Alleged Russian hackers attack worldwide sectors by posing as famous people on Teams, WhatsApp, & Signal

They tricked users into entering legitimate device codes on apps


Key notes

  • Suspected Russian hackers used “device code” phishing to steal data from critical infrastructure worldwide.
  • They posed as important figures on Teams, WhatsApp, and Signal to trick users into entering device codes.
  • The attacks targeted sectors like government, telecom, and energy across multiple continents.

Suspected Russian hackers have launched a series of “device code” phishing attacks targeting critical infrastructure organizations worldwide, according to recent research.

The group, tracked as Storm-2372, tricked users into entering legitimate device codes on productivity app login pages, allowing them to capture authentication tokens and move laterally within networks to steal sensitive data.

The attacks targeted governments, IT services, and organizations in the telecom, health, education, and energy sectors across Europe, North America, Africa, and the Middle East. Researchers believe the group is aligned with Russian state interests.

According to Microsoft, the hackers posed as important figures on messaging platforms like Microsoft Teams, WhatsApp, and Signal to build trust with their targets. They then sent phishing emails disguised as Microsoft Teams meeting invites, tricking users into entering a device code that granted the attackers access.

“They’ve been successful in these attacks, though Microsoft itself is not affected,” said Sherrod DeGrippo, Microsoft’s director of threat intelligence strategy.

Once inside, the hackers used valid tokens to move through compromised networks and scrape emails using Microsoft Graph, searching for sensitive information like usernames, passwords, and administrative credentials.

The phishing attacks were also observed by cybersecurity firm Volexity, which noted similar tactics being used by other Russian state-aligned groups. The threat actors reportedly sent messages posing as high-ranking officials to lure victims into entering device codes, granting access to their accounts.

Microsoft warned that the stolen tokens could enable persistent access as long as they remain valid.

“The threat actor then uses this valid session to move laterally within the newly compromised network by sending additional phishing messages containing links for device code authentication to other users through intra-organizational emails originating from the victim’s account,” the Redmond tech giant continues.
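A defender-side check for the pattern described above, added here as example code (not Microsoft's or the researchers' own): it parses constructed Entra ID sign-in records, flags every sign-in that used the device code flow (the real sign-in log field `authenticationProtocol` carries the value `deviceCode`), and notes whether the source IP is new for that user and whether mailbox items were accessed shortly afterwards, which is the token-reuse and mail-scraping stage the article describes. The mail audit record shape and all addresses, users and timestamps are constructed.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not real telemetry). Sign-in field names follow
# the Entra ID sign-in log schema; "deviceCode" is the real value that marks a
# device code flow sign-in. The mail audit records use a simplified shape.
SIGNIN_LOG = [
    '{"createdDateTime":"2025-02-13T09:00:00Z","userPrincipalName":"alice@example.org","ipAddress":"203.0.113.10","authenticationProtocol":"none"}',
    '{"createdDateTime":"2025-02-13T10:15:00Z","userPrincipalName":"alice@example.org","ipAddress":"198.51.100.7","authenticationProtocol":"deviceCode"}',
    '{"createdDateTime":"2025-02-13T11:00:00Z","userPrincipalName":"bob@example.org","ipAddress":"203.0.113.22","authenticationProtocol":"deviceCode"}',
]
MAIL_AUDIT = [
    '{"time":"2025-02-13T10:20:00Z","user":"alice@example.org","operation":"MailItemsAccessed","count":240}',
    '{"time":"2025-02-13T15:00:00Z","user":"bob@example.org","operation":"MailItemsAccessed","count":3}',
]

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")

def parse(lines):
    return [json.loads(line) for line in lines]

def known_ips(signins):
    """Baseline: IPs each user has signed in from via non-device-code flows.
    A user with no such history gets an empty set, so any IP counts as new."""
    ips = defaultdict(set)
    for r in signins:
        if r.get("authenticationProtocol") != "deviceCode":
            ips[r["userPrincipalName"]].add(r["ipAddress"])
    return ips

def device_code_alerts(signins, mail_events, window=timedelta(hours=2)):
    """Return one alert per device code sign-in, with the reasons it stands out:
    a source IP never seen for the user, and mail items accessed within `window`
    after the sign-in (the token being reused against the mailbox)."""
    baseline = known_ips(signins)
    alerts = []
    for r in signins:
        if r.get("authenticationProtocol") != "deviceCode":
            continue
        user, t = r["userPrincipalName"], _ts(r["createdDateTime"])
        reasons = []
        if r["ipAddress"] not in baseline[user]:
            reasons.append("source IP never seen for this user")
        reads = sum(m["count"] for m in mail_events
                    if m["user"] == user and m["operation"] == "MailItemsAccessed"
                    and t <= _ts(m["time"]) <= t + window)
        if reads:
            reasons.append(f"{reads} mail items accessed within {window}")
        alerts.append({"user": user, "ip": r["ipAddress"],
                       "time": r["createdDateTime"], "reasons": reasons})
    return alerts

if __name__ == "__main__":
    for alert in device_code_alerts(parse(SIGNIN_LOG), parse(MAIL_AUDIT)):
        print(alert)
```

Every device code sign-in is surfaced because the flow is rare for most interactive users; the reasons list is what lets an analyst rank them.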

Ouch.
