
Storm-2372

Affiliation: Suspected nation-state
Motivation: Espionage
Status: Active
Country: Russia
First Seen: 2024-08
Last Seen: 2025-02
Target Geographies: North America, Europe, Africa, Middle East

Executive Summary

Storm-2372 is an emerging Russia-aligned threat activity cluster that has specialized in device code phishing operations since mid-2024. Microsoft identifies the group as a suspected nation-state actor primarily motivated by espionage and intelligence collection against government, defense, and IT service organizations globally.

The group is defined by its disciplined use of social engineering on third-party messaging platforms to build rapport with targets before carrying out OAuth token theft. Storm-2372 evolved its tradecraft through early 2025, moving from simple credential access to registering unauthorized devices within victim environments to obtain persistent Primary Refresh Tokens (PRTs), which allow long-dwell access to sensitive organizational communications.

Notable Campaigns

2024–2025: Global Device-Code Phishing Campaign

Since August 2024, Storm-2372 has conducted a continuous operation targeting a wide array of sectors across North America, Europe, Africa, and the Middle East. The campaign uses lures posing as prominent individuals on WhatsApp, Signal, and Microsoft Teams.

In the initial phase of the campaign, the actor focused on obtaining session tokens via the OAuth device code flow. By February 2025, the tradecraft had matured to include abuse of the Microsoft Authentication Broker. This allowed the registration of actor-controlled devices within the target’s Entra ID environment, granting the attackers persistent access that bypassed standard MFA protections and survived password resets.

Technical Capabilities

Storm-2372 focuses on finding and exploiting weaknesses in the identity perimeter of Microsoft 365 environments. Instead of deploying custom malware, the group uses “living off the cloud” techniques to blend in with legitimate administrative activity.

The group’s primary method for initial access is device code phishing. The actor generates a legitimate device code request and tricks the victim into entering the code on the official Microsoft sign-in page, so the victim completes the authentication on the actor’s behalf. This removes the need for the victim’s password and defeats many traditional MFA implementations. Once access is gained, the actor uses the Microsoft Graph API to run automated keyword searches for terms such as “password,” “secret,” and “ministry” to identify and exfiltrate sensitive data.

To maintain stealth, Storm-2372 uses regionally appropriate proxies that match the geographic location of the victim organization, reducing the likelihood of detection by identity protection systems monitoring for impossible travel or anomalous sign-in origins.
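The two paragraphs above describe why geography-based detection is weak against this actor: the sign-in completes on Microsoft's own page and arrives from a proxy in the victim's own region. The following added example (not Microsoft's code or any tool cited in this profile) runs two checks over a handful of constructed Entra ID sign-in log records: a country-change check of the kind impossible-travel logic relies on, and a check on the `authenticationProtocol` field, which Entra populates with `deviceCode` for sign-ins completed through the device code flow. The records, user names and IP addresses are constructed for the example; the field names follow the Microsoft Graph sign-in log schema.

```python
"""Flag device-code sign-ins in Entra ID sign-in log records.

Added example. The records below are constructed sample telemetry, not
real logs; the field names mirror the Microsoft Graph signIn resource.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample sign-in records (not real telemetry).
SAMPLE_SIGNINS = [
    # Normal interactive sign-in from the user's usual country.
    {"id": "s1", "userPrincipalName": "analyst@example.org",
     "createdDateTime": "2025-02-10T08:02:11Z",
     "authenticationProtocol": "none",
     "appDisplayName": "Microsoft Teams",
     "ipAddress": "203.0.113.10",
     "location": {"countryOrRegion": "DE", "city": "Berlin"}},
    # Device-code sign-in routed through a proxy in the same country:
    # geography looks normal, only the protocol field gives it away.
    {"id": "s2", "userPrincipalName": "analyst@example.org",
     "createdDateTime": "2025-02-10T08:17:45Z",
     "authenticationProtocol": "deviceCode",
     "appDisplayName": "Microsoft Authentication Broker",
     "ipAddress": "198.51.100.7",
     "location": {"countryOrRegion": "DE", "city": "Frankfurt"}},
    # Second user: normal sign-in, then a device-code sign-in from
    # abroad, which both checks catch.
    {"id": "s3", "userPrincipalName": "contractor@example.org",
     "createdDateTime": "2025-02-10T13:00:00Z",
     "authenticationProtocol": "none",
     "appDisplayName": "Outlook",
     "ipAddress": "192.0.2.44",
     "location": {"countryOrRegion": "US", "city": "Denver"}},
    {"id": "s4", "userPrincipalName": "contractor@example.org",
     "createdDateTime": "2025-02-10T13:25:30Z",
     "authenticationProtocol": "deviceCode",
     "appDisplayName": "Microsoft Authentication Broker",
     "ipAddress": "198.51.100.99",
     "location": {"countryOrRegion": "NL", "city": "Amsterdam"}},
]


def _ts(record):
    """Parse the ISO-8601 timestamp used in sign-in records."""
    return datetime.fromisoformat(record["createdDateTime"].replace("Z", "+00:00"))


def device_code_signins(records):
    """Return ids of sign-ins completed through the OAuth device code flow."""
    return [r["id"] for r in records if r.get("authenticationProtocol") == "deviceCode"]


def country_change_signins(records):
    """Return ids of sign-ins whose country differs from the same user's
    previous sign-in (a simplified impossible-travel style check)."""
    by_user = defaultdict(list)
    for r in sorted(records, key=_ts):
        by_user[r["userPrincipalName"]].append(r)
    flagged = []
    for recs in by_user.values():
        for prev, cur in zip(recs, recs[1:]):
            if prev["location"]["countryOrRegion"] != cur["location"]["countryOrRegion"]:
                flagged.append(cur["id"])
    return flagged


def triage(records):
    """Combine both checks into per-user findings: {user: [(id, app, reasons)]}."""
    geo = set(country_change_signins(records))
    dc = set(device_code_signins(records))
    findings = defaultdict(list)
    for r in sorted(records, key=_ts):
        reasons = []
        if r["id"] in dc:
            reasons.append("device_code_flow")
        if r["id"] in geo:
            reasons.append("country_change")
        if reasons:
            findings[r["userPrincipalName"]].append((r["id"], r["appDisplayName"], reasons))
    return dict(findings)


if __name__ == "__main__":
    for user, items in triage(SAMPLE_SIGNINS).items():
        for signin_id, app, reasons in items:
            print(f"{user}: {signin_id} via {app} -> {', '.join(reasons)}")
```

Run against the constructed records, the country-change check flags only the contractor's sign-in, while the protocol check also surfaces the analyst's proxied sign-in (`s2`). In a real tenant the same field is queryable in the sign-in logs, and a device-code sign-in to the Microsoft Authentication Broker by a user who does not normally use that flow is the event worth reviewing.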

Attribution

Microsoft assesses with moderate confidence that Storm-2372 aligns with Russian state interests. This assessment is based on the group’s victimology—which targets government ministries and defense contractors—and its tradecraft, which mirrors patterns established by other Russia-aligned espionage clusters. While it remains a “Storm” temporary designation, the group’s objectives and operational focus suggest a formal state-sponsored mandate.

MITRE ATT&CK Profile

Initial Access

T1566.003 - Phishing: Spearphishing via Service: Storm-2372 uses third-party messaging apps to establish trust with targets before delivering malicious lures.

Credential Access

T1528 - Steal or Forge Authentication Tokens: The group’s hallmark technique involves exploiting the OAuth 2.0 device code flow to steal session and refresh tokens.

Persistence

T1098.005 - Account Manipulation: Device Registration: Storm-2372 registers unauthorized devices in the victim’s tenant to obtain persistent Primary Refresh Tokens (PRTs).
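Because the device registration described in this entry follows a device-code sign-in by the same account, the two events can be correlated. The following added example (not Microsoft's code or the project's own) joins constructed Entra ID audit-log records for device registration with constructed sign-in records and reports registrations that occur within a window after a device-code sign-in by the same user. The activity name `Register device`, the device names and the timestamps are assumptions made for the example; the field layout (`activityDisplayName`, `initiatedBy.user`, `targetResources`) follows the Microsoft Graph directory audit schema.

```python
"""Correlate device registrations with preceding device-code sign-ins.

Added example. All records below are constructed; the audit activity
name "Register device" and the device names are assumptions.
"""
from datetime import datetime, timedelta

# Constructed sign-in records (subset of fields).
SIGNINS = [
    {"id": "s2", "userPrincipalName": "analyst@example.org",
     "createdDateTime": "2025-02-10T08:17:45Z",
     "authenticationProtocol": "deviceCode"},
    {"id": "s5", "userPrincipalName": "admin@example.org",
     "createdDateTime": "2025-02-10T07:00:00Z",
     "authenticationProtocol": "none"},
]

# Constructed directory audit records.
AUDITS = [
    # Registration 83 minutes after the analyst's device-code sign-in.
    {"id": "a1", "activityDisplayName": "Register device",
     "activityDateTime": "2025-02-10T09:40:12Z",
     "initiatedBy": {"user": {"userPrincipalName": "analyst@example.org"}},
     "targetResources": [{"displayName": "DESKTOP-7Q2M"}]},
    # Routine registration by an admin with no device-code sign-in.
    {"id": "a2", "activityDisplayName": "Register device",
     "activityDateTime": "2025-02-10T10:05:00Z",
     "initiatedBy": {"user": {"userPrincipalName": "admin@example.org"}},
     "targetResources": [{"displayName": "LAPTOP-IT-01"}]},
    # Unrelated audit event, ignored by the correlation.
    {"id": "a3", "activityDisplayName": "Update user",
     "activityDateTime": "2025-02-10T10:30:00Z",
     "initiatedBy": {"user": {"userPrincipalName": "analyst@example.org"}},
     "targetResources": [{"displayName": "analyst@example.org"}]},
]


def _ts(value):
    """Parse an ISO-8601 timestamp with a trailing Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def registrations_after_device_code(signins, audits, window_hours=24):
    """Return (user, device_name, signin_id, audit_id) for each device
    registration that follows a device-code sign-in by the same user
    within window_hours."""
    window = timedelta(hours=window_hours)
    device_code = [s for s in signins if s.get("authenticationProtocol") == "deviceCode"]
    hits = []
    for audit in audits:
        if audit.get("activityDisplayName") != "Register device":
            continue
        user = audit["initiatedBy"]["user"]["userPrincipalName"]
        registered_at = _ts(audit["activityDateTime"])
        for signin in device_code:
            if signin["userPrincipalName"] != user:
                continue
            delta = registered_at - _ts(signin["createdDateTime"])
            if timedelta(0) <= delta <= window:
                device = audit["targetResources"][0]["displayName"]
                hits.append((user, device, signin["id"], audit["id"]))
                break
    return hits


if __name__ == "__main__":
    for user, device, signin_id, audit_id in registrations_after_device_code(SIGNINS, AUDITS):
        print(f"{user} registered {device} (audit {audit_id}) after device-code sign-in {signin_id}")
```

The window is deliberately a parameter: a registration minutes after the sign-in is the pattern this profile describes, but the actor can wait, so a longer window traded against more review work is a tuning decision for the team running it. A hit is the point at which the registered device should be reviewed and, if unrecognized, disabled, since a PRT issued to it survives a password reset.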

Command and Control

T1071.001 - Application Layer Protocol: Web Protocols: The actor leverages the Microsoft Graph API as a primary interface for automated data discovery and collection.
