Storm-2372 Cyber Threat: Advanced Phishing Tactics Targeting Multiple Sectors

Article Highlights
Off On

The emergence of a cyber-attack threat cluster known as Storm-2372 has raised significant concerns across various sectors. Identified by Microsoft, this threat has been active since August 2024, targeting organizations in government, NGOs, IT services, technology, defense, telecommunications, health, higher education, and energy/oil and gas sectors. The attacks have spanned Europe, North America, Africa, and the Middle East, showcasing a broad and alarming reach.

The Rise of Storm-2372

Novel Phishing Techniques

Storm-2372 has introduced a novel phishing technique called ‘device code phishing.’ This method involves tricking victims into logging into productivity applications to capture authentication tokens. These tokens allow unauthorized access to compromised accounts, bypassing the need for passwords. The attackers have skillfully leveraged legitimate messaging platforms such as WhatsApp, Signal, and Microsoft Teams to pose as prominent individuals, enhancing their credibility and increasing the likelihood of a successful attack.

Social Engineering Tactics

One of the most insidious aspects of these attacks is the use of social engineering. By sending what appear to be legitimate Microsoft Teams meeting invitations, the threat actors lure victims into entering a device code on a legitimate sign-in page. This tactic capitalizes on the victim’s assumptions of authenticity and trust in commonly used tools. Once an authentication token is captured, the attackers exploit it to gain entry to the victim’s accounts, providing unauthorized access to sensitive data.

Exploiting Authentication Tokens

Persistent Access and Privilege Escalation

Once an account is compromised, the attackers can maintain access as long as the tokens remain valid. This extended access allows them to potentially escalate their privileges within the network, gaining more control over the compromised systems. Microsoft’s observations indicate that the attackers use the Microsoft Graph service to conduct keyword searches through the compromised account’s messages.

Mitigation Strategies

To mitigate this risk, Microsoft suggests several measures: blocking device code flow where feasible, enabling phishing-resistant multi-factor authentication (MFA), and adhering to the principle of least privilege. Blocking device code flow can directly counteract the tactic used by Storm-2372, making it harder for the attackers to obtain valid tokens. Enabling phishing-resistant MFA adds an additional layer of security, requiring multiple forms of verification before granting access and reducing the risk of unauthorized access.

Evolving Tactics of Storm-2372

Shift in Attack Methods

In an update on February 14, 2025, Microsoft highlighted a shift in Storm-2372’s tactics, reflecting the group’s ability and determination to adapt to emerging defenses. The threat actors now employ the specific client ID for the Microsoft Authentication Broker in the device code flow.

Concealing Activities

Additionally, the attackers have been observed to utilize regionally appropriate proxies to better conceal the suspicious nature of their sign-in activities. By mimicking regional sign-in patterns, the attackers can evade detection and appear as legitimate users, making it more challenging for organizations to identify and respond to the threat.

Observations by Volexity

Multiple Russian Threat Actors

Cybersecurity firm Volexity has independently observed at least three distinct Russian threat actors employing the device code phishing method to compromise Microsoft 365 accounts since mid-January 2025. These campaigns have impersonated individuals from established entities, including the United States Department of State, the Ukrainian Ministry of Defence, and the European Union Parliament.

Specific Attack Instances

One particularly active group, UTA0304, initiated contact with a target through the Signal messaging app, posing as an official from the Ukrainian Ministry of Defence. They persuaded the victim to switch to another secure messaging app, Element, then sent a spear-phishing email containing a link to join a chat room.

Strategic Timing and Real-Time Engagement

The strategic timing of the phishing messages is a critical component of the attackers’ methodology. The generated device codes’ short validity window, typically 15 minutes, necessitates swift action from the victim, adding a sense of urgency to the engagement.

Looking Ahead

The rising threat of a cyber-attack cluster known as Storm-2372 has created significant alarm across multiple sectors. This threat, identified by Microsoft, has been active since August 2024 and continues to pose substantial risks. Storm-2372 targets a wide array of organizations, including those in government, non-governmental organizations (NGOs), IT services, technology, defense, telecommunications, health, higher education, and energy/oil and gas sectors. The attacks are not confined to a specific region but have impacted entities across Europe, North America, Africa, and the Middle East, indicating a widespread and concerning reach.

Microsoft’s identification of Storm-2372 underscores the growing sophistication and persistence of cyber threats in today’s digital age. Organizations within the affected sectors must enhance their cybersecurity measures to safeguard against these relentless attacks. This threat cluster’s broad target range and global span highlight the urgent need for heightened vigilance and advanced security protocols to defend critical infrastructures and sensitive information from such pervasive cyber threats.

Explore more

Can Stablecoins Balance Privacy and Crime Prevention?

The emergence of stablecoins in the cryptocurrency landscape has introduced a crucial dilemma between safeguarding user privacy and mitigating financial crime. Recent incidents involving Tether’s ability to freeze funds linked to illicit activities underscore the tension between these objectives. Amid these complexities, stablecoins continue to attract attention as both reliable transactional instruments and potential tools for crime prevention, prompting a

AI-Driven Payment Routing – Review

In a world where every business transaction relies heavily on speed and accuracy, AI-driven payment routing emerges as a groundbreaking solution. Designed to amplify global payment authorization rates, this technology optimizes transaction conversions and minimizes costs, catalyzing new dynamics in digital finance. By harnessing the prowess of artificial intelligence, the model leverages advanced analytics to choose the best acquirer paths,

How Are AI Agents Revolutionizing SME Finance Solutions?

Can AI agents reshape the financial landscape for small and medium-sized enterprises (SMEs) in such a short time that it seems almost overnight? Recent advancements suggest this is not just a possibility but a burgeoning reality. According to the latest reports, AI adoption in financial services has increased by 60% in recent years, highlighting a rapid transformation. Imagine an SME

Trend Analysis: Artificial Emotional Intelligence in CX

In the rapidly evolving landscape of customer engagement, one of the most groundbreaking innovations is artificial emotional intelligence (AEI), a subset of artificial intelligence (AI) designed to perceive and engage with human emotions. As businesses strive to deliver highly personalized and emotionally resonant experiences, the adoption of AEI transforms the customer service landscape, offering new opportunities for connection and differentiation.

Will Telemetry Data Boost Windows 11 Performance?

The Telemetry Question: Could It Be the Answer to PC Performance Woes? If your Windows 11 has left you questioning its performance, you’re not alone. Many users are somewhat disappointed by computers not performing as expected, leading to frustrations that linger even after upgrading from Windows 10. One proposed solution is Microsoft’s initiative to leverage telemetry data, an approach that