What is device code phishing, and why are Russian spies so successful at it?
Summary
A new warning has been issued about an ongoing phishing campaign that abuses Microsoft’s implementation of the OAuth standard, which allows users to authenticate via device codes.
Rather than identify users through their usernames and passwords, this method gives them a code to enter into a linked device to verify their identity.
Russian hackers have been using this to target Microsoft 365 accounts, with instances of the campaign dating back to last August.
The attackers pretend to be senior executives, talking to their victims on messaging platforms before sending them a suspicious link.
Once the victim enters the code on their device, the hackers can access their account.
The Russian group, known as “Storm 230”, has focused on non-governmental organisations (NGOs) and think tanks, but has also impersonated media companies.
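Because the sign-in described above completes through the device code flow rather than a password prompt, defenders can look for that flow in sign-in logs. The following is an added example, not code from the article or from Microsoft: it scans constructed records shaped like a Microsoft Entra sign-in log export (the field names, including the `authenticationProtocol` value `deviceCode`, are assumed from that format; the accounts, apps and allowlist are hypothetical).

```python
import json

# Constructed sample records, shaped like a Microsoft Entra sign-in log export.
# A non-zero status.errorCode stands for a failed sign-in (value is a placeholder).
SAMPLE_LOG = """
{"createdDateTime": "2025-02-10T08:00:00Z", "userPrincipalName": "kiosk@example.org", "appDisplayName": "Lobby Display", "authenticationProtocol": "deviceCode", "status": {"errorCode": 0}}
{"createdDateTime": "2025-02-10T09:00:00Z", "userPrincipalName": "alice@example.org", "appDisplayName": "Office Portal", "authenticationProtocol": "none", "status": {"errorCode": 0}}
{"createdDateTime": "2025-02-10T09:30:00Z", "userPrincipalName": "alice@example.org", "appDisplayName": "Office Portal", "authenticationProtocol": "deviceCode", "status": {"errorCode": 0}}
{"createdDateTime": "2025-02-10T10:00:00Z", "userPrincipalName": "bob@example.org", "appDisplayName": "Office Portal", "authenticationProtocol": "deviceCode", "status": {"errorCode": 1}}
{"createdDateTime": "2025-02-11T07:15:00Z", "userPrincipalName": "Alice@example.org", "appDisplayName": "Office Portal", "authenticationProtocol": "deviceCode", "status": {"errorCode": 0}}
"""

# Hypothetical allowlist: (account, app) pairs that legitimately use device
# codes, such as shared screens or other input-constrained devices.
ALLOWED = {("kiosk@example.org", "Lobby Display")}


def parse_records(text):
    """Parse newline-delimited JSON sign-in records."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def flag_device_code_signins(records, allowed=ALLOWED):
    """Return successful device-code sign-ins that are not on the allowlist.

    Each alert notes whether it is the first such sign-in seen for the user,
    which is the case most worth confirming with the account owner.
    """
    seen_users = set()
    alerts = []
    # ISO 8601 UTC timestamps sort correctly as plain strings.
    for rec in sorted(records, key=lambda r: r["createdDateTime"]):
        if rec.get("authenticationProtocol") != "deviceCode":
            continue  # ordinary password / SSO sign-in
        if rec.get("status", {}).get("errorCode") != 0:
            continue  # code never redeemed successfully
        user = rec["userPrincipalName"].lower()
        app = rec.get("appDisplayName", "")
        if (user, app) in allowed:
            continue
        alerts.append({"time": rec["createdDateTime"], "user": user,
                       "app": app, "first_seen": user not in seen_users})
        seen_users.add(user)
    return alerts


if __name__ == "__main__":
    for alert in flag_device_code_signins(parse_records(SAMPLE_LOG)):
        print(alert)
```

Where no account has a real need for device codes, blocking the flow outright in access policy removes the need for this kind of review.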