SOCRadar® Cyber Intelligence Inc. | Storm-2372: Russian APT Using Device Code Phishing in Advanced Attacks
Apr 07, 2025

Storm-2372: Russian APT Using Device Code Phishing in Advanced Attacks

A recently uncovered campaign attributed to Storm-2372, a threat actor tracked under Microsoft's naming scheme and assessed to align with Russian state interests, is using device code phishing to obtain tokens for high-value accounts without the attacker ever facing a Multi-Factor Authentication (MFA) challenge. The technique represents an escalation in the use of social engineering against the authentication flow itself rather than against the secrets it protects. The campaign underlines the need for organizations to adopt adaptive, context-aware defenses against identity-based threats that are increasingly evading conventional protections.

What Is Device Code Phishing?

Device code phishing takes advantage of the OAuth 2.0 device authorization grant (RFC 8628), the flow built for clients with limited input capability such as smart TVs, printers and command-line tools. The client asks the identity provider for a code pair: a short user code that a person types into the provider's real sign-in page from any browser, and a longer device code that the client keeps and uses to poll the token endpoint. Once someone signs in and approves the user code, the poller receives access and refresh tokens for that account. Nothing in the flow binds the browser that approved the code to the client holding the device code, and that gap is what attackers weaponize.

Device code phishing attack sequence

In a typical scenario, the attacker:

  • Requests a device code pair from the identity provider (for Microsoft Entra ID, the same endpoint legitimate clients use) and starts polling the token endpoint.
  • Sends a phishing message (email, SMS or a chat app) urging the target to "join a meeting" or "verify a device" by entering the code, timed so the code has not yet expired (Microsoft device codes expire after 15 minutes).
  • Points the target at the genuine verification page, such as Microsoft's https://microsoft.com/devicelogin, not a look-alike, so the URL and certificate are real.
  • Relies on the target entering the attacker-generated code and completing sign-in, MFA prompt included, believing it is their own session.

Once the user approves the code, the attacker's polling request receives access and refresh tokens for the victim's corporate account. MFA is not broken so much as satisfied by the victim: the attacker never sees a challenge, the sign-in log shows a successful authentication with protocol "Device Code", and the refresh token lets the attacker keep obtaining access tokens until it expires or is revoked.
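The exchange described above, modelled end to end as an added example (this is not SOCRadar's, Microsoft's or the threat actor's code). A toy authorization server implements the three RFC 8628 steps in memory; the attacker requests the code pair, "phishes" the user code, and polls. The endpoint URI, client id and victim name are made up, and the 900-second code lifetime mirrors the 15-minute expiry mentioned above so the example can also show what happens when the victim acts too late.

```python
"""Toy model of the OAuth 2.0 device authorization grant (RFC 8628) and how
device code phishing abuses it.  Added example, not code from the page's
author or from any identity provider.  The verification URI, client id and
account names are hypothetical."""
import secrets
from dataclasses import dataclass
from typing import Optional


class FakeClock:
    """Controllable clock so code expiry can be shown without sleeping."""

    def __init__(self) -> None:
        self.now = 0.0

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


@dataclass
class DeviceGrant:
    client_id: str
    user_code: str
    device_code: str
    expires_at: float
    interval: int = 5                    # minimum seconds between token polls
    approved_by: Optional[str] = None    # set once a signed-in user verifies user_code
    last_poll: float = -1e9


class AuthorizationServer:
    """Minimal authorization server with one method per RFC 8628 step."""

    def __init__(self, clock: FakeClock, code_lifetime: int = 900) -> None:
        self.clock = clock
        self.code_lifetime = code_lifetime
        self._by_device_code: dict = {}
        self._by_user_code: dict = {}

    # Step 1: the "device" (here the attacker) asks for a code pair.
    def device_authorization(self, client_id: str) -> dict:
        grant = DeviceGrant(
            client_id=client_id,
            user_code=f"{secrets.token_hex(2).upper()}-{secrets.token_hex(2).upper()}",
            device_code=secrets.token_urlsafe(32),
            expires_at=self.clock() + self.code_lifetime,
        )
        self._by_device_code[grant.device_code] = grant
        self._by_user_code[grant.user_code] = grant
        return {
            "device_code": grant.device_code,   # secret, stays with the requester
            "user_code": grant.user_code,       # short code shown to (or phished to) a human
            "verification_uri": "https://login.example.test/devicelogin",  # hypothetical
            "expires_in": self.code_lifetime,
            "interval": grant.interval,
        }

    # Step 2: a human enters user_code on the real sign-in page after a full
    # interactive sign-in, MFA included.  Nothing ties this browser session to
    # the party that holds device_code.
    def verify_user_code(self, user_code: str, signed_in_user: str) -> str:
        grant = self._by_user_code.get(user_code)
        if grant is None or self.clock() > grant.expires_at:
            return "invalid_or_expired_code"
        grant.approved_by = signed_in_user
        return "approved"

    # Step 3: whoever holds device_code polls for tokens.
    def token(self, client_id: str, device_code: str) -> dict:
        grant = self._by_device_code.get(device_code)
        if grant is None or grant.client_id != client_id:
            return {"error": "invalid_grant"}
        now = self.clock()
        if now > grant.expires_at:
            return {"error": "expired_token"}
        if now - grant.last_poll < grant.interval:
            return {"error": "slow_down"}
        grant.last_poll = now
        if grant.approved_by is None:
            return {"error": "authorization_pending"}
        # Tokens are minted for the approving user and handed to the poller,
        # i.e. the attacker, with no further challenge.
        return {
            "token_type": "Bearer",
            "access_token": secrets.token_urlsafe(16),
            "refresh_token": secrets.token_urlsafe(16),
            "subject": grant.approved_by,
        }


def run_phish(clock: FakeClock, victim_delay: int) -> dict:
    """Attacker requests a code, lures the victim, polls.  victim_delay is the
    number of seconds before the victim enters the code; past the 900 s
    lifetime the attacker gets nothing, which is why lures are sent 'live'."""
    auth = AuthorizationServer(clock)
    client_id = "attacker-controlled-client"                # hypothetical
    resp = auth.device_authorization(client_id)
    lure = (f"Your meeting invite: open {resp['verification_uri']} "
            f"and enter code {resp['user_code']}")           # the phishing text
    first_poll = auth.token(client_id, resp["device_code"])  # before the victim acts
    clock.advance(victim_delay)
    outcome = auth.verify_user_code(resp["user_code"], "victim@corp.example")
    clock.advance(resp["interval"])
    final = auth.token(client_id, resp["device_code"])
    return {"lure": lure, "first_poll": first_poll, "victim": outcome, "final": final}


if __name__ == "__main__":
    print(run_phish(FakeClock(), victim_delay=60))     # tokens for victim@corp.example
    print(run_phish(FakeClock(), victim_delay=1000))   # expired_token
```

The point to take from the model is in `token()`: the server checks only that the device code is valid and approved, never which browser approved it, so a refresh token for the victim lands with the attacker's polling client.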

These attacks are highly deceptive because every visible signal is genuine: the victim sees the real domain, the real certificate and their usual MFA prompt. Victims often do not realize they are compromised until it is too late.

Who Is Being Targeted?

Storm-2372 is directing its efforts at sectors with valuable, sensitive data and high-stakes decision-making influence. Their targets span a wide range of industries and geographies, with a particular focus on strategic, economic, and military assets. The affected sectors include:

  • Government & Public Sector: Espionage, intelligence theft
  • Technology & IT Services: Cloud service exploitation
  • Financial Institutions: Credential theft, fraud risks
  • Defense & Aerospace: National security threats
  • Healthcare & Pharmaceuticals: Patient data breaches
  • Media & Communications: Launching disinformation campaigns

This campaign has left digital footprints in several countries, including the United States, Ukraine, the United Kingdom, Germany, Canada, and Australia.

Key Indicators of Compromise (IoCs)

To detect and mitigate potential breaches early, security teams should remain alert for the following indicators:

  • Sign-ins recorded with authentication protocol "Device Code" for users or applications that never use the flow, or from unexpected locations
  • Phishing messages that pair a short alphanumeric code with an urgent request to visit a login page and enter it
  • Login activity anomalies, such as token requests from IP addresses not associated with the organization or its known geographies
  • Sessions that persist after a password reset, which indicates the attacker's refresh tokens were never revoked

Reviewing Entra ID sign-in logs (filtered on the authentication protocol) and cloud access logs frequently can help uncover suspicious behavior tied to OAuth abuse.
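The first and third indicators above as detection logic, run over constructed sign-in records. This is an added example, not a SOCRadar or Microsoft detection; the field names follow the Microsoft Graph signIn resource (`authenticationProtocol`, `ipAddress`, `isInteractive`, `location.countryOrRegion`, `status.errorCode`), every value is made up, and the corporate IP range and the allow list of applications expected to use the flow are assumptions to replace with your own.

```python
"""Detection pass over constructed Entra ID sign-in records for device code
abuse.  Added example, not SOCRadar's or Microsoft's detection content.
Schema follows the Graph signIn resource; all values are fabricated."""
import ipaddress
import json
from collections import defaultdict

# Constructed sample log, one JSON object per line, schema trimmed to the
# fields the rules need.  Two interactive sign-ins give a country baseline;
# three device code sign-ins follow, one of them a failure.
SAMPLE_SIGNINS = """
{"createdDateTime":"2025-03-03T08:02:11Z","userPrincipalName":"alice@corp.example","ipAddress":"203.0.113.10","appDisplayName":"Office 365 Exchange Online","resourceDisplayName":"Exchange Online","authenticationProtocol":"oAuth2","isInteractive":true,"location":{"countryOrRegion":"US"},"status":{"errorCode":0}}
{"createdDateTime":"2025-03-03T08:10:30Z","userPrincipalName":"bob@corp.example","ipAddress":"203.0.113.41","appDisplayName":"Microsoft Teams","resourceDisplayName":"Microsoft Graph","authenticationProtocol":"oAuth2","isInteractive":true,"location":{"countryOrRegion":"US"},"status":{"errorCode":0}}
{"createdDateTime":"2025-03-03T09:14:52Z","userPrincipalName":"alice@corp.example","ipAddress":"198.51.100.23","appDisplayName":"Microsoft Office","resourceDisplayName":"Microsoft Graph","authenticationProtocol":"deviceCode","isInteractive":false,"location":{"countryOrRegion":"SE"},"status":{"errorCode":0}}
{"createdDateTime":"2025-03-03T09:20:05Z","userPrincipalName":"bob@corp.example","ipAddress":"203.0.113.40","appDisplayName":"Microsoft Azure CLI","resourceDisplayName":"Azure Resource Manager","authenticationProtocol":"deviceCode","isInteractive":false,"location":{"countryOrRegion":"US"},"status":{"errorCode":0}}
{"createdDateTime":"2025-03-03T09:31:40Z","userPrincipalName":"carol@corp.example","ipAddress":"198.51.100.77","appDisplayName":"Microsoft Office","resourceDisplayName":"Microsoft Graph","authenticationProtocol":"deviceCode","isInteractive":false,"location":{"countryOrRegion":"BR"},"status":{"errorCode":50126}}
"""

# Tenant assumptions: corporate egress ranges, and the applications that are
# expected to use the device code flow (e.g. CLI tools on headless hosts).
CORPORATE_RANGES = [ipaddress.ip_network("203.0.113.0/24")]
EXPECTED_DEVICE_CODE_APPS = {"Microsoft Azure CLI"}


def parse_signins(text: str) -> list:
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def is_corporate_ip(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CORPORATE_RANGES)


def interactive_country_baseline(records: list) -> dict:
    """Countries each user has signed in from via ordinary interactive flows."""
    baseline = defaultdict(set)
    for r in records:
        if r["isInteractive"] and r["status"]["errorCode"] == 0:
            baseline[r["userPrincipalName"]].add(r["location"]["countryOrRegion"])
    return baseline


def detect_device_code_abuse(records: list) -> list:
    """One alert per successful device code sign-in.  Severity rises with each
    extra indicator: token issued to a non-corporate IP, a country the user
    has never signed in from interactively, or an app not on the allow list."""
    baseline = interactive_country_baseline(records)
    alerts = []
    for r in records:
        if r["authenticationProtocol"] != "deviceCode" or r["status"]["errorCode"] != 0:
            continue
        user, ip = r["userPrincipalName"], r["ipAddress"]
        reasons = []
        if not is_corporate_ip(ip):
            reasons.append("token issued to non-corporate IP")
        if r["location"]["countryOrRegion"] not in baseline[user]:
            reasons.append("country never seen in user's interactive sign-ins")
        if r["appDisplayName"] not in EXPECTED_DEVICE_CODE_APPS:
            reasons.append("app not on device code allow list")
        severity = "high" if len(reasons) >= 2 else "medium" if reasons else "low"
        alerts.append({
            "time": r["createdDateTime"], "user": user, "ip": ip,
            "app": r["appDisplayName"], "resource": r["resourceDisplayName"],
            "severity": severity, "reasons": reasons,
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_device_code_abuse(parse_signins(SAMPLE_SIGNINS)):
        print(json.dumps(alert))
```

On the sample, alice's device code sign-in trips all three indicators and is rated high, while bob's Azure CLI sign-in from the corporate range is rated low and kept only for audit; carol's failed attempt is skipped but would be worth a separate rule, since a failed device code sign-in can be a victim who stopped half way. In Microsoft Sentinel the same first filter is `SigninLogs | where AuthenticationProtocol == "deviceCode"`.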

For a detailed technical breakdown of this attack method, refer to Black Hills InfoSec’s analysis of dynamic device code phishing.

Mitigation Strategies

To defend against device code phishing attacks, organizations should consider implementing the following security measures:

  • Block the device code flow with Conditional Access – Entra ID Conditional Access has an "Authentication flows" condition that can block device code flow for all users, with an exception group for hosts that genuinely need it. Restrictions based on device compliance and location complement this but do not replace it, because the victim completes the interactive sign-in themselves and satisfies those checks.
  • Monitor OAuth token requests – Alert on sign-ins that use the device code protocol, and regularly audit third-party OAuth app permissions.
  • Deploy phishing-resistant MFA – Use FIDO2 security keys instead of SMS-based MFA. This raises the bar against credential phishing in general, but on its own it does not stop device code phishing, since the victim authenticates on the genuine page.
  • Revoke tokens during response – Pair any password reset with revocation of the user's refresh tokens (the Microsoft Graph revokeSignInSessions action, or Revoke-MgUserSignInSession in Graph PowerShell); otherwise the attacker's refresh token keeps working.
  • Educate employees – Conduct security awareness training on phishing threats, including the specific message that no meeting invite or support request should ever require typing a code into a login page.
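The first mitigation as configuration, with the weak setting beside the corrected one. This is an added example, not SOCRadar's or Microsoft's code: the two dictionaries are Microsoft Graph `conditionalAccessPolicy` request bodies (nothing is sent anywhere here), the `authenticationFlows`/`transferMethods` condition is assumed to be the Graph representation of the portal's "Authentication flows" condition and should be checked against the Graph reference for your API version, and the user and group object ids are placeholders.

```python
"""Two Conditional Access policies as Graph conditionalAccessPolicy bodies and
a checker that tells apart a policy that stops device code phishing from one
that only looks like it does.  Added example; ids are placeholders and the
bodies are never sent."""
import json

# Weak: location-based MFA.  The victim completes the interactive sign-in from
# the corporate network, so the location check and the MFA requirement are
# both satisfied while the tokens go to the attacker's polling client.
LOCATION_ONLY_POLICY = {
    "displayName": "Require MFA outside trusted locations",
    "state": "enabled",
    "conditions": {
        "users": {"includeUsers": ["All"]},
        "applications": {"includeApplications": ["All"]},
        "locations": {"includeLocations": ["All"], "excludeLocations": ["AllTrusted"]},
    },
    "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
}

# Corrected: target the flow itself.  Exclude only a break-glass account and a
# group for hosts that genuinely need device code, and monitor that group the
# way an admin group is monitored.
BLOCK_DEVICE_CODE_POLICY = {
    "displayName": "Block device code flow",
    "state": "enabled",  # roll out as "enabledForReportingButNotEnforced" first
    "conditions": {
        "users": {
            "includeUsers": ["All"],
            "excludeUsers": ["<break-glass-account-object-id>"],        # placeholder
            "excludeGroups": ["<device-code-exception-group-object-id>"],  # placeholder
        },
        "applications": {"includeApplications": ["All"]},
        "authenticationFlows": {"transferMethods": "deviceCodeFlow"},
    },
    "grantControls": {"operator": "OR", "builtInControls": ["block"]},
}


def transfer_methods(policy: dict) -> set:
    """transferMethods is a comma-separated string such as
    'deviceCodeFlow,authenticationTransfer'; return it as a set."""
    flows = policy.get("conditions", {}).get("authenticationFlows") or {}
    raw = flows.get("transferMethods", "")
    return {m.strip() for m in raw.split(",") if m.strip()}


def blocks_device_code_flow(policy: dict) -> bool:
    """True only for an enforced policy that covers all users and all apps,
    targets the device code flow, and blocks rather than requiring MFA."""
    conds = policy.get("conditions", {})
    covers_all = (
        conds.get("users", {}).get("includeUsers") == ["All"]
        and conds.get("applications", {}).get("includeApplications") == ["All"]
    )
    blocks = "block" in policy.get("grantControls", {}).get("builtInControls", [])
    return (policy.get("state") == "enabled" and covers_all
            and "deviceCodeFlow" in transfer_methods(policy) and blocks)


def audit(policies: list) -> list:
    """Display names of policies that would stop a device code phish.  An
    empty result means the tenant relies on controls the victim's own
    interactive sign-in can satisfy."""
    return [p["displayName"] for p in policies if blocks_device_code_flow(p)]


if __name__ == "__main__":
    print(json.dumps(BLOCK_DEVICE_CODE_POLICY, indent=2))
    print("Effective:", audit([LOCATION_ONLY_POLICY, BLOCK_DEVICE_CODE_POLICY]))
```

A report-only copy of the blocking policy is deliberately counted as ineffective by `blocks_device_code_flow`: report-only is the right first step for measuring who uses the flow legitimately, but until the state is switched to enabled the attacker's token request still succeeds.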

Conclusion: Staying Ahead of Identity-Based Threats

The Storm-2372 campaign exemplifies a dangerous shift in threat actor tradecraft: rather than stealing or replaying credentials, it lets the victim perform a fully legitimate sign-in and diverts the resulting tokens. Organizations must evolve in tandem, not only deploying modern security tools but also nurturing a culture of security awareness and responsiveness.

At SOCRadar, we emphasize an intelligence-driven approach to cybersecurity, enabling organizations to preempt threats before they escalate. By integrating phishing-resistant MFA, continuously monitoring for anomalous behavior, and enforcing stringent access controls, businesses can substantially reduce their attack surface.

Identity & Access Intelligence, SOCRadar XTI platform

As identity becomes the new perimeter, vigilance is paramount. Cyber threats are growing more covert and adaptive – staying informed, maintaining proactive defense mechanisms, and fostering organizational resilience is now non-negotiable.