Hackers that Microsoft assesses, with moderate confidence, to be aligned with Russian state interests have been running a phishing campaign that sidesteps password theft entirely by abusing Microsoft 365's device code authentication flow. Known as 'device code phishing,' the technique gets the victim to sign in on Microsoft's own login page while the resulting tokens are issued to the attacker. The technique itself is not new, but its use for espionage at this scale marks a significant shift in tactics.

Understanding Device Code Phishing

Device code phishing (also called OAuth device code phishing) abuses the OAuth 2.0 device authorization grant (RFC 8628), a legitimate sign-in method for devices with limited input capabilities (smart TVs, printers, command-line tools). The attacker, not the victim, drives the flow:

  1. Code Request: The attacker asks Microsoft's device code endpoint for a code pair and receives a secret device_code and a short user_code
  2. Lure: The victim receives an email (often a meeting or document invitation) carrying the user_code and the genuine verification URL, https://microsoft.com/devicelogin
  3. Victim Sign-In: The victim enters the code on Microsoft's real page and authenticates normally, MFA included
  4. Token Delivery: The attacker, who has been polling the token endpoint with the device_code, receives the victim's access and refresh tokens directly from Microsoft and uses them to read mail and files and to phish further from the compromised account

Why This Attack is Particularly Dangerous

  • No Password Needed: The attacker never sees or needs the victim's password; the victim authenticates and Microsoft hands the tokens to the attacker
  • MFA Satisfied, Not Bypassed: Works against accounts with multi-factor authentication because the victim completes MFA as part of the legitimate sign-in, so the issued tokens carry the MFA claim
  • Stealthy: The lure links only to Microsoft's real domains, so URL filtering and training aimed at fake login pages see nothing wrong
  • Persistence: The refresh token keeps minting new access tokens; by default it stays valid as long as it is used at least once every 90 days, unless the tenant revokes it

The Russian Connection: Storm-2372

Microsoft attributes these attacks to a group it tracks as Storm-2372. (A 'Storm-' designation means Microsoft's attribution is still developing; the SEABORGIUM alias sometimes quoted alongside it belongs to a different Russian actor that Microsoft now calls Star Blizzard.) According to Microsoft, Storm-2372:

  • Primarily targets government, NGOs, think tanks, IT services, defense, telecommunications, health, higher education and energy organizations
  • Has run this campaign since at least August 2024
  • Is assessed with moderate confidence to align with Russian state interests
  • Specializes in account takeover for intelligence collection, searching compromised mailboxes for sensitive content

Technical Breakdown of the Attack Chain

Phase 1: Initial Compromise

  • Spear phishing emails carrying the device code, often disguised as Microsoft Teams meeting invitations
  • Fake SharePoint/OneDrive document sharing notifications
  • Compromised legitimate websites serving as redirectors

Phase 2: Device Code Generation (the attacker requests the code pair)

POST /common/oauth2/v2.0/devicecode HTTP/1.1
Host: login.microsoftonline.com
Content-Type: application/x-www-form-urlencoded

client_id=[public_client_app_id]&scope=openid%20profile%20offline_access%20...

The response carries a device_code (kept by the attacker for polling), a user_code (placed in the lure), the verification URI and an expiry of 15 minutes, which is why the lure has to land while the code is still fresh.

Phase 3: Token Acquisition

  • The victim enters the user_code at https://microsoft.com/devicelogin and completes a normal sign-in, MFA included
  • Meanwhile the attacker polls Microsoft's token endpoint with the device_code from Phase 2, honoring the returned interval, until the authorization_pending error gives way to a token response:
POST /common/oauth2/v2.0/token HTTP/1.1
Host: login.microsoftonline.com
Content-Type: application/x-www-form-urlencoded

client_id=[same_app_id]&device_code=[device_code_from_phase_2]&grant_type=urn:ietf:params:oauth:grant-type:device_code
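The full exchange of Phases 2 and 3, both sides, as an added offline simulation rather than code from the article or from Microsoft: a toy authorization server stands in for login.microsoftonline.com, the client_id, UPN and token strings are made-up values, and the 15-minute code lifetime and 5-second poll interval mirror the defaults Microsoft's devicecode endpoint returns. The point it makes is that the tokens are issued to whoever holds device_code, which the victim never sees.

```python
"""Offline simulation of the OAuth 2.0 device authorization grant (RFC 8628) as
abused by device code phishing. Toy server only; nothing here touches the network."""
import secrets
from dataclasses import dataclass
from typing import Callable, Optional

DEVICE_CODE_GRANT = "urn:ietf:params:oauth:grant-type:device_code"
CODE_LIFETIME = 900   # seconds; Microsoft device codes expire after 15 minutes
POLL_INTERVAL = 5     # seconds; the "interval" value the devicecode endpoint returns


@dataclass
class PendingAuth:
    client_id: str
    scope: str
    user_code: str
    issued_at: float
    approved_by: Optional[str] = None    # UPN of whoever signed in (MFA included)
    last_poll: Optional[float] = None


class MockAuthServer:
    """Stand-in for login.microsoftonline.com covering the three legs of RFC 8628."""
    def __init__(self, clock: Callable[[], float]):
        self.clock = clock
        self.pending = {}        # device_code -> PendingAuth
        self.by_user_code = {}   # user_code -> device_code

    def device_authorization(self, client_id: str, scope: str) -> dict:
        # POST /common/oauth2/v2.0/devicecode. The requester (the attacker) receives
        # BOTH codes; only user_code is ever shown to the victim.
        device_code = secrets.token_urlsafe(32)
        user_code = "".join(secrets.choice("BCDFGHJKLMNPQRSTVWXZ") for _ in range(9))
        self.pending[device_code] = PendingAuth(client_id, scope, user_code, self.clock())
        self.by_user_code[user_code] = device_code
        return {"device_code": device_code, "user_code": user_code,
                "verification_uri": "https://microsoft.com/devicelogin",
                "expires_in": CODE_LIFETIME, "interval": POLL_INTERVAL}

    def user_login(self, user_code: str, upn: str, mfa_completed: bool) -> str:
        # The verification page: user types the code, signs in normally (MFA included),
        # and is never told whose device_code they are approving.
        device_code = self.by_user_code.get(user_code)
        if device_code not in self.pending:
            return "invalid_code"
        state = self.pending[device_code]
        if self.clock() - state.issued_at > CODE_LIFETIME:
            return "expired_code"
        if not mfa_completed:
            return "mfa_required"
        state.approved_by = upn
        return "approved"

    def token(self, client_id: str, device_code: str, grant_type: str) -> dict:
        # POST /common/oauth2/v2.0/token, polled by whoever holds device_code.
        if grant_type != DEVICE_CODE_GRANT:
            return {"error": "unsupported_grant_type"}
        state = self.pending.get(device_code)
        if state is None or state.client_id != client_id:
            return {"error": "invalid_grant"}
        now = self.clock()
        if now - state.issued_at > CODE_LIFETIME:
            del self.pending[device_code]
            return {"error": "expired_token"}
        if state.last_poll is not None and now - state.last_poll < POLL_INTERVAL:
            return {"error": "slow_down"}
        state.last_poll = now
        if state.approved_by is None:
            return {"error": "authorization_pending"}
        del self.pending[device_code]   # one token response per device_code
        # Tokens go to the polling client; the victim's browser never sees them.
        return {"token_type": "Bearer", "scope": state.scope, "expires_in": 3600,
                "access_token": "at." + secrets.token_hex(8),
                "refresh_token": "rt." + secrets.token_hex(8),
                "subject": state.approved_by}   # toy stand-in for the id_token upn claim


class FakeClock:
    def __init__(self, start: float = 1_700_000_000.0):
        self.now = start
    def __call__(self) -> float:
        return self.now
    def advance(self, seconds: float) -> None:
        self.now += seconds


def device_code_phishing(server: MockAuthServer, advance: Callable[[float], None]) -> dict:
    """Walk the attack end to end. client_id and UPN are made-up values."""
    attacker_client = "00000000-0000-0000-0000-00000000abcd"   # hypothetical public client
    resp = server.device_authorization(attacker_client, "openid profile offline_access")
    # The lure carries only user_code plus the genuine Microsoft URL: nothing to blocklist.
    lure = f"Join the meeting: open {resp['verification_uri']} and enter code {resp['user_code']}"
    first_poll = server.token(attacker_client, resp["device_code"], DEVICE_CODE_GRANT)
    advance(60)   # victim reads the mail, goes to the real Microsoft page, passes MFA
    login_result = server.user_login(resp["user_code"], "victim@contoso.example", True)
    advance(POLL_INTERVAL)   # attacker's next poll now returns the victim's tokens
    tokens = server.token(attacker_client, resp["device_code"], DEVICE_CODE_GRANT)
    return {"lure": lure, "first_poll": first_poll, "login_result": login_result, "tokens": tokens}
```

Run it with `clock = FakeClock()` and `device_code_phishing(MockAuthServer(clock), clock.advance)`: the first poll returns authorization_pending, the victim's login returns approved, and the next poll returns Bearer tokens whose subject is the victim. The same server also shows the two failure modes an attacker has to manage, expired_token once the 15 minutes pass and slow_down when polling faster than the interval.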

Defending Against Device Code Phishing

For Organizations:

  1. Conditional Access Policies: Block the device code flow for all users with the 'Authentication flows' condition (transfer method 'Device code flow'), with a narrowly scoped exception for the accounts and devices that genuinely need it; require compliant or hybrid-joined devices everywhere else
  2. Token Lifetime Management: Set a sign-in frequency in Conditional Access so a captured refresh token cannot be replayed indefinitely, and revoke refresh tokens for any user who entered a code they did not request
  3. Application Consent Policies: Restrict which apps users can consent to, and review which public client apps in the tenant are allowed to use the device code flow
  4. User Training: Teach staff that a genuine Microsoft login page asking for a code that arrived by email is the attack itself, not a sign that the request is safe

For Microsoft 365 Admins:

  • Review and revoke unnecessary OAuth applications and service principals
  • Enable sign-in risk and user risk policies in Microsoft Entra ID Protection (formerly Azure AD Identity Protection)
  • Implement continuous access evaluation so revocations take effect within minutes rather than at token expiry
  • Hunt the sign-in logs for device code authentications (authenticationProtocol equal to deviceCode), especially successes from unusual locations or for many users in a short window
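A hunting script for the sign-in log check above, as an added example (not Microsoft's query or code): the records are constructed to mimic the shape of the Microsoft Graph signIn resource, the UPNs, IP addresses and timestamps are made up, and the severity scoring (device code used, success from a country with no baseline sign-in, several users in one window) is chosen for this example, not an official scale.

```python
"""Hunt an Entra ID sign-in log export (JSON lines) for device code authentications.
The records are constructed for this example in the shape of the Microsoft Graph
signIn resource; authenticationProtocol == "deviceCode" marks the device code flow."""
import json
from collections import defaultdict
from datetime import datetime

# Constructed sample: baseline sign-ins for alice (US) and bob (DE), then three
# device code sign-ins inside five minutes, one of them failed (non-zero errorCode).
SAMPLE_SIGNIN_LOGS = """\
{"createdDateTime":"2025-02-12T08:01:00Z","userPrincipalName":"alice@contoso.example","ipAddress":"203.0.113.10","appDisplayName":"Microsoft Teams","authenticationProtocol":"oAuth2","location":{"countryOrRegion":"US"},"status":{"errorCode":0}}
{"createdDateTime":"2025-02-12T09:15:00Z","userPrincipalName":"bob@contoso.example","ipAddress":"198.51.100.7","appDisplayName":"Outlook","authenticationProtocol":"oAuth2","location":{"countryOrRegion":"DE"},"status":{"errorCode":0}}
{"createdDateTime":"2025-02-13T10:02:00Z","userPrincipalName":"alice@contoso.example","ipAddress":"203.0.113.10","appDisplayName":"Microsoft Office","authenticationProtocol":"deviceCode","location":{"countryOrRegion":"US"},"status":{"errorCode":0}}
{"createdDateTime":"2025-02-13T10:05:00Z","userPrincipalName":"bob@contoso.example","ipAddress":"192.0.2.44","appDisplayName":"Microsoft Office","authenticationProtocol":"deviceCode","location":{"countryOrRegion":"NL"},"status":{"errorCode":0}}
{"createdDateTime":"2025-02-13T10:07:00Z","userPrincipalName":"carol@contoso.example","ipAddress":"192.0.2.45","appDisplayName":"Microsoft Office","authenticationProtocol":"deviceCode","location":{"countryOrRegion":"US"},"status":{"errorCode":50074}}
"""


def _ts(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def hunt_device_code_signins(jsonl: str, window_minutes: int = 60) -> list:
    """Return one finding per device code sign-in, scored low/medium/high.

    Scoring is this example's own choice, not an official scale: any successful
    device code sign-in is worth a look (medium); one from a country the user has
    never successfully signed in from is high; a failed attempt is low. Several
    users approving device codes inside one window is added as a campaign signal.
    """
    records = [json.loads(line) for line in jsonl.splitlines() if line.strip()]
    records.sort(key=lambda r: r["createdDateTime"])

    # Baseline: countries seen on successful sign-ins that did NOT use device code.
    baseline = defaultdict(set)
    for r in records:
        if r["authenticationProtocol"] != "deviceCode" and r["status"]["errorCode"] == 0:
            baseline[r["userPrincipalName"]].add(r["location"]["countryOrRegion"])

    device = [r for r in records if r["authenticationProtocol"] == "deviceCode"]
    findings = []
    for r in device:
        upn = r["userPrincipalName"]
        country = r["location"]["countryOrRegion"]
        succeeded = r["status"]["errorCode"] == 0
        reasons = ["device code flow used"]
        severity = "medium" if succeeded else "low"
        if succeeded and country not in baseline[upn]:
            reasons.append(f"no prior successful sign-in from {country}")
            severity = "high"
        t = _ts(r["createdDateTime"])
        peers = {d["userPrincipalName"] for d in device
                 if abs((_ts(d["createdDateTime"]) - t).total_seconds()) <= window_minutes * 60}
        if len(peers) >= 3:
            reasons.append(f"{len(peers)} users used device code within {window_minutes} min")
        findings.append({"user": upn, "time": r["createdDateTime"], "ip": r["ipAddress"],
                         "app": r["appDisplayName"], "country": country,
                         "severity": severity, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in hunt_device_code_signins(SAMPLE_SIGNIN_LOGS):
        print(f["severity"].upper(), f["user"], f["ip"], "; ".join(f["reasons"]))
```

On the sample, bob scores high (device code success from NL with only a DE baseline), alice medium, carol low, and all three carry the campaign note. The first filter alone is the one-line KQL `SigninLogs | where AuthenticationProtocol == "deviceCode"` in a Log Analytics workspace; for a high finding, revoke the user's refresh tokens (Revoke-MgUserSignInSession -UserId <upn> in Microsoft Graph PowerShell) before starting the mailbox review, so the attacker's tokens stop working while you investigate.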

Microsoft's Response

Microsoft has acknowledged the threat and recommends:

  • Blocking the device code flow with Conditional Access wherever it is not required
  • Revoking refresh tokens for affected users (the revokeSignInSessions action, or Revoke-MgUserSignInSession in Microsoft Graph PowerShell) and enforcing a sign-in frequency
  • Moving to phishing-resistant MFA such as FIDO2 security keys or passkeys, alongside Conditional Access features such as Token Protection where the platform supports them
  • Regular review of sign-in logs and audit logs, with risk-based policies in Microsoft Entra ID Protection to act on anomalies automatically

The Bigger Picture: OAuth as an Attack Vector

This attack highlights broader security challenges with OAuth and modern authentication:

  • Permission Overload: Users often grant excessive permissions
  • Token Proliferation: Difficult to track all active sessions
  • Trust Assumptions: Users reasonably trust a genuine Microsoft login page, and this attack needs nothing more than that
  • Detection Gaps: Traditional security tools miss token-based attacks

Future Outlook

Security experts predict:

  • More state-sponsored groups will adopt this technique
  • Possible expansion to other OAuth implementations (Google, Facebook, etc.)
  • Increased focus on API security and token management
  • Potential for automated device code phishing at scale

As authentication moves beyond passwords, both attackers and defenders are shifting their attention to tokens: who they are issued to, how long they live, and how quickly they can be revoked. Device code phishing is an early example of that shift in espionage tradecraft, not the last.