sponsored cyber threats, Microsoft has once again fallen victim to a sophisticated cyber intrusion attributed to Russian threat actors. This latest breach, surfacing in 2025, highlights the critical need for heightened vigilance and robust defensive strategies across all sectors, particularly for organizations relying heavily on cloud services and ubiquitous productivity platforms.
The Attack Vector: Device Code Phishing and Stolen Credentials
Microsoft’s Threat Intelligence teams have been diligently tracking the activities of a new threat cluster, identified as Storm 2372, believed to be aligned with Russian interests. This group has been actively engaged in cyber operations since at least August 2024, employing an insidious technique known as “device code phishing” to hijack user accounts (Lakshmanan, 2025a).
The attack typically begins with highly deceptive spear phishing emails, often masquerading as Microsoft Teams meeting invitations. These emails, when clicked, redirect victims to a seemingly legitimate Microsoft page that prompts them to enter a “device code” to “allow access.” Unbeknownst to the user, this is a cunning ruse designed to trick them into authenticating into productivity applications while the Storm 2372 actors simultaneously capture the authentication tokens. These tokens, valid for a limited time (typically 15 minutes), grant the attackers access to compromised accounts without requiring a password (Lakshmanan, 2025a).
Further intelligence suggests that Russian groups, including a previously undocumented cluster dubbed Void Blizzard (also known as Laundry Bear), have been leveraging stolen credentials, potentially acquired from underground cybercrime marketplaces, to gain initial access. Once inside, they abuse legitimate cloud APIs to enumerate and exfiltrate vast quantities of emails and files, particularly targeting government, defense, transportation, media, non governmental organizations, and healthcare sectors primarily in Europe and North America (Lakshmanan, 2025b; Geller, 2025). Some campaigns have even seen attackers accessing Microsoft Teams conversations and meetings through the web client application (Lakshmanan, 2025b).
Who is Affected and What was Breached?
While Microsoft has not released an exhaustive list of all affected entities, reports indicate that the primary targets are organizations with strategic importance to Russian government objectives. This includes, but is not limited to:
- Government Agencies: Entities in NATO member states and Ukraine have been particularly targeted, suggesting intelligence collection as a primary motivation (Geller, 2025).
- Defense Contractors and Aerospace Companies: Firms involved in the procurement and production of military goods and weapons deliveries to Ukraine are also key targets (Geller, 2025).
- Critical Infrastructure: While specific incidents are still under investigation, the overall trend of state sponsored attacks points towards efforts to disrupt essential services like power grids and communication networks (F Secure, 2025).
- Non Governmental Organizations (NGOs): Over 20 NGOs in Europe and the United States have been impacted by Void Blizzard’s activities, particularly through phishing campaigns impersonating Microsoft Entra authentication portals (Lakshmanan, 2025b).
The breaches primarily involve the unauthorized access and exfiltration of sensitive data, including emails and cloud hosted files. Attackers have been observed using keyword searches to identify messages containing terms like “username,” “password,” “admin,” “credentials,” and “secret,” indicating a clear intent to gather sensitive information for further exploitation or intelligence gathering (Lakshmanan, 2025a).
In some instances, particularly concerning a zero day vulnerability in the Common Log File System (CLFS) kernel driver (CVE 2025 29824), exploitation has led to privilege escalation and subsequent ransomware activity (Microsoft Security Response Center, 2025). This highlights the dual threat posed by these actors: intelligence gathering coupled with the potential for destructive or financially motivated attacks.
How to Stay Protected: A Multi Layered Defense
The sophistication of these attacks demands a proactive and multi layered defense strategy. Organizations and individuals must recognize that traditional perimeter based security is no longer sufficient.
- Phishing Resistant Multifactor Authentication (MFA): This is paramount. While attackers are employing device code phishing, implementing hardware security keys (e.g., FIDO2) or certificate based authentication significantly reduces the risk of token theft. Microsoft strongly recommends enabling phishing resistant MFA wherever possible (Lakshmanan, 2025a).
