2025-02-15
Microsoft Threat Intelligence has uncovered an active phishing campaign by Storm-2372. The campaign leverages device code authentication to hijack user tokens and gain persistent access. This isn’t just another phishing attempt—it’s an evolution of attack techniques that exploit legitimate authentication flows.
How the Attack Works:
- Phishing Emails: Fake Microsoft Teams meeting invites lure users.
- Device Code Auth: The user is tricked into entering the device code from the lure on the legitimate Microsoft sign-in page, which completes the attacker's device code flow.
- Token Theft & Persistence: Attackers intercept the authentication process, obtain access and refresh tokens, and register their own devices in Entra ID to keep access.
Tips for the blue team (a starting point):
- Disable Device Code Auth if it is not needed, or restrict it with Conditional Access policies.
- Enforce MFA with phishing-resistant methods like FIDO2 or passkeys.
- Monitor Device Registrations to detect unauthorized enrollments.
- Revoke Compromised Tokens using revokeSignInSessions.
- Apply Sign-In Risk Policies to challenge risky logins automatically.
This campaign highlights the ongoing battle between adversaries and defenders. If your Entra ID policies aren’t locked down, now is the time to act.
Practice Verified Codes and Commands (the MSOnline and AzureAD modules are deprecated, so these use the Microsoft Graph PowerShell SDK; review every policy in report-only mode and exclude your break-glass accounts before enabling it):
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess","Application.Read.All","Device.Read.All","User.RevokeSessions.All"
1. Block Device Code Flow (a Conditional Access policy using the authentication flows condition; device code is an OAuth flow, not a device registration setting):
$blockDeviceCode = @{ displayName = "Block device code flow"; state = "enabledForReportingButNotEnforced"
  conditions = @{ users = @{ includeUsers = @("All") }; applications = @{ includeApplications = @("All") }; authenticationFlows = @{ transferMethods = "deviceCodeFlow" } }
  grantControls = @{ operator = "OR"; builtInControls = @("block") } }
New-MgIdentityConditionalAccessPolicy -BodyParameter $blockDeviceCode
2. Enforce Phishing-Resistant MFA (same policy shape; the id below is the built-in "Phishing-resistant MFA" authentication strength, which covers FIDO2 security keys and passkeys):
$phishingResistant = @{ displayName = "Require phishing-resistant MFA"; state = "enabledForReportingButNotEnforced"
  conditions = @{ users = @{ includeUsers = @("All") }; applications = @{ includeApplications = @("All") } }
  grantControls = @{ operator = "OR"; authenticationStrength = @{ id = "00000000-0000-0000-0000-000000000004" } } }
New-MgIdentityConditionalAccessPolicy -BodyParameter $phishingResistant
3. Monitor Device Registrations (devices registered in the last 24 hours; check each one against your MDM or helpdesk records):
Get-MgDevice -All | Where-Object { $_.RegistrationDateTime -gt (Get-Date).AddDays(-1) } | Format-Table DisplayName, DeviceId, TrustType, RegistrationDateTime
4. Revoke Compromised Tokens (the Graph revokeSignInSessions action; it invalidates the user's refresh tokens and session cookies, so remove any attacker-registered device as well):
Revoke-MgUserSignInSession -UserId "user@example.com"   # placeholder UPN
5. Apply Sign-In Risk Policies (Conditional Access requiring MFA at high sign-in risk; risk signals need Entra ID P2):
$signInRisk = @{ displayName = "MFA on high sign-in risk"; state = "enabledForReportingButNotEnforced"
  conditions = @{ users = @{ includeUsers = @("All") }; applications = @{ includeApplications = @("All") }; signInRiskLevels = @("high") }
  grantControls = @{ operator = "OR"; builtInControls = @("mfa") } }
New-MgIdentityConditionalAccessPolicy -BodyParameter $signInRisk
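As an added example (not code from the post, from Microsoft, or from the Graph SDK), a small Python triage script that applies the "monitor device registrations" tip to exported sign-in and device records: it flags device-code sign-ins from IPs the user has never used with another flow, and device registrations that follow a device-code sign-in within a window, which is the campaign's persistence step. Field names assume the Graph signIn and device schemas (`authenticationProtocol`, `registrationDateTime`); `ownerUpn` is a constructed join key standing in for the registeredOwners relationship, and all records are constructed samples.

```python
from datetime import datetime, timedelta

# Constructed sample sign-ins (Graph signIn fields; "deviceCode" marks device code flow).
SIGNINS = [
    {"userPrincipalName": "alice@example.com", "createdDateTime": "2025-02-14T09:02:11Z",
     "authenticationProtocol": "deviceCode", "ipAddress": "203.0.113.7", "appDisplayName": "Microsoft Office"},
    {"userPrincipalName": "alice@example.com", "createdDateTime": "2025-02-13T08:00:00Z",
     "authenticationProtocol": "oAuth2", "ipAddress": "198.51.100.4", "appDisplayName": "Microsoft Teams"},
    {"userPrincipalName": "bob@example.com", "createdDateTime": "2025-02-14T10:00:00Z",
     "authenticationProtocol": "deviceCode", "ipAddress": "198.51.100.9", "appDisplayName": "Azure CLI"},
]
# Constructed device records (Graph device fields); ownerUpn is an assumed join key for registeredOwners.
DEVICES = [
    {"displayName": "DESKTOP-X1", "registrationDateTime": "2025-02-14T09:40:00Z",
     "trustType": "Workplace", "ownerUpn": "alice@example.com"},
    {"displayName": "bob-laptop", "registrationDateTime": "2025-01-20T12:00:00Z",
     "trustType": "AzureAd", "ownerUpn": "bob@example.com"},
]

def _ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")

def triage(signins, devices, window_hours=24):
    """Return {upn: [reasons]} for device-code sign-ins that deserve a closer look."""
    baseline = {}  # IPs each user has used with any non-device-code flow
    for s in signins:
        if s["authenticationProtocol"] != "deviceCode":
            baseline.setdefault(s["userPrincipalName"], set()).add(s["ipAddress"])
    findings = {}
    for s in signins:
        if s["authenticationProtocol"] != "deviceCode":
            continue
        upn, when = s["userPrincipalName"], _ts(s["createdDateTime"])
        reasons = []
        if s["ipAddress"] not in baseline.get(upn, set()):
            reasons.append(f"device-code sign-in from unseen IP {s['ipAddress']} to {s['appDisplayName']}")
        # Persistence step of the campaign: a device registered shortly after the sign-in.
        for d in devices:
            reg = _ts(d["registrationDateTime"])
            if d["ownerUpn"] == upn and when <= reg <= when + timedelta(hours=window_hours):
                minutes = int((reg - when).total_seconds() // 60)
                reasons.append(f"device {d['displayName']} ({d['trustType']}) registered {minutes} min after it")
        if reasons:
            findings.setdefault(upn, []).extend(reasons)
    return findings

if __name__ == "__main__":
    for upn, reasons in triage(SIGNINS, DEVICES).items():
        print(upn, *("\n  - " + r for r in reasons))
```

Feed it the JSON you export from the sign-in logs and device list (for example via Get-MgAuditLogSignIn and Get-MgDevice) and tune window_hours to how quickly your helpdesk normally enrols a device after a user signs in.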
What Undercode Says:
In the ever-evolving landscape of cybersecurity, staying ahead of adversaries requires constant vigilance and proactive measures. The Device Code Phishing campaign by Storm-2372 underscores the importance of securing authentication mechanisms and monitoring for unauthorized access. By disabling unnecessary authentication methods like device code auth, enforcing phishing-resistant MFA, and regularly monitoring device registrations, organizations can significantly reduce their attack surface.
Additionally, using PowerShell to manage and secure Entra ID environments is crucial. Cmdlets for Conditional Access, device inventory and sign-in session revocation, such as those listed above, give administrators the tools needed to enforce security policies and respond to incidents swiftly. Implementing sign-in risk policies further enhances security by automatically challenging risky logins, adding an extra layer of protection.
For those looking to deepen their understanding of Entra ID and Azure AD security, Microsoft’s official documentation and community forums are invaluable resources. Regularly updating your knowledge and staying informed about the latest threats and mitigation strategies is essential in maintaining a robust security posture.
Remember, cybersecurity is a continuous process. Regularly review and update your security policies, conduct thorough audits, and ensure your team is trained to recognize and respond to potential threats. By taking these steps, you can better protect your organization from sophisticated phishing campaigns and other cyber threats.