Microsoft Warns of Russian-Linked Phishing Scam Using Teams Invites

Microsoft has warned of a sophisticated phishing scam targeting government and business sectors, using fake Teams meeting invites to trick victims into handing over their authentication tokens. The attack, attributed to a group known as Storm-2372, has been ongoing since August and is believed to be linked to Russian state interests.

The scammers use a technique called “device code phishing,” which attempts to trick marks into providing sensitive information such as usernames, passwords, and device authentication codes. Once the victim clicks on the phishing email, they are taken to a legitimate Microsoft login page and prompted to enter a device verification code.

Once authenticated, the attacker can obtain a valid access token from Microsoft, granting access to the victim’s email or cloud storage accounts without needing a password or two-factor authentication. The attackers then use this access to move laterally within the compromised network by sending additional phishing messages to other users.

Microsoft has said that this technique is not unique to Microsoft and that no vulnerabilities in its code base enable this activity. However, the company is taking steps to monitor for similar campaigns and is directly notifying customers who have been targeted or compromised.

To protect yourself against this threat, allow device code flow only where necessary, revoke user refresh tokens if you suspect device code phishing, and consider setting a conditional access policy to force re-authentication for users.
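As an added illustration of that advice (not code from Microsoft or the source article), the following Python sketch triages exported sign-in records for device code sign-ins by users outside an allow-list and marks which accounts completed the flow and are candidates for refresh token revocation. The field names are assumptions modelled on Entra ID sign-in log exports, and the sample records and allow-list are constructed.

```python
import json

# Constructed sample sign-in records, one JSON object per line. Field names are
# assumptions modelled on Entra ID sign-in log exports; adjust to your schema.
SAMPLE_LOG = """\
{"createdDateTime":"2025-02-10T09:01:00Z","userPrincipalName":"alice@example.com","authenticationProtocol":"deviceCode","ipAddress":"203.0.113.10","status":{"errorCode":0}}
{"createdDateTime":"2025-02-10T09:02:00Z","userPrincipalName":"bob@example.com","authenticationProtocol":"none","ipAddress":"198.51.100.7","status":{"errorCode":0}}
{"createdDateTime":"2025-02-10T09:05:00Z","userPrincipalName":"signage@example.com","authenticationProtocol":"deviceCode","ipAddress":"192.0.2.20","status":{"errorCode":0}}
{"createdDateTime":"2025-02-10T09:07:00Z","userPrincipalName":"carol@example.com","authenticationProtocol":"deviceCode","ipAddress":"203.0.113.10","status":{"errorCode":1}}
{"createdDateTime":"2025-02-10T09:30:00Z","userPrincipalName":"Alice@example.com","authenticationProtocol":"deviceCode","ipAddress":"203.0.113.44","status":{"errorCode":0}}
not-json debris line
"""

# Hypothetical allow-list: accounts with a documented need for device code flow.
ALLOWED_USERS = {"signage@example.com"}


def triage_device_code(lines, allowed=ALLOWED_USERS):
    """Return {user: {"revoke": bool, "events": [(time, ip), ...]}} for
    device code sign-ins by users outside the allow-list."""
    findings = {}
    for line in lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip blank or malformed lines instead of aborting
        if not isinstance(rec, dict) or rec.get("authenticationProtocol") != "deviceCode":
            continue
        user = str(rec.get("userPrincipalName", "")).lower()
        if not user or user in allowed:
            continue
        entry = findings.setdefault(user, {"revoke": False, "events": []})
        entry["events"].append((rec.get("createdDateTime"), rec.get("ipAddress")))
        # Assumed schema: errorCode 0 means the flow completed and tokens were
        # issued, so this user's refresh tokens are candidates for revocation.
        status = rec.get("status")
        if isinstance(status, dict) and status.get("errorCode") == 0:
            entry["revoke"] = True
    return findings


if __name__ == "__main__":
    for user, info in sorted(triage_device_code(SAMPLE_LOG.splitlines()).items()):
        action = "REVOKE refresh tokens" if info["revoke"] else "targeted, no token issued"
        print(f"{user}: {action}; {len(info['events'])} device code event(s)")
```

Users flagged with `revoke` map to the refresh token revocation step above; users with only failed attempts were targeted but did not complete the flow in this data.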

Source: https://www.theregister.com/2025/02/15/russia_spies_spoofing_teams