The emergence of a cyber-attack threat cluster known as Storm-2372 has raised significant concerns across various sectors. Identified by Microsoft, this threat has been active since August 2024, targeting organizations in government, NGOs, IT services, technology, defense, telecommunications, health, higher education, and energy/oil and gas sectors. The attacks have spanned Europe, North America, Africa, and the Middle East, showcasing a broad and alarming reach.
The Rise of Storm-2372
Novel Phishing Techniques
Storm-2372 has introduced a novel phishing technique called ‘device code phishing.’ This method involves tricking victims into logging into productivity applications to capture authentication tokens. These tokens allow unauthorized access to compromised accounts, bypassing the need for passwords. The attackers have skillfully leveraged legitimate messaging platforms such as WhatsApp, Signal, and Microsoft Teams to pose as prominent individuals, enhancing their credibility and increasing the likelihood of a successful attack.
Social Engineering Tactics
One of the most insidious aspects of these attacks is the use of social engineering. By sending what appear to be legitimate Microsoft Teams meeting invitations, the threat actors lure victims into entering a device code on a legitimate sign-in page. This tactic capitalizes on the victim’s assumptions of authenticity and trust in commonly used tools. Once an authentication token is captured, the attackers exploit it to gain entry to the victim’s accounts, providing unauthorized access to sensitive data.
Exploiting Authentication Tokens
Persistent Access and Privilege Escalation
Once an account is compromised, the attackers can maintain access as long as the tokens remain valid. This extended access allows them to potentially escalate their privileges within the network, gaining more control over the compromised systems. Microsoft’s observations indicate that the attackers use the Microsoft Graph service to conduct keyword searches through the compromised account’s messages.
Mitigation Strategies
To mitigate this risk, Microsoft suggests several measures: blocking device code flow where feasible, enabling phishing-resistant multi-factor authentication (MFA), and adhering to the principle of least privilege. Blocking device code flow can directly counteract the tactic used by Storm-2372, making it harder for the attackers to obtain valid tokens. Enabling phishing-resistant MFA adds an additional layer of security, requiring multiple forms of verification before granting access and reducing the risk of unauthorized access.
Evolving Tactics of Storm-2372
Shift in Attack Methods
In an update on February 14, 2025, Microsoft highlighted a shift in Storm-2372’s tactics, reflecting the group’s ability and determination to adapt to emerging defenses. The threat actors now employ the specific client ID for the Microsoft Authentication Broker in the device code flow.
Concealing Activities
Additionally, the attackers have been observed to utilize regionally appropriate proxies to better conceal the suspicious nature of their sign-in activities. By mimicking regional sign-in patterns, the attackers can evade detection and appear as legitimate users, making it more challenging for organizations to identify and respond to the threat.
Observations by Volexity
Multiple Russian Threat Actors
Cybersecurity firm Volexity has independently observed at least three distinct Russian threat actors employing the device code phishing method to compromise Microsoft 365 accounts since mid-January 2025. These campaigns have impersonated individuals from established entities, including the United States Department of State, the Ukrainian Ministry of Defence, and the European Union Parliament.
Specific Attack Instances
One particularly active group, UTA0304, initiated contact with a target through the Signal messaging app, posing as an official from the Ukrainian Ministry of Defence. They persuaded the victim to switch to another secure messaging app, Element, then sent a spear-phishing email containing a link to join a chat room.
Strategic Timing and Real-Time Engagement
The strategic timing of the phishing messages is a critical component of the attackers’ methodology. The generated device codes’ short validity window, typically 15 minutes, necessitates swift action from the victim, adding a sense of urgency to the engagement.
Looking Ahead
The rising threat of a cyber-attack cluster known as Storm-2372 has created significant alarm across multiple sectors. This threat, identified by Microsoft, has been active since August 2024 and continues to pose substantial risks. Storm-2372 targets a wide array of organizations, including those in government, non-governmental organizations (NGOs), IT services, technology, defense, telecommunications, health, higher education, and energy/oil and gas sectors. The attacks are not confined to a specific region but have impacted entities across Europe, North America, Africa, and the Middle East, indicating a widespread and concerning reach.
Microsoft’s identification of Storm-2372 underscores the growing sophistication and persistence of cyber threats in today’s digital age. Organizations within the affected sectors must enhance their cybersecurity measures to safeguard against these relentless attacks. This threat cluster’s broad target range and global span highlight the urgent need for heightened vigilance and advanced security protocols to defend critical infrastructures and sensitive information from such pervasive cyber threats.