Spear-Phishing (“Business Email Compromise” or “BEC”) targeted at Microsoft 365 accounts!
SCWorld.com reported that “Microsoft revealed an ongoing spear-phishing campaign that abuses the legitimate device code authentication flow to gain access to Microsoft 365 accounts. Device code authentication is used to access Microsoft 365 services from ‘input-constrained devices’ such as printers, smart TVs, game consoles and other internet-of-things (IoT) devices that do not have a web browser.” The February 14, 2025 article entitled “Microsoft 365 accounts targeted in device code spear-phishing scheme” (https://tinyurl.com/yt7k6zvt) included these comments:
Microsoft said in a blog post Thursday that a suspected Russia-linked threat actor tracked as Storm-2372 has been conducting a campaign since August 2024 that tricks users into completing a device code authentication flow for an attacker-controlled device under the guise of an invite to an online event, virtual meeting or secure chat.
The attacker generates a legitimate device code from their device and sends it to the victim, who enters it into a legitimate authentication page, believing they are entering an ID to access the supposed meeting or chatroom. The attacker directs the victim to this page by creating emails or web pages designed to mimic invites from legitimate services like Microsoft Teams.
Once the device authentication flow is completed, the attacker can leverage the access token granted to their device to exfiltrate sensitive information from the victim’s Microsoft 365 services, as well as spread additional phishing messages through the victim’s organization from their compromised account.
Microsoft reported that Storm-2372 has used Microsoft Graph to search compromised accounts for messages including keywords such as username, password, admin, teamviewer, anydesk, credentials, secret, ministry and gov. These messages were then exfiltrated over email via Microsoft Graph, according to Microsoft.
VERY BAD NEWS!
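The comments above describe the tell-tale shape of this attack from the defender's side: the access token is issued to the attacker's device, so the device code sign-in lands in the tenant's sign-in logs from an IP address the victim has never used, followed by Microsoft Graph activity from that same address. The script below is an added example (not code from the SC World article, from Microsoft's post, or from any Microsoft product) showing how to pick those events out of Microsoft Entra sign-in log records. It assumes the Entra sign-in log schema, in which each record carries an `authenticationProtocol` field whose value is `deviceCode` for the device code flow; the records embedded in it are constructed sample data, and the "first time this user has appeared from this IP" heuristic is this example's own prioritisation rule, not something the article prescribes.

```python
"""Flag successful device-code sign-ins in Microsoft Entra sign-in log records.

Added example, not part of the article or of Microsoft's own tooling. Assumes the
Entra ID sign-in log schema (``authenticationProtocol == "deviceCode"`` marks the
device code flow). SAMPLE_LOG is constructed, newline-delimited JSON, not real data.
"""
from __future__ import annotations

import json
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample records using a handful of Entra sign-in log fields.
# alice: normal sign-in, then a device-code sign-in from an IP she never used,
#        then Graph access from that new IP (the pattern described in the article).
# bob:   device-code attempt that failed (non-zero errorCode), ignored.
# carol: device-code sign-in from an IP she already used normally (e.g. a
#        meeting-room device on the office network), lower priority.
SAMPLE_LOG = """
{"createdDateTime": "2025-02-10T08:02:11Z", "userPrincipalName": "alice@example.com", "authenticationProtocol": "oAuth2", "ipAddress": "203.0.113.10", "appDisplayName": "Microsoft Teams", "status": {"errorCode": 0}}
{"createdDateTime": "2025-02-10T09:14:52Z", "userPrincipalName": "alice@example.com", "authenticationProtocol": "deviceCode", "ipAddress": "198.51.100.77", "appDisplayName": "Microsoft Office", "status": {"errorCode": 0}}
{"createdDateTime": "2025-02-10T09:15:30Z", "userPrincipalName": "alice@example.com", "authenticationProtocol": "oAuth2", "ipAddress": "198.51.100.77", "appDisplayName": "Microsoft Graph", "status": {"errorCode": 0}}
{"createdDateTime": "2025-02-10T10:00:00Z", "userPrincipalName": "bob@example.com", "authenticationProtocol": "deviceCode", "ipAddress": "203.0.113.10", "appDisplayName": "Microsoft Office", "status": {"errorCode": 50126}}
{"createdDateTime": "2025-02-11T07:30:00Z", "userPrincipalName": "carol@example.com", "authenticationProtocol": "oAuth2", "ipAddress": "203.0.113.10", "appDisplayName": "Outlook", "status": {"errorCode": 0}}
{"createdDateTime": "2025-02-11T07:45:00Z", "userPrincipalName": "carol@example.com", "authenticationProtocol": "deviceCode", "ipAddress": "203.0.113.10", "appDisplayName": "Microsoft Office", "status": {"errorCode": 0}}
"""


@dataclass(frozen=True)
class Finding:
    user: str
    when: str
    ip: str
    app: str
    known_ip: bool  # True if the user had a prior non-device-code sign-in from this IP


def parse_signins(text: str) -> list[dict]:
    """Parse newline-delimited JSON sign-in records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def flag_device_code_signins(records: list[dict]) -> list[Finding]:
    """Return one Finding per successful device-code sign-in, in time order.

    A per-user baseline of IPs seen on ordinary (non-device-code) sign-ins is built
    as the records are walked chronologically. A device-code sign-in from an IP
    outside that baseline is the highest-priority case: the token was redeemed on
    a device the user has never signed in from, which is exactly what happens when
    the code was generated on an attacker-controlled device.
    """
    seen_ips: dict[str, set[str]] = defaultdict(set)
    findings: list[Finding] = []
    for rec in sorted(records, key=lambda r: r["createdDateTime"]):
        if rec.get("status", {}).get("errorCode", 0) != 0:
            continue  # only completed sign-ins yield a usable token
        user, ip = rec["userPrincipalName"], rec["ipAddress"]
        if rec.get("authenticationProtocol") == "deviceCode":
            findings.append(
                Finding(user, rec["createdDateTime"], ip, rec["appDisplayName"], ip in seen_ips[user])
            )
        else:
            seen_ips[user].add(ip)
    return findings


def triage(findings: list[Finding]) -> list[Finding]:
    """Order findings so device-code sign-ins from never-seen IPs come first."""
    return sorted(findings, key=lambda f: (f.known_ip, f.when))


if __name__ == "__main__":
    for f in triage(flag_device_code_signins(parse_signins(SAMPLE_LOG))):
        label = "known IP" if f.known_ip else "NEW IP"
        print(f"{f.when}  {f.user:<20}  {f.ip:<15}  {f.app:<18}  device-code sign-in ({label})")
```

In practice the records would come from the Entra sign-in log export (Log Analytics, Sentinel, or the Graph reporting API) rather than an embedded string; the heuristic is deliberately simple, and a real deployment would add whatever baseline the tenant already trusts, such as the addresses of its meeting-room and shared-device fleet, so that legitimate device code use does not drown out the one sign-in that matters.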