Russian Threat Actors Exploit Microsoft Device Code Authentication for MS365 Access
Suspected Russian threat actors have been observed abusing a legitimate Microsoft authentication method to compromise Microsoft 365 (M365) accounts. The method, known as Device Code Authentication, was designed for secure sign-in on devices that lack direct input capabilities, but it is now being misused to obtain unauthorized access.
Threat analysts from Volexity report that these actors are employing this method with significant success, surpassing the effectiveness of previous social engineering and spear-phishing attempts. The attackers have been covertly targeting government organizations, non-governmental organizations, and various industries across multiple regions.
The Attack Process from the Victim’s Perspective
Volexity and Microsoft have identified multiple campaigns where these Russian threat actors impersonate officials from the US, Ukraine, and EU, as well as researchers from reputable institutions, primarily through social media platforms like Signal.
“These communications often carry different themes; however, they all lead to the attacker inviting the targeted individual to join a Microsoft Teams meeting, gain access to an application as an external M365 user, or participate in a chatroom on a secure application like Element,” Volexity researchers explained.
The attack progresses with the victim receiving a fraudulent invitation that directs them to https://microsoft.com/devicelogin, which redirects to https://login.microsoftonline.com/common/oauth2/deviceauth. This is the Microsoft Device Code Authentication page where users are instructed to enter a code provided in the email to authenticate.

Once the victim enters their credentials, including a second authentication factor if required, the threat actor captures the access and refresh tokens generated, allowing them to gain and maintain access to the victim’s M365 account.

Subsequently, these actors may search through the victim’s emails for key phrases like “password,” “admin,” or “secret,” and exfiltrate sensitive documents. They also send phishing messages from the compromised account to other members of the organization, further extending their access.
Understanding the Legitimate Device Code Authentication Workflow
Microsoft’s Device Code Authentication workflow is designed to allow users to sign in to devices with limited input capabilities. The process requires the user to visit a webpage on another device to authenticate themselves, after which the original device receives access and refresh tokens.
“While this feature enhances usability, its misuse by threat actors poses a significant security risk,” notes a cybersecurity expert. “Users and organizations are encouraged to be vigilant and aware of how this legitimate process can be exploited.”
The attacks are successful due to several factors:
- Phishing emails lack malicious links or attachments, making them less suspicious.
- The technique leverages a legitimate Microsoft service, making it easier to evade detection.
- Compromises are hard to spot, as the attacker's sign-in is recorded as a normal, successful entry in the sign-in logs.
This type of attack may not be novel, but it has been underutilized by threat actors until now. Its low profile has left many organizations unprepared.
Mitigation Steps and Detection Tips
To safeguard against these attacks, organizations can implement conditional access policies that block Device Code Authentication entirely. However, this step is only feasible if the organization does not rely on this feature for legitimate authentication needs.
“For those organizations that require Device Code Authentication, continuous monitoring of sign-in logs for specific values is crucial,” advises Volexity. These values include "authenticationProtocol": "deviceCode" and "originalTransferMethod": "deviceCodeFlow".
Monitoring URLs accessed by users can also help detect phishing attempts. Specifically, the appearance of https://login.microsoftonline.com/common/oauth2/deviceauth, https://www.microsoft.com/devicelogin, or https://aka.ms/devicelogin may indicate malicious activity.
“If device code phishing is suspected, revoke the user’s refresh tokens by calling revokeSignInSessions,” Microsoft advises. Changing passwords alone is insufficient as attackers have both access and refresh tokens.
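The two log fields named above and the revocation step can be turned into a simple triage check. The following is an added example, not code from the article or from Volexity: it reads constructed Entra ID sign-in records in JSON Lines form (the field names are the ones the article cites; the sample values are invented) and flags sign-ins that used the device code flow, then builds the Graph request path for revokeSignInSessions for each affected user.

```python
import json

# Constructed sample sign-in records (JSON Lines), not real log data.
# Only the fields this check needs are present; status.errorCode 0 means success.
SAMPLE_SIGNIN_LOGS = """\
{"createdDateTime":"2025-02-13T09:12:44Z","userPrincipalName":"alice@example.org","ipAddress":"203.0.113.10","appDisplayName":"Microsoft Office","authenticationProtocol":"deviceCode","originalTransferMethod":"deviceCodeFlow","status":{"errorCode":0}}
{"createdDateTime":"2025-02-13T09:15:02Z","userPrincipalName":"bob@example.org","ipAddress":"198.51.100.7","appDisplayName":"Microsoft Teams","authenticationProtocol":"none","originalTransferMethod":"none","status":{"errorCode":0}}
{"createdDateTime":"2025-02-13T11:40:19Z","userPrincipalName":"carol@example.org","ipAddress":"192.0.2.55","appDisplayName":"Microsoft Office","authenticationProtocol":"deviceCode","originalTransferMethod":"deviceCodeFlow","status":{"errorCode":50126}}
"""


def device_code_signins(lines, successful_only=True):
    """Return sign-in records that used the device code flow.

    Either field the article names is enough to match, so a record that
    carries only one of them is still caught. Failed attempts are dropped
    unless successful_only is False, since only a successful sign-in hands
    the attacker tokens.
    """
    hits = []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        rec = json.loads(raw)
        used_device_code = (rec.get("authenticationProtocol") == "deviceCode"
                            or rec.get("originalTransferMethod") == "deviceCodeFlow")
        if not used_device_code:
            continue
        if successful_only and rec.get("status", {}).get("errorCode", 0) != 0:
            continue
        hits.append(rec)
    return hits


def revoke_endpoint(user_principal_name):
    """Graph v1.0 action the article cites for invalidating refresh tokens."""
    return f"https://graph.microsoft.com/v1.0/users/{user_principal_name}/revokeSignInSessions"


def triage(lines):
    """Map each user with a successful device code sign-in to the IPs seen and the revoke call."""
    report = {}
    for rec in device_code_signins(lines):
        upn = rec["userPrincipalName"]
        entry = report.setdefault(upn, {"ips": [], "revoke": revoke_endpoint(upn)})
        entry["ips"].append(rec["ipAddress"])
    return report


if __name__ == "__main__":
    for upn, info in triage(SAMPLE_SIGNIN_LOGS.splitlines()).items():
        print(upn, info["ips"], "-> POST", info["revoke"])
```

Whether a flagged sign-in is malicious still depends on context: an organization that legitimately uses the flow should compare the source IP and application against its known devices before revoking.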
Volexity has shared indicators of compromise associated with these campaigns, available on their GitHub page.
Conclusion
This emerging threat underscores the importance of staying vigilant against evolving cyberattacks. By understanding how threat actors exploit legitimate services like Device Code Authentication, organizations can better prepare and protect their M365 accounts.
