CyberheistNews Vol 15 #18 | May 6th, 2025
[Eye Opener] Sneaky New Attack. What is Device Code Phishing?
By Roger Grimes
Ever since Microsoft's initial announcement on February 13, 2025, about a Russian nation-state phishing campaign using "device code phishing," many people have been wondering what it is.
This post will tell you what device code phishing is and how to defend against it. Here are some other related reports involving the recently reported device code phishing attacks:
- Multiple Russian Threat Actors Targeting Microsoft Device Code Authentication
- The Growing Threat of Device Code Phishing and How to Defend Against It
- Storm-2372: Russian APT Using Device Code Phishing in Advanced Attacks
What Is a Device Code?
I almost hate the term — device code. It's not very distinctive. All authentication codes are sent to devices. The difference here is that what is being authenticated is the device, so that all future connections from the same device are treated as belonging to a particular user.
When you are using the same device, it must be you, or so the logic goes. Indirect user authentication.
Imagine you are trying to log into something on a device that is painful to type on, say a TV or a command-line tool. Instead of asking for your password there, the service shows a short code on that first device and tells you to open its sign-in page on a second device you already use, your phone or laptop, type the code in, and sign in there. Once you do, the first device is authenticated and logged in. It sounds like something we do all the time when trying to log into somewhere.
Many of us do this as part of some "one-time password" (OTP) multi-factor authentication login, but device code authentication is slightly different. An OTP is sent to you and typed back to the service to prove that it is you; it is user authentication-focused, even when the OTP could be "bound" to your device. A device code flows the other way: it is shown on the first device and typed into a login on the second, and what it proves is that the person signed in on the second device approves the first device. This login is tied to your devices.
Note: Many advanced user authentication solutions look at, identify and authenticate the device you are using. When you log on from what the authentication service believes is the same device, it assigns more trust to that logon.
Device codes focus on getting a particular device signed in as you. Note that the service does not verify anything about that first device; it only learns that whoever was signed in on the second device approved the code. With device code authentication, once you have entered the code (on your second device), the first device receives its own sign-in tokens for the service, and you will not be asked to re-authenticate on that device, or as a user, again (at least for some set period of time).
Many of us are familiar with device codes, even if we do not know them by that name. If you have ever answered a new login prompt on your TV for a streaming service you already subscribe to (e.g., Netflix, Max, Apple TV, etc.), instead of typing all your login information in on the TV, one painful arrow...arrow...select keystroke at a time, the TV likely showed you a short code and a web address to visit on your phone or computer. Typing the code in there logged the TV into your streaming service, and it never bothered you again on that same device (i.e., the TV).
If you have done that, you have experienced a form of device code authentication.
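To make the flow concrete, here is an added example, not code from this newsletter or from Microsoft, that models the OAuth 2.0 Device Authorization Grant (RFC 8628), the protocol behind Microsoft's device code login, and then replays the phishing sequence described in Microsoft's Storm-2372 report on top of it: the attacker's machine plays the role of the TV, the victim types the code into the genuine sign-in page, and the tokens land on the attacker's machine. Everything is in-memory and constructed (the verification URI, client name, user names, code lengths and lifetime are placeholders), and the allow_device_code_flow switch stands in for a tenant policy, such as a Conditional Access rule, that refuses the flow.

```python
"""Toy OAuth 2.0 Device Authorization Grant (RFC 8628) server, the protocol
behind "device code" logins, plus a replay of the phishing sequence.

Added example for this newsletter, not code from KnowBe4 or Microsoft. All
endpoints, client names, users and tokens are constructed placeholders.
"""
import secrets
import string
import time

USER_CODE_ALPHABET = string.ascii_uppercase + string.digits  # easy to type on a TV remote
USER_CODE_LEN = 8                     # RFC 8628 suggests short, human-typeable codes
CODE_LIFETIME = 900                   # seconds (assumed; real servers use ~15 minutes)
POLL_INTERVAL = 5                     # minimum seconds between token polls


class AuthorizationServer:
    def __init__(self, allow_device_code_flow=True):
        # Stand-in for a tenant policy (e.g. a Conditional Access rule) that refuses the flow.
        self.allow_device_code_flow = allow_device_code_flow
        self._pending = {}       # device_code -> session
        self._by_user_code = {}  # user_code -> device_code

    def device_authorization(self, client_id, now=None):
        """Step 1: the first device (TV, CLI, or attacker box) asks for a code pair."""
        now = time.time() if now is None else now
        device_code = secrets.token_urlsafe(32)  # high entropy; stays on the first device
        user_code = "".join(secrets.choice(USER_CODE_ALPHABET) for _ in range(USER_CODE_LEN))
        self._pending[device_code] = {"client_id": client_id, "user_code": user_code,
                                      "issued": now, "approved_by": None, "last_poll": None}
        self._by_user_code[user_code] = device_code
        return {"device_code": device_code, "user_code": user_code,
                "verification_uri": "https://login.example.test/device",  # placeholder
                "expires_in": CODE_LIFETIME, "interval": POLL_INTERVAL}

    def verify_user_code(self, user_code, signed_in_user, now=None):
        """Step 2: a signed-in user types the user code on a second device.
        The server learns nothing about where the first device is or who runs it."""
        now = time.time() if now is None else now
        device_code = self._by_user_code.get(user_code.replace("-", "").upper())
        session = self._pending.get(device_code)
        if session is None or now - session["issued"] > CODE_LIFETIME:
            return {"error": "invalid_or_expired_code"}
        if not self.allow_device_code_flow:
            return {"error": "device_code_flow_blocked_by_policy"}
        session["approved_by"] = signed_in_user
        # The user sees only the registered client name, never the attacker's machine.
        return {"ok": True, "approved_app": session["client_id"]}

    def token(self, device_code, now=None):
        """Step 3: the first device polls with its device_code until approval."""
        now = time.time() if now is None else now
        session = self._pending.get(device_code)
        if session is None:
            return {"error": "invalid_grant"}
        if now - session["issued"] > CODE_LIFETIME:
            del self._pending[device_code]
            del self._by_user_code[session["user_code"]]
            return {"error": "expired_token"}
        if session["last_poll"] is not None and now - session["last_poll"] < POLL_INTERVAL:
            return {"error": "slow_down"}
        session["last_poll"] = now
        if session["approved_by"] is None:
            return {"error": "authorization_pending"}
        del self._pending[device_code]
        del self._by_user_code[session["user_code"]]
        # Tokens are for the user who approved, issued to whoever holds device_code.
        return {"access_token": "at-" + secrets.token_hex(8),
                "refresh_token": "rt-" + secrets.token_hex(8),
                "user": session["approved_by"]}


def phishing_walkthrough(allow_device_code_flow=True):
    """Replay of the sequence in Microsoft's Storm-2372 report against the toy server:
    the attacker is the 'first device'; the victim only ever talks to the real login page."""
    server = AuthorizationServer(allow_device_code_flow)
    attacker = server.device_authorization(client_id="ExampleCollab")  # placeholder app name
    # The lure carries only the public user_code and the genuine verification URI.
    lure = "Join the meeting: %s  Code: %s" % (attacker["verification_uri"], attacker["user_code"])
    # The victim, already signed in on their own laptop, enters the code on the genuine page.
    victim_sees = server.verify_user_code(attacker["user_code"], signed_in_user="alice@example.test")
    # The attacker polls with the device_code it never had to share.
    attacker_gets = server.token(attacker["device_code"])
    return lure, victim_sees, attacker_gets


if __name__ == "__main__":
    for blocked in (False, True):
        lure, seen, got = phishing_walkthrough(allow_device_code_flow=not blocked)
        print("policy blocks flow:", blocked, "| victim saw:", seen, "| attacker got:", got)
```

The thing to notice is that nothing the victim sees is fake: the page is the real sign-in page and the code is a real code. The only secret that crosses to the victim is the short user_code; the device_code, which is what the tokens are issued against, never leaves the attacker's machine, and the server learns nothing about that machine. So the defense cannot be "check whether the code is genuine." The practical controls are to refuse the flow where it is not needed (the policy switch above), to make the approval page say plainly which app and which device are being signed in, and to alert on device code sign-ins from locations or clients the user has never used.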
[CONTINUED] Blog post with Screenshots, examples, and links:
https://blog.knowbe4.com/what-is-device-code-phishing
Ridiculously Easy AI-Powered Security Awareness Training and Phishing
Phishing and social engineering are the #1 cyber threat to your organization. 68% of all data breaches are caused by human error.
Join us for a live demonstration of KnowBe4 in action. See how we safeguard your organization from sophisticated social engineering threats using the most comprehensive human risk management platform.
Get a look at THREE NEW FEATURES and see how easy it is to train and phish your users.
- NEW! Artificial Intelligence Defense Agents allows you to personalize security training, reduce admin burden and elevate your human risk management strategy
- NEW! SmartRisk Agent provides actionable data and metrics to help you lower your organization's human risk score
- NEW! Individual Leaderboards are a fun way to help increase training engagement by encouraging friendly competition among your users
- Smart Groups allows you to use employees' behavior and user attributes to tailor and automate phishing campaigns, training assignments, remedial learning and reporting
- Full Random Phishing automatically chooses different templates for each user, preventing users from telling each other about an incoming phishing test
Find out how nearly 70,000 organizations have mobilized their end users as their human firewall.
Date/Time: TOMORROW, Wednesday, May 7, @ 2:00 PM (ET)
Save My Spot:
https://info.knowbe4.com/kmsat-demo-2?partnerref=CHN2
A Sneaky T-Mobile Scam and Lessons That Were Learned
A friend of mine got a call on his phone and he regrettably picked it up. The number was 267-332-3644. The area code is from Bucks County, PA, where he used to live many years ago.
But since his multiple anti-scam phone filter apps did not flag the number as a scam, and it was from a place he used to live, he picked it up.
The caller was so heavily accented that he almost could not understand what was being said, but he heard enough to understand this: It was supposedly T-Mobile, his current mobile phone carrier, calling to offer him a six-month 30% discount and a free electronic device because he has been such a good customer.
Yes, we have all heard of this scam many times before, but what was different was that they were able to tell him his account number, login name, phone numbers, address, the last two months of phone bill amounts and knew that his wife had a line that was also on the bill. With that, he believed he was talking to T-Mobile support.
Note: Whoever he was talking to could have obtained this information from many different sources, hacked or leaked. Anything they told him could be found on his bills.
In order to confirm his 30% discount, they needed his account PIN. Most cell phone and cable services now have a four-digit numeric PIN that customers must repeat to make account changes. Lucky for him, he did not remember it.
No problem, the (fake) T-Mobile reps would send him a one-time password (OTP) code to his phone that he could repeat to them, which they could accept instead of the PIN. And sure enough, moments later, T-Mobile (the real T-Mobile) sent him a text message.
[CONTINUED] At The Knowbe4 Blog:
https://blog.knowbe4.com/sneaky-t-mobile-scam-and-lessons-learned
FAIK Everything: The Deepfake Playbook, Unleashed
Brace yourself for a mind-bending journey into the world of digital deception! Generative AI is unleashing deepfakes so dangerously convincing they can manipulate even your most vigilant defenders.
These aren't just Hollywood special effects anymore — they're the latest weapon in the cybercriminal's arsenal, already targeting your organization's vulnerabilities!
Join us for this heart-stopping webinar where Perry Carpenter, KnowBe4's Chief Evangelist and Strategy Officer, rips the mask off the alarming rise of AI-powered social engineering. Whether you're a security leader, red teamer, risk manager or anyone responsible for keeping your organization safe in this brave new world, this session is your ticket to staying ahead of the curve.
In this eye-opening webinar, you'll witness:
- Exclusive, jaw-dropping demos of deepfake tech in action — including video impersonations, voice cloning and synthetic crisis scenarios
- Analysis of recent high-profile cases where synthetic media has been weaponized
- An insider look at the AI deception tools and techniques being deployed by sophisticated threat actors today
- "Adversarial thinking" strategies to identify your most vulnerable attack surfaces
- Organizational strategies to build resilience against narrative manipulation at scale
Don't let your organization become the next victim of a deepfake disaster! Attend this crucial webinar and arm yourself with the knowledge to outsmart even the most convincing AI tricksters and earn CPE credit for attending!
Date/Time: Wednesday, May 14 @ 2:00 PM (ET)
Can't attend live? No worries — register now and you will receive a link to view the presentation on-demand afterwards.
Save My Spot:
https://info.knowbe4.com/faik-everything?partnerref=CHN
Exciting Leadership Updates at KnowBe4
KnowBe4 has a new CEO!
I am excited to welcome Bryan Palma as our new CEO who will lead the company into our next phase of growth. I am transitioning to my new role as Executive Chairman, where I will continue to guide our AI innovation efforts.
The future is incredibly bright for KnowBe4 and as the human risk management leader we must double down on extending our data platform and winning with agentic artificial intelligence. We will take KnowBe4 to new heights!
Blog post with links:
https://blog.knowbe4.com/exciting-leadership-updates-at-knowbe4
Critical Capabilities When Evaluating Human Risk Management Platforms
Human Risk Management (HRM) is more than just the next step in security awareness training (SAT) — it's a fundamental shift in how organizations approach human security risks.
A more innovative, proactive approach is required. One that provides real-time guidance to employees to mitigate an attack before it succeeds while also providing training at the moment of risky behavior. This is why real-time security coaching has emerged as a powerful two-pronged mitigation strategy for stopping these attacks.
Download this whitepaper to understand:
- The difference between security awareness training and human risk management
- How HRM platforms take a data-driven approach to human cyber risk
- The key capabilities to allow an HRM platform to identify, quantify and mitigate human risk effectively
Download Now:
https://info.knowbe4.com/whitepaper/evaluating-human-risk-management-platforms-chn
Let's stay safe out there.
Warm Regards,
Stu Sjouwerman, SACP
Founder and Exec Chair
KnowBe4, Inc.
PS: KnowBe4 Releases Q1 2025 Phishing Report, With Internal Communications Dominating:
https://www.prnewswire.com/news-releases/knowbe4-releases-q1-2025-phishing-report-with-internal-communications-dominating-302439264.html
PPS: Your KnowBe4 Fresh Content Updates from April 2025:
https://blog.knowbe4.com/knowbe4-content-updates-april-2025
- Warren Buffett - Investor (born 1930)
- Galileo Galilei - Astronomer (1564 - 1642)
You can read CyberheistNews online at our Blog
https://blog.knowbe4.com/cyberheistnews-vol-15-18-eyeopener-sneaky-new-attack-what-is-device-code-phishing
Cybercriminals Impersonate DHS Amid Deportation Efforts
Researchers at INKY warn that criminals are impersonating the U.S. Department of Homeland Security to launch phishing scams.
The crooks are taking advantage of heightened emotions and tensions surrounding the Trump Administration's deportation efforts. Some of the phishing emails reference a recent executive order on immigration, while others attempt to trick users into believing they have a stake in unclaimed funds.
The phishing sites are designed to filter out security crawlers and researchers, making them more likely to reach users who will fall for the scam. "When we visited the link associated with the first example, departmentimmigration[.]info, it actually redirected us to the official website of the U.S. Citizenship and Immigration Services which is a department within DHS," INKY explains.
"When we tried the second link, departmentimmigration[.]life, we were greeted with a 403 Forbidden message which means that the server understood the request but was refusing to fulfill it. Because of this, we believe that this phishing campaign could be a targeted phishing technique often referred to as host-based cloaking or IP-targeted phishing.
"This type of attack ensures that only users from a specific hostname, IP range or even device fingerprint see the malicious content." INKY says users should be on the lookout for red flags associated with phishing emails, especially regarding emails designed to convey a sense of urgency.
"Be leery of links and look closely at the domains," the researchers write. "Official U.S. government domains usually end in .gov or .mil rather than .com or another suffix. In this case, it should be a red flag to the email recipients that none of these sender email addresses, domains, or links came from an address that ended in .gov or .mil."
KnowBe4 empowers your workforce to make smarter security decisions every day. Over 70,000 organizations worldwide trust the KnowBe4 platform to strengthen their security culture and reduce human risk.
Blog post with links:
https://blog.knowbe4.com/cybercriminals-impersonate-dhs-amid-deportation-efforts
Phishing is the Top Initial Access Vector in Cloud-Specific Attacks
Phishing is the top initial access vector for cloud environments, according to Mandiant's latest M-Trends report. Email phishing was used to gain initial access in 39% of attacks against cloud assets in 2024. Phishing was followed by stolen credentials at 35%, SIM swapping at 6%, and voice phishing (vishing) at 6%.
Most of these attacks involved some form of social engineering. Mandiant notes that one threat actor tracked as UNC3944 used vishing to trick employees into granting access before deploying ransomware.
"UNC3944 used persistent social engineering techniques to gain access to targeted organizations, often calling service desks and convincing staff to reset passwords and multi-factor authentication (MFA) methods, including for privileged accounts," the researchers explain.
"After obtaining access, Mandiant observed UNC3944 use a number of techniques to manipulate cloud hosted systems and services. The threat actor abused single sign on (SSO) solutions, for example assigning a compromised account to every application linked to an SSO instance, expanding the scope of the intrusion beyond on-premises infrastructure to cloud and SaaS applications."
A majority of cloud-focused attacks led to data exfiltration, and an increasing number of threat actors have financial motives.
"In terms of objectives, data theft was observed in nearly two-thirds of cloud compromises (66%)," Mandiant says. "Over a third of cases (38%) served financially motivated goals, including data theft extortion without ransomware encryption (16%), business email compromise (BEC) (13%), ransomware (9%), as well as cryptocurrency theft and employment fraud."
Mandiant also warns of an increase in infostealers designed to steal credentials, which can be used in follow-on attacks. "Threat actors introduce infostealers using a variety of deceptive tactics," the researchers write.
"Phishing emails are a common method that involves using malicious attachments disguised as legitimate files or malicious links that lead to compromised websites or files hosting the malware. Compromised websites can also trigger drive-by downloads to automatically install the infostealer, sometimes using exploit kits to compromise browser or plugin vulnerabilities.
"Infostealers may also be bundled with infected software downloads from untrusted sources or included in trojanized versions of legitimate software. Finally, attackers use social engineering to manipulate users into downloading or installing the malware."
Mandiant has the story:
https://cloud.google.com/blog/topics/threat-intelligence/m-trends-2025
What KnowBe4 Customers Say
"I just wanted to relay to you what an epic experience I had with your rep Alan Arnett. I first met with him last year in October to go over the dashboard and my visions for what threat training I wanted to be made available for the organization prior to the upcoming holidays. Not only did Mr. Arnett make time for my unconventional schedule (outside of 8-5), but he also truly listened to my needs. The package he delivered was spectacular — like I had put it together myself!
I've been in the IT industry for about 30 years now, much of it in customer support. I give credit where it is due, and this young man deserves every bit of credit I've given. Thank you for your time."
- G.M., Help Desk Administrator
- Hundreds of Fortune 500 companies have hired North Korean operatives:
https://blog.knowbe4.com/hundreds-of-fortune-500-companies-have-hired-north-korean-operatives
- France ties Russian APT28 hackers to 12 cyberattacks on French orgs:
https://www.bleepingcomputer.com/news/security/france-ties-russian-apt28-hackers-to-12-cyberattacks-on-french-orgs/
- FBI shares massive list of 42,000 LabHost phishing domains:
https://www.bleepingcomputer.com/news/security/fbi-shares-massive-list-of-42-000-labhost-phishing-domains/
- The one interview question that will protect you from North Korean fake workers:
https://www.theregister.com/2025/04/29/north_korea_worker_interview_questions/
- Millions of Apple Airplay-enabled devices can be hacked via Wi-Fi:
https://arstechnica.com/security/2025/04/millions-of-apple-airplay-enabled-devices-can-be-hacked-via-wi-fi/
- Chinese threat actors are testing out AI tools in every stage of attacks:
https://www.theregister.com/2025/04/29/fbi_china_ai/
- The organizational structure of ransomware threat actor groups is evolving before our eyes:
https://www.coveware.com/blog/2025/4/29/the-organizational-structure-of-ransomware-threat-actor-groups-is-evolving-before-our-eyes
- Third of Online Users Hit by Account Hacks Due to Weak Passwords:
https://www.infosecurity-magazine.com/news/third-online-users-hacks-passwords/
- Phishing attacks that defeat MFA are easier than ever. So what are we to do?:
https://arstechnica.com/security/2025/05/phishing-attacks-that-defeat-mfa-are-easier-than-ever-so-what-are-we-to-do/
- [Terminator News] China hosts world's first robots vs humans half-marathon:
https://youtu.be/hHBPt79oNwI
- Virtual Vaca #1 - Winter Camping at America's Deepest Lake - Crater Lake National Park:
https://youtu.be/QU-0ULajqGw
- Virtual Vaca #2 to At-Turaif: The Birthplace of Saudi Arabia [Amazing Places 4K]:
https://youtu.be/UDTaTW-2jcU
- Bonus Vaca: Cyprus Circus - A Tilt-Shift Journey through the miniaturized Island:
https://youtu.be/uLO1fP2TZ2c
- Best talents of the month. Epic skills you have to see:
https://www.flixxy.com/best-talents-of-the-month-epic-skills-you-have-to-see.htm?utm_source=4
- Aren't you glad to see me, Atlas? | Boston Dynamics:
https://youtu.be/dFObux6mfTc
- Sebastian Alvarez - Wingsuit Precision Flight VIVA CHILE!:
https://youtu.be/uRGaIK51LWc
- Jandro EXPLAINS THE CODE in Penn and Teller's Fool Us:
https://www.flixxy.com/jandro-breaks-the-code-penn-uses-on-fool-us.htm?utm_source=4
- [FUN] I Trained Like A NASA Astronaut:
https://youtu.be/x4380T-MNx0
- Why Europe is Building a $34BN Transport Mega-Hub:
https://youtu.be/wbV6f5G90AY
- For Da Kids #1 - Pamper day for George the lion:
https://youtu.be/A_mYmsrhsLM
- For Da Kids #2 - He Sprung Into Action to Rescue A Cow from a Cliffside:
https://youtu.be/c5FQUqDRxb4?si=F0DgHhalGnzvXQ4x
- For Da Kids #3 - Wild Birds Come By To Shake Her Hand Every Day:
https://youtu.be/FOLGLj9mx-I
- For Da Kids #4 - Rescue Pit Bull Finds Unlikely Best Friend in a Donkey:
https://youtu.be/3kq04TvlF3g
- For Da Kids #5 - Baby Peacock Raised By A Chicken Is Like Her "Mom":
https://youtu.be/kVBidwgcKK4