Scam Watch

How can you recognize Device code phishing — Storm 2372 OAuth abuse on Microsoft 365 / Google?

TLDR

Storm-2372, a Russia-linked group Microsoft disclosed in 2024, abuses the OAuth device code flow: the attacker starts the flow and messages the victim the resulting code as an 'enter this code to join the meeting' request.

How it works

Microsoft disclosed in 2024 that Storm-2372 (Russia-linked) runs 'device code phishing': the attacker initiates the OAuth device code flow, then sends the 8-character code to the target via Signal, WhatsApp or Teams with the lure 'enter this code to join the meeting'...
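
Because the victim types the code into the genuine login page, the only reliable trace defenders get is the sign-in record for the device-code grant itself. The following added example (not from the original page or from Microsoft) triages a batch of constructed sign-in records for such grants; it assumes the Entra ID sign-in export's authenticationProtocol field reads "deviceCode" for this flow, and the record layout and sample values are constructed.

```python
"""Triage sign-in records for OAuth device-code grants (Storm-2372 pattern).

Field names mirror the Microsoft Entra ID sign-in log export, where the
authenticationProtocol column reads "deviceCode" for this flow, but that
mapping is an assumption and the records below are constructed samples.
"""
from collections import defaultdict

# Constructed sample data: ordinary browser sign-ins plus two device-code grants.
SIGNINS = [
    {"user": "alice@example.com", "authenticationProtocol": "none",
     "ipAddress": "203.0.113.10", "resource": "SharePoint Online", "status": "Success"},
    {"user": "alice@example.com", "authenticationProtocol": "deviceCode",
     "ipAddress": "198.51.100.77", "resource": "Microsoft Graph", "status": "Success"},
    {"user": "bob@example.com", "authenticationProtocol": "deviceCode",
     "ipAddress": "203.0.113.20", "resource": "Microsoft Graph", "status": "Success"},
    {"user": "bob@example.com", "authenticationProtocol": "none",
     "ipAddress": "203.0.113.20", "resource": "Microsoft Teams", "status": "Success"},
]


def known_ips(records):
    """Map each user to the source IPs seen on their non-device-code sign-ins."""
    seen = defaultdict(set)
    for r in records:
        if r["authenticationProtocol"] != "deviceCode":
            seen[r["user"]].add(r["ipAddress"])
    return seen


def triage_device_code(records):
    """Return one finding per successful device-code grant.

    A grant redeemed from an IP that never appears on the user's ordinary
    sign-ins is rated 'high': in this scam the attacker's client, not the
    victim's, polls the token endpoint, so the grant typically surfaces
    from infrastructure the user has never signed in from.
    """
    baseline = known_ips(records)
    findings = []
    for r in records:
        if r["authenticationProtocol"] != "deviceCode" or r["status"] != "Success":
            continue
        new_source = r["ipAddress"] not in baseline.get(r["user"], set())
        findings.append({"user": r["user"], "ip": r["ipAddress"],
                         "resource": r["resource"],
                         "severity": "high" if new_source else "medium"})
    return findings
```

Every device-code grant is worth a look; the 'high' ones (here alice's grant from 198.51.100.77) are the candidates for token revocation and user contact.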

Red flags

  • Urgent pressure to click, pay, or share codes immediately.
  • A link or sender that does not match the official organization.
  • Requests for card data, passwords, OTPs, wallet signatures, or bank transfers.

What to do

  1. DO: NEVER enter a device code someone else sent you; treat ANY out-of-band code request as phishing.

Source

Microsoft-Storm-2372

Source reviewed by Mythos Forensic Team

https://www.microsoft.com/security/blog/

FAQ

Is Device code phishing — Storm 2372 OAuth abuse on Microsoft 365 / Google a real scam pattern?

Yes. Treat the message, call, or payment request as suspicious until you verify it through an official channel.

What are the first warning signs?

Urgent pressure to click, pay, or share codes immediately; a link or sender that does not match the official organization; requests for card data, passwords, OTPs, wallet signatures, or bank transfers.

What should I do first?

DO: NEVER enter a device code someone else sent you; treat ANY out-of-band code request as phishing.

Can LegalAudit check my case?

Yes. Start a free chat and paste the message, link, sender, or payment details for triage.