The Register

If you dread a Microsoft Teams invite, just wait until it turns out to be a Russian phish

Digital thieves – quite possibly Kremlin-linked baddies – have been emailing out bogus Microsoft Teams meeting invites to trick victims in key government and business sectors into handing over their authentication tokens, granting access to emails, cloud data, and other sensitive information.

According to Microsoft this week, this con job has been ongoing since August, and is attributed to a group it tracks as Storm-2372, a bunch of miscreants “working toward Russian state interests.”

Other such Kremlin-orchestrated crews, including Cozy Bear aka Midnight Blizzard, have also used Teams chats to phish marks in similarly high-value sectors, the Windows giant has warned in the past.

In this most recent phishing blitz, Storm-2372 targeted government, non-governmental organizations, IT services and technology, telecommunications, health, higher education, and energy/oil and gas across Europe, North America, Africa, and the Middle East, Redmond said.

The campaign uses a technique called “device code phishing” that attempts to trick marks into providing all the details needed to give crooks access to the victim’s accounts – usernames, passwords, device authentication codes requested from Microsoft by the attacker, and the users’ MFA responses. Below is Redmond’s diagram illustrating the flow of this attack.

Diagram: Storm-2372’s device code phishing attack cycle. Source: Microsoft

We’re told that Storm-2372 first builds rapport on messaging apps like WhatsApp, Signal, and Microsoft Teams by “falsely posing as a prominent person relevant to the target.” After gaining the victim’s trust, the attackers send phishing emails with spoofed Microsoft Teams meeting invites, according to the researchers.

When the recipient clicks on the meeting invitation, they are taken to a legitimate Microsoft login page and prompted to enter a device verification code that Storm-2372 earlier requested from the Windows giant. Once the victim enters the device code and authenticates with Microsoft, the attacker can obtain a valid access token from the IT giant, which can be used to get into the victim’s email or cloud storage accounts without needing a password or MFA — as long as the tokens remain active.

The main thing here is that the gang asks for a device code from Microsoft, then tricks the victim into authenticating with that code to produce an access token for the attacker, giving them passage to the victim’s account.

“The threat actor uses this valid session to move laterally within the newly compromised network by sending additional phishing messages containing links for device code authentication to other users through intra-organizational emails originating from the victim’s account,” Redmond’s threat intel team said.

The tech giant also argued the above technique does “not reflect an attack unique to Microsoft nor have we found any vulnerabilities in our code base enabling this activity.”

We’re also told Microsoft caught the suspected Russian spies using Microsoft Graph to search users’ emails for messages containing words such as username, password, admin, teamviewer, anydesk, credentials, secret, ministry, and gov.

Microsoft Graph is an API that provides access to data stored across Microsoft 365 services, and the snoops used this tool to exfiltrate email content matching these search terms to gather credentials and other sensitive data.

While the tech giant says it continues to monitor for this and other campaigns attributed to Storm-2372, and directly notifies customers who have been targeted or compromised, there are steps folks can take to protect themselves preemptively against this and similar threats.

First, only allow the device code flow where absolutely necessary. Additionally, if you suspect device code phishing, revoke the user’s refresh tokens and also consider setting a conditional access policy to force re-authentication for users.
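One way to spot the abuse described above in Entra ID sign-in logs, as an added example that is not from the article or from Microsoft: the records below are constructed, with field names following the Microsoft Graph signIn resource (where a device code sign-in carries `authenticationProtocol: "deviceCode"`), and the allowlist of apps expected to use the flow is a hypothetical tenant setting.

```python
import json
from collections import defaultdict

# Constructed sample of Entra ID sign-in records, one JSON object per line.
# Field names follow the Microsoft Graph signIn resource; the users, apps,
# addresses, countries and timestamps are made up for this example.
SAMPLE_SIGNINS = """\
{"userPrincipalName":"alice@example.test","authenticationProtocol":"none","appDisplayName":"Outlook","ipAddress":"203.0.113.10","location":{"countryOrRegion":"GB"},"createdDateTime":"2025-02-10T08:01:00Z"}
{"userPrincipalName":"alice@example.test","authenticationProtocol":"none","appDisplayName":"Microsoft Teams","ipAddress":"203.0.113.10","location":{"countryOrRegion":"GB"},"createdDateTime":"2025-02-10T09:15:00Z"}
{"userPrincipalName":"alice@example.test","authenticationProtocol":"deviceCode","appDisplayName":"Mail Client","ipAddress":"198.51.100.77","location":{"countryOrRegion":"RU"},"createdDateTime":"2025-02-10T09:20:00Z"}
{"userPrincipalName":"bob@example.test","authenticationProtocol":"deviceCode","appDisplayName":"Azure CLI","ipAddress":"192.0.2.5","location":{"countryOrRegion":"GB"},"createdDateTime":"2025-02-10T10:00:00Z"}
{"userPrincipalName":"bob@example.test","authenticationProtocol":"none","appDisplayName":"Outlook","ipAddress":"192.0.2.5","location":{"countryOrRegion":"GB"},"createdDateTime":"2025-02-10T10:05:00Z"}
"""

# Hypothetical allowlist: apps that legitimately use the device code flow in
# this tenant (headless CLI tools). Any other app using it is worth a look.
EXPECTED_DEVICE_CODE_APPS = {"Azure CLI"}


def find_suspicious_device_code_signins(log_text, expected_apps=EXPECTED_DEVICE_CODE_APPS):
    """Return findings for device-code sign-ins that look like phishing.

    A device-code sign-in is flagged when the app is not one that normally
    uses the flow, or when the sign-in country differs from every country
    seen in the same user's ordinary (non-device-code) sign-ins.
    """
    records = [json.loads(line) for line in log_text.splitlines() if line.strip()]
    # Baseline: countries each user signs in from via ordinary flows.
    baseline = defaultdict(set)
    for r in records:
        if r.get("authenticationProtocol") != "deviceCode":
            baseline[r["userPrincipalName"]].add(r["location"]["countryOrRegion"])
    findings = []
    for r in records:
        if r.get("authenticationProtocol") != "deviceCode":
            continue
        user, app = r["userPrincipalName"], r.get("appDisplayName", "")
        country = r["location"]["countryOrRegion"]
        reasons = []
        if app not in expected_apps:
            reasons.append(f"app '{app}' does not normally use the device code flow")
        if baseline[user] and country not in baseline[user]:
            reasons.append(f"country {country} not in user's baseline {sorted(baseline[user])}")
        if reasons:
            findings.append({"user": user, "app": app, "ip": r["ipAddress"],
                             "time": r["createdDateTime"], "reasons": reasons})
    return findings
```

Each finding is a candidate for the response the article describes: revoking the user's refresh tokens and forcing re-authentication.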

Finally, in an update on Friday, Microsoft said it had just “observed Storm-2372 shifting to using the specific client ID for Microsoft Authentication Broker in the device code sign-in flow,” and included details on that in the above-linked write-up. ®
