Microsoft is calling attention to a new threat cluster, tracked as Storm-2372, that since August 2024 has carried out a series of cyberattacks against a range of industries.
The attacks have targeted government, non-governmental organizations (NGOs), information technology (IT) services and technology, defense, telecommunications, health, higher education, and energy/oil and gas sectors in Europe, North America, Africa, and the Middle East.
The threat actor, assessed with moderate confidence to be aligned with Russian interests based on victimology and tradecraft, has been observed approaching targets through messaging apps such as WhatsApp, Signal, and Microsoft Teams, falsely posing as a prominent person relevant to the target in an attempt to build trust.
“The attacks use a specific phishing technique called ‘device code phishing’ that tricks users into signing in to productivity apps while Storm-2372 actors capture the information from the sign-in (tokens) that they can then use to access compromised accounts,” Microsoft Threat Intelligence said in a new report.
Because the technique relies on authentication tokens to gain access to target accounts, it gives the attacker persistent access to the victim environment for as long as those tokens remain valid, access the actor intends to use to obtain sensitive data.
The tech giant said the attacks involve sending phishing emails that masquerade as Microsoft Teams meeting invitations; when clicked, they prompt the recipient to authenticate using a threat actor-generated device code, allowing the adversary to hijack the authenticated session using the resulting valid access token.
“The threat actor tricks the target into entering it into a legitimate sign-in page,” Microsoft said of the device code. “This grants the actor access and enables them to capture the authentication (access and refresh) tokens that are generated, then use those tokens to access the target’s accounts and data.”
The phished authentication tokens can then be used to access other services where the user already has permissions, such as email or cloud storage, without needing a password.
Microsoft said the valid session is used to move laterally within the network by sending similar phishing messages to other users in the organization from the compromised account. The Microsoft Graph service is also used to search through the messages of the breached account.
“The threat actor was using keyword searching to view messages containing words such as username, password, admin, teamviewer, anydesk, credentials, secret, ministry, and gov,” Redmond said, adding that the emails matching these filter criteria were then exfiltrated to the threat actor.
To mitigate the risk posed by such attacks, organizations are advised to enable phishing-resistant multi-factor authentication (MFA) wherever possible and to follow the principle of least privilege.
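As an added defender-side example that is not part of Microsoft's report, the script below triages exported Entra ID sign-in records for device-code authentications, the flow this campaign abuses, and flags those coming from an IP the user has not signed in from before. The field names follow the Microsoft Graph signIn resource; the sample records, the per-user IP baseline, and the unfamiliar-IP heuristic are assumptions constructed for the example.

```python
"""Added example, not from the Microsoft report: triage Entra ID sign-in
records for device-code authentications, the flow abused by Storm-2372.
Field names (authenticationProtocol, userPrincipalName, ipAddress,
appDisplayName) follow the Microsoft Graph signIn resource; the records
and the per-user IP baseline below are constructed test data."""
import json

# Constructed sample: three sign-ins, two of them via the device code flow.
SAMPLE_SIGNINS = "\n".join([
    json.dumps({"userPrincipalName": "alice@example.org", "ipAddress": "203.0.113.10",
                "appDisplayName": "Microsoft Teams", "authenticationProtocol": "none"}),
    json.dumps({"userPrincipalName": "alice@example.org", "ipAddress": "198.51.100.7",
                "appDisplayName": "Microsoft Office", "authenticationProtocol": "deviceCode"}),
    json.dumps({"userPrincipalName": "bob@example.org", "ipAddress": "203.0.113.11",
                "appDisplayName": "Azure CLI", "authenticationProtocol": "deviceCode"}),
])

# Constructed baseline: IPs each user has signed in from over the prior 30 days.
BASELINE_IPS = {
    "alice@example.org": {"203.0.113.10"},
    "bob@example.org": {"203.0.113.11"},
}


def parse_signins(text):
    """Parse newline-delimited JSON sign-in records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def find_suspicious_device_code_signins(records, baseline):
    """Return (user, ip, app) for every device-code sign-in whose source IP is
    absent from that user's baseline.  Heuristic (assumed): a device-code
    sign-in from a never-before-seen address is worth an analyst's review,
    since this flow is rarely used by ordinary users on managed devices."""
    hits = []
    for rec in records:
        if rec.get("authenticationProtocol") != "deviceCode":
            continue
        user = rec.get("userPrincipalName", "")
        ip = rec.get("ipAddress", "")
        if ip not in baseline.get(user, set()):
            hits.append((user, ip, rec.get("appDisplayName", "")))
    return hits


if __name__ == "__main__":
    for user, ip, app in find_suspicious_device_code_signins(
            parse_signins(SAMPLE_SIGNINS), BASELINE_IPS):
        print(f"review device-code sign-in: {user} from {ip} to {app}")
```

Bob's device-code sign-in is not flagged because it comes from his baseline address, while Alice's is, which is the kind of record to cross-check against the mailbox keyword searches described above.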