Hello @Surjeet Singh,
Thank you for posting your query on Microsoft Q&A.
On February 14, 2025, Microsoft observed Storm-2372 shifting to using a specific client ID for the Microsoft Authentication Broker in the device code sign-in flow. This client ID enables Storm-2372 to obtain a refresh token, which can then be used to request another token for the device registration service and register an attacker-controlled device within Entra ID. With this refresh token and the newly registered device identity, Storm-2372 can acquire a Primary Refresh Token (PRT) and access an organization’s resources. We have also observed the actor using these connected devices to collect emails.
The Microsoft Threat Intelligence Center has identified an active and successful device code phishing campaign by Storm-2372, which has been ongoing since August 2024. The actor has been creating phishing lures that resemble legitimate messaging apps, including WhatsApp, Signal, and Microsoft Teams.
To help organizations mitigate and protect against this threat, we are sharing our latest research, detections, and mitigation guidance. Our goal is to raise awareness of the tactics, techniques, and procedures (TTPs) used in this campaign, educate organizations on how to harden their security posture, and disrupt future threat activity.
For detailed mitigation and protection guidance, please refer to the following document:
Storm-2372 Conducts Device Code Phishing Campaign
I hope this information is helpful. Please feel free to reach out if you have any further questions.
If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
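The answer above describes the chain Storm-2372 relies on: a device code sign-in using the Microsoft Authentication Broker client ID yields a refresh token, that token is exchanged for a Device Registration Service token, and the registered device is used to obtain a PRT. The following Python script is an added example (not part of the answer or of Microsoft's blog) that triages exported Microsoft Entra sign-in records offline for exactly that pattern. It assumes SignInLogs field names (UserPrincipalName, AppId, AuthenticationProtocol, ResourceDisplayName, IPAddress, TimeGenerated), assumes the app ID in BROKER_APP_ID is the publicly documented ID of the Microsoft Authentication Broker (verify it against your own tenant before relying on it), and uses constructed sample records with placeholder app IDs for everything other than the broker.

```python
"""Offline triage of Microsoft Entra sign-in records for device code phishing.

Added example, not code from the Q&A answer or from Microsoft.
Assumptions:
  - records carry Entra SignInLogs field names (UserPrincipalName, AppId,
    AuthenticationProtocol, ResourceDisplayName, IPAddress, TimeGenerated);
  - BROKER_APP_ID is the publicly documented Microsoft Authentication Broker
    app ID; confirm it in your tenant's enterprise application list;
  - SAMPLE_SIGNINS is constructed data, with placeholder IDs for other apps.
"""
from datetime import datetime, timedelta

BROKER_APP_ID = "29d9ed98-a469-4536-ade2-f981bc1d605e"  # assumption: verify in tenant
DEVICE_REGISTRATION_RESOURCE = "Device Registration Service"
CHAIN_WINDOW = timedelta(hours=24)  # how long after the device code sign-in we look

# Constructed sample records (not real tenant data).
SAMPLE_SIGNINS = [
    {"TimeGenerated": "2025-02-14T08:02:11Z", "UserPrincipalName": "alice@contoso.example",
     "AppId": "00000000-0000-0000-0000-00000000aaaa", "AppDisplayName": "Office 365 SharePoint Online",
     "AuthenticationProtocol": "none", "ResourceDisplayName": "Office 365 SharePoint Online",
     "IPAddress": "198.51.100.20"},
    {"TimeGenerated": "2025-02-14T09:15:40Z", "UserPrincipalName": "bob@contoso.example",
     "AppId": "00000000-0000-0000-0000-00000000bbbb", "AppDisplayName": "Placeholder CLI tool",
     "AuthenticationProtocol": "deviceCode", "ResourceDisplayName": "Microsoft Graph",
     "IPAddress": "198.51.100.21"},
    {"TimeGenerated": "2025-02-14T10:03:05Z", "UserPrincipalName": "bob@contoso.example",
     "AppId": BROKER_APP_ID, "AppDisplayName": "Microsoft Authentication Broker",
     "AuthenticationProtocol": "deviceCode", "ResourceDisplayName": "Microsoft Graph",
     "IPAddress": "203.0.113.7"},
    {"TimeGenerated": "2025-02-14T10:41:52Z", "UserPrincipalName": "bob@contoso.example",
     "AppId": BROKER_APP_ID, "AppDisplayName": "Microsoft Authentication Broker",
     "AuthenticationProtocol": "none", "ResourceDisplayName": DEVICE_REGISTRATION_RESOURCE,
     "IPAddress": "203.0.113.7"},
    {"TimeGenerated": "2025-02-14T11:20:00Z", "UserPrincipalName": "carol@contoso.example",
     "AppId": BROKER_APP_ID, "AppDisplayName": "Microsoft Authentication Broker",
     "AuthenticationProtocol": "deviceCode", "ResourceDisplayName": "Microsoft Graph",
     "IPAddress": "203.0.113.9"},
    {"TimeGenerated": "2025-02-14T12:00:00Z", "UserPrincipalName": "dave@contoso.example",
     "AppId": BROKER_APP_ID, "AppDisplayName": "Microsoft Authentication Broker",
     "AuthenticationProtocol": "none", "ResourceDisplayName": DEVICE_REGISTRATION_RESOURCE,
     "IPAddress": "198.51.100.30"},
]


def _ts(record):
    return datetime.strptime(record["TimeGenerated"], "%Y-%m-%dT%H:%M:%SZ")


def _is_broker(record):
    return record.get("AppId", "").lower() == BROKER_APP_ID


def device_code_signins(records):
    """Every sign-in that used the device code protocol, rated by client."""
    findings = []
    for r in records:
        if r.get("AuthenticationProtocol") != "deviceCode":
            continue
        broker = _is_broker(r)
        findings.append({
            "user": r["UserPrincipalName"], "time": r["TimeGenerated"],
            "ip": r["IPAddress"], "app": r["AppDisplayName"],
            # Device code through the broker client is the Storm-2372 pattern;
            # other device code sign-ins still warrant confirming with the user.
            "severity": "high" if broker else "medium",
        })
    return findings


def prt_chains(records):
    """Broker device code sign-in followed, within CHAIN_WINDOW, by the same user
    reaching Device Registration Service: the refresh-token-to-device-registration
    step that precedes acquiring a PRT."""
    ordered = sorted(records, key=_ts)
    chains = []
    for i, first in enumerate(ordered):
        if first.get("AuthenticationProtocol") != "deviceCode" or not _is_broker(first):
            continue
        deadline = _ts(first) + CHAIN_WINDOW
        for later in ordered[i + 1:]:
            if _ts(later) > deadline:
                break
            if (later["UserPrincipalName"] == first["UserPrincipalName"]
                    and later.get("ResourceDisplayName") == DEVICE_REGISTRATION_RESOURCE):
                chains.append({
                    "user": first["UserPrincipalName"],
                    "device_code_at": first["TimeGenerated"],
                    "registration_at": later["TimeGenerated"],
                    "ip": later["IPAddress"],
                    "same_ip": later["IPAddress"] == first["IPAddress"],
                })
                break
    return chains


if __name__ == "__main__":
    for f in device_code_signins(SAMPLE_SIGNINS):
        print(f"[{f['severity']}] {f['time']} {f['user']} via {f['app']} from {f['ip']}")
    for c in prt_chains(SAMPLE_SIGNINS):
        print(f"[chain] {c['user']}: device code {c['device_code_at']} -> "
              f"device registration {c['registration_at']} from {c['ip']}")
```

On the sample data the script rates bob's and carol's broker device code sign-ins high, bob's CLI device code sign-in medium, and reports one chain (bob: device code sign-in, then Device Registration Service access from the same external address 38 minutes later). Dave's device registration with no preceding device code sign-in is not reported, since an ordinary device join looks the same at that step. A hit in the chain list is the point at which revoking the user's refresh tokens and removing the newly registered device matter most, because once a PRT is issued the device code sign-in itself is no longer needed.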