The EU takes on the challenge of regulating AI. The benefits of the SEC’s proposed incident disclosure rules. Senior EU official urges member states to ban Huawei and ZTE.
In this episode of the Retail & Hospitality ISAC podcast, host Luke Vander Linden is joined by Paul Suarez, CISO at Casey’s General Stores, to discuss his career, the unique challenges facing fuel retailers, and the value of collaboration. Then, Luke talks with Jackie Deloplaine, who oversees RH-ISAC’s working groups, to discuss some of the hot topics in 2023 and what’s planned for 2024.
New Device Code Phishing Attack Exploits Device Code Authentication to Capture Authentication Tokens
A sophisticated phishing campaign, identified by Microsoft Threat Intelligence, has been exploiting a technique known as “device code phishing” to capture authentication tokens.
This attack, attributed to a group called Storm-2372, has been active since August 2024 and targets a wide range of industries and governments globally.
The campaign uses a phishing technique that tricks users into logging into productivity apps, allowing the attackers to capture authentication tokens that can be used to access compromised accounts.
Device code authentication is a method used to authenticate accounts from devices that cannot perform interactive web-based authentication.
Security experts at Microsoft noted that it involves entering a numeric or alphanumeric code on a separate device to sign in. In device code phishing, attackers generate a legitimate device code request and deceive targets into entering it on a legitimate sign-in page.
This grants the attackers access to authentication and refresh tokens, which they can use to access the target’s accounts and data without needing a password.
Storm-2372’s campaign involves creating lures that resemble messaging app experiences, such as WhatsApp, Signal, and Microsoft Teams.
The attackers pose as prominent individuals to build rapport with targets before sending phishing emails that appear to be meeting invitations.
These invitations prompt users to authenticate using a device code, which the attackers use to capture valid access tokens.
Sample Messages from the Threat Actor (Source – Microsoft)
After obtaining access tokens, Storm-2372 uses them to move laterally within compromised networks and harvest emails using Microsoft Graph.
The attackers search for keywords like “username,” “password,” and “credentials” in compromised accounts.
Example of Lure Used in Phishing Campaign (Source – Microsoft)
Example hunting query for Microsoft Defender XDR:
let suspiciousUserClicks = materialize(UrlClickEvents
    | where ActionType in ("ClickAllowed", "UrlScanInProgress", "…")
    | where UrlChain has_any ("microsoft.com/devicelogin", "login…")
    | extend AccountUpn = tolower(AccountUpn)
    | project ClickTime = Timestamp, ActionType, UrlChain, Network…
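The hunting query above starts by collecting clicks on the device login URL so they can be correlated with later sign-ins. The Python below is an added example, not Microsoft's query or code from the article, that implements the same triage idea over constructed click and sign-in records: a device code sign-in is flagged when the token was issued to an address outside corporate ranges, or when the user clicked a devicelogin link shortly before but the code was redeemed from a different address than the click came from (the code the user typed was consumed on someone else's device). The record field names (user, time, ip, url, protocol, app), the corporate range, and the 15-minute window are assumptions; real Entra ID sign-in logs and Defender tables use different schemas.

```python
import ipaddress
import json
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry). Field names are assumptions
# modelled loosely on Entra ID sign-in logs and Defender URL click events.
SAMPLE_CLICKS = """\
{"user": "alice@example.com", "time": "2025-01-10T09:00:00Z", "ip": "10.1.2.3", "url": "https://microsoft.com/devicelogin"}
{"user": "bob@example.com", "time": "2025-01-10T11:00:00Z", "ip": "10.1.2.4", "url": "https://microsoft.com/devicelogin"}
"""

SAMPLE_SIGNINS = """\
{"user": "alice@example.com", "time": "2025-01-10T09:04:00Z", "ip": "203.0.113.7", "protocol": "deviceCode", "app": "Microsoft Office"}
{"user": "bob@example.com", "time": "2025-01-10T11:02:00Z", "ip": "10.1.2.4", "protocol": "deviceCode", "app": "Microsoft Office"}
{"user": "carol@example.com", "time": "2025-01-10T12:00:00Z", "ip": "10.5.0.9", "protocol": "none", "app": "Microsoft Office"}
{"user": "dave@example.com", "time": "2025-01-10T13:00:00Z", "ip": "198.51.100.9", "protocol": "deviceCode", "app": "Microsoft Office"}
"""

# Assumed corporate address space; replace with the organisation's own ranges.
CORPORATE_RANGES = [ipaddress.ip_network("10.0.0.0/8")]
CLICK_WINDOW = timedelta(minutes=15)


def parse_events(text):
    """Parse newline-delimited JSON records into dicts."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def parse_time(value):
    """Parse an ISO-8601 timestamp with a trailing Z into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def is_corporate(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CORPORATE_RANGES)


def flag_device_code_signins(signins, clicks, window=CLICK_WINDOW):
    """Return (signin, reasons) pairs for device code sign-ins worth triage.

    Signal 1: the token was issued to an address outside corporate ranges.
    Signal 2: the user clicked a devicelogin link within `window` before the
    sign-in, but the sign-in came from a different address than the click,
    i.e. the code the user entered was redeemed on another device.
    """
    results = []
    for signin in signins:
        if signin["protocol"] != "deviceCode":
            continue
        reasons = []
        if not is_corporate(signin["ip"]):
            reasons.append("device code token issued outside corporate ranges")
        signin_time = parse_time(signin["time"])
        for click in clicks:
            if click["user"] != signin["user"] or "devicelogin" not in click["url"]:
                continue
            delta = signin_time - parse_time(click["time"])
            if timedelta(0) <= delta <= window and click["ip"] != signin["ip"]:
                reasons.append(
                    f"redeemed from {signin['ip']} after devicelogin click from {click['ip']}"
                )
        if reasons:
            results.append((signin, reasons))
    return results


def flagged_users(signins_text=SAMPLE_SIGNINS, clicks_text=SAMPLE_CLICKS):
    """Map each flagged user to the list of reasons, for the sample data by default."""
    flagged = flag_device_code_signins(parse_events(signins_text), parse_events(clicks_text))
    return {signin["user"]: reasons for signin, reasons in flagged}


if __name__ == "__main__":
    for user, reasons in flagged_users().items():
        print(user, "->", "; ".join(reasons))
```

On the sample data, alice is flagged on both signals (her code was redeemed from 203.0.113.7 four minutes after a click from 10.1.2.3), dave is flagged only for the non-corporate address, bob's sign-in matches the address of his own click, and carol did not use the device code protocol at all. In production the second signal is the stronger one: a headless device may legitimately sit outside corporate ranges, but a code typed on one machine and redeemed on another is the defining shape of this attack.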
To defend against device code phishing attacks, organizations should restrict the use of device code flows, educate users on phishing tactics, and enforce strong authentication measures such as MFA and phishing-resistant methods like FIDO tokens.
Implementing Conditional Access policies to monitor risky sign-ins and centralizing identity management can further enhance security.
Google Open Sources Magika: AI-Powered File Identification Tool
Google has announced that it’s open-sourcing Magika, an artificial intelligence (AI)-powered tool to identify file types, to help defenders accurately detect binary and textual file types.
"Magika outperforms conventional file identification methods providing an overall 30% accuracy boost and up to 95% higher precision on traditionally hard to identify, but potentially problematic content."