016

ID: 6778b383-1354-4d7a-a965-d61feac6f93e

STIX ID: report--6778b383-1354-4d7a-a965-d61feac6f93e

Threat Score: 85/100

Uploaded: 2026-05-14

Created by: Thesis Research

TLP:GREEN
Microsoft and security researchers describe "Storm-2372", a device-code phishing campaign active since August 2024 that targets government, NGOs, IT, defense, telecoms, health, higher education, and energy organizations across Europe, North America, Africa, and the Middle East. The attackers are assessed with medium confidence as Russian-aligned, including APT29 and clusters UTA0304/UTA0307. They use messaging apps and spoofed Microsoft Teams invites to trick victims into entering device codes, then capture the resulting access and refresh tokens; in later activity they obtain Primary Refresh Tokens (PRTs) via the Microsoft Authentication Broker client ID and device registration. With these tokens they access Microsoft 365 accounts, search and exfiltrate messages and documents, move laterally, and maintain persistence. Recommended mitigations include blocking device code flow, enabling phishing-resistant MFA, and applying least privilege.