Suspected Russian threat actors have been exploiting Microsoft Device Code Authentication to deceive targets into granting access to their Microsoft 365 (M365) accounts, a tactic that has proven more successful than traditional social engineering and spear-phishing attacks, according to Volexity threat analysts.
The attacks, which have been ongoing since August 2024 and targeted government organizations, non-governmental organizations, and various industries globally, involve impersonating US, Ukrainian, and EU government officials or researchers. The attackers initiate contact through social media or messaging apps like Signal, inviting the target to participate in a Microsoft Teams Meeting, access applications as an external M365 user, or join a chatroom.
Once the target accepts a fake invitation that directs them to the Microsoft Device Code Authentication page, they are prompted to enter an alphanumeric code, username, password, and second authentication factor. Completing this flow lets the threat actor obtain the resulting access and refresh tokens, giving them unauthorized access to the target's M365 account.
The attackers have utilized this access to search through emails for specific keywords and extract sensitive documents. Additionally, compromised accounts have been used to send phishing messages containing malicious links for Device Code Authentication to other users within the organization.
The success of these attacks can be attributed to the absence of malicious links or attachments in the phishing messages, users' unfamiliarity with attacks that leverage legitimate Microsoft services, and the difficulty of detecting the compromise, since the resulting authentication log entries look like legitimate sign-ins.
To mitigate these threats, organizations can implement conditional access policies that block the device code authentication flow. Monitoring Microsoft Entra ID sign-in logs for the values that identify Device Code Authentication can also help detect suspicious activity. Revoking refresh tokens for affected accounts and monitoring URLs accessed by users for known phishing URLs are recommended as well.
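The sign-in log monitoring described above, as an added example that is not Volexity's tooling or Microsoft's code: it reads exported Entra ID sign-in records as JSON lines, flags those that used the device code flow, and escalates a flag when the user has no prior non-device-code sign-in from that country. The field names (`authenticationProtocol`, `originalTransferMethod`, `ipAddress`, `location.countryOrRegion`, `userPrincipalName`) follow the Microsoft Graph `signIn` resource as I know it, and should be treated as assumptions to verify against your own export; the log lines are constructed sample data.

```python
"""Flag Device Code Authentication sign-ins in exported Entra ID sign-in logs.

Added example, not Volexity's or Microsoft's code. Field names are assumed from
the Microsoft Graph `signIn` schema; confirm them against your tenant's export.
"""
import json
from collections import defaultdict

# Values assumed to mark a device code sign-in in the Graph signIn schema.
DEVICE_CODE_PROTOCOL = "deviceCode"
DEVICE_CODE_TRANSFER = "deviceCodeFlow"

# Constructed sample export (JSON lines). "ZZ" is a placeholder country code.
SAMPLE_LOG = """
{"createdDateTime": "2024-09-02T08:01:00Z", "userPrincipalName": "alice@example.com", "authenticationProtocol": "oAuth2", "originalTransferMethod": "none", "ipAddress": "203.0.113.10", "location": {"countryOrRegion": "US"}}
{"createdDateTime": "2024-09-02T08:05:00Z", "userPrincipalName": "bob@example.com", "authenticationProtocol": "oAuth2", "originalTransferMethod": "none", "ipAddress": "203.0.113.11", "location": {"countryOrRegion": "US"}}
{"createdDateTime": "2024-09-02T09:12:00Z", "userPrincipalName": "alice@example.com", "authenticationProtocol": "deviceCode", "originalTransferMethod": "deviceCodeFlow", "ipAddress": "198.51.100.7", "location": {"countryOrRegion": "ZZ"}}
{"createdDateTime": "2024-09-02T09:40:00Z", "userPrincipalName": "bob@example.com", "authenticationProtocol": "deviceCode", "originalTransferMethod": "deviceCodeFlow", "ipAddress": "203.0.113.11", "location": {"countryOrRegion": "US"}}
{"createdDateTime": "2024-09-02T10:03:00Z", "userPrincipalName": "carol@example.com", "authenticationProtocol": "deviceCode", "originalTransferMethod": "deviceCodeFlow", "ipAddress": "198.51.100.9", "location": {"countryOrRegion": "US"}}
"""


def parse_signin_log(text: str) -> list:
    """Parse a JSON-lines export into a list of sign-in records, skipping blanks."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def is_device_code_signin(record: dict) -> bool:
    """True if the record used the OAuth 2.0 device authorization grant."""
    return (
        record.get("authenticationProtocol") == DEVICE_CODE_PROTOCOL
        or record.get("originalTransferMethod") == DEVICE_CODE_TRANSFER
    )


def _country(record: dict):
    return record.get("location", {}).get("countryOrRegion")


def triage_signins(records: list) -> list:
    """Return one alert per device-code sign-in, in log order.

    Severity is "high" when the user has no non-device-code sign-in from the
    same country anywhere in the export (a new location for this user), and
    "medium" otherwise. Every device-code sign-in is reported, because the
    flow itself is what the attackers abuse; the location check only ranks.
    """
    # Baseline: countries seen for each user in ordinary (non-device-code) sign-ins.
    known_countries = defaultdict(set)
    for r in records:
        if not is_device_code_signin(r):
            known_countries[r["userPrincipalName"]].add(_country(r))

    alerts = []
    for r in records:
        if not is_device_code_signin(r):
            continue
        user = r["userPrincipalName"]
        country = _country(r)
        new_location = country not in known_countries.get(user, set())
        alerts.append({
            "time": r.get("createdDateTime"),
            "user": user,
            "ip": r.get("ipAddress"),
            "country": country,
            "severity": "high" if new_location else "medium",
            "reason": "device code sign-in" + (" from a country with no prior sign-in" if new_location else ""),
        })
    return alerts


if __name__ == "__main__":
    for alert in triage_signins(parse_signin_log(SAMPLE_LOG)):
        print(json.dumps(alert))
```

Every device-code sign-in is surfaced, not only the geographically unusual ones, because a device-code sign-in from the user's usual country and IP is still worth a ticket when the organization does not expect that flow at all; the country check only decides which alerts to look at first, and the same alerts are the natural trigger for the refresh-token revocation the report recommends.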
Volexity has provided indicators of compromise associated with the campaigns they have identified, assisting organizations in enhancing their detection capabilities and safeguarding against future attacks. By remaining vigilant and proactive in implementing security measures, organizations can mitigate the risk posed by these sophisticated threat actors exploiting Microsoft Device Code Authentication for malicious purposes.