Several Russian threat actors, including the SVR’s Cozy Bear, are launching highly targeted spear phishing attacks against Microsoft 365 accounts, according to researchers at Volexity.
The attackers are impersonating employees at the US State Department, the Ukrainian Ministry of Defence, the European Union Parliament, and well-known research institutions.
The attacks abuse a legitimate login flow called “Device Code Authentication”: the victim is tricked into entering a code that grants the attacker access to their account. Microsoft provides this login method to facilitate sign-ins from input-constrained devices, like smart TVs or printers. “However, in this case, it means if an attacker can convince a user to enter a specific code into this dialogue (and log in), they are granted long-term access to the user’s account,” Volexity explains.
The researchers note, “This method has been more effective at successfully compromising accounts than most other targeted spear-phishing campaigns.”
The attackers began by initiating conversations with the targets via email or messaging apps. After gaining the victim’s trust, they sent links that purportedly led to a Microsoft Teams meeting or a chatroom. These links took the victims to a Microsoft Device Code authentication page that asked them to enter a code.
In one case, the threat actor contacted a target via Signal, then asked them if they could move the conversation to a different chat application.
“The message was a ploy to fool the user into thinking they were being invited into a secure chat, when in reality they were giving the attacker access to their account,” the researchers write. “The generated Device Codes are only valid for 15 minutes once they are created. As a result, the real-time communication with the victim, and having them expect the ‘invitation,’ served to ensure the phish would succeed through timely coordination.”
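A defensive example added here (not from Volexity’s report or from KnowBe4): a small Python triage script that flags successful device-code sign-ins by users who are not expected to use that flow. Field names follow the Microsoft Graph signIn resource (`authenticationProtocol` with the value `deviceCode`); the log records and the allowlist of expected device-code identities are constructed for this example.

```python
import json

# Constructed sample Entra ID sign-in records (JSON lines), not real log data.
# Field names follow the Microsoft Graph signIn resource; values are invented.
SAMPLE_SIGNINS = """\
{"createdDateTime":"2025-02-13T09:12:04Z","userPrincipalName":"alice@example.org","appDisplayName":"Microsoft Office","authenticationProtocol":"oAuth2","ipAddress":"203.0.113.10","status":{"errorCode":0}}
{"createdDateTime":"2025-02-13T09:40:51Z","userPrincipalName":"alice@example.org","appDisplayName":"Microsoft Office","authenticationProtocol":"deviceCode","ipAddress":"203.0.113.10","status":{"errorCode":0}}
{"createdDateTime":"2025-02-13T10:02:17Z","userPrincipalName":"printer-svc@example.org","appDisplayName":"Universal Print","authenticationProtocol":"deviceCode","ipAddress":"198.51.100.7","status":{"errorCode":0}}
{"createdDateTime":"2025-02-13T10:05:33Z","userPrincipalName":"bob@example.org","appDisplayName":"Microsoft Office","authenticationProtocol":"deviceCode","ipAddress":"203.0.113.22","status":{"errorCode":50126}}
"""

# Identities that legitimately use device code flow (printers, kiosks, CLI tooling).
# Assumed allowlist; in practice build it from your own inventory.
EXPECTED_DEVICE_CODE_USERS = {"printer-svc@example.org"}


def parse_signins(text):
    """Parse JSON-lines sign-in records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def find_suspicious_device_code_signins(records, allowlist=EXPECTED_DEVICE_CODE_USERS):
    """Return successful device-code sign-ins by users outside the allowlist.

    A successful record (errorCode 0) means a token was issued through the
    device-code flow for that user, which is exactly the outcome of the phish
    described above when the user is not a known device-code consumer.
    """
    hits = []
    for rec in records:
        if rec.get("authenticationProtocol") != "deviceCode":
            continue
        if rec.get("status", {}).get("errorCode", 0) != 0:
            continue  # failed attempt: no token issued, still worth auditing separately
        if rec.get("userPrincipalName") in allowlist:
            continue
        hits.append(rec)
    return hits


def summarize(hits):
    """One line per flagged sign-in, suitable for an alert body."""
    return [f"{h['createdDateTime']} {h['userPrincipalName']} via {h['appDisplayName']} from {h['ipAddress']}"
            for h in hits]


if __name__ == "__main__":
    for line in summarize(find_suspicious_device_code_signins(parse_signins(SAMPLE_SIGNINS))):
        print("DEVICE CODE SIGN-IN:", line)
```

Pair the alert with a Conditional Access policy that restricts the device code flow to the identities that genuinely need it, so the detection covers only the residual population.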
KnowBe4 empowers your workforce to make smarter security decisions every day. Over 70,000 organizations worldwide trust the KnowBe4 platform to strengthen their security culture and reduce human risk.
Volexity has the story.