Threat Actors Exploiting Microsoft Teams for Device Code Phishing Attacks

A sophisticated cyberattack campaign has emerged, leveraging Microsoft Teams meeting invites to execute “device code phishing” attacks. The culprit? A threat actor identified as Storm-2372, which has been actively targeting high-profile organizations across various sectors worldwide.

A GLOBAL CAMPAIGN WITH HIGH-VALUE TARGETS

Storm-2372 has been conducting cyberattacks against governments, NGOs, IT services, defense, telecommunications, healthcare, education, and energy sectors. The affected regions span Europe, North America, Africa, and the Middle East.

According to Microsoft’s Threat Intelligence Center (MSTIC), there is medium-confidence alignment between Storm-2372 and Russian interests and tradecraft, making this a serious cybersecurity concern.

HOW DEVICE CODE PHISHING WORKS

Device code phishing exploits the OAuth 2.0 Device Authorization Grant flow (RFC 8628)—a mechanism originally designed for input-constrained devices such as smart TVs and IoT systems.

Legitimate users authenticate by entering a device code on a separate device with a better user interface. However, Storm-2372 manipulates this process to steal authentication tokens and gain unauthorized access.

The Attack Lifecycle

Generating a Device Code: Attackers use Microsoft’s API to create a legitimate device code request.
Sending Phishing Emails: Victims receive emails masquerading as Microsoft Teams meeting invites, prompting them to authenticate using the provided code.
Token Theft: Once the victim completes authentication, attackers intercept access and refresh tokens generated during the process.
Persistent Access: These stolen tokens enable long-term access to accounts, bypassing passwords and multi-factor authentication (MFA) as long as the tokens remain valid.

TECHNICAL BREAKDOWN OF THE ATTACK

Storm-2372’s attack methodology involves a mix of social engineering and API abuse to gain unauthorized access to sensitive information.

Impersonation on Messaging Apps: The attacker poses as a prominent figure on platforms like WhatsApp, Signal, and Microsoft Teams, gaining the victim’s trust.
Phishing Emails with Fake Teams Invites: Once rapport is built, a phishing email containing a malicious meeting invite is sent.
Device Code Submission: The victim enters an attacker-generated device code on a legitimate Microsoft sign-in page.
Token Interception & Data Extraction: Attackers retrieve the authentication tokens and access Microsoft Graph API to search for sensitive information.
o Keywords targeted include: “password,” “admin,” “credentials,” “TeamViewer,” “Anydesk,” “secret,” “ministry,” and “gov.””
Intra-Organizational Phishing: Using compromised accounts, attackers send phishing emails internally to expand their foothold.

EVOLVING TACTICS

Storm-2372 has recently adjusted its tactics, utilizing the Microsoft Authentication Broker client ID in the device code flow. This enables the theft of Primary Refresh Tokens (PRTs), which allow attackers to register rogue devices in Entra ID environments, facilitating long-term persistence.

HOW TO DEFEND AGAINST DEVICE CODE PHISHING ATTACKS

To mitigate the risk of such attacks, Microsoft recommends the following security measures:

Restrict Device Code Authentication

Block this authentication method unless absolutely necessary.
Enforce conditional access policies to limit exposure.

Employee Awareness & Training

Educate employees on recognizing phishing attempts.
Encourage users to verify unexpected authentication requests.

Revoke Compromised Tokens

If suspicious activity is detected, immediately revoke user refresh tokens using the revokeSignInSessions command.

Strengthen Authentication Security

Enforce Multi-Factor Authentication (MFA) and block risky sign-ins based on user behavior.
Adopt phishing-resistant authentication methods like FIDO tokens or passkeys instead of SMS-based MFA.

Monitor and Detect Threats

Use Microsoft Defender for Office 365 to detect phishing attempts in emails and malicious HTML files.
Entra ID Protection helps identify anomalous behaviors like activity from anonymous IP addresses or unusual token usage patterns.

