Listen to this Post
2025-02-14
Microsoft has highlighted a new and alarming cyber threat cluster, named Storm-2372, which has been actively targeting various sectors since August 2024. The attacks have been widespread, affecting organizations across government, NGOs, IT services, defense, telecommunications, healthcare, education, and energy industries. With signs pointing to an actor with likely ties to Russian interests, these sophisticated campaigns employ a novel form of phishing technique—device code phishing. The attackers have exploited messaging platforms like WhatsApp, Signal, and Microsoft Teams to initiate the attacks.
the Storm-2372 Threat
The Storm-2372 group has been observed using a variety of methods to infiltrate their targets, including posing as trusted individuals in messages. Once they establish trust, the attackers deploy a phishing technique known as device code phishing, which tricks users into logging into productivity apps. By capturing authentication tokens during this process, the attackers gain access to accounts, often without needing passwords.
Once a valid session is hijacked, the attackers can access a wide range of services tied to the compromised account, including email and cloud storage. They can also move laterally within a network, sending phishing messages to others inside the compromised organization. Through the use of the Microsoft Graph service, the attackers are able to search and extract sensitive information from the targeted accounts, focusing on keywords like “username,” “password,” and “credentials.”
Microsoft has advised organizations to block device code flow where possible, implement phishing-resistant multi-factor authentication (MFA), and follow the principle of least privilege to reduce risks from this threat.
What Undercode Says:
Undercode, an authoritative voice on cybersecurity issues, brings attention to the fact that Storm-2372 represents an evolution in cyberattack techniques, blending both social engineering and sophisticated credential theft methods to bypass traditional security measures. The use of device code phishing is a particularly concerning strategy, as it exploits a legitimate authentication flow that many organizations assume is secure.
While attackers previously relied on traditional phishing emails with malicious links, Storm-2372’s approach is more subtle and effective. By masquerading as someone relevant or trusted, the attacker builds enough rapport to entice the target into compromising their own login credentials. This advanced form of phishing takes advantage of the vulnerabilities inherent in how authentication codes are used to gain access to various enterprise applications. It’s a testament to the growing sophistication of cyber threats.
The key danger in this kind of attack is the ease with which attackers can escalate their access within an organization. Once the attacker hijacks a user’s authenticated session, they not only access that person’s data but can move laterally across the organization, potentially accessing sensitive data from other departments. This can include proprietary business information, classified government data, or critical infrastructure details, all of which could cause irreparable damage if exposed.
The Storm-2372 group’s use of the Microsoft Graph service for targeted searches shows that cybercriminals are getting more precise in their strategies. No longer are they simply casting a wide net and hoping for a lucky break; now they are zeroing in on highly specific, sensitive information that can help further their objectives, such as administrative credentials and government-related details. This represents a shift toward more strategic, high-value targets, rather than indiscriminate data theft.
Organizations must recognize that traditional security measures—such as basic password protection and simple multi-factor authentication—are no longer sufficient against threats like Storm-2372. It is critical to adopt more advanced, phishing-resistant MFA systems and enforce stricter access controls. The principle of least privilege, which ensures that users only have access to the data and systems necessary for their roles, is another critical layer of defense. By limiting access, organizations can reduce the potential damage if an account is compromised.
Another concerning aspect of this threat is its international scope. The attacks have affected sectors across Europe, North America, Africa, and the Middle East, indicating that the Storm-2372 group is likely operating with global objectives. This broad targeting strategy suggests that they are either state-sponsored or have substantial resources at their disposal, enabling them to conduct large-scale, multifaceted campaigns across multiple continents. Given the cross-border nature of modern cybercrime, a collaborative effort between international governments, private organizations, and cybersecurity firms is essential to combat these kinds of threats effectively.
Furthermore, organizations should not only rely on the usual response of patching vulnerabilities and updating software. While these practices are crucial, they should also focus on educating employees about the tactics used by cybercriminals, including how to recognize phishing attempts and avoid falling for seemingly legitimate requests for credentials. Cybersecurity is not just about technical defenses but also about fostering a security-conscious culture within the organization.
Ultimately, as cyber threats continue to evolve in sophistication, it is crucial that businesses and government bodies stay ahead of the curve. The Storm-2372 attacks demonstrate the need for a proactive and multifaceted approach to cybersecurity—one that goes beyond reactive measures and integrates cutting-edge defense strategies with comprehensive user education and awareness. By taking these steps, organizations can mitigate the risk posed by increasingly sophisticated adversaries in the digital age.
References:
Reported By: https://thehackernews.com/2025/02/microsoft-russian-linked-hackers-using.html
https://www.discord.com
Wikipedia: https://www.wikipedia.org
Undercode AI: https://ai.undercodetesting.com
Image Source:
OpenAI: https://craiyon.com
Undercode AI DI v2: https://ai.undercode.help




