Storm-2372: Russian Hackers Launch Global Dynamic Device Code Phishing Attack

April 14, 2025
  • The Russian state-sponsored advanced persistent threat operation, Storm-2372, has initiated sophisticated dynamic device code phishing attacks targeting various sectors, including government, defense, healthcare, finance, and technology.

  • Device code phishing exploits the OAuth device authorization flow, tricking users into providing access to their accounts by entering a special code on fraudulent login pages.

  • Once users input the fake code, hackers gain access to their accounts without needing a password, which makes the breach hard to detect until it is too late.

  • This group has advanced its methods by employing Dynamic Device Code Phishing, which allows the generation of new device codes and the creation of convincing fake websites that mimic legitimate login pages.

  • This technique enables hackers to obtain access tokens and refresh tokens, potentially granting them access to Microsoft email accounts for up to three months.

  • The phishing scheme has exploited CORS-Anywhere, allowing sustained access to compromised accounts while evading standard security measures.

  • Cybersecurity researchers at SOCRadar revealed that Storm-2372 can infiltrate online accounts without needing to guess passwords, further complicating the detection of their attacks.

  • Hackers send deceptive messages via email or text, prompting users to enter a device code on a fake login page that resembles legitimate services like Microsoft.

  • These attacks have been reported against valuable organizations in multiple countries, including the U.S., Canada, Germany, Ukraine, Australia, and the UK, highlighting the global reach of this threat.

  • The rise of these sophisticated phishing methods underscores the urgent need for organizations to adopt adaptive security measures to defend against evolving identity-based threats.

  • Experts emphasize the importance of adopting adaptive, context-aware defense mechanisms to combat identity-based threats that are increasingly evading traditional protections.

Summary based on 2 sources


Sources

Russia’s Storm-2372 Hits Orgs with MFA Bypass via Device Code Phishing

Hackread - Latest Cybersecurity, Hacking News, Tech, AI & Crypto • Apr 11, 2025