Russian APT group Storm-2372 bypasses MFA

Russian APT group Storm-2372 bypasses MFA using device code phishing. Learn how trusted login flows are exploited and how to protect your organisation.

15-04-2025 - 5 minute read. Posted in: cybercrime.

Storm-2372 exploits device code phishing to bypass MFA

Cybercriminals are constantly developing new methods to get around security systems, including those designed to be the most reliable. A Russian-linked hacking group known as Storm-2372 has launched a campaign that bypasses multi-factor authentication and gains access to Microsoft accounts by taking advantage of how users trust familiar login processes.

This type of attack, called device code phishing, is both deceptive and effective. It works within real login systems and relies on the user to unknowingly give attackers access.

When phishing uses real systems

Unlike classic phishing campaigns that rely on fake websites, this technique is built on legitimate Microsoft infrastructure. Victims are sent emails or text messages that appear to come from trusted sources. These messages ask the recipient to verify their identity or log in to a service.

Clicking the link takes the user to a login page that closely resembles Microsoft’s official site. In some cases, it is even hosted on Microsoft’s own cloud services. The site presents the user with a device code and tells them to enter it on Microsoft's actual login portal.

What the user doesn’t realize is that the code was created by the attacker. By entering it, they allow the attacker to authenticate and access the victim’s Microsoft account. The attacker doesn’t need a password or further approval, since the login is technically authorized by the user.

A more advanced version of an old trick

Storm-2372 has improved on a phishing method that was previously limited by short-lived codes. Earlier versions of this attack relied on codes that expired quickly, meaning attackers had a narrow window to trick their targets.

To solve this, Storm-2372 uses dynamic phishing pages that generate fresh codes for each visit. These pages are often built using Azure Web Apps or similar services. In some versions of the attack, tools like CORS-Anywhere are used to make the Microsoft login process appear seamlessly embedded within the phishing site.

This approach makes the attack more convincing and increases the chance of success. Victims see what looks like a normal process, and because everything is happening on real infrastructure, traditional security tools often fail to flag anything suspicious.

Who is behind the attack?

Storm-2372 is considered a state-sponsored group linked to Russian intelligence. Their targets are typically high-value organizations, including government institutions, infrastructure operators, and universities. Rather than aiming for financial gain, the group focuses on long-term access and data collection.

Once inside, the group can use access tokens to move laterally across systems, extract information or maintain silent access over extended periods. These tokens can remain valid for weeks or even months, depending on the organization’s configuration. Want to understand how these groups operate? Learn more about state-sponsored hacking and its growing impact on global cybersecurity.

Why this technique is so effective

The biggest strength of device code phishing is its invisibility. Users are not asked to enter credentials on a fake site. Instead, they are asked to interact with real systems in a way that seems routine and harmless. There are no red flags, no fake URLs, and no obvious signs of compromise.

This subtlety makes it hard for users to recognize the danger. It also challenges security teams who rely on traditional detection methods focused on fake domains or malicious attachments.

What organizations can do

Although the technique is clever, there are several steps companies can take to reduce the risk.

It begins with awareness. Employees should be trained to recognize unusual login requests, especially those involving device codes or unexpected verification prompts. They should know that a device code should only ever be entered when they themselves initiated the sign-in.

Organizations should also enforce conditional access policies that limit login attempts based on device, location, or behavior. Regular audits of OAuth activity and token usage can help identify abnormal patterns that may indicate compromise.

Finally, limiting the lifespan of access and refresh tokens can shorten the window an attacker has, should they gain access.
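An added example of the OAuth audit described above (not code from the original post): it replays constructed sign-in records against a per-user baseline and an allow-list, and flags device code sign-ins that are new for the user, come from a country outside the user's baseline, or belong to accounts with no sanctioned need for the flow. The record field names are an assumption standing in for whatever your identity provider exports.

```python
"""Audit sign-in records for device-code logins that break a user's baseline.
Added example, not code from the original post. Records are constructed and
the field names are an assumption standing in for your identity provider's export."""
from collections import defaultdict
from datetime import datetime

# Constructed sample records; protocol == "deviceCode" marks a device code grant.
SIGNIN_LOGS = [
    {"time": "2025-04-10T08:01:00", "user": "alice@example.com", "protocol": "password",
     "country": "DK", "success": True},
    {"time": "2025-04-10T08:05:00", "user": "bob@example.com", "protocol": "deviceCode",
     "country": "DK", "success": True},
    {"time": "2025-04-14T13:22:00", "user": "alice@example.com", "protocol": "deviceCode",
     "country": "NL", "success": True},
    {"time": "2025-04-14T13:40:00", "user": "bob@example.com", "protocol": "deviceCode",
     "country": "DK", "success": True},
]
# Accounts with a documented need for device code sign-in (constructed for this example).
DEVICE_CODE_ALLOWLIST = {"bob@example.com"}


def build_baseline(logs, cutoff):
    """Per user: countries seen and whether device code was ever used before the cutoff."""
    countries, used_device_code = defaultdict(set), set()
    for rec in logs:
        if not rec["success"] or datetime.fromisoformat(rec["time"]) >= cutoff:
            continue
        countries[rec["user"]].add(rec["country"])
        if rec["protocol"] == "deviceCode":
            used_device_code.add(rec["user"])
    return countries, used_device_code


def find_suspicious_device_code_signins(logs, baseline_end, allowlist=DEVICE_CODE_ALLOWLIST):
    """Return (user, time, reasons) for device code sign-ins on/after baseline_end that look abnormal."""
    cutoff = datetime.fromisoformat(baseline_end)
    countries, used_device_code = build_baseline(logs, cutoff)
    findings = []
    for rec in logs:
        if rec["protocol"] != "deviceCode" or not rec["success"]:
            continue
        if datetime.fromisoformat(rec["time"]) < cutoff:
            continue  # part of the baseline, not the detection window
        reasons = []
        if rec["user"] not in allowlist:
            reasons.append("user not allow-listed for device code flow")
        if rec["user"] not in used_device_code:
            reasons.append("first device code sign-in for this user")
        if rec["country"] not in countries.get(rec["user"], set()):
            reasons.append("sign-in from a country not in the user's baseline")
        if reasons:
            findings.append((rec["user"], rec["time"], reasons))
    return findings
```

A short token lifetime matters here too: the audit only helps if findings are reviewed before the tokens obtained through the flagged sign-in stop being useful to the attacker.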

Looking ahead

Storm-2372’s campaign shows that phishing has become more advanced and harder to detect. Attackers are no longer relying on crude imitations. They are using real tools in unintended ways, turning everyday login flows into entry points for espionage.

What makes this especially concerning is that the attackers are bypassing multi-factor authentication — a security measure specifically designed to stop unauthorized access, even if passwords are compromised. When MFA can be sidestepped, the foundation of account security is at risk. If you're unfamiliar with how MFA works or why it's so important, we’ve written a guide to multi-factor authentication that explains the concept in more detail.

At Moxso, we help organisations build a human-centred defence against evolving cyber threats. Through advanced phishing simulations, threat management, and continuous employee awareness training, we strengthen the human layer of security — enabling companies to stay ahead of attackers who constantly adapt their methods.

Author Sarah Krarup

Sarah studies innovation and entrepreneurship with a deep interest in IT and how cybersecurity impacts businesses and individuals. She has extensive experience in copywriting and is dedicated to making cybersecurity information accessible and engaging for everyone.