Russia’s Storm-2372 Bypasses MFA Using Device Code Phishing | SecureThread Shorts
Author: Secure Thread
Uploaded: 12 Apr 2025
Views: 189
Threat Campaign Summary
Actor: Storm-2372 (Russia-linked)
Tactic: Device Code Phishing
Target Sectors: Government, Finance, Defense, Technology, Healthcare
Geographic Spread: Multi-national
Why It’s Dangerous
✅ Bypasses MFA, including hardware tokens and app-based verification
🕰️ Long-lived access due to refresh token abuse
👁️🗨️ Difficult to detect: Appears as "user-approved" OAuth flow
🌍 Can be executed remotely and at scale across cloud providers
🛡️ Mitigation Guidance
🔍 Detection:
Monitor OAuth token grant events
Detect anomalous device code flow authentication patterns
Track token reuse and geo-divergent logins
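The detection items above can be turned into a small rule. The following is an added example, not code from the video or from SecureThread: it walks constructed Entra-style sign-in records (field names are a simplified assumption, with `authenticationProtocol` set to `deviceCode` for device code sign-ins) and flags device code sign-ins from a country the user has never signed in from before.

```python
"""Flag OAuth device-code sign-ins that diverge from a user's usual location.
Sample records are constructed for this example; the JSON layout is a
simplified assumption, not the exact schema of any vendor's sign-in log."""
import json
from collections import defaultdict

# Constructed sample sign-ins (one JSON object per line, made-up values).
SAMPLE_SIGNINS = """
{"user":"alice@example.org","authenticationProtocol":"oAuth2","country":"DE","ip":"198.51.100.10","time":"2025-04-10T08:01:00Z"}
{"user":"alice@example.org","authenticationProtocol":"oAuth2","country":"DE","ip":"198.51.100.10","time":"2025-04-11T08:03:00Z"}
{"user":"alice@example.org","authenticationProtocol":"deviceCode","country":"NL","ip":"203.0.113.77","time":"2025-04-12T09:15:00Z"}
{"user":"bob@example.org","authenticationProtocol":"deviceCode","country":"DE","ip":"198.51.100.22","time":"2025-04-12T09:20:00Z"}
{"user":"bob@example.org","authenticationProtocol":"oAuth2","country":"DE","ip":"198.51.100.22","time":"2025-04-12T09:25:00Z"}
"""

def parse_signins(text):
    """Parse one JSON record per non-empty line."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]

def find_suspicious_device_code_signins(records):
    """Walk sign-ins in time order, keeping a per-user baseline of countries
    seen so far. A device-code sign-in from outside that baseline is the
    geo-divergent pattern called out in the detection guidance; one with no
    baseline at all is still surfaced, because the flow should be rare."""
    baseline = defaultdict(set)
    alerts = []
    for rec in sorted(records, key=lambda r: r["time"]):
        user, country = rec["user"], rec["country"]
        if rec.get("authenticationProtocol") == "deviceCode":
            if not baseline[user]:
                severity, reason = "medium", "device code sign-in with no prior baseline"
            elif country not in baseline[user]:
                severity, reason = "high", f"device code sign-in from {country}, baseline {sorted(baseline[user])}"
            else:
                severity, reason = "low", "device code sign-in from a known location"
            alerts.append({"user": user, "ip": rec["ip"], "time": rec["time"],
                           "severity": severity, "reason": reason})
        baseline[user].add(country)  # every sign-in, any protocol, feeds the baseline
    return alerts

if __name__ == "__main__":
    for alert in find_suspicious_device_code_signins(parse_signins(SAMPLE_SIGNINS)):
        print(alert["severity"].upper(), alert["user"], alert["reason"])
```

In production the baseline would come from a longer history than the current batch, and the "high" hits are the ones to correlate with later token refreshes from the same new IP.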
🔐 Prevention:
Disable device code flow if not explicitly needed
Enforce Conditional Access Policies (e.g., device compliance, location)
Revoke unused or excessive OAuth app permissions
Educate users to never input codes or credentials outside official login portals
📉 Containment:
Regularly rotate tokens and revoke suspicious sessions
Use Privileged Identity Management (PIM) to restrict persistent access
🧠 Key Insight:
Storm-2372 demonstrates that identity is the new perimeter. Bypassing MFA through legitimate OAuth mechanisms shows that even "secure" auth flows are vulnerable when user trust is manipulated. It reinforces the need for identity behavior analytics and continuous session validation.
#CyberSecurity #ThreatIntel #Storm2372 #MFABypass #Phishing #InfoSec #APT #AccessTokens #Microsoft