
What is device code phishing, and why are Russian spies so successful with it?

    Researchers have discovered a persistent, ongoing campaign by Russian spies that uses a clever phishing technique to hijack the Microsoft 365 accounts of a wide range of targets, researchers warned.

    The technique is known as device code phishing. It abuses the "device code flow", a form of authentication formalized in the industry OAuth standard. Authentication via the device code flow is designed for signing printers, smart TVs and similar devices into accounts. These devices usually do not have a browser, which makes it hard to sign in with more standard forms of authentication, such as entering a user name, a password and a two-factor code.

    Instead of authenticating the user directly, the input-constrained device displays an alphabetic or alphanumeric device code together with a link that is tied to the user's account. The user opens the link on a computer or another device that is easier to sign in from and enters the code there. The authorization server then sends a token to the input-constrained device, which signs it into the account.

    Device authorization therefore relies on two paths: one from an app or code running on the input-constrained device that is asking for permission to sign in, and the other from the device the user normally uses to sign in.
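    To make the two paths concrete, here is an added example, written for this article and not code from Volexity, Microsoft or the OAuth specification, that models the device authorization grant (RFC 8628) with a hypothetical in-memory authorization server. The server, the client IDs, the verification URL and the user names are all constructed for the demonstration; Microsoft's real endpoints and code formats differ. The example runs the flow twice: once as a smart TV signing in legitimately, and once with the "device" being an attacker who forwards the user code to a victim. The point it shows is that the token is always delivered to whoever requested the device code, not to whoever entered it.

```python
import secrets
import string

# Constructed model of the OAuth 2.0 device authorization grant (RFC 8628).
# Hypothetical server for illustration; not Microsoft's implementation.
USER_CODE_ALPHABET = string.ascii_uppercase + string.digits


class AuthorizationServer:
    """Minimal device-authorization server keeping all state in memory."""

    def __init__(self, code_lifetime=900):
        self.pending = {}        # device_code -> pending request record
        self.by_user_code = {}   # normalized user_code -> device_code
        self.code_lifetime = code_lifetime

    def device_authorization(self, client_id, scope, now):
        """Path 1: the client that wants to sign in asks for a code pair."""
        device_code = secrets.token_hex(16)  # secret, never shown to the user
        raw = "".join(secrets.choice(USER_CODE_ALPHABET) for _ in range(8))
        user_code = raw[:4] + "-" + raw[4:]  # short code the user types in
        self.pending[device_code] = {
            "client_id": client_id, "scope": scope,
            "expires": now + self.code_lifetime, "approved_by": None,
        }
        self.by_user_code[raw] = device_code
        return {"device_code": device_code, "user_code": user_code,
                "verification_uri": "https://login.example/device",
                "expires_in": self.code_lifetime, "interval": 5}

    def approve(self, user_code, authenticated_user, now):
        """Path 2: an already signed-in user enters the code in a browser.

        Note what the server can and cannot know here: it knows that
        `authenticated_user` proved their identity, but it has no way to tell
        whether that user is the one holding the device that asked for the code.
        """
        device_code = self.by_user_code.get(user_code.upper().replace("-", ""))
        if device_code is None:
            return "invalid_code"
        rec = self.pending[device_code]
        if now > rec["expires"]:
            return "expired"
        rec["approved_by"] = authenticated_user
        return "approved"

    def token(self, device_code, client_id, now):
        """Path 1 again: the requesting client polls until the code is approved."""
        rec = self.pending.get(device_code)
        if rec is None or rec["client_id"] != client_id:
            return {"error": "invalid_grant"}
        if now > rec["expires"]:
            del self.pending[device_code]
            return {"error": "expired_token"}
        if rec["approved_by"] is None:
            return {"error": "authorization_pending"}
        del self.pending[device_code]  # single use: the code cannot be redeemed twice
        return {"access_token": "tok-" + secrets.token_hex(8), "token_type": "Bearer",
                "scope": rec["scope"], "subject": rec["approved_by"]}


def legitimate_flow(server, now=0.0):
    """A smart TV requests a code, its owner approves on a phone, the TV gets a token."""
    tv = server.device_authorization("smart-tv", "mail.read", now)
    first_poll = server.token(tv["device_code"], "smart-tv", now + 5)
    assert first_poll == {"error": "authorization_pending"}
    server.approve(tv["user_code"], "alice@example.test", now + 30)
    return server.token(tv["device_code"], "smart-tv", now + 35)


def phishing_flow(server, now=0.0):
    """The attacker plays the device: they request the code, send it to the victim
    in a chat message, and collect the token once the victim approves it."""
    attacker = server.device_authorization("legit-looking-client", "mail.read", now)
    lure = ("Please join the meeting: " + attacker["verification_uri"]
            + " and enter code " + attacker["user_code"])  # constructed lure text
    victim_entered = lure.split("code ")[-1]  # the victim copies the code out of the message
    server.approve(victim_entered, "victim@example.test", now + 60)
    # The token is issued to the attacker's device_code, bound to the victim's identity.
    return server.token(attacker["device_code"], "legit-looking-client", now + 65)


def expired_code(server, now=0.0):
    """Codes are short-lived: approving one after its lifetime is rejected."""
    req = server.device_authorization("any-client", "mail.read", now)
    return server.approve(req["user_code"], "bob@example.test", now + 1000)


if __name__ == "__main__":
    print(legitimate_flow(AuthorizationServer()))
    print(phishing_flow(AuthorizationServer()))
    print(expired_code(AuthorizationServer()))
```

    The server in both scenarios behaves exactly as specified; nothing is broken or bypassed. The only difference is who started path 1, which is why defenders cannot spot this abuse by looking for a malformed request and instead have to reason about where the user code came from.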

    A joint effort

    Advisories from both security firm Volexity and Microsoft warn that threat actors working on behalf of the Russian government have been abusing this flow since at least last August to take over Microsoft 365 accounts. The threat actors pose as trusted, high-ranking officials and strike up conversations with a targeted user in a messaging app such as Signal, WhatsApp or Microsoft Teams. Targeted organizations include: