Russian Nation-State Actors Use Device Code Phishing to Target Microsoft 365 Accounts

Russian nation-state actors have been targeting sensitive Microsoft 365 accounts using a new phishing technique called device code authentication phishing, according to a recent analysis by Volexity.

The attackers impersonate government officials and researchers to trick victims into providing their Microsoft device authentication codes, allowing the attackers long-term access to the user’s account.

Device code authentication is a method that allows users to sign into M365 services on devices without a full browser interface, such as IoT devices, using a code displayed on that device and then authenticating on another device.

Volexity assesses with medium confidence that at least one of the threat actors is CozyLarch, which overlaps with the notorious Midnight Blizzard gang. The attacks originated via spear-phishing emails or messaging service Signal, inviting users to virtual meetings, chat rooms, or apps.

The attackers then request users to click on a link from an email or a message to join a secure chat room or app. Instead, the link leads to the Microsoft Device Code authentication workflow, where users enter their specific code, allowing the attackers to capture it and gain access to the user’s account.

Device codes are only valid for 15 minutes once they are created, so the attackers needed victims to act quickly after receiving an email; they timed their outreach to ensure the phishing attempt succeeded.

Volexity notes that device code authentication attacks have been highly effective because the phishing URLs sit on legitimate Microsoft domains, which users recognize as trustworthy. To mitigate this attack vector, organizations can set up conditional access policies on their M365 tenant, which is relatively simple to implement but often not done due to a lack of awareness.
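Beyond blocking the flow with conditional access, defenders usually also want to know whether device code sign-ins are already happening in their tenant. The following is an added example (not code from the article or from Volexity) that scans constructed, newline-delimited sign-in records and flags successful device-code sign-ins, rating them higher when the user is not an expected device-code user and the source IP has never appeared in that user's ordinary sign-ins. The field names (`authenticationProtocol`, `ipAddress`, `status.errorCode`, `userPrincipalName`) are assumptions modelled on the Microsoft Graph sign-in log schema; verify them against your own export before relying on the script.

```python
import json
from collections import defaultdict

# Constructed sample sign-in records in newline-delimited JSON. Field names are
# assumptions modelled on the Microsoft Graph signIn resource, not a real export.
SAMPLE_SIGNINS = """\
{"createdDateTime":"2025-02-10T08:15:00Z","userPrincipalName":"a.lee@example.org","ipAddress":"198.51.100.20","authenticationProtocol":"none","status":{"errorCode":0}}
{"createdDateTime":"2025-02-11T08:20:00Z","userPrincipalName":"a.lee@example.org","ipAddress":"198.51.100.20","authenticationProtocol":"none","status":{"errorCode":0}}
{"createdDateTime":"2025-02-12T13:41:00Z","userPrincipalName":"a.lee@example.org","ipAddress":"203.0.113.9","authenticationProtocol":"deviceCode","status":{"errorCode":0}}
{"createdDateTime":"2025-02-12T13:50:00Z","userPrincipalName":"b.ng@example.org","ipAddress":"198.51.100.33","authenticationProtocol":"deviceCode","status":{"errorCode":50126}}
{"createdDateTime":"2025-02-12T14:05:00Z","userPrincipalName":"c.ops@example.org","ipAddress":"192.0.2.44","authenticationProtocol":"deviceCode","status":{"errorCode":0}}
{"createdDateTime":"2025-02-09T07:00:00Z","userPrincipalName":"c.ops@example.org","ipAddress":"192.0.2.44","authenticationProtocol":"deviceCode","status":{"errorCode":0}}
"""


def parse_signins(ndjson):
    """Parse one JSON object per non-empty line."""
    return [json.loads(line) for line in ndjson.splitlines() if line.strip()]


def baseline_ips(records):
    """Map each user to the IPs they have signed in from successfully
    using any flow other than device code (their 'normal' footprint)."""
    seen = defaultdict(set)
    for r in records:
        if r["authenticationProtocol"] != "deviceCode" and r["status"]["errorCode"] == 0:
            seen[r["userPrincipalName"]].add(r["ipAddress"])
    return seen


def find_device_code_signins(records, known_device_code_users=frozenset()):
    """Return successful device-code sign-ins with a severity hint.

    high:   user is not an expected device-code user AND the source IP has
            never been seen in their non-device-code sign-ins
    medium: everything else (still worth a look if the flow is unexpected)
    Failed attempts are skipped; they belong in a separate failed-auth view.
    """
    baseline = baseline_ips(records)
    findings = []
    for r in records:
        if r["authenticationProtocol"] != "deviceCode" or r["status"]["errorCode"] != 0:
            continue
        user = r["userPrincipalName"]
        novel_ip = r["ipAddress"] not in baseline[user]
        expected = user in known_device_code_users
        findings.append({
            "time": r["createdDateTime"],
            "user": user,
            "ip": r["ipAddress"],
            "severity": "high" if (novel_ip and not expected) else "medium",
        })
    return findings


if __name__ == "__main__":
    # Assumption: c.ops is a service account known to use device code on purpose.
    for f in find_device_code_signins(parse_signins(SAMPLE_SIGNINS), {"c.ops@example.org"}):
        print(f"{f['severity']:6} {f['time']} {f['user']} from {f['ip']}")
```

The allow-list argument matters: headless devices and some CLI tools legitimately use device code, so a bare "any device-code sign-in" rule floods the queue. Feeding the script a few weeks of history first gives the per-user IP baseline something to compare against.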

This new technique highlights the need for increased vigilance and security measures against phishing attacks targeting Microsoft 365 accounts.

Source: https://www.infosecurity-magazine.com/news/russian-microsoft-device-code