
Russian threat actors have launched another successful hacking campaign. Targeted users receive fake WhatsApp, Signal, or Teams meeting invitations and, when they try to log in to join, unwittingly let the attackers into their accounts.
Microsoft Threat Intelligence Center warns that this phishing technique, called “device code phishing,” has been active since August 2024, and Russia-aligned hackers are successfully compromising governments, NGOs, and a wide range of industries in multiple regions.
Users should beware of fraudulent WhatsApp, Signal, or Teams meeting invitations, which may be indistinguishable from legitimate ones.
“Threat actors exploit the device code authentication flow to capture authentication tokens, which they then use to access target accounts, and further gain access to data and other services that the compromised account has access to,” Microsoft said.
The attack abuses the device code authentication flow, which was designed for input-constrained devices such as TVs and game consoles. The flow lets a user complete authentication on a separate device: for example, an app on a TV generates a temporary code and asks the user to enter it on a specific website to finish signing in.
Here’s how the attack works:
1. Hackers invest a considerable amount of time building rapport with the target before sending meeting invitations.
2. They generate a valid device code on the real service’s login page (e.g., Microsoft’s), which ties the code to the hacker’s device.
3. Hackers then send the obtained code to the victim in a phishing email, which may look like an invitation to join a Microsoft Teams meeting.
4. If the victim opens the link, the genuine login screen appears. If the user enters the code and completes authentication, the hacker’s device receives the authentication token and gains access to the account and its data.
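The sign-in produced by step 4 looks, on the defender’s side, like an ordinary device code authentication, so the practical question is how to spot it in sign-in logs. The following is an added example (not code from the article or from Microsoft) that runs over constructed sign-in records whose field names are an assumption loosely modelled on Entra ID sign-in logs, and flags every device code sign-in, prioritising those completed from a country the user has never signed in from interactively.

```python
from collections import defaultdict

# Constructed sample sign-in events (made-up users, IPs and times). Field names
# are an assumption modelled on Entra ID sign-in logs; "deviceCode" marks a
# sign-in completed through the device code flow.
SAMPLE_SIGNINS = [
    {"time": "2025-02-10T09:02:11Z", "user": "alice@example.org", "protocol": "none",
     "ip": "203.0.113.10", "country": "DE", "resource": "Microsoft Graph"},
    {"time": "2025-02-11T14:20:05Z", "user": "alice@example.org", "protocol": "none",
     "ip": "203.0.113.11", "country": "DE", "resource": "Office 365 Exchange Online"},
    {"time": "2025-02-11T08:15:40Z", "user": "bob@example.org", "protocol": "none",
     "ip": "203.0.113.20", "country": "DE", "resource": "Microsoft Graph"},
    # Device code sign-in completed from a country alice has never signed in from:
    # the pattern left behind when a victim enters the attacker's code.
    {"time": "2025-02-12T10:45:30Z", "user": "alice@example.org", "protocol": "deviceCode",
     "ip": "198.51.100.7", "country": "XX", "resource": "Microsoft Graph"},
    # Device code sign-in from bob's usual country: still reported, lower priority.
    {"time": "2025-02-12T11:00:00Z", "user": "bob@example.org", "protocol": "deviceCode",
     "ip": "203.0.113.20", "country": "DE", "resource": "Microsoft Graph"},
]

def baseline_countries(events):
    """Countries each user has signed in from using anything other than device code."""
    seen = defaultdict(set)
    for e in events:
        if e["protocol"] != "deviceCode":
            seen[e["user"]].add(e["country"])
    return seen

def flag_device_code_signins(events):
    """Return [(event, reason)] for every device code sign-in.

    reason is "device_code_new_country" when the sign-in country is absent from the
    user's baseline (including users with no baseline at all), else "device_code".
    """
    baseline = baseline_countries(events)
    findings = []
    for e in events:
        if e["protocol"] != "deviceCode":
            continue
        if e["country"] in baseline.get(e["user"], set()):
            findings.append((e, "device_code"))
        else:
            findings.append((e, "device_code_new_country"))
    return findings

if __name__ == "__main__":
    for event, reason in flag_device_code_signins(SAMPLE_SIGNINS):
        print(f"{event['time']} {event['user']} {event['ip']} {event['country']} -> {reason}")
```

In a real environment the baseline would be built from weeks of sign-in history rather than a handful of records, and a device code sign-in by a user who has never used the flow before deserves a look even when the country matches.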
Hackers use these phished authentication tokens to gain access to cloud storage, emails, and other services without needing a password. They can maintain access for a long time.
“The threat actor continues to have access so long as the tokens remain valid. The attacker can then use the valid access token to move laterally within the environment,” Microsoft said.
Additionally, hackers sift through user messages for keywords such as username, password, admin, TeamViewer, AnyDesk, credentials, secret, ministry, or gov to obtain sensitive information.
Microsoft tracks the threat actor as Storm-2372 and, based on its tradecraft and victimology, suspects it is a nation-state actor working in support of Russian state interests.
Microsoft recommends blocking device code authentication wherever possible.