- User Education and Awareness Training: Employees remain the first line of defense. Regular, comprehensive training on identifying sophisticated phishing attempts, including those leveraging device codes and impersonation tactics, is crucial. Emphasize the importance of verifying sender identities and scrutinizing unusual login prompts (Cloud Security Alliance, 2025).
- Principle of Least Privilege: Restrict user access to only the resources absolutely necessary for their roles. This limits the damage an attacker can inflict even if an account is compromised (SearchInform, 2025).
- Regular Patching and Updates: Promptly apply all security updates released by Microsoft and other software vendors. Vulnerabilities, including zero days like CVE 2025 29824, are continuously discovered and exploited by threat actors (NHS England Digital, 2025).
- Robust Endpoint Detection and Response (EDR) and Extended Detection and Response (XDR) Solutions: These systems are vital for real time monitoring, detecting anomalous activities, and rapidly responding to threats that bypass initial defenses.
- Network Segmentation: Isolate critical systems and sensitive data from the broader network. This can limit lateral movement by attackers if a segment is breached.
- Consolidated Identity Management Systems: Centralizing identity management and implementing risk based sign in policies can provide better visibility and control over user authentications (Geller, 2025).
- Proactive Threat Intelligence and Continuous Monitoring: Stay informed about emerging threats and attacker tactics. Integrate threat intelligence feeds into security operations to anticipate and defend against new attack vectors. Continuously monitor email activity, cloud services, and network traffic for suspicious patterns.
- Incident Response and Business Continuity Planning: Develop and regularly test a comprehensive incident response plan. In the event of a breach, a well defined plan can minimize damage and accelerate recovery.
The recurring nature of these state sponsored attacks against prominent organizations like Microsoft underscores the reality of a persistent cyber conflict. While no system can be entirely impervious, a proactive, multi layered, and intelligence driven cybersecurity posture is the most effective defense against these increasingly sophisticated adversaries.
References
Cloud Security Alliance. (2025, January 14). What Are the Top Cybersecurity Threats of 2025? https://cloudsecurityalliance.org/blog/2025/01/14/the-emerging-cybersecurity-threats-in-2025-what-you-can-do-to-stay-ahead/
F Secure. (2025, February 21). What are state sponsored cyber attacks? https://www.f-secure.com/en/articles/what-are-state-sponsored-cyber-attacks
Geller, E. (2025, May 28). Microsoft, Dutch government discover new Russian hacking group. Cybersecurity Dive. https://www.cybersecuritydive.com/news/russia-ukraine-logistics-laundry-bear-microsoft-netherlands/749143/
Lakshmanan, R. (2025a, February 14). Microsoft: Russian Linked Hackers Using ‘Device Code Phishing’ to Hijack Accounts. The Hacker News. https://thehackernews.com/2025/02/microsoft-russian-linked-hackers-using.html
Lakshmanan, R. (2025b, May 27). Russian Hackers Breach 20+ NGOs Using Evilginx Phishing via Fake Microsoft Entra Pages. The Hacker News. https://thehackernews.com/2025/05/russian-hackers-breach-20-ngos-using-evilginx-phishing-via-fake-microsoft-entra-pages
Microsoft Security Response Center. (2025, April 8). Exploitation of CLFS zero day leads to ransomware activity. Microsoft Security Blog. https://www.microsoft.com/en-us/security/blog/2025/04/08/exploitation-of-clfs-zero-day-leads-to-ransomware-activity/
NHS England Digital. (2025, June 11). Microsoft Releases June 2025 Security Updates. https://digital.nhs.uk/cyber-alerts/2025/cc-4666
SearchInform. (2025, June 23). State Backed Cyber Attacks: Insights and Solutions. https://searchinform.com/articles/cybersecurity/cyber-threats/cyber-attacks/state-sponsored-cyber-attacks/
