Storm-2372: Sophisticated Phishing Campaign Detected

A Widespread Cyber Threat Emerges

Microsoft Threat Intelligence has identified a dangerous new cyber threat known as Storm-2372, raising alarms about security risks in multiple industries. This ongoing cyber attack, which has been active since August 2024, is targeting organizations in government, defense, IT services, telecommunications, healthcare, higher education, and the energy sector. The attacks have been detected across Europe, North America, Africa, and the Middle East, making it a widespread global threat.

Cybersecurity analysts have linked Storm-2372 with Russian-aligned interests based on the victims it targets, the hacking techniques used, and the overall strategy behind the attacks. Instead of relying on traditional hacking methods like malware or brute force attacks, Storm-2372 mainly uses deception to trick people into giving up access to their accounts.

One of the main tactics used by the attackers is to contact victims through popular messaging apps like WhatsApp, Signal, and Microsoft Teams. They pose as high-profile or influential figures relevant to the victim’s work, making their messages appear trustworthy and convincing. Once trust is established, the hackers launch their attack, stealing login credentials and accessing sensitive data.

How the Storm-2372 Attack Works

Storm-2372 uses a phishing method called “device code phishing”, which is more advanced and harder to detect than traditional phishing attacks. Instead of tricking users into entering their passwords on a fake website, this attack steals authentication tokens, which are used to access online accounts. These tokens act like digital keys, allowing attackers to enter accounts without needing passwords.

The attack follows a carefully planned process:

Fake Invitations: The victim receives an email or message disguised as an official Microsoft Teams meeting invitation. The message looks legitimate, making it difficult to suspect any malicious intent.

Manipulating the User: The email asks the recipient to click a link that takes them to a legitimate Microsoft login page. It instructs them to enter a special device code, claiming this step is necessary to join the meeting.

Stealing Authentication Tokens: When the victim enters the device code, the attackers capture their authentication tokens. These tokens grant access to the victim’s Microsoft account, including emails, cloud storage, and confidential files.

Spreading the Attack: Once inside the compromised account, hackers send similar phishing messages to other employees within the organization, tricking more users and expanding their access.

Stealing Sensitive Data: Attackers use Microsoft’s Graph service to search through emails and messages for keywords such as username, password, credentials, admin, ministry, secret, and gov. They collect any message containing these words and send it to themselves.

Unlike traditional cyber attacks that rely on hacking passwords, Storm-2372 bypasses password protection entirely by exploiting authentication tokens. If these tokens remain valid, attackers can continuously access sensitive systems for an extended period, even after changing passwords.

Preventing and Reducing the Risk from Storm-2372

To defend against Storm-2372, cybersecurity experts recommend several protective measures:

Blocking device code authentication: Organizations should disable device code sign-ins wherever possible. Since this attack relies on device codes, disabling them will prevent hackers from exploiting this method.

Using phishing-resistant multi-factor authentication (MFA): MFA adds an extra layer of security, requiring users to verify their identity through fingerprints, security keys, or one-time passcodes. This makes it harder for hackers to gain access, even if they steal authentication tokens.

Applying the principle of least privilege: Employees should only have access to the information and systems necessary for their work. Restricting access reduces the risk of hackers moving through a network even if they compromise an account.
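The attack chain above (a device code sign-in followed by token use from the attacker's own infrastructure) and the first recommendation (block or at least watch device code authentication) both point to the same defensive check: find successful device code sign-ins, rank them by how far they depart from the user's normal locations, and list the accounts whose tokens should be revoked. The script below is an added example written for this article; it is not Microsoft's code or a published hunting query. The log lines are constructed, and the field names (`authenticationProtocol`, `country`, `status`) are an assumption loosely modelled on identity provider sign-in logs, so map them to your own log schema before use.

```python
"""Flag device code sign-ins and follow-on token use from the same address.

Added example for the Storm-2372 write-up; not Microsoft's code. The log
records below are constructed and the field names are assumptions modelled
loosely on identity provider sign-in logs.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one JSON record per line. alice normally signs in from
# DE; a device code sign-in then appears from a new country, followed two
# minutes later by an ordinary sign-in from the same IP (the stolen token in
# use). bob completes a device code sign-in from his usual country.
SAMPLE_SIGNIN_LOG = """
{"time": "2025-02-10T08:01:00Z", "user": "alice@example.org", "ip": "203.0.113.10", "country": "DE", "authenticationProtocol": "none", "resource": "Exchange Online", "status": 0}
{"time": "2025-02-10T08:05:00Z", "user": "bob@example.org", "ip": "203.0.113.22", "country": "DE", "authenticationProtocol": "none", "resource": "Exchange Online", "status": 0}
{"time": "2025-02-10T09:15:00Z", "user": "alice@example.org", "ip": "203.0.113.10", "country": "DE", "authenticationProtocol": "none", "resource": "SharePoint Online", "status": 0}
{"time": "2025-02-10T09:40:00Z", "user": "alice@example.org", "ip": "198.51.100.7", "country": "XX", "authenticationProtocol": "deviceCode", "resource": "Microsoft Graph", "status": 0}
{"time": "2025-02-10T09:42:00Z", "user": "alice@example.org", "ip": "198.51.100.7", "country": "XX", "authenticationProtocol": "none", "resource": "Microsoft Graph", "status": 0}
{"time": "2025-02-10T10:05:00Z", "user": "bob@example.org", "ip": "203.0.113.22", "country": "DE", "authenticationProtocol": "deviceCode", "resource": "Azure CLI", "status": 0}
"""


def parse_signin_log(text):
    """Parse newline-delimited JSON sign-in records; timestamps become datetimes."""
    records = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        rec["time"] = datetime.strptime(rec["time"], "%Y-%m-%dT%H:%M:%SZ")
        records.append(rec)
    return records


def find_device_code_signins(records, follow_on_window=timedelta(minutes=30)):
    """Return one finding per successful device code sign-in.

    Severity is "high" when the sign-in comes from a country the user had not
    used in any earlier successful non-device-code sign-in, otherwise "medium"
    (device code flow is still worth review if the organisation means to block
    it). follow_on_signins counts later non-device-code sign-ins from the same
    IP inside the window, i.e. the captured token being used.
    """
    by_user = defaultdict(list)
    for rec in sorted(records, key=lambda r: r["time"]):
        by_user[rec["user"]].append(rec)

    findings = []
    for user, recs in by_user.items():
        for i, rec in enumerate(recs):
            if rec["authenticationProtocol"] != "deviceCode" or rec["status"] != 0:
                continue
            # Baseline is built only from sign-ins before this event, so the
            # attacker's own follow-on sign-ins cannot launder the location.
            prior_countries = {
                r["country"] for r in recs[:i]
                if r["status"] == 0 and r["authenticationProtocol"] != "deviceCode"
            }
            follow_on = [
                r for r in recs[i + 1:]
                if r["ip"] == rec["ip"]
                and r["authenticationProtocol"] != "deviceCode"
                and r["time"] - rec["time"] <= follow_on_window
            ]
            new_location = rec["country"] not in prior_countries
            findings.append({
                "user": user,
                "time": rec["time"].isoformat(),
                "ip": rec["ip"],
                "country": rec["country"],
                "resource": rec["resource"],
                "new_location": new_location,
                "follow_on_signins": len(follow_on),
                "severity": "high" if new_location else "medium",
            })
    return findings


def revocation_candidates(findings):
    """Accounts whose refresh tokens and sessions should be revoked first."""
    return sorted({f["user"] for f in findings if f["severity"] == "high"})


if __name__ == "__main__":
    found = find_device_code_signins(parse_signin_log(SAMPLE_SIGNIN_LOG))
    for f in found:
        print(f"{f['severity']:6} {f['time']} {f['user']} from {f['country']} "
              f"({f['ip']}) -> {f['resource']}, follow-on sign-ins: {f['follow_on_signins']}")
    print("revoke tokens for:", revocation_candidates(found))
```

The point of the baseline rule is the last step the article describes: once the token is in use, the attacker's own sign-ins look like normal sign-ins from the new location, so the baseline must be frozen at the moment of the device code event. A password reset does not end the session, which is why the output is a revocation list rather than a reset list.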

This attack highlights the growing risks of cyber threats in today’s digital world. Organizations must stay alert, educate employees, and strengthen security defenses to prevent such sophisticated cyberattacks.
