

    The device code flow authentication method involves displaying an alphabetic or alphanumeric device code along with a link associated with the user account on an input-constrained device. The user then opens the link on a computer or other device that's easier to sign in with and enters the code. The remote server then sends a token to the input-constrained device that logs it into the account.

    However, this method has been abused by threat actors working on behalf of the Russian government since at least last August. These attackers masquerade as trusted, high-ranking officials and initiate conversations with targeted users on messenger apps such as Signal, WhatsApp, and Microsoft Teams. Organizations impersonated include the United States Department of State, the Ukrainian Ministry of Defence, the European Union Parliament, and prominent research institutions.

    After building a rapport with the target user, the attackers ask them to join a Microsoft Teams meeting, give access to applications and data as an external Microsoft 365 user, or join a chatroom on a secure chat application. The request includes a link and an access code, which the threat actor generated using a device they control.

    When the target visits the link with a browser authorized to access the Microsoft 365 account and enters the code, the attacker device gains access that will last as long as the authentication tokens remain valid.

    According to Volexity CEO Steven Adair, the effectiveness of this attack method is largely due to the ambiguity in the user interface of the device code authorization process. This means it's crucial for people to pay close attention to links and the pages they lead to. Microsoft Azure prompts users to confirm they're signing into the app they expect. People should look for it and be suspicious of messages where this option is missing.
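    The flow and the confirmation prompt described above, modelled as an added example (not code from the article, Microsoft or Volexity): a toy in-memory authorization server showing that the token goes to whichever device started the flow, and that declining at the app confirmation prompt stops it. The class and method names, the account, the client name and the 900-second code lifetime are all assumptions made for the illustration.

```python
import secrets
import time

class AuthServer:
    """Toy in-memory model of a device code authorization server (hypothetical)."""

    def __init__(self, code_lifetime=900):        # lifetime in seconds, assumed value
        self.code_lifetime = code_lifetime
        self.pending = {}                         # device_code -> flow state

    def start_flow(self, client_name, now=None):
        """Step 1: the input-constrained device asks for a code pair."""
        now = time.time() if now is None else now
        device_code = secrets.token_urlsafe(32)   # secret, never leaves the device
        user_code = secrets.token_hex(4).upper()  # short code the user types in
        self.pending[device_code] = {"user_code": user_code, "client": client_name,
                                     "expires": now + self.code_lifetime, "account": None}
        return device_code, user_code

    def approve(self, user_code, account, confirm, now=None):
        """Step 2: a signed-in browser submits the user code.
        confirm(app_name) models the user reading the 'is this the app you expect' prompt."""
        now = time.time() if now is None else now
        for flow in self.pending.values():
            if flow["user_code"] == user_code and now < flow["expires"]:
                if not confirm(flow["client"]):
                    return False                  # user declined at the prompt
                flow["account"] = account
                return True
        return False                              # unknown or expired code

    def poll(self, device_code):
        """Step 3: whoever holds device_code collects the token for the approving account."""
        flow = self.pending.get(device_code)
        if flow is None or flow["account"] is None:
            return None                           # nothing approved yet
        del self.pending[device_code]
        return {"account": flow["account"], "client": flow["client"]}

def demo():
    """Constructed scenario: the user code arrives in a chat message, not on the user's own device."""
    server = AuthServer()
    device_code, user_code = server.start_flow("Constructed Device Client", now=0)
    # A user who checks the prompt expected a Teams meeting and declines.
    checked = server.approve(user_code, "alice@example.com", lambda app: app == "Microsoft Teams", now=60)
    # A user who clicks through without reading the prompt approves the flow.
    clicked = server.approve(user_code, "alice@example.com", lambda app: True, now=120)
    return checked, clicked, server.poll(device_code)

if __name__ == "__main__":
    print(demo())
```

    The server never learns who relayed the user code; it only ties the approving account to the device that holds the matching device code, which is why the confirmation prompt is the point where the user can stop the flow.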

    To avoid falling prey to this campaign, Microsoft and Volexity provide various steps that can be taken by individuals and organizations. These include checking the authenticity of links and being cautious when clicking on them, as well as verifying the user interface prompts displayed during authentication.

    In conclusion, device code phishing is a sophisticated attack method that has been used by Russian spies to hijack Microsoft 365 accounts. It's essential for users to be aware of this technique and take necessary precautions to protect themselves from falling victim to these attacks.



    Related Information:

  • https://arstechnica.com/information-technology/2025/02/russian-spies-use-device-code-phishing-to-hijack-microsoft-accounts/

  • https://cyberscoop.com/russia-threat-groups-device-code-phishing-microsoft-accounts/


  • Published: Mon Feb 17 22:15:59 2025 by llama3.2 3B Q4_K_M










