Suspected Russian threat actors have found a new way to gain unauthorized access to Microsoft 365 (M365) accounts by abusing a legitimate feature, the OAuth 2.0 device code authentication flow, security researchers revealed.
The attacks, first detected in August 2024, specifically target government organizations, NGOs, and various industries. The attackers pose as US, Ukrainian, and EU government officials or researchers to engage with targets through social media and messaging apps.
How the Attack Works
The attackers initiate contact by inviting targets to Microsoft Teams meetings, external M365 applications, or secure chatrooms. They then send invitation emails that direct the victim to Microsoft's genuine device login page (https://microsoft.com/devicelogin) together with a short code to type in. That code is real: the attacker has just started a device code sign-in from a client they control, and the code is bound to that client's pending request.
When the target enters the code and then signs in with their own credentials (including any MFA prompt), Microsoft issues the resulting access and refresh tokens to the client that started the flow, which is the attacker's. The refresh token gives the attacker persistent access to the victim's M365 account without ever learning the password. The compromised accounts are then used to search for sensitive information and to send further lures to other users in the organization.
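The exchange described above, as an added example that is not part of the original report or Microsoft's code: a minimal in-memory identity provider implementing the OAuth 2.0 device authorization grant (RFC 8628), with the attacker's client on one side and the victim on the other. Endpoint and field names follow the RFC; the account, client name, verification URL and token lifetimes are assumptions. It also shows why a password reset leaves the attacker's refresh token working while a session revocation does not.

```python
import secrets
import string
import time

# Added illustration, not Microsoft's code: a minimal in-memory identity provider
# implementing the OAuth 2.0 device authorization grant (RFC 8628). Endpoint and
# field names follow the RFC; the lifetimes below are assumptions.
class DeviceCodeIdP:
    def __init__(self, clock=time.time, code_lifetime=900, access_lifetime=3600):
        self.clock = clock
        self.code_lifetime = code_lifetime      # assumed: user/device code valid 15 min
        self.access_lifetime = access_lifetime  # assumed: access token valid 1 h
        self.users = {}           # username -> password
        self.pending = {}         # device_code -> pending authorization record
        self.by_user_code = {}    # user_code -> device_code
        self.refresh_tokens = {}  # refresh_token -> {"sub", "client_id"}
        self.access_tokens = {}   # access_token -> {"sub", "expires"}

    def register_user(self, username, password):
        self.users[username] = password

    # Device authorization endpoint: called by the CLIENT that wants tokens.
    # In the attack that client belongs to the attacker.
    def device_authorization(self, client_id):
        device_code = secrets.token_urlsafe(32)
        alphabet = string.ascii_uppercase + string.digits
        user_code = "".join(secrets.choice(alphabet) for _ in range(8))
        self.pending[device_code] = {"user_code": user_code, "client_id": client_id,
                                     "expires": self.clock() + self.code_lifetime, "sub": None}
        self.by_user_code[user_code] = device_code
        return {"device_code": device_code, "user_code": user_code,
                "verification_uri": "https://idp.example/devicelogin",  # assumed URL
                "expires_in": self.code_lifetime, "interval": 5}

    # Verification page: the USER types the short code and signs in with real credentials.
    def user_login(self, user_code, username, password):
        device_code = self.by_user_code.get(user_code)
        rec = self.pending.get(device_code)
        if rec is None or self.clock() > rec["expires"]:
            return "code_invalid_or_expired"
        if self.users.get(username) != password:
            return "bad_credentials"
        rec["sub"] = username  # approval is bound to the device_code, not to this browser
        return "approved"

    # Token endpoint: polled by whoever holds the device_code.
    def token(self, device_code, client_id):
        rec = self.pending.get(device_code)
        if rec is None or rec["client_id"] != client_id:
            return {"error": "invalid_grant"}
        if self.clock() > rec["expires"]:
            self._drop_pending(device_code)
            return {"error": "expired_token"}
        if rec["sub"] is None:
            return {"error": "authorization_pending"}
        self._drop_pending(device_code)
        return self._issue(rec["sub"], client_id)

    def refresh(self, refresh_token, client_id):
        rec = self.refresh_tokens.pop(refresh_token, None)  # rotate on use
        if rec is None or rec["client_id"] != client_id:
            return {"error": "invalid_grant"}
        return self._issue(rec["sub"], client_id)

    def introspect(self, access_token):
        rec = self.access_tokens.get(access_token)
        if rec is None or self.clock() > rec["expires"]:
            return None
        return rec["sub"]

    # A password change touches only the credential store; issued tokens are untouched.
    def change_password(self, username, new_password):
        self.users[username] = new_password

    # Modelled on a session revocation: invalidates the user's refresh tokens,
    # but access tokens already issued stay usable until they expire.
    def revoke_sessions(self, username):
        self.refresh_tokens = {rt: rec for rt, rec in self.refresh_tokens.items()
                               if rec["sub"] != username}

    def _drop_pending(self, device_code):
        rec = self.pending.pop(device_code)
        self.by_user_code.pop(rec["user_code"], None)

    def _issue(self, sub, client_id):
        access_token, refresh_token = secrets.token_urlsafe(32), secrets.token_urlsafe(32)
        self.access_tokens[access_token] = {"sub": sub, "expires": self.clock() + self.access_lifetime}
        self.refresh_tokens[refresh_token] = {"sub": sub, "client_id": client_id}
        return {"access_token": access_token, "refresh_token": refresh_token,
                "expires_in": self.access_lifetime}


def run_scenario():
    """Walk through the phishing exchange and the two response options."""
    idp = DeviceCodeIdP()
    idp.register_user("victim@corp.example", "Winter2024!")  # constructed victim account
    attacker = "attacker-client"                              # hypothetical client name
    dc = idp.device_authorization(attacker)                   # 1. attacker starts the flow
    first_poll = idp.token(dc["device_code"], attacker)       # 2. polls while the lure is in transit
    login = idp.user_login(dc["user_code"], "victim@corp.example", "Winter2024!")  # 3. victim signs in
    tokens = idp.token(dc["device_code"], attacker)           # 4. next poll returns victim's tokens
    idp.change_password("victim@corp.example", "Spring2025!")  # 5. password reset alone
    after_reset = idp.refresh(tokens["refresh_token"], attacker)
    idp.revoke_sessions("victim@corp.example")                # 6. revoke refresh tokens
    after_revoke = idp.refresh(after_reset["refresh_token"], attacker)
    return {
        "first_poll": first_poll.get("error"),
        "login": login,
        "attacker_got_tokens": "access_token" in tokens,
        "refresh_ok_after_password_reset": "access_token" in after_reset,
        "refresh_ok_after_revocation": "access_token" in after_revoke,
        "old_access_token_still_valid": idp.introspect(after_reset["access_token"]) == "victim@corp.example",
    }


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

The point the simulation makes is structural: the victim's approval is attached to the device_code, and only the party that requested that code can redeem it, so the phished party never handles the tokens at all. The last step also shows the access token that was already issued surviving the revocation until it expires.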
Why It's Effective
The attack's high success rate stems from several factors:
- The phishing emails carry no malicious attachment and no attacker-controlled link, only a genuine Microsoft URL and a short code
- The sign-in itself happens on legitimate Microsoft domains, so URL filtering and domain reputation checks do not help
- Because the victim really did authenticate, M365 records the event as a successful, legitimate sign-in by that user
Prevention and Detection
Organizations can protect themselves by:
- Creating a Conditional Access policy that uses the "Authentication flows" condition to block device code flow, or to allow it only for the users and devices that genuinely need it
- Monitoring Microsoft Entra ID sign-in logs for sign-ins whose authentication protocol is device code, particularly from unfamiliar IP addresses, locations, or applications
- Watching proxy, mail, and endpoint telemetry for the URLs used by device code authentication, such as https://microsoft.com/devicelogin and https://login.microsoftonline.com/common/oauth2/deviceauth
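One way to implement the sign-in log check above, as an added example that is not part of the original report: the script runs over constructed sample records shaped like Microsoft Entra ID sign-in log entries (the field names follow the Graph signIn resource; every value, account and IP address is invented), keeps only device code sign-ins, and grades them by whether they succeeded and whether they came from an assumed corporate network range. The equivalent first cut in KQL is `SigninLogs | where AuthenticationProtocol == "deviceCode"`. The network check is a triage heuristic, not a verdict: a device code sign-in from inside the corporate range is not proof that the user started it.

```python
import ipaddress
import json

# Constructed sample in the shape of Microsoft Entra ID sign-in log records
# (field names follow the Graph signIn resource; every value is invented).
SAMPLE_SIGNINS = """
{"createdDateTime": "2025-02-13T09:12:41Z", "userPrincipalName": "alice@corp.example", "ipAddress": "198.51.100.23", "location": {"countryOrRegion": "NL"}, "appDisplayName": "Microsoft Office", "authenticationProtocol": "deviceCode", "status": {"errorCode": 0}}
{"createdDateTime": "2025-02-13T09:15:02Z", "userPrincipalName": "bob@corp.example", "ipAddress": "203.0.113.5", "location": {"countryOrRegion": "US"}, "appDisplayName": "Outlook", "authenticationProtocol": "oAuth2", "status": {"errorCode": 0}}
{"createdDateTime": "2025-02-13T10:40:19Z", "userPrincipalName": "carol@corp.example", "ipAddress": "203.0.113.9", "location": {"countryOrRegion": "US"}, "appDisplayName": "Microsoft Azure CLI", "authenticationProtocol": "deviceCode", "status": {"errorCode": 0}}
{"createdDateTime": "2025-02-13T11:03:55Z", "userPrincipalName": "dave@corp.example", "ipAddress": "198.51.100.77", "location": {"countryOrRegion": "DE"}, "appDisplayName": "Microsoft Office", "authenticationProtocol": "deviceCode", "status": {"errorCode": 50126}}
"""

# Assumed corporate egress range (RFC 5737 TEST-NET-3); substitute the real ranges.
CORPORATE_RANGES = [ipaddress.ip_network("203.0.113.0/24")]


def in_known_network(ip, ranges=CORPORATE_RANGES):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ranges)


def find_device_code_signins(ndjson, ranges=CORPORATE_RANGES):
    """Return every device code sign-in with a severity and a reason."""
    findings = []
    for line in ndjson.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        if rec.get("authenticationProtocol") != "deviceCode":
            continue
        succeeded = rec.get("status", {}).get("errorCode") == 0
        outside = not in_known_network(rec["ipAddress"], ranges)
        if not succeeded:
            severity, reason = "info", "failed device code sign-in attempt"
        elif outside:
            severity, reason = "high", "successful device code sign-in from outside known networks"
        else:
            severity, reason = "low", "successful device code sign-in from a known network; confirm the user started it"
        findings.append({
            "time": rec["createdDateTime"],
            "user": rec["userPrincipalName"],
            "ip": rec["ipAddress"],
            "country": rec.get("location", {}).get("countryOrRegion"),
            "app": rec.get("appDisplayName"),
            "severity": severity,
            "reason": reason,
        })
    return findings


def users_to_contain(findings):
    """Accounts whose refresh tokens should be revoked and whose owners should be contacted."""
    return sorted({f["user"] for f in findings if f["severity"] == "high"})


if __name__ == "__main__":
    hits = find_device_code_signins(SAMPLE_SIGNINS)
    for f in hits:
        print(f"[{f['severity']:4}] {f['time']} {f['user']} {f['ip']} ({f['country']}) {f['app']}: {f['reason']}")
    print("revoke sessions for:", users_to_contain(hits))
```

In production the records would come from a Log Analytics export or the Graph sign-ins API rather than an inline string; the grading logic is the same, and the low-severity bucket is where legitimate command-line tooling such as the Azure CLI will show up, which is exactly why a Conditional Access policy scoping device code flow to the people who need it keeps the alert volume manageable.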
If compromise is suspected, changing the password alone does not help, because the attacker holds a refresh token that is not tied to the password. Organizations must revoke the user's refresh tokens (in Microsoft Entra ID, the revokeSignInSessions action, for example Revoke-MgUserSignInSession in Microsoft Graph PowerShell) to cut off the attacker's access. Note that access tokens already issued remain valid until they expire, by default roughly an hour to an hour and a half, so the account should be treated as exposed for that window as well.
The discovery highlights how threat actors continue to adapt their tactics, using legitimate features in unexpected ways to bypass security measures.