WHY THIS MATTERS

This attack highlights the evolving landscape of cyber threats and the sophisticated techniques used by state-aligned threat actors. Organizations must prioritize robust identity protection, enforce strict access controls, and educate users to prevent falling victim to such attacks.

Cybersecurity is a continuous battle—staying informed and proactive is the best defense.

Stay Safe, Stay Vigilant

For more cybersecurity insights, follow our CyberTea series and keep your defenses strong against the latest threats.

TALK TO AN EXPERT

TALK NOW

TALK TO AN EXPERT

TALK NOW

Source:

https://cybersecuritynews.com/microsoft-teams-meeting-invite-abuse/

NIS2 Domain	Odyssey Technology/Service
Policies on risk analysis and information system security	- Cybersecurity Strategy Development - Security Policy Framework Development - Risk Assessment
Incident Handling	- Security Policy Framework Development - SIEM Platform + 24/7 SOC - Incident Response & Operational Recovery
Business Continuity (Backup, Disaster Recovery, Crisis Management)	- Security Policy Framework Development - Backup - Hardware for high availability - Data Loss Prevention (DLP) - Technology Resilience (TR)
Supply Chain Security (Relationship Management with Suppliers and Providers)	- Security Policy Framework Development - Penetration Testing - Vulnerability Scanning - Continuous Threat Exposure Management (CTEM)
Security in Network and Information Systems (Development, Maintenance, Vulnerability Handling)	- Security Policy Framework Development - Next Generation Firewall (NGFW) - Secure Access Service Edge (SASE) - Network Security & Architecture Design Audit - Network Segmentation - Penetration Testing - Vulnerability Scanning - Continuous Threat Exposure Management (CTEM)
Assessing Cybersecurity Risk-Management Effectiveness	- Security Policy Framework Development
Basic Cyber Hygiene Practices and Cybersecurity Training	- Information Security Awareness Platform - Information Security Awareness Training - Endpoint Security - Mobile Device Management (MDM) - Email Security - Patch Management
Cryptography and Encryption Policies	- Security Policy Framework Development - VPN - Password Manager - Database Auditing & Protection - Endpoint Security (including encryption)
Human Resources Security, Access Control, and Asset Management	- Security Policy Framework Development - Privileged Access Management (PAM) - Active Directory (AD) Services - Multi-Factor Authentication (MFA)
Multi-Factor Authentication and Emergency Communication Systems	- Security Policy Framework Development - Multi-Factor Authentication (MFA) - Secure Access Service Edge (SASE) - VPN

World Class Professional Services

MANAGED SERVICES

ADVISORY SERVICES

HYBRID INTEGRATED SOLUTIONS

NEWS & MEDIA

NEWSROOM

PRESS RELEASES

PUBLICATIONS

EVENTS

SUCCESS STORIES

CONTENT LIBRARY

WHITEPAPERS

DATASHEETS

BROCHURES

INFOGRAPHICS

VIDEOS

ODYSSEY BLOG

THREAT RESOURCES

NIS2 HUB

ABOUT US

ACHIEVEMENTS

TECHNOLOGY PARTNERS

CAREER

CONTACT US

Reach out our Team now

CyberTea: Episode 25

Threat Actors Exploiting Microsoft Teams for Device Code Phishing Attacks

RECENT POSTS

AI Adoption Without Data Governance Is a Compliance Risk Waiting to Scale

If You’re Finalizing Your 2026 Cybersecurity Budget, Here Are 3 Things NOT to Cut

What Growth Leaders Missed in Cybersecurity in 2025 and What to Reevaluate Before 2026

SIGN UP

Who We Are

Solutions & Services

Resources

Careers

Get in touch

NEWS & MEDIA

CONTENT LIBRARY

CONTACT US

CyberTea: Episode 25

Share

Threat Actors Exploiting Microsoft Teams for Device Code Phishing Attacks

RECENT POSTS

SIGN UP

Who We Are

Solutions & Services

Resources

Careers

Get in touch