Thea Intelligence

Storm-2372 Device Code Phishing: How Thea Microsoft 365 Account Compromise Protection Shields Your Organisation

In recent months, a threat actor identified as Storm-2372 has been actively conducting device code phishing campaigns, targeting Microsoft 365 accounts across various sectors, including government, NGOs, IT services, defence, telecommunications, health, and energy. This sophisticated attack method exploits the OAuth2 device code authentication flow, enabling attackers to hijack authentication tokens and gain unauthorised access to user accounts.

How the Attack Works

Since August 2024, Storm-2372 has employed a deceptive strategy to compromise user accounts:

  1. Attackers initiate contact through third-party messaging services such as WhatsApp, Signal, and Microsoft Teams, impersonating prominent individuals relevant to the target.
  2. They build rapport with the victim before sending invitations to online events or meetings.
  3. These invitations prompt the user to complete a device code authentication request, mimicking legitimate messaging service experiences.
  4. Once the user enters the device code on a legitimate sign-in page, the attackers obtain authentication tokens, granting them access to the victim’s Microsoft 365 account without needing the actual password. Because the attacker, not the victim, initiated the device code request, the access and refresh tokens are issued to the attacker’s device when the victim approves the code.

This method is particularly insidious because it leverages legitimate authentication processes, making it challenging for users and traditional security measures to detect the intrusion. The stolen tokens can be used to access various services where the user has permissions, such as email and cloud storage, allowing attackers to harvest sensitive data and potentially move laterally within the organisation’s network.

Protecting Against Device Code Phishing with Thea M365 Account Compromise Protection

To combat such advanced phishing techniques, robust security solutions like Thea M365 Account Compromise Protection are essential. Thea provides a multi-layered defence against account takeover threats, including those posed by Storm-2372, through three key mechanisms:

Identification: Risk-Based Login Assessment

Thea continuously monitors login activity, evaluating factors such as:

  • Country of login
  • IP address
  • User agent and operating system

If a login attempt breaches predefined risk tolerances, it triggers automated containment actions. This helps detect unauthorised access attempts facilitated by stolen authentication tokens, a core tactic used by Storm-2372.

Containment: Nullifying Hijacked Tokens

When a suspicious login is detected, Thea enforces one of two containment actions:

  • Automated Logout: The affected user is logged out and prompted to log in again. This process issues a new session token, rendering any hijacked tokens useless.
  • Account Blocking: If a login attempt appears highly suspicious, the user’s account is blocked until IT teams can investigate further.

Since Storm-2372 relies on stolen tokens for access, Thea’s containment measures effectively disrupt their attack chain, preventing persistence within the compromised account.
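As an added illustration (not Thea’s code and not a description of how its product is implemented), the following Python scores sign-in events against a per-user baseline using the three factors listed above (country, IP address, user agent), adds weight when the sign-in used the device code flow described in the attack section, and maps the resulting score to the two containment actions (forced logout or account block). The baseline and sign-in records are constructed samples; the field names follow the general shape of Microsoft Entra sign-in logs, where `authenticationProtocol` set to `deviceCode` marks a device code sign-in, which is an assumption about log format rather than something the post states. Weights and thresholds are placeholders to be tuned per organisation.

```python
"""Risk-based sign-in assessment with containment decisions (added example).

Scores Microsoft 365 sign-in events against a per-user baseline of verified
activity and maps the score to an action. Records, baseline, weights and
thresholds are all constructed; field names are modelled on Entra ID sign-in
logs (assumption, not taken from the post).
"""
from dataclasses import dataclass

# Constructed baseline: attributes seen on each user's recent, verified sign-ins.
BASELINES = {
    "alice@example.org": {
        "countries": {"GB"},
        "ips": {"203.0.113.10"},  # documentation (TEST-NET) address, constructed
        "user_agents": {"Mozilla/5.0 (Windows NT 10.0) Edge/120"},
    },
}

# Constructed sign-in events in a simplified Entra sign-in record shape.
SAMPLE_SIGNINS = [
    # Normal sign-in from the known device and location.
    {"userPrincipalName": "alice@example.org", "ipAddress": "203.0.113.10",
     "location": {"countryOrRegion": "GB"},
     "userAgent": "Mozilla/5.0 (Windows NT 10.0) Edge/120",
     "authenticationProtocol": "none"},
    # New phone on a new home IP, same country, ordinary auth: low risk.
    {"userPrincipalName": "alice@example.org", "ipAddress": "203.0.113.55",
     "location": {"countryOrRegion": "GB"},
     "userAgent": "Mozilla/5.0 (iPhone; CPU iPhone OS 17_0) Safari/605",
     "authenticationProtocol": "none"},
    # Device code sign-in from an unknown IP and a scripted client, same country.
    {"userPrincipalName": "alice@example.org", "ipAddress": "198.51.100.77",
     "location": {"countryOrRegion": "GB"},
     "userAgent": "python-requests/2.31",
     "authenticationProtocol": "deviceCode"},
    # Device code sign-in from a new country, new IP and new client.
    {"userPrincipalName": "alice@example.org", "ipAddress": "192.0.2.200",
     "location": {"countryOrRegion": "NL"},
     "userAgent": "python-requests/2.31",
     "authenticationProtocol": "deviceCode"},
]

# Placeholder weights and thresholds; tune against real sign-in history.
WEIGHTS = {"new_country": 40, "new_ip": 20, "new_user_agent": 20, "device_code": 30}
LOGOUT_THRESHOLD = 50   # at or above: revoke sessions and force re-authentication
BLOCK_THRESHOLD = 80    # at or above: block the account pending investigation

EMPTY_BASELINE = {"countries": set(), "ips": set(), "user_agents": set()}


@dataclass
class Assessment:
    user: str
    score: int
    reasons: list
    action: str  # "allow" | "force_logout" | "block"


def assess(event: dict, baselines: dict = BASELINES) -> Assessment:
    """Compare one sign-in event with the user's baseline and decide an action."""
    user = event["userPrincipalName"]
    base = baselines.get(user, EMPTY_BASELINE)
    reasons = []
    if event["location"]["countryOrRegion"] not in base["countries"]:
        reasons.append("new_country")
    if event["ipAddress"] not in base["ips"]:
        reasons.append("new_ip")
    if event["userAgent"] not in base["user_agents"]:
        reasons.append("new_user_agent")
    # A device code sign-in is legitimate on its own; it raises risk because the
    # token is delivered to whichever device requested the code.
    if event.get("authenticationProtocol") == "deviceCode":
        reasons.append("device_code")
    score = sum(WEIGHTS[r] for r in reasons)
    if score >= BLOCK_THRESHOLD:
        action = "block"
    elif score >= LOGOUT_THRESHOLD:
        action = "force_logout"
    else:
        action = "allow"
    return Assessment(user, score, reasons, action)


def assess_all(events: list, baselines: dict = BASELINES) -> list:
    """Assess a batch of sign-in events in order."""
    return [assess(e, baselines) for e in events]


if __name__ == "__main__":
    for a in assess_all(SAMPLE_SIGNINS):
        print(f"{a.user}: score={a.score:<3} action={a.action:<12} reasons={a.reasons}")
```

With the constructed data, the first two events are allowed (scores 0 and 40), the device code sign-in from a new IP and scripted client triggers a forced logout (score 70), and the device code sign-in from a new country is blocked (score 110). In a real deployment the baseline would be rebuilt continuously from verified sign-ins, and the forced-logout action should be issued promptly: revoking a user’s sessions invalidates refresh tokens, but access tokens already issued remain valid until they expire.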

Response: User Verification and Investigation

Once a suspicious login is flagged, Thea facilitates a response workflow:

  • IT teams liaise with the user to verify their current working arrangements and determine whether the login attempt was legitimate.
  • If the login is deemed unauthorised, further security actions can be taken to prevent future compromises, such as strengthening authentication controls.

Why Thea M365 Account Compromise Protection is Essential

Storm-2372’s attacks highlight the growing sophistication of cyber threats targeting Microsoft 365 environments. Traditional defences, such as passwords and multi-factor authentication alone, are not always sufficient to stop token-based compromises. Thea’s proactive risk assessment, automated containment, and real-time response mechanisms provide organisations with:

  • Immediate risk-based detection of suspicious logins
  • Automated disruption of attacker persistence
  • A streamlined incident response process to mitigate damage

By integrating Thea M365 Account Compromise Protection, organisations can strengthen their defences against Storm-2372 and other evolving threats, ensuring the security of their Microsoft 365 environments and protecting sensitive data from unauthorised access.

Secure Your Organisation Today

Don’t wait for an attack to compromise your Microsoft 365 accounts. Learn more about how Thea M365 Account Compromise Protection can safeguard your organisation from advanced phishing techniques. https://theaintelligence.com/microsoft-365-account-compromise-protection

Visit theaintelligence.com today.