2025-02-16
Microsoft has uncovered an active phishing campaign run by a group it tracks as Storm-2372, whose victimology and tradecraft align with Russian state interests. The campaign has been under way since August 2024 and has targeted governments, NGOs, and a range of industries across several regions. The attackers use a technique known as “device code phishing”: they start an OAuth device authorization flow against the legitimate identity provider, send the resulting user code to the victim under a pretext such as a meeting invitation, and wait for the victim to enter it on the genuine Microsoft device-login page. Because the victim authenticates there themselves, MFA included, the attackers' pending request is approved and they receive the access and refresh tokens for the victim's account, which they then use to access it and to keep that access until the tokens are revoked.
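The following Python model of the OAuth 2.0 device authorization grant (RFC 8628) is an added example, not code from Microsoft or from the campaign write-up; it shows why the technique works. An in-memory `IdentityProvider` stands in for the real device-code and token endpoints, and the client ID, user names, verification URI and code formats are invented. Only the attacker ever holds the `device_code`; the victim sees just the short `user_code`, and when they enter it (and pass MFA) on the legitimate page, it is the attacker's pending request that gets approved.

```python
"""Toy model of RFC 8628 device code flow, showing how a phished user_code authorizes the attacker."""
from __future__ import annotations

import secrets
import string
from dataclasses import dataclass


@dataclass
class PendingRequest:
    client_id: str
    user_code: str
    approved_by: str | None = None  # set once a user enters the code and authenticates


class IdentityProvider:
    """In-memory stand-in for an IdP's /devicecode and /token endpoints (hypothetical)."""

    def __init__(self, allow_device_code: bool = True):
        self.allow_device_code = allow_device_code  # models a tenant-wide block of the flow
        self.pending: dict[str, PendingRequest] = {}  # device_code -> request
        self.by_user_code: dict[str, str] = {}        # user_code -> device_code

    def device_authorization(self, client_id: str) -> dict:
        """Step 1: the *client* (here, the attacker) asks for a device_code/user_code pair."""
        if not self.allow_device_code:
            raise PermissionError("device code flow is blocked for this tenant")
        device_code = secrets.token_urlsafe(32)
        alphabet = string.ascii_uppercase + string.digits
        user_code = "".join(secrets.choice(alphabet) for _ in range(9))
        self.pending[device_code] = PendingRequest(client_id, user_code)
        self.by_user_code[user_code] = device_code
        return {"device_code": device_code, "user_code": user_code,
                "verification_uri": "https://idp.example/devicelogin"}

    def user_enters_code(self, user_code: str, username: str, mfa_passed: bool) -> None:
        """Step 2: a user types the user_code on the legitimate page and completes MFA."""
        if not mfa_passed:
            raise PermissionError("MFA challenge failed")
        device_code = self.by_user_code.get(user_code)
        if device_code is None:
            raise KeyError("unknown or expired user code")
        # The IdP binds the authenticated user to whichever client requested this code.
        self.pending[device_code].approved_by = username

    def token(self, device_code: str) -> dict:
        """Step 3: the client polls with its device_code until the request is approved."""
        req = self.pending.get(device_code)
        if req is None:
            return {"error": "invalid_grant"}
        if req.approved_by is None:
            return {"error": "authorization_pending"}
        return {"access_token": f"at.{req.approved_by}.{secrets.token_hex(4)}",
                "refresh_token": f"rt.{req.approved_by}.{secrets.token_hex(4)}",
                "subject": req.approved_by}


def run_device_code_phish(idp: IdentityProvider, victim: str = "alice@contoso.example") -> tuple:
    """Attacker starts the flow, lures the victim into entering the code, then redeems the token."""
    attacker = idp.device_authorization(client_id="productivity-app-client-id")  # invented ID
    first_poll = idp.token(attacker["device_code"])  # nothing yet: authorization_pending
    # The lure only needs the user_code; the victim never sees or needs the device_code.
    lure = f"Join the meeting: open {attacker['verification_uri']} and enter code {attacker['user_code']}"
    assert attacker["device_code"] not in lure
    idp.user_enters_code(attacker["user_code"], username=victim, mfa_passed=True)
    second_poll = idp.token(attacker["device_code"])  # tokens for the victim's account
    return first_poll, second_poll


if __name__ == "__main__":
    pending, issued = run_device_code_phish(IdentityProvider())
    print(pending, issued["subject"], sep="\n")
```

Running `run_device_code_phish(IdentityProvider())` returns `authorization_pending` on the first poll and a token bound to the victim on the second; constructing the provider with `allow_device_code=False` models a tenant that blocks the flow, and the attack fails before any code is issued, which is why blocking the flow where it is not needed is the decisive control.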
To protect against such attacks, Microsoft recommends the following measures:
- Enable Multi-Factor Authentication (MFA): Require MFA on every account. Note that MFA on its own does not stop device code phishing, because the victim completes the MFA challenge themselves on the legitimate sign-in page; it still raises the bar against the password-based attacks the same actor may attempt.
- Monitor Token Usage: Review Entra ID sign-in logs for sign-ins whose authentication protocol is the device code flow, especially to apps that have no reason to use it, and for token use from unfamiliar locations. If an account is suspected compromised, revoke its refresh tokens (Microsoft Graph `revokeSignInSessions`) so the stolen tokens stop working, then reset its credentials.
- Educate Employees: Train users that a genuine device code prompt only appears when they themselves started a sign-in on a device, that a code arriving in an email, chat message or meeting invite is a phishing lure, and that they should never enter a code they did not generate.
- Implement Conditional Access Policies: Block the device code flow wherever it is not needed, and restrict access based on user location, device compliance, and sign-in risk.
- Regularly Update Security Protocols: Keep identity protection settings, detection rules and software current so that newly reported techniques such as this one are covered.
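As an added example for the token-monitoring recommendation (not part of Microsoft's guidance or of this post), the Python below runs a simple triage over constructed sign-in records shaped like the Microsoft Graph `signIn` resource returned by `auditLogs/signIns`. The records, user names, IP addresses and the `ALLOWED_DEVICE_CODE_APPS` allowlist are invented for illustration. It flags successful device code sign-ins to apps that are not expected to use that flow, escalates when the same user also appears from a different country within a one-hour window, and attaches the remediation Microsoft recommends for affected users, revoking their refresh tokens.

```python
"""Triage constructed Entra-style sign-in records for suspicious device code sign-ins."""
from __future__ import annotations

import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not real log data), shaped like Microsoft Graph `signIn` objects.
SAMPLE_SIGNINS = """\
{"createdDateTime": "2025-02-10T08:55:40Z", "userPrincipalName": "alice@contoso.example", "appDisplayName": "Microsoft Teams", "authenticationProtocol": "oAuth2", "ipAddress": "198.51.100.23", "location": {"countryOrRegion": "DE"}, "status": {"errorCode": 0}}
{"createdDateTime": "2025-02-10T09:02:11Z", "userPrincipalName": "alice@contoso.example", "appDisplayName": "Microsoft Teams", "authenticationProtocol": "deviceCode", "ipAddress": "203.0.113.7", "location": {"countryOrRegion": "RU"}, "status": {"errorCode": 0}}
{"createdDateTime": "2025-02-10T09:40:03Z", "userPrincipalName": "bob@contoso.example", "appDisplayName": "Azure CLI", "authenticationProtocol": "deviceCode", "ipAddress": "198.51.100.44", "location": {"countryOrRegion": "DE"}, "status": {"errorCode": 0}}
{"createdDateTime": "2025-02-10T10:12:59Z", "userPrincipalName": "carol@contoso.example", "appDisplayName": "Outlook", "authenticationProtocol": "oAuth2", "ipAddress": "198.51.100.80", "location": {"countryOrRegion": "DE"}, "status": {"errorCode": 50126}}
"""

# Apps that legitimately use the device code flow in this hypothetical tenant (e.g. CLI tools on
# headless hosts). Any other app using the flow is treated as suspect.
ALLOWED_DEVICE_CODE_APPS = frozenset({"Azure CLI"})

# Microsoft Graph action that invalidates a user's refresh tokens.
REVOKE_ACTION = "revoke refresh tokens: POST /users/{id}/revokeSignInSessions (Microsoft Graph)"


def parse_signins(text: str) -> list[dict]:
    """Parse newline-delimited JSON sign-in records and attach a parsed UTC timestamp."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["_ts"] = datetime.fromisoformat(rec["createdDateTime"].replace("Z", "+00:00"))
        records.append(rec)
    return records


def detect_device_code_signins(records: list[dict],
                               allowed_apps=ALLOWED_DEVICE_CODE_APPS,
                               window: timedelta = timedelta(hours=1)) -> list[dict]:
    """Return one finding per successful device code sign-in to a non-allowlisted app."""
    by_user: dict[str, list[dict]] = defaultdict(list)
    for rec in records:
        by_user[rec["userPrincipalName"]].append(rec)

    findings = []
    for rec in records:
        if rec.get("authenticationProtocol") != "deviceCode":
            continue
        if rec["status"]["errorCode"] != 0:
            continue  # no token was issued, lower priority than a successful redemption
        if rec["appDisplayName"] in allowed_apps:
            continue  # expected use of the flow; still worth periodic review
        user = rec["userPrincipalName"]
        country = rec["location"]["countryOrRegion"]
        reasons = [f"device code sign-in to {rec['appDisplayName']} from {rec['ipAddress']} ({country})"]
        # The victim authenticates from their usual location while the code was requested
        # elsewhere, so the same user appearing from two countries close together is a strong signal.
        other_countries = sorted({
            o["location"]["countryOrRegion"]
            for o in by_user[user]
            if o is not rec
            and abs(o["_ts"] - rec["_ts"]) <= window
            and o["location"]["countryOrRegion"] != country
        })
        if other_countries:
            reasons.append(f"same user signed in from {', '.join(other_countries)} within {window}")
        findings.append({
            "user": user,
            "time": rec["createdDateTime"],
            "country": country,
            "reasons": reasons,
            "recommended_action": REVOKE_ACTION,
        })
    return findings


if __name__ == "__main__":
    for finding in detect_device_code_signins(parse_signins(SAMPLE_SIGNINS)):
        print(json.dumps(finding, indent=2))
```

With the sample data only alice is reported: her device code sign-in to Teams from RU sits seven minutes after an ordinary sign-in from DE, so both reasons fire and the finding carries the token-revocation action. bob's Azure CLI sign-in is suppressed by the allowlist, and carol's failed password sign-in is ignored because no token was issued. Passing an empty allowlist reports bob as well, which is the mode to use while deciding which apps in a tenant genuinely need the flow before blocking it with Conditional Access.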
Practice Verified Codes and Commands:
# Force a password reset at the user's next sign-in (Azure CLI). This does not enable MFA:
# MFA is enforced through Security Defaults or a Conditional Access policy in Microsoft Entra.
az ad user update --id <user-principal-name> --force-change-password-next-login true

# List recent Entra ID sign-ins that used the device code flow, via Microsoft Graph
# (requires AuditLog.Read.All). az monitor activity-log shows Azure resource activity, not sign-ins.
az rest --method get --url 'https://graph.microsoft.com/v1.0/auditLogs/signIns?$top=500' \
  --query "value[?authenticationProtocol=='deviceCode'].[createdDateTime,userPrincipalName,appDisplayName,ipAddress]" -o table

# Review existing Conditional Access policies. az ad sp create-for-rbac creates a service principal
# and has nothing to do with Conditional Access; policies that block the device code flow are
# created in the Entra admin center or by POSTing to this same Graph endpoint.
az rest --method get --url 'https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies' \
  --query "value[].[displayName,state]" -o table

# Update all system packages on a Debian/Ubuntu server
sudo apt-get update && sudo apt-get upgrade -y

# List listening sockets with their owning processes (ss replaces the deprecated netstat)
sudo ss -tulnp

# Refresh signatures and scan home directories with ClamAV, reporting only infected files
sudo freshclam && sudo clamscan -r --infected /home
What Undercode Say:
The Storm-2372 device code phishing campaign highlights the evolving nature of cyber threats and the importance of robust security measures. Organizations must remain vigilant and proactive in their defense strategies. Implementing multi-factor authentication, monitoring token usage, and educating employees are critical steps in mitigating the risk of such attacks; because the victim completes MFA themselves in this flow, blocking the device code flow where it is not needed and revoking the refresh tokens of affected accounts matter just as much. Conditional Access policies and up-to-date security baselines further strengthen an organization's posture.
In addition to the measures recommended by Microsoft, it is essential to conduct regular security audits and penetration testing to identify and address vulnerabilities. Utilizing intrusion detection systems (IDS) and intrusion prevention systems (IPS) can help detect and block malicious activities in real-time. Furthermore, organizations should consider deploying endpoint detection and response (EDR) solutions to monitor and respond to threats on individual devices.
For Linux users, commands such as `ss` (or the older `netstat`), `clamscan`, and `apt-get` remain useful for maintaining host hygiene. They do not address token theft in the cloud identity plane, but regularly patching packages and scanning for malware denies attackers easy footholds on endpoints. Windows administrators can use PowerShell, including the Microsoft Graph PowerShell module (for example `Revoke-MgUserSignInSession` to revoke a user's refresh tokens), to automate sign-in log reviews and response actions.
In conclusion, the Storm-2372 campaign serves as a stark reminder of the persistent and sophisticated nature of cyber threats. By adopting a comprehensive security strategy that includes technical measures, employee education, and regular audits, organizations can significantly reduce their risk of falling victim to such attacks. Stay informed, stay vigilant, and always prioritize cybersecurity.