
The Download
Threat actors, suspected to be Russian, are abusing Microsoft's device code authentication flow (the OAuth 2.0 device authorization grant that Microsoft Entra ID supports for input-constrained devices) to gain unauthorized access to Microsoft 365 (M365) accounts. The attack opens with social engineering: the attackers impersonate government officials or researchers, engage targets over platforms such as Signal, and send fake meeting invitations that link to Microsoft's legitimate device login page. Behind the scenes the attacker has already started a device code flow from a client they control, which yields a short-lived user code (valid for about 15 minutes, so the lure is timed to land while the code is still good). When the target enters that code and then signs in with their own credentials, including any MFA prompt, Microsoft issues the resulting access and refresh tokens to the attacker's polling client, not to the victim, and the refresh token gives the attacker persistent access to the victim's M365 account. The approach is particularly insidious because every page the victim interacts with is genuine Microsoft infrastructure and no credentials are ever typed into an attacker-owned site, which makes both user suspicion and conventional phishing detection far less likely.
What You Can Do
To defend against this threat, IT administrators should disable the device code flow for their tenant if it is not essential for operations. Where it cannot be disabled outright, a Conditional Access policy using the authentication flows condition can block device code flow for all users and then permit it only for the specific accounts, devices, or locations that need it. Regularly review sign-in logs for device code authentications (the sign-in record's authentication protocol field identifies the flow), paying particular attention to successful device code sign-ins from IP addresses or countries a user has never signed in from before. If a compromise is suspected, revoke the user's sign-in sessions so the stolen refresh token stops working, rather than only resetting the password. Finally, educate users about this specific technique: an unexpected request to visit a Microsoft device login page and type in a code should be treated as a phishing attempt until verified through a separate channel.
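As an added example that is not part of the original newsletter, the script below shows both controls in working code: it scans exported Entra sign-in records for device code flow sign-ins and rates each one against the user's baseline of countries seen in their normal sign-ins, and it builds the request body for a Conditional Access policy that blocks device code flow for everyone except named break-glass accounts. It assumes the field names of the Microsoft Graph signIn resource (authenticationProtocol, userPrincipalName, ipAddress, location, status) and of the conditionalAccessPolicy resource (conditions.authenticationFlows.transferMethods); the sample records are constructed, not real log data.

```python
"""Added example, not code from the original page: device code flow detection
over constructed Entra sign-in records, plus a Conditional Access policy body
that blocks the flow.

Assumptions: record field names follow the Microsoft Graph signIn resource;
the policy body follows the Graph conditionalAccessPolicy resource. Neither
the records nor the account IDs below are real.
"""
from collections import defaultdict

# Constructed sample export (not real data). Bob's device code sign-in comes
# from a country he normally signs in from; Alice's comes from a new one.
SAMPLE_SIGNINS = [
    {"createdDateTime": "2025-02-10T08:01:00Z", "userPrincipalName": "alice@example.org",
     "authenticationProtocol": "oAuth2", "ipAddress": "203.0.113.10",
     "location": {"countryOrRegion": "US"}, "status": {"errorCode": 0}},
    {"createdDateTime": "2025-02-10T08:05:00Z", "userPrincipalName": "bob@example.org",
     "authenticationProtocol": "oAuth2", "ipAddress": "203.0.113.11",
     "location": {"countryOrRegion": "US"}, "status": {"errorCode": 0}},
    {"createdDateTime": "2025-02-11T09:15:00Z", "userPrincipalName": "alice@example.org",
     "authenticationProtocol": "oAuth2", "ipAddress": "203.0.113.10",
     "location": {"countryOrRegion": "US"}, "status": {"errorCode": 0}},
    {"createdDateTime": "2025-02-12T14:20:00Z", "userPrincipalName": "bob@example.org",
     "authenticationProtocol": "deviceCode", "ipAddress": "198.51.100.7",
     "location": {"countryOrRegion": "US"}, "status": {"errorCode": 0}},
    {"createdDateTime": "2025-02-13T03:42:00Z", "userPrincipalName": "alice@example.org",
     "authenticationProtocol": "deviceCode", "ipAddress": "192.0.2.55",
     "location": {"countryOrRegion": "NL"}, "status": {"errorCode": 0}},
]


def baseline_countries(records):
    """Countries seen in each user's successful, non-device-code sign-ins."""
    seen = defaultdict(set)
    for r in records:
        if r["authenticationProtocol"] != "deviceCode" and r["status"]["errorCode"] == 0:
            seen[r["userPrincipalName"]].add(r["location"]["countryOrRegion"])
    return seen


def find_device_code_signins(records):
    """Return every device code sign-in, rated against the user's baseline.

    A successful device code sign-in from a country the user has never signed
    in from is rated 'high' (the pattern of the attack described above); any
    other device code sign-in is rated 'review' because the flow itself is
    rare enough in most tenants to deserve a look.
    """
    base = baseline_countries(records)
    findings = []
    for r in records:
        if r["authenticationProtocol"] != "deviceCode":
            continue
        user = r["userPrincipalName"]
        country = r["location"]["countryOrRegion"]
        success = r["status"]["errorCode"] == 0
        new_country = country not in base.get(user, set())
        findings.append({
            "user": user,
            "time": r["createdDateTime"],
            "ip": r["ipAddress"],
            "country": country,
            "success": success,
            "severity": "high" if success and new_country else "review",
        })
    return findings


def block_device_code_policy(exclude_user_ids=(), state="enabledForReportingButNotEnforced"):
    """Body for POST https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies
    that blocks the device code flow for all users except the listed break-glass
    accounts. Defaults to report-only mode so the sign-in log impact can be
    reviewed before the policy is switched to 'enabled'."""
    return {
        "displayName": "Block device code flow",
        "state": state,
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeUsers": list(exclude_user_ids)},
            "applications": {"includeApplications": ["All"]},
            "authenticationFlows": {"transferMethods": "deviceCodeFlow"},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }


if __name__ == "__main__":
    for f in find_device_code_signins(SAMPLE_SIGNINS):
        print(f"{f['severity']:6} {f['time']} {f['user']} from {f['ip']} ({f['country']})")
    # Hypothetical break-glass account object ID; replace with your own.
    print(block_device_code_policy(["00000000-0000-0000-0000-000000000001"]))
```

Run against a real export, the baseline should come from a longer window (weeks of successful sign-ins) than the window being inspected, otherwise the attacker's own device code sign-in cannot be compared against anything; the country check is a starting point, and the same structure accepts any other baseline attribute the sign-in record carries, such as the client application.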
Use ThreatMate to monitor your M365 tenants' attack surface. Sign up for a demo today.
To Learn More: