On February the 14th, Microsoft identified a cyber threat group, known as Storm-2372, conducting a sophisticated phishing attack targeting corporate users. While there are many kinds of phishing attacks, this group is abusing the device code authentication flow to trick users into giving up their authentication tokens. They do this via fake Microsoft Teams invites sent through platforms like WhatsApp, Signal or Teams itself.
Why does this matter to you and your organisation?
Once attackers obtain a user’s token, they can move laterally across systems and access sensitive corporate data, all without ever needing the user’s credentials.
In this blog post, we will explain everything you need to know and how to continuously detect and prevent potential attacks.
This type of phishing technique is particularly serious because if an authentication token is compromised, the attacker can then bypass multi-factor authentication (MFA) and gain persistent access to sensitive resources such as email, Microsoft Teams, SharePoint, OneDrive, and other corporate systems.
To make matters worse, the attackers are using real Microsoft login pages, which look completely normal to the user. Because these pages are familiar and appear trustworthy, most people don’t suspect anything is wrong. This means users often have no idea that their login details and access have been stolen.
You are at risk if your organisation supports device code flow, especially if you use it for mobile or headless devices, or for applications that are not restricted to managed and compliant devices.
Users with access to Teams, Office 365 or Microsoft 365 applications, and third-party services integrated via Azure or Entra ID are at particular risk, making this a broad and impactful threat vector for many organisations.
First, you should strongly consider using tools that can automatically spot suspicious activity. With Microsoft Defender XDR, your system can detect unusual login attempts in real time without someone constantly watching for them, which is especially helpful for larger organisations that deal with many alerts every day. Defender XDR can also investigate and respond to threats on its own, which Microsoft describes as ‘self-healing capabilities’, fixing some issues automatically. This takes pressure off your security team and helps keep your organisation safe.
You can also leverage Microsoft Sentinel to assist with digging into your incidents and alerts. Sentinel provides you with KQL (Kusto Query Language) hunting queries, allowing your security teams to dig deeper into any potential threats. These queries let you search through large amounts of security data to spot any signs of suspicious activity, such as unusual logins or unexpected device code use. They’re especially useful for investigating advanced attacks that might not trigger standard alerts. Microsoft often shares ready-to-use KQL queries in their threat intelligence articles, so teams can quickly start hunting for signs of specific campaigns like the one by Storm-2372.
You can find the queries for this specific attack in their article here: https://www.microsoft.com/en-us/security/blog/2025/02/13/storm-2372-conducts-device-code-phishing-campaign/#:~:text=Storm%2D2372%20phishing%20lure%20and%20access&text=On%20the%20device%20code%20authentication,the%20fake%20Teams%20meeting%20invitation.
Microsoft Learn Article on XDR respond and detect: https://learn.microsoft.com/en-us/defender-xdr/m365d-autoir
Microsoft Learn Article on Threat Hunting: https://learn.microsoft.com/en-us/azure/sentinel/hunting?tabs=defender-portal
In addition to automated tools, it’s important to carry out manual reviews to catch anything that might slip through. Start by checking for login activity from unusual device IDs or unexpected locations, which could suggest unauthorised access. You can do this in the Microsoft Defender Portal, which shows you all the incidents and alerts in your organisation.
It’s also a good idea for your team to review any Microsoft Teams meeting links being shared, especially if they weren’t created or approved through official channels, as attackers often use fake meeting invites to trick users into giving up their login details.
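The two manual checks above (sign-ins from unexpected locations, and unexpected device code use) can be scripted against exported sign-in records. This is an added example, not code from the original post or from Microsoft; the records are constructed and their field names (UserPrincipalName, AuthenticationProtocol, IPAddress, Location, TimeGenerated) are modelled on Entra ID SigninLogs as an assumption. It flags device code sign-ins from a country the user has never used with a normal sign-in, and any single IP that completed device code sign-ins for several users within a short window.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in records (shaped after Entra ID SigninLogs fields).
# "deviceCode" marks a device code flow sign-in; "none" is an ordinary sign-in.
SAMPLE_LOGS = [
    {"TimeGenerated": "2025-02-10T09:00:00", "UserPrincipalName": "alice@contoso.example",
     "AuthenticationProtocol": "none", "IPAddress": "203.0.113.10", "Location": "GB"},
    {"TimeGenerated": "2025-02-11T09:05:00", "UserPrincipalName": "bob@contoso.example",
     "AuthenticationProtocol": "none", "IPAddress": "203.0.113.11", "Location": "GB"},
    {"TimeGenerated": "2025-02-12T08:30:00", "UserPrincipalName": "carol@contoso.example",
     "AuthenticationProtocol": "none", "IPAddress": "203.0.113.12", "Location": "GB"},
    {"TimeGenerated": "2025-02-14T13:02:00", "UserPrincipalName": "alice@contoso.example",
     "AuthenticationProtocol": "deviceCode", "IPAddress": "198.51.100.7", "Location": "US"},
    {"TimeGenerated": "2025-02-14T13:09:00", "UserPrincipalName": "bob@contoso.example",
     "AuthenticationProtocol": "deviceCode", "IPAddress": "198.51.100.7", "Location": "US"},
    {"TimeGenerated": "2025-02-14T15:00:00", "UserPrincipalName": "carol@contoso.example",
     "AuthenticationProtocol": "deviceCode", "IPAddress": "203.0.113.12", "Location": "GB"},
]


def parse(rec):
    return datetime.fromisoformat(rec["TimeGenerated"])


def baseline_countries(logs):
    """Countries each user has signed in from using ordinary (non device code) flows."""
    base = defaultdict(set)
    for r in logs:
        if r["AuthenticationProtocol"] != "deviceCode":
            base[r["UserPrincipalName"]].add(r["Location"])
    return base


def hunt_device_code(logs, window=timedelta(minutes=30), min_users=2):
    """Return (device code sign-ins from a new country, IPs shared by several users)."""
    base = baseline_countries(logs)
    device = sorted((r for r in logs if r["AuthenticationProtocol"] == "deviceCode"), key=parse)
    new_country = [r for r in device if r["Location"] not in base.get(r["UserPrincipalName"], set())]
    shared_ip = []
    for ip in {r["IPAddress"] for r in device}:
        hits = [r for r in device if r["IPAddress"] == ip]   # already time-ordered
        for i, first in enumerate(hits):
            users = {h["UserPrincipalName"] for h in hits[i:] if parse(h) - parse(first) <= window}
            if len(users) >= min_users:        # one source finishing the flow for many users
                shared_ip.append((ip, sorted(users)))
                break
    return new_country, shared_ip
```

Both findings here are starting points for an investigation, not proof of compromise; a travelling user with a genuine CLI tool will trip the first check.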
Device Code Flow is an OAuth 2.0 authentication flow designed for devices with limited input capability, for example command-line tools, smart TVs or IoT devices (physical objects such as sensors, gadgets or appliances that connect to the internet and can collect, transmit and share data).
Device code flow works like this: the device shows the user a short code together with a Microsoft sign-in URL; the user opens that URL on another device, such as a phone or laptop, signs in and enters the code; the original device then receives the user’s token.
Sound familiar? You might have done this on streaming services like Netflix. Although this process is convenient, it is less secure than other methods of authentication: the token is delivered to whichever device started the flow, not to the device the user typed the code on, which makes it easier for attackers to exploit.
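To make the three steps concrete, here is an added example (not code from the original post, and not Microsoft’s implementation) of a minimal in-memory authorization server following the OAuth 2.0 device authorization grant (RFC 8628). The client id, scope and verification URI are placeholders. It shows the property the campaign relies on: the token is handed to whoever holds the device_code from step 1, while the user who typed the user_code in step 2 only ever sees a genuine sign-in page.

```python
import secrets
import time


class DeviceAuthServer:
    """Constructed stand-in for an authorization server's device code endpoints."""

    def __init__(self, lifetime=900):
        self.lifetime = lifetime   # seconds a code pair stays valid
        self.pending = {}          # device_code -> pending authorization record

    def device_authorization(self, client_id, scope, now=None):
        """Step 1: the client (the device, or an attacker's script) requests a code pair."""
        device_code = secrets.token_hex(16)                      # secret, kept by the client
        user_code = f"{secrets.randbelow(10**4):04d}-{secrets.randbelow(10**4):04d}"
        self.pending[device_code] = {
            "client_id": client_id, "scope": scope, "user_code": user_code,
            "expires": (now or time.time()) + self.lifetime, "approved_by": None}
        return {"device_code": device_code, "user_code": user_code,
                "verification_uri": "https://login.example/device", "interval": 5}

    def user_approves(self, user_code, user):
        """Step 2: a user signs in on another device and types the short code."""
        for rec in self.pending.values():
            if rec["user_code"] == user_code and rec["approved_by"] is None:
                rec["approved_by"] = user
                return True
        return False

    def token(self, device_code, now=None):
        """Step 3: the holder of device_code polls until the user has approved."""
        rec = self.pending.get(device_code)
        if rec is None:
            return {"error": "invalid_grant"}
        if (now or time.time()) > rec["expires"]:
            del self.pending[device_code]
            return {"error": "expired_token"}
        if rec["approved_by"] is None:
            return {"error": "authorization_pending"}
        del self.pending[device_code]
        # The token is bound to the approving user but returned to the polling client.
        return {"access_token": f"tok-{secrets.token_hex(8)}",
                "sub": rec["approved_by"], "scope": rec["scope"]}


if __name__ == "__main__":
    srv = DeviceAuthServer()
    start = srv.device_authorization("cli-tool", "User.Read")
    print("device shows:", start["user_code"], "at", start["verification_uri"])
    print("poll before approval:", srv.token(start["device_code"]))
    srv.user_approves(start["user_code"], "alice@contoso.example")
    print("poll after approval:", srv.token(start["device_code"]))
```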
By using conditional access policies in the Microsoft Entra admin center, you can block device code flow. By taking this step, you reduce your attack surface and help ensure that users only authenticate through more secure, controlled methods.
Follow this Microsoft Learn Article to do this: https://learn.microsoft.com/en-us/entra/identity/conditional-access/policy-block-authentication-flows#device-code-flow-policies
Authentication transfer allows you to transfer an authentication from one device to another, such as desktop to mobile. For example, users can scan a QR code in an authenticated app on their PC to sign in to a mobile app.
Although this simplifies authentication for the user by allowing them to connect across platforms without having to re-enter credentials, it does expose you to security risks.
For instance, if a cybercriminal gains access to a user’s desktop session, they could use the authentication transfer feature to compromise the user’s mobile device as well.
Worse yet, this process can bypass third-party Mobile Device Management (MDM) tools that are designed to enforce security policies on mobile devices. Without MDM in the loop, organisations lose visibility and control, weakening their overall security posture.
Don’t put your security at risk simply for convenience: use conditional access policies to block authentication transfer. This closes a significant hole.
Use this Microsoft Learn article to guide you: https://learn.microsoft.com/en-us/entra/identity/conditional-access/policy-block-authentication-flows
We get it, authentication transfer can offer a smoother, more convenient experience for users. While blocking it entirely is the most secure option, we understand that in some cases, convenience wins out.
If you choose to allow it, you can reduce the risk by restricting authentication transfers to managed and compliant devices only. This ensures that any device receiving authentication is already under your organisation’s security policies, giving you better visibility, control, and overall protection.
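The two Conditional Access recommendations above (block device code flow; block authentication transfer, or restrict it to compliant devices) can be verified from the policies Microsoft Graph returns. This is an added example, not code from the original post; the policy records are constructed, and the field names (conditions.authenticationFlows.transferMethods with the values deviceCodeFlow and authenticationTransfer, grantControls.builtInControls) follow the Graph conditionalAccessPolicy schema as an assumption. It reports, for each flow, whether an enabled all-users policy blocks it, restricts it to compliant devices, or leaves it unrestricted.

```python
# Constructed policies in the shape of GET /identity/conditionalAccess/policies.
WEAK_POLICIES = [
    {"displayName": "Require MFA for all users", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"]}, "authenticationFlows": None},
     "grantControls": {"builtInControls": ["mfa"]}},
]
HARDENED_POLICIES = WEAK_POLICIES + [
    {"displayName": "Block device code flow", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"]},
                    "authenticationFlows": {"transferMethods": "deviceCodeFlow"}},
     "grantControls": {"builtInControls": ["block"]}},
    {"displayName": "Authentication transfer only on compliant devices", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"]},
                    "authenticationFlows": {"transferMethods": "authenticationTransfer"}},
     "grantControls": {"builtInControls": ["compliantDevice"]}},
]


def _policies_for(policies, method):
    """Enabled policies that target `method` for all users (exclusions are not checked)."""
    for p in policies:
        conditions = p.get("conditions") or {}
        flows = conditions.get("authenticationFlows") or {}
        methods = [m.strip() for m in (flows.get("transferMethods") or "").split(",")]
        users = (conditions.get("users") or {}).get("includeUsers", [])
        if p.get("state") == "enabled" and method in methods and "All" in users:
            yield p


def audit(policies):
    """Map each risky flow to 'blocked', 'restricted to compliant devices' or 'unrestricted'."""
    result = {}
    for method in ("deviceCodeFlow", "authenticationTransfer"):
        controls = set()
        for p in _policies_for(policies, method):
            controls.update((p.get("grantControls") or {}).get("builtInControls", []))
        if "block" in controls:
            result[method] = "blocked"
        elif "compliantDevice" in controls:
            result[method] = "restricted to compliant devices"
        else:
            result[method] = "unrestricted"
    return result


if __name__ == "__main__":
    print("before:", audit(WEAK_POLICIES))
    print("after: ", audit(HARDENED_POLICIES))
```

Policies in report-only mode (state enabledForReportingButNotEnforced) and policies with user or group exclusions are deliberately counted as not enforcing, so review those by hand.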
Microsoft’s Entra ID is a versatile tool. Beyond user authentication, Entra ID allows you to centralise control over access to both your corporate resources and third-party cloud services.
By consolidating authentication through Entra ID, you create a single point of control where you can consistently enforce security policies. This not only simplifies management but also strengthens your security posture by reducing gaps and inconsistencies across platforms.
As phishing techniques become more sophisticated, threats like the Storm-2372 device code campaign show how easily attackers can exploit familiar tools, like Microsoft Teams invites and login pages, to trick users and steal access. The good news is that with the right mix of proactive and reactive security measures, your organisation can stay ahead.
Tools like Microsoft Defender XDR and Sentinel can detect and respond to threats quickly, while Conditional Access policies help prevent them in the first place.
Using the information in this blog post will help you defend against device code phishing attacks and strengthen your overall security posture.
Important Links:
You can find more information about Microsoft Defender XDR here: https://www.microsoft.com/en-gb/security/business/siem-and-xdr/microsoft-defender-xdr