Storm-2372: Sophisticated Phishing Campaign Detected

A Widespread Cyber Threat Emerges

Microsoft Threat Intelligence has identified a dangerous new cyber threat known as Storm-2372, raising alarms about security risks in multiple industries. This ongoing cyber attack, which has been active since August 2024, is targeting organizations in government, defense, IT services, telecommunications, healthcare, higher education, and the energy sector. The attacks have been detected across Europe, North America, Africa, and the Middle East, making it a widespread global threat.

Cybersecurity analysts have linked Storm-2372 with Russian-aligned interests based on the victims it targets, the hacking techniques used, and the overall strategy behind the attacks. Instead of relying on traditional hacking methods like malware or brute force attacks, Storm-2372 mainly uses deception to trick people into giving up access to their accounts.

One of the main tactics used by the attackers is to contact victims through popular messaging apps like WhatsApp, Signal, and Microsoft Teams. They pose as high-profile or influential figures relevant to the victim’s work, making their messages appear trustworthy and convincing. Once trust is established, the hackers launch their attack, stealing login credentials and accessing sensitive data.

How the Storm-2372 Attack Works

Storm-2372 uses a phishing method called “device code phishing”, which is more advanced and harder to detect than traditional phishing attacks. Instead of tricking users into entering their passwords on a fake website, this attack steals authentication tokens, which are used to access online accounts. These tokens act like digital keys, allowing attackers to enter accounts without needing passwords.

The attack follows a carefully planned process:

Fake Invitations: The victim receives an email or message disguised as an official Microsoft Teams meeting invitation. The message looks legitimate, making it difficult to suspect any malicious intent.

Manipulating the User: The email asks the recipient to click a link that takes them to a legitimate Microsoft login page. It instructs them to enter a special device code, claiming this step is necessary to join the meeting.

Stealing Authentication Tokens: When the victim enters the device code, the attackers capture their authentication tokens. These tokens grant access to the victim’s Microsoft account, including emails, cloud storage, and confidential files.

Spreading the Attack: Once inside the compromised account, hackers send similar phishing messages to other employees within the organization, tricking more users and expanding their access.

Stealing Sensitive Data: Attackers use Microsoft’s Graph service to search through emails and messages for keywords such as username, password, credentials, admin, ministry, secret, and gov. They collect any message containing these words and send it to themselves.

Unlike traditional cyber attacks that rely on hacking passwords, Storm-2372 bypasses password protection entirely by exploiting authentication tokens. If these tokens remain valid, attackers can continuously access sensitive systems for an extended period, even after changing passwords.

Preventing and Reducing the Risk against Storm-2372

To defend against Storm-2372, cybersecurity experts recommend several protective measures:

Blocking device code authentication: Organizations should disable device code sign-ins wherever possible. Since this attack relies on device codes, disabling them will prevent hackers from exploiting this method.

Using phishing-resistant multi-factor authentication (MFA): Multi-factor authentication (MFA) adds an extra layer of security, requiring users to verify their identity through fingerprints, security keys, or one-time passcodes. This makes it harder for hackers to gain access, even if they steal authentication tokens.

Applying the principle of least privilege: Employees should only have access to the information and systems necessary for their work. Restricting access reduces the risk of hackers moving through a network even if they compromise an account.

This attack highlights the growing risks of cyber threats in today’s digital world. Organizations must stay alert, educate employees, and strengthen security defenses to prevent such sophisticated cyberattacks.

TOP 10 TRENDING ON NEWSINTERPRETATION

Shocking Files Reveal Bill Clinton Letter in Epstein’s Infamous ‘Birthday Book’

Oversight Committee Releases New Epstein Records The House Oversight Committee...

McGregor channels Trump populism with Musk support in high-stakes Irish presidential race

In early September 2025, Ireland was taken by surprise...

Federal authorities seize $3 million in crypto linked to ransomware that hit US hospitals

Federal authorities have seized nearly $3 million worth of...

Bernie Sanders backs Zohran Mamdani in New York City mayor race citing grassroots momentum

A major political figure has stepped into the New...

JPMorgan handled $1.1 billion for Jeffrey Epstein despite warnings of criminal ties and reputation risk

JPMorgan Chase, one of America’s biggest banks, had a...

Qualys confirms limited Salesforce data access during Drift hacking campaign raising security concerns

Hackers accessed some Salesforce information from risk management company...

Ashley Hinson sparks clash with Newsom after claiming America should look more like Iowa

A sharp political exchange has broken out after U.S....

WSJ report says malware email linked to Chinese group aimed at U.S. tariff negotiations

U.S. authorities are investigating a suspicious email that carried...

Newsom mocks Rose Garden “Predator Patio” while millions face health care cuts

A political storm erupted after a freshly renovated section...

Related Articles

Popular Categories

error: Content is protected !!