Open Forum


Security BUZZ - New Phishing Attack Uses Tricky Codes to Steal Your Information

  • 1.  Security BUZZ - New Phishing Attack Uses Tricky Codes to Steal Your Information

    Posted 02-28-2025 09:28

    Microsoft has discovered a new type of cyberattack by an existing nation-state group. It uses a sneaky trick called "device code phishing" to steal user login details and break into their accounts. Device code authentication is an alternate way to log in on a device that is input-constrained (typically mobile devices). In recent attacks, attackers used a special code that lets them register their own devices (like a computer or phone) as if they were their victims.

    The attackers create lures that resemble messaging app experiences, such as WhatsApp, Signal, and Microsoft Teams. They may pose as someone familiar to the target to build trust.

    Victims typically receive an email that is often disguised as a meeting invitation. When the user clicks on the invitation, they are prompted to authenticate using a device code generated by the attacker. The user is deceived into entering this code on a legitimate-looking sign-in page. By entering the code, they inadvertently grant the attackers permission to access their accounts and steal their data. This allows the attackers to read the user's emails, access their cloud storage, and potentially spread the attack to their friends and colleagues.

    Takeaways:

    • Be very careful about clicking links in emails, especially if they ask you to enter a code
    • Always make sure the sign-in page is legitimate and that you're signing in to the correct application
    • If you get a strange email from someone you know, contact them directly to make sure it's really them
    • Block Device Code Flow: Only allow device code flow where necessary and configure Microsoft Entra ID's device code flow in your Conditional Access policies.
    • Multi-Factor Authentication (MFA): Require MFA but use phishing-resistant authentication methods such as FIDO Tokens, or Microsoft Authenticator with passkey. Avoid telephone-based MFA methods to avoid risks associated with SIM-swapping
    • Centralize Identity Management: Monitor your Microsoft Entra for malicious identity access
    • Credential Hygiene: Practice the principle of least privilege and audit privileged account activity in Entra ID environments
    • Educate Users: Make sure users know about common phishing techniques and that sign-in prompts should clearly identify the application being authenticated to
    • #ALTACyber


    ------------------------------
    Genady Vishnevetsky
    Chief Info Security Officer
    Stewart Title Guaranty Company
    Houston TX
    ------------------------------
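Two of the takeaways above (block the device code flow where it is not needed, and monitor Entra for suspicious identity access) can be exercised in code. The script below is an added illustration, not part of the original post and not Microsoft's or Stewart Title's tooling. It triages a constructed sample of sign-in records whose field names follow the Microsoft Graph signIn resource (authenticationProtocol, appDisplayName, deviceDetail, riskLevelDuringSignIn), reporting every device code sign-in and raising the severity when the application is not on a hypothetical allow list, the device is unmanaged, or Identity Protection flagged risk. It also builds a Conditional Access policy body, in the shape of the Graph conditionalAccessPolicy resource, that blocks the device code flow; the user, app and IP values are made up.

```python
import json

# Constructed sample sign-in records, one JSON object per line. The field names
# follow the Microsoft Graph signIn resource; every value below is made up.
SAMPLE_SIGNIN_LOG = """
{"userPrincipalName": "alice@example.com", "authenticationProtocol": "oAuth2", "appDisplayName": "Mail Client", "ipAddress": "203.0.113.10", "deviceDetail": {"isManaged": true, "isCompliant": true}, "riskLevelDuringSignIn": "none"}
{"userPrincipalName": "bob@example.com", "authenticationProtocol": "deviceCode", "appDisplayName": "Approved CLI Tool", "ipAddress": "203.0.113.11", "deviceDetail": {"isManaged": true, "isCompliant": true}, "riskLevelDuringSignIn": "none"}
{"userPrincipalName": "carol@example.com", "authenticationProtocol": "deviceCode", "appDisplayName": "Unknown Console App", "ipAddress": "198.51.100.7", "deviceDetail": {"isManaged": false, "isCompliant": false}, "riskLevelDuringSignIn": "medium"}
{"userPrincipalName": "dave@example.com", "authenticationProtocol": "deviceCode", "appDisplayName": "Approved CLI Tool", "ipAddress": "198.51.100.8", "deviceDetail": {"isManaged": false, "isCompliant": false}, "riskLevelDuringSignIn": "none"}
"""

# Hypothetical allow list: the applications this organisation has decided may
# use the device code flow ("only allow device code flow where necessary").
KNOWN_DEVICE_CODE_APPS = frozenset({"Approved CLI Tool"})


def parse_signin_log(raw):
    """Parse newline-delimited JSON sign-in records, skipping blank lines."""
    return [json.loads(line) for line in raw.splitlines() if line.strip()]


def is_device_code_signin(record):
    """True when the sign-in completed through the device code flow."""
    return record.get("authenticationProtocol") == "deviceCode"


def triage_device_code_signins(records, allowed_apps=KNOWN_DEVICE_CODE_APPS):
    """Report every device code sign-in, scoring it by how far it departs
    from an expected, sanctioned use of the flow."""
    findings = []
    for rec in records:
        if not is_device_code_signin(rec):
            continue
        reasons = []
        app = rec.get("appDisplayName", "")
        if app not in allowed_apps:
            reasons.append(f"application '{app}' is not on the device code allow list")
        device = rec.get("deviceDetail") or {}
        if not (device.get("isManaged") or device.get("isCompliant")):
            reasons.append("sign-in from an unmanaged, non-compliant device")
        risk = rec.get("riskLevelDuringSignIn", "none")
        if risk not in ("none", "hidden"):
            reasons.append(f"Identity Protection risk level '{risk}' during sign-in")
        # Sanctioned app on a managed device still gets reported (low) because
        # the flow is rare enough to deserve a look; anything else escalates.
        severity = "high" if len(reasons) >= 2 else "medium" if reasons else "low"
        findings.append({
            "user": rec.get("userPrincipalName"),
            "ip": rec.get("ipAddress"),
            "app": app,
            "severity": severity,
            "reasons": reasons,
        })
    return findings


def block_device_code_flow_policy(display_name="Block device code flow"):
    """Build a Conditional Access policy body, shaped like the Microsoft Graph
    conditionalAccessPolicy resource, that blocks the device code flow for all
    users and applications. Exclusions for sanctioned apps or users would be
    added under 'conditions' before deployment; this is an illustration."""
    return {
        "displayName": display_name,
        "state": "enabled",
        "conditions": {
            "users": {"includeUsers": ["All"]},
            "applications": {"includeApplications": ["All"]},
            "authenticationFlows": {"transferMethods": "deviceCodeFlow"},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }


if __name__ == "__main__":
    for finding in triage_device_code_signins(parse_signin_log(SAMPLE_SIGNIN_LOG)):
        print(f"[{finding['severity']}] {finding['user']} via {finding['app']} from {finding['ip']}")
        for reason in finding["reasons"]:
            print(f"    - {reason}")
    print(json.dumps(block_device_code_flow_policy(), indent=2))
```

Run as-is, the script lists three device code sign-ins: bob's (sanctioned app, managed device) at low severity, dave's at medium because the device is unmanaged, and carol's at high because the app is unknown, the device is unmanaged and risk was detected. The same three checks map directly onto Entra sign-in log fields, so the logic can be carried over to a scheduled query or SIEM rule once the allow list reflects the applications actually permitted to use the flow.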


  • 2.  RE: Security BUZZ - New Phishing Attack Uses Tricky Codes to Steal Your Information

    Posted 03-03-2025 11:00

    Wow, this is really frightening. Thank you, Genady.



    ------------------------------
    Mary Enzi CAA
    Tax Solutions – FIRPTA Consulting
    [email protected]
    +1 (281) 578-1040
    Katy TX
    ------------------------------
