Just as we think we’re getting one step ahead of cybercriminals, they find a new way to evade our defenses.
The latest method causing trouble for security teams is that of device code phishing, a technique that tricks users into granting access to sensitive accounts without attackers needing to steal a password.
Microsoft recently issued a warning about a particular device code phishing campaign being conducted by Storm-2372, where a supposed Russian-backed threat actor was wreaking havoc by hijacking user sessions through legitimate authentication flows. These attacks are trickier to detect than usual given that they exploit real login pages (rather than the spoofed versions that traditional phishing techniques relied on) and are capable of bypassing multi-factor authentication (MFA).
The recent warning from Microsoft will most likely be the first of many. Various other platforms follow the same style of authentication flows and attackers will most likely replicate the technique elsewhere. It is down to security teams once again to identify the warning signs of this new breed of phishing, and implement the best cybersecurity practices to get ahead of the curve.
CIO of Abnormal Security.
Understanding device code phishing
Unlike traditional credential phishing attacks, device code phishing is unique in that there is no need to directly steal a password. Instead, attackers manipulate victims into handing over access to their accounts by exploiting authentication methods designed to make logging in easier.
They start the same way as most email attacks do: through social engineering. By impersonating a trusted colleague or IT administrator, the attackers send an email invitation to an online meeting (often a Microsoft Teams meeting) that looks legitimate. The email is designed to appear normal – for instance, it might look like a genuine Teams meeting invite.
When the victim clicks the link in the fake invite, they are prompted to log in using a special code (the “device code”), which is provided by the attacker. And because the website they land on is a real Microsoft login page, the user doesn’t suspect anything phishy.
What makes this technique especially dangerous is that it exploits legitimate authentication systems without creating counterfeit ones. This removes the need for attackers to steal passwords. Instead, they can gain access by capturing session tokens which allow them to operate without triggering additional authentication prompts. And because the tokens are already verified, attackers can often bypass MFA.
At first glance, nothing seems unusual. Suspicion is reduced due to the official Microsoft website, and therefore, victims won’t hesitate to enter a device code to authenticate the session. However, instead of linking their own device, they are unknowingly authorizing the attacker's session. Once access is granted, the attacker has the keys to the kingdom and is free to operate within the victim’s account, access sensitive information, and launch lateral attacks.
How users can recognize and avoid these attacks
Device code phishing has created a minefield where legitimate tools are utilized for malicious purposes. Organizations must be proactive in recognizing these attacks and be sure to have effective authentication security measures in place.
Users should always treat unexpected meeting invites with suspicion, especially if they contain login prompts that require immediate action. Before entering any device code, users should verify the legitimacy of the request through a separate communication channel, such as a direct phone call or an internal messaging platform. If a login request appears out of the blue, it’s always best to avoid proceeding until its authenticity is confirmed.
Device codes are particularly impactful as they are designed to be entered on trusted devices. As a result, users should never share a login code with another person or enter a code they receive via email or chat unless they personally initiated the request. Legitimate services will never email a device code and then ask a user to input it on a separate website. If workforces can get to grips with this fundamental security principle, it can prevent many device code phishing attempts from succeeding.
Organizational steps to mitigate risk
Protecting against these attacks can’t rely solely on the user and organizations must take steps to reduce the risk of device code phishing.
One of the most effective measures is to disable any unnecessary device code authentication flows. If it isn’t essential for business operations, then it should be removed to eliminate a significant attack vector. Security teams should regularly review authentication policies and restrict device code logins to only trusted devices.
Conditional access policies go one step further, as they can restrict authentication attempts based on user behavior, device type, geographic location, and risk level. If a login attempt occurs from an unfamiliar location or outside of approved business hours, access can be blocked or require additional verification.
This is why it’s key to embrace behavioral AI measures which can establish baseline “normal” behaviors within an organization's IT environment, and in turn question anything that seems out of the ordinary. Behavioral AI systems analyze characteristics like login patterns to detect anomalies, such as multiple authentication attempts from different locations or unusual device code submissions. By comparing these activities to known-good user behaviors, deviations from the norm can be flagged as suspicious.
And since device code phishing hinges on meeting invites to spread the attack, these should also be monitored. Security teams should regularly audit and flag unusual meeting request patterns, particularly those originating from compromised accounts.
Lastly, security awareness programs should be an ongoing feature of any cybersecurity strategy. Cyber threats evolve constantly, so training should also be continuous. Employees must be trained to recognize the warning signs of device code phishing and understand the risks of entering authentication codes without verification. Creating a culture where security is front of mind when handling unexpected requests is vital.
The time to act is now
As this latest technique continues to prove effective, cybercriminals will no doubt expand their use of device code phishing. Organizations must act now to defend against this emerging threat. A combination of user awareness and strong security policies which are strengthened by advanced threat detection can help organizations to stay ahead.
The sooner organizations implement these measures, the sooner they can reduce their exposure to device code phishing and protect their employees, data, and systems from this growing cyber threat.
We've listed the best identity management software.
This article was produced as part of TechRadarPro's Expert Insights channel where we feature the best and brightest minds in the technology industry today. The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc. If you are interested in contributing find out more here: https://www.techradar.com/news/submit-your-story-to-techradar-pro
You must confirm your public display name before commenting
Please logout and then login again, you will then be prompted to enter your display name.
