Overview:

Email security threats are constantly evolving. One of the latest, and one of the more effective, is device code phishing. In these attacks, cyber criminals target Microsoft 365 accounts to gain access to mailboxes and files and to steal sensitive information, without ever learning the victim's password.

Here's what to know:

Device code phishing exploits a legitimate authentication flow (the OAuth 2.0 device authorization grant) built for devices with limited input options, such as smart TVs, printers, command-line tools and certain IoT devices. The device displays a short code and a URL; the user opens that URL on another device (e.g., a smartphone or computer), signs in as usual, including MFA, and types in the code. The sign-in service then issues tokens to the device that requested the code.

However, cyber criminals are co-opting this process by starting the flow themselves: they request a code from Microsoft, then persuade the target to enter it on the genuine Microsoft sign-in page. The victim authenticates normally, but the resulting access and refresh tokens are issued to the attacker's session. Ultimately, this gives the attacker whatever access the token's permissions allow, with MFA already satisfied.

How does the attack work?

Tracked by Microsoft as Storm-2372, the attackers typically target individuals who work in “high-value” sectors, including government, defense, healthcare and energy.

1. Initial contact: Posing as a trusted person, the attackers first establish communication with their target via messaging platforms, like WhatsApp, Signal or Microsoft Teams.

2. Fake meeting invitation: After establishing trust, the attackers send a fake meeting invitation that includes a device code they have just generated. The target is told to enter the code on a legitimate Microsoft sign-in page (microsoft.com/devicelogin) to join the meeting. Because a device code is only valid for a short time (typically 15 minutes), the lure pushes the target to act immediately. Entering the code grants the attacker's session access to the target's Microsoft 365 account.

3. Email and data harvesting: Once access has been gained, the attackers collect valuable information, including emails, files and other sensitive data.

4. Token exploitation: The attackers use the stolen tokens for continuous access to Microsoft services, including email and cloud storage, without ever needing the victim's password. Access lasts as long as the refresh token can be renewed, until it expires or is revoked.
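The four steps above, run end to end against a stand-in identity provider, as an added example (not code from the original article or from Microsoft). The mock plays the role of the Entra ID device-authorization and token endpoints so the exchange can run offline; the client ID, scopes and victim name are placeholders. What it shows is the core of the problem: nothing on the verification page tells the user which client will receive the tokens, so a code the attacker generated works exactly like one a smart TV generated.

```python
"""Mock of the OAuth 2.0 device authorization grant (RFC 8628), the flow that
device code phishing abuses. Constructed for this example: MockIdentityProvider
stands in for the Entra ID endpoints; no network calls are made. Client IDs,
scopes and the victim's name are placeholders, not real identifiers."""
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Optional

# RFC 8628 recommends a user-code alphabet without vowels or ambiguous glyphs
USER_CODE_ALPHABET = "BCDFGHJKLMNPQRSTVWXZ"
USER_CODE_LIFETIME = 15 * 60   # seconds; the typical 15-minute validity of an Entra device code


@dataclass
class PendingAuth:
    device_code: str          # secret, known only to the client that started the flow
    user_code: str            # short code the human is asked to type
    client_id: str
    scope: str
    expires_at: float
    approved_by: Optional[str] = None
    redeemed: bool = False


class MockIdentityProvider:
    """Minimal IdP with the two endpoints the grant needs plus the verification page."""

    def __init__(self, clock: Callable[[], float] = time.time):
        self.clock = clock                       # injectable so expiry can be tested
        self.by_device_code: dict[str, PendingAuth] = {}
        self.by_user_code: dict[str, PendingAuth] = {}

    def device_authorization(self, client_id: str, scope: str) -> dict:
        """POST /devicecode: anyone holding a public client_id can start a flow."""
        pending = PendingAuth(
            device_code=secrets.token_urlsafe(32),
            user_code="".join(secrets.choice(USER_CODE_ALPHABET) for _ in range(8)),
            client_id=client_id,
            scope=scope,
            expires_at=self.clock() + USER_CODE_LIFETIME,
        )
        self.by_device_code[pending.device_code] = pending
        self.by_user_code[pending.user_code] = pending
        return {
            "device_code": pending.device_code,
            "user_code": pending.user_code,
            "verification_uri": "https://microsoft.com/devicelogin",  # the genuine page
            "expires_in": USER_CODE_LIFETIME,
            "interval": 5,
        }

    def user_enters_code(self, user_code: str, username: str) -> str:
        """The verification page: the user signs in (password + MFA) and types the code.
        Nothing shown here reveals which client will receive the tokens."""
        pending = self.by_user_code.get(user_code)
        if pending is None or self.clock() > pending.expires_at:
            return "invalid_or_expired"
        pending.approved_by = username
        return "approved"

    def token(self, device_code: str) -> dict:
        """POST /token with grant_type=device_code: the client that started the flow polls here."""
        pending = self.by_device_code.get(device_code)
        if pending is None or pending.redeemed:
            return {"error": "invalid_grant"}
        if self.clock() > pending.expires_at:
            return {"error": "expired_token"}
        if pending.approved_by is None:
            return {"error": "authorization_pending"}
        pending.redeemed = True
        # Tokens go to the client that started the flow, on behalf of whoever entered
        # the code. In the attack, that client is the attacker's.
        return {
            "token_type": "Bearer",
            "access_token": f"at.{secrets.token_urlsafe(16)}",
            "refresh_token": f"rt.{secrets.token_urlsafe(16)}",   # because offline_access was requested
            "expires_in": 3600,
            "scope": pending.scope,
            "subject": pending.approved_by,
            "client_id": pending.client_id,
        }


def run_device_code_phish(idp: MockIdentityProvider, victim: str) -> tuple[dict, dict]:
    """Steps 1-4 compressed: attacker starts the flow, the lure gets the victim to
    enter the code on the real page, the attacker's poll then returns the tokens."""
    start = idp.device_authorization(
        client_id="attacker-chosen-public-client",          # placeholder id
        scope="openid offline_access Mail.Read Files.Read",
    )
    before = idp.token(start["device_code"])                  # victim has not acted yet
    idp.user_enters_code(start["user_code"], victim)          # victim follows the 'meeting' lure
    after = idp.token(start["device_code"])                   # attacker now holds the tokens
    return before, after


if __name__ == "__main__":
    pending, tokens = run_device_code_phish(MockIdentityProvider(), "victim@contoso.example")
    print(pending)
    print(tokens["subject"], tokens["scope"], "refresh_token" in tokens)
```

The first poll returns `authorization_pending`; the second, after the victim has typed the code, returns access and refresh tokens bound to the attacker's client. The 15-minute code lifetime is why the lure has to get the target to act right away.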

Why this is a growing threat:

Cyber criminals have refined their technique by starting the flow with the client ID of the Microsoft Authentication Broker. A refresh token issued to that client can be exchanged for a token to the device registration service, letting the attackers register their own device in Microsoft's cloud identity system, Entra ID, and then obtain a Primary Refresh Token (PRT). Access through a registered device is long-lived and looks like an ordinary corporate sign-in, which makes the activity difficult to detect and block.

Protecting your organization:

To protect your organization from this emerging threat, follow these best practices:

  • Block device code authentication: Where possible, block the device code flow with a Conditional Access policy that uses the 'Authentication flows' condition, excluding only the accounts (for example, break-glass and service accounts) that genuinely need it for input-constrained devices.
  • Enforce conditional access: Implement strict Conditional Access policies in Microsoft Entra ID, for example requiring compliant or hybrid-joined devices and trusted locations, so that a sign-in through the device code flow from an attacker's machine fails policy evaluation.
  • Revoke refresh tokens: If device code phishing is suspected, revoke the affected user's refresh tokens using the 'revokeSignInSessions' action. This forces re-authentication and cuts off the attacker's ability to renew access. Access tokens already issued remain valid until they expire (typically up to an hour), so also reset the password, remove any unfamiliar devices registered to the user in Entra ID, and check for new mailbox rules or app consents.
  • Monitor sign-in logs: Use Microsoft Entra ID's sign-in logs to hunt for device code sign-ins. The Authentication Protocol (deviceCode) and Original transfer method (deviceCodeFlow) fields identify them; investigate successful device code sign-ins from unfamiliar IP addresses or locations, and any that target the Microsoft Authentication Broker client, which is rarely legitimate outside device enrollment. A burst of authentication attempts in a short window is a further indicator.
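Hunting logic for the last two bullets, as an added example (not Check Point's or Microsoft's code). The records are constructed in the shape of the Microsoft Graph `signIn` resource; `authenticationProtocol` and `originalTransferMethod` are real properties of that resource, while the users, IPs and timestamps are made up. The script flags successful device code sign-ins from an IP the user has not used before, or to the Microsoft Authentication Broker client, and builds the `revokeSignInSessions` call without sending it.

```python
"""Hunting device code sign-ins in Entra ID sign-in logs and preparing the
revocation call. Constructed example: the records below mimic the Graph
`signIn` resource (real field names, invented values). Nothing is sent to
Graph; revoke_request() only builds the call."""
import json
from collections import defaultdict

# Constructed sample: one JSON record per line. alice is the victim from the
# scenario above, bob runs a CLI tool from his usual address, carol's attempt failed.
SAMPLE_SIGNINS = """
{"createdDateTime":"2025-02-13T09:01:12Z","userPrincipalName":"alice@contoso.com","appDisplayName":"Microsoft Teams","ipAddress":"203.0.113.10","authenticationProtocol":"oAuth2","originalTransferMethod":"none","status":{"errorCode":0}}
{"createdDateTime":"2025-02-13T09:40:03Z","userPrincipalName":"alice@contoso.com","appDisplayName":"Microsoft Office","ipAddress":"198.51.100.77","authenticationProtocol":"deviceCode","originalTransferMethod":"deviceCodeFlow","status":{"errorCode":0}}
{"createdDateTime":"2025-02-13T09:52:30Z","userPrincipalName":"alice@contoso.com","appDisplayName":"Microsoft Authentication Broker","ipAddress":"198.51.100.77","authenticationProtocol":"deviceCode","originalTransferMethod":"deviceCodeFlow","status":{"errorCode":0}}
{"createdDateTime":"2025-02-13T08:30:00Z","userPrincipalName":"bob@contoso.com","appDisplayName":"Microsoft Teams","ipAddress":"203.0.113.22","authenticationProtocol":"oAuth2","originalTransferMethod":"none","status":{"errorCode":0}}
{"createdDateTime":"2025-02-13T10:05:00Z","userPrincipalName":"bob@contoso.com","appDisplayName":"Azure CLI","ipAddress":"203.0.113.22","authenticationProtocol":"deviceCode","originalTransferMethod":"deviceCodeFlow","status":{"errorCode":0}}
{"createdDateTime":"2025-02-13T10:15:00Z","userPrincipalName":"carol@contoso.com","appDisplayName":"Microsoft Office","ipAddress":"198.51.100.90","authenticationProtocol":"deviceCode","originalTransferMethod":"deviceCodeFlow","status":{"errorCode":50058}}
"""

BROKER_APP = "Microsoft Authentication Broker"
GRAPH = "https://graph.microsoft.com/v1.0"


def load_signins(text: str) -> list[dict]:
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def is_device_code(rec: dict) -> bool:
    # Either field identifies the device code grant in Entra sign-in logs
    return (rec.get("authenticationProtocol") == "deviceCode"
            or rec.get("originalTransferMethod") == "deviceCodeFlow")


def succeeded(rec: dict) -> bool:
    return rec.get("status", {}).get("errorCode", 1) == 0


def baseline_ips(records: list[dict]) -> dict[str, set[str]]:
    """IPs each user has used in successful, non-device-code sign-ins.
    In production this baseline comes from a longer look-back than the batch itself."""
    seen: dict[str, set[str]] = defaultdict(set)
    for r in records:
        if succeeded(r) and not is_device_code(r):
            seen[r["userPrincipalName"]].add(r["ipAddress"])
    return seen


def find_suspects(records: list[dict]) -> dict[str, list[str]]:
    """Successful device code sign-ins from an IP the user has never used, or to the
    Authentication Broker client (the device-registration / PRT path)."""
    baseline = baseline_ips(records)
    reasons: dict[str, set[str]] = defaultdict(set)
    for r in records:
        if not (is_device_code(r) and succeeded(r)):
            continue
        user = r["userPrincipalName"]
        if r["ipAddress"] not in baseline[user]:
            reasons[user].add("new_ip")
        if r.get("appDisplayName") == BROKER_APP:
            reasons[user].add("auth_broker_client")
    return {user: sorted(rs) for user, rs in reasons.items()}


def revoke_request(upn: str) -> tuple[str, str]:
    """Graph call that invalidates the user's refresh tokens (the revokeSignInSessions
    action). Access tokens already issued keep working until they expire, so this is
    the first response step, not the last."""
    return "POST", f"{GRAPH}/users/{upn}/revokeSignInSessions"


if __name__ == "__main__":
    for user, why in find_suspects(load_signins(SAMPLE_SIGNINS)).items():
        method, url = revoke_request(user)
        print(f"{user}: {', '.join(why)} -> {method} {url}")
```

Only alice is flagged: her device code sign-ins come from an address she has never used and one of them targets the Authentication Broker. bob's Azure CLI sign-in uses the same flow but from his usual address, so it lands in the review queue rather than the alert queue; carol's attempt failed and never produced tokens. The same revocation can be issued from Graph PowerShell with Revoke-MgUserSignInSession.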

Why this matters for your organization:

Email security threats, like device code phishing, can lead to significant data breaches, unauthorized access to communications and financial losses.

At Check Point, we are committed to assisting organizations like yours in remaining ahead of the latest threats. Our solutions can help prevent and detect phishing attacks, including sophisticated device code phishing campaigns.

Get a demo here or please reach out to your local representative for more information about protecting your systems from email security threats.