Russian Spies’ Phishing Formula

Researchers Uncover Ongoing Russian Phishing Campaign Targeting Microsoft 365 Accounts

A Sustained and Ongoing Campaign

Researchers have uncovered a sustained and ongoing campaign by Russian spies that uses a clever phishing technique to hijack Microsoft 365 accounts belonging to a wide range of targets.

Device Code Phishing: Abusing a Standard Authentication Flow

The technique is known as device code phishing. It exploits "device code flow," a form of authentication formalized in the industry-wide OAuth standard. Authentication through device code flow is designed for logging printers, smart TVs, and similar devices into accounts. These devices typically don’t support browsers, making it difficult to sign in using more standard forms of authentication, such as entering user names, passwords, and two-factor mechanisms.

How the Attack Works

Rather than authenticating the user directly, the input-constrained device displays an alphabetic or alphanumeric device code along with a link associated with the user account. The user opens the link on a computer or other device that’s easier to sign in with and enters the code. The remote server then sends a token to the input-constrained device that logs it into the account.

A Concerted Effort

Advisories from both security firm Volexity and Microsoft warn that threat actors working on behalf of the Russian government have been abusing this flow since at least last August to take over Microsoft 365 accounts. The threat actors masquerade as trusted, high-ranking officials and initiate conversations with a targeted user on a messenger app such as Signal, WhatsApp, or Microsoft Teams. Organizations impersonated include:

  • Law enforcement agencies
  • Financial institutions
  • Government agencies
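Because the device code flow logs in whichever device started the flow, a successful device code phishing attempt shows up in the victim tenant's sign-in telemetry as a device code sign-in for the victim's account from the attacker's location rather than the user's. The following script is an added example (not from the article, and not code from Volexity or Microsoft) that flags such sign-ins over a handful of constructed log records. It assumes records shaped like Microsoft Entra ID sign-in log entries, where `authenticationProtocol` is `"deviceCode"` for device code flow sign-ins and `status.errorCode` is `0` on success; the user names, IP addresses and timestamps are constructed sample data.

```python
"""Flag suspicious device code flow sign-ins in Entra-style sign-in records.

Assumptions (not taken from the article): each record has the fields
`userPrincipalName`, `authenticationProtocol` ("deviceCode" for the device
code flow), `ipAddress`, `location.countryOrRegion` and `status.errorCode`
(0 = success). The sample records below are constructed, not real telemetry.
"""
import json
from collections import defaultdict

# Constructed sample: two ordinary browser sign-ins establish where alice and
# bob normally log in from, then three device code sign-ins follow: alice's
# from a country she has never used (the takeover pattern), bob's from his
# usual network, and carol's which failed.
SAMPLE_LOG = """\
{"createdDateTime": "2025-02-13T09:02:11Z", "userPrincipalName": "alice@example.org", "authenticationProtocol": "authorizationCode", "ipAddress": "203.0.113.10", "location": {"countryOrRegion": "US"}, "status": {"errorCode": 0}}
{"createdDateTime": "2025-02-13T09:15:44Z", "userPrincipalName": "bob@example.org", "authenticationProtocol": "authorizationCode", "ipAddress": "203.0.113.22", "location": {"countryOrRegion": "US"}, "status": {"errorCode": 0}}
{"createdDateTime": "2025-02-13T09:40:02Z", "userPrincipalName": "alice@example.org", "authenticationProtocol": "deviceCode", "ipAddress": "198.51.100.7", "location": {"countryOrRegion": "NL"}, "status": {"errorCode": 0}}
{"createdDateTime": "2025-02-13T10:05:30Z", "userPrincipalName": "bob@example.org", "authenticationProtocol": "deviceCode", "ipAddress": "203.0.113.22", "location": {"countryOrRegion": "US"}, "status": {"errorCode": 0}}
{"createdDateTime": "2025-02-13T10:06:10Z", "userPrincipalName": "carol@example.org", "authenticationProtocol": "deviceCode", "ipAddress": "192.0.2.55", "location": {"countryOrRegion": "DE"}, "status": {"errorCode": 50126}}
"""


def parse_signins(text):
    """Parse newline-delimited JSON sign-in records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def build_baseline(records):
    """Countries each user has signed in from via flows other than device code.

    Device code sign-ins are excluded on purpose: if the attacker's sign-in
    were allowed to seed the baseline, a second one from the same place would
    look 'familiar'.
    """
    baseline = defaultdict(set)
    for r in records:
        if r.get("authenticationProtocol") == "deviceCode":
            continue
        if r["status"]["errorCode"] != 0:
            continue
        baseline[r["userPrincipalName"]].add(r["location"]["countryOrRegion"])
    return baseline


def flag_device_code_signins(records):
    """Return one finding per device code sign-in, rated by how it compares
    with the user's known locations.

    high   - succeeded from a country never seen in the user's other sign-ins
    medium - succeeded from a familiar country (still worth a look: the
             device that started the flow is not necessarily the user's)
    low    - failed attempt; useful as a signal that codes are being sent
    """
    baseline = build_baseline(records)
    findings = []
    for r in records:
        if r.get("authenticationProtocol") != "deviceCode":
            continue
        user = r["userPrincipalName"]
        country = r["location"]["countryOrRegion"]
        succeeded = r["status"]["errorCode"] == 0
        if not succeeded:
            severity = "low"
        elif country not in baseline.get(user, set()):
            severity = "high"
        else:
            severity = "medium"
        findings.append({
            "time": r["createdDateTime"],
            "user": user,
            "ip": r["ipAddress"],
            "country": country,
            "succeeded": succeeded,
            "known_countries": sorted(baseline.get(user, set())),
            "severity": severity,
        })
    return findings


def severity_counts(findings):
    """Summarise findings as {severity: count} for a quick triage view."""
    counts = defaultdict(int)
    for f in findings:
        counts[f["severity"]] += 1
    return dict(counts)


if __name__ == "__main__":
    results = flag_device_code_signins(parse_signins(SAMPLE_LOG))
    for f in results:
        print(f"[{f['severity'].upper():6}] {f['time']} {f['user']} "
              f"from {f['ip']} ({f['country']}); known: {f['known_countries']}")
    print(severity_counts(results))
```

The key design choice is that the location baseline is built only from non-device-code sign-ins, so an attacker's first successful device code login cannot make later ones from the same place look routine. In a real deployment the same logic would run over exported sign-in logs, and a high-severity hit is the cue to revoke the session's refresh tokens and contact the user.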

Conclusion

Device code phishing is a sophisticated tactic that Russian spies are using to infiltrate Microsoft 365 accounts. Organizations must be vigilant and act now to protect themselves against this type of attack.

FAQs

Q: What is device code phishing?
A: Device code phishing is a type of phishing technique that exploits "device code flow" authentication to hijack Microsoft 365 accounts.

Q: How does the attack work?
A: The attack works by displaying an alphabetic or alphanumeric device code along with a link associated with the user account. The user enters the code on a computer or other device, allowing the remote server to log the input-constrained device into the account.

Q: Who is behind the attack?
A: The attack is believed to be carried out by threat actors working on behalf of the Russian government.

Q: What organizations are being targeted?
A: Law enforcement agencies, financial institutions, and government agencies are among the targets of the attack.
