top of page
OutSystems-business-transformation-with-gen-ai-ad-300x600.jpg
OutSystems-business-transformation-with-gen-ai-ad-728x90.jpg
TechNewsHub_Strip_v1.jpg

LATEST NEWS

Cybercriminals exploiting fake Microsoft Teams invite to steal user credentials

Marijan Hassan - Tech Journalist

Microsoft has warned that cybercriminals are using fake Microsoft Teams meeting invites to trick people into giving up access to their accounts. The attack, attributed to a group called Storm-2372, has been active since August 2024 and targets organizations in various sectors, including government, IT, defense, healthcare, and education.



How the scam works

  • Fake Teams Invite – Attackers send an email disguised as a legitimate Microsoft Teams meeting invitation.

  • Tricked Into Entering a Code – When the recipient clicks the link, they are prompted to enter a special authentication code on a real Microsoft sign-in page.

  • Hackers Gain Access – By entering this code, the victim unknowingly hands over an access token to the attacker, who can then log in as them.


This method, known as "device code phishing," allows attackers to bypass passwords and gain persistent access as long as the stolen authentication token remains valid. From there, they can move through an organization’s network, steal emails, and spread further phishing messages from compromised accounts.


Who is at risk?

Storm-2372 has targeted organizations across Europe, North America, Africa, and the Middle East. Their victims include government agencies, non-governmental organizations (NGOs), tech companies, and the energy sector. Microsoft believes the group operates in alignment with Russian state interests.


Prevention and mitigation steps

Microsoft has provided guidance on how to protect against this type of phishing attack:


  • Limit device code authentication: Disable this feature unless absolutely necessary.

  • Use multifactor authentication (MFA): While some attacks try to bypass MFA, it remains a strong defense.

  • Educate employees on phishing tactics: Teach staff to verify meeting invites before clicking.

  • Monitor for suspicious sign-ins: Use Microsoft Entra ID and security reports to detect unusual activity.

  • Restrict device enrollments: Prevent unauthorized devices from being added to your organization’s network.


Microsoft's response

Microsoft is actively tracking Storm-2372 and notifying organizations that have been targeted. The company has also observed that the hackers are evolving their techniques, recently using Microsoft Authentication Broker to maintain persistent access by registering new devices under compromised accounts.


As these attacks grow more sophisticated, staying vigilant and adopting strong security practices is crucial. Organizations should regularly update their security policies and educate employees on identifying phishing attempts to prevent unauthorized access.


See Microsoft’s blog for more information on the campaign.

wasabi.png
Gamma_300x600.jpg
paypal.png
bottom of page