Skip to main content
Mallory
Back to threat actors

Storm-2372

Also known asStorm-2372

Storm-2372 is a Russia-aligned threat actor that Microsoft assesses with moderate confidence aligns with Russian interests, victimology, and tradecraft. Microsoft reported the group has been active since at least August 2024 and has targeted governments, NGOs, and organizations in sectors including IT services/technology, defense, telecommunications, health, higher education, and energy/oil and gas across Europe, North America, Africa, and the Middle East. The actor is known for device code phishing campaigns that abuse legitimate OAuth device code authentication flows to capture access and refresh tokens after victims authenticate on the legitimate Microsoft device login page. Microsoft observed Storm-2372 using lures that resembled WhatsApp, Signal, and Microsoft Teams experiences, including phishing emails masquerading as Microsoft Teams meeting invitations. The group likely also approached targets through third-party messaging services while impersonating prominent relevant individuals to build rapport. Post-compromise, Storm-2372 used Microsoft Graph for data collection and email harvesting, including searching compromised mailboxes with terms such as "username," "password," "admin," "teamviewer," "anydesk," "credentials," "secret," "ministry," and "gov," and exfiltrating matching emails. Microsoft also observed the actor using compromised accounts to send additional device-code phishing messages internally for lateral movement. In an updated technique observed on February 14, 2025, Storm-2372 shifted to the Microsoft Authentication Broker client ID in the device code flow, enabling receipt of a refresh token that could be used to request a token for device registration. Microsoft reported this allowed the actor to register an attacker-controlled device in Entra ID and then obtain a Primary Refresh Token (PRT) for continued access to organizational resources. The actor also used regionally appropriate proxies to reduce detection. Aliases directly referenced in the content in connection with device code phishing activity include APT29, UTA0304, and UTA0307, though the content does not state these are definitive synonyms for Storm-2372. Additional Russia-aligned clusters mentioned in related reporting include UNK_AcademicFlare.

Share:
Are they targeting you?

Know when an actor pivots toward your sector

Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.

Start free trial
MITRE ATT&CK

Tradecraft

7 distinct techniques observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.

7 of 15 tactics10 techniques×N= number of intelligence reports citing this technique
MITRE ATT&CK
TA0001
Initial Access
2 techniques
T1078
Valid Accounts
T1566×4
Phishing
T1566.002×2
Spearphishing Link
T1566.003
Spearphishing via Service
TA0003
Persistence
1 technique
T1078
Valid Accounts
TA0004
Privilege Escalation
1 technique
T1078
Valid Accounts
TA0005
Stealth
1 technique
T1078
Valid Accounts
TA0006
Credential Access
1 technique
T1528×3
Steal Application Access Token
TA0008
Lateral Movement
1 technique
T1534
Internal Spearphishing
TA0011
Command and Control
1 technique
T1090
Proxy
IOCS

Observables

5 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting. View more in app.

5 IOCsView more in app

IOC values are gated. View more in Mallory for domains, IPs, hashes, and other artifacts, or pipe them straight into your SIEM.

ACTIVITY FEED

Recent activity

12 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

12 SOURCESView more in app
hkcertNews
Jun 17, 2026
Understanding OAuth Risks: From Device Code Phishing to Token Abuse

Conducts device code phishing campaigns abusing OAuth device authorization flow to obtain valid access tokens and refresh tokens from victims after they complete authentication on legitimate pages.

Read more
malware newsNews
May 26, 2026
Hunt Before They Hide -From Device Codes to Fake IT Support Detecting Active Microsoft 365 Identity… - Malware News - Malware Analysis, News and Indicators

Conducting device code phishing campaigns against governments, NGOs, and defense organizations.

Read more
detectNews
May 26, 2026
Hunt Before They Hide -From Device Codes to Fake IT Support Detecting Active Microsoft 365 Identity Attacks in Sentinel | by Rohitashokgowd | May, 2026 | Detect FYI

Conducting device code phishing campaigns against governments, NGOs, and defense organizations.

Read more
codebyNews
May 25, 2026
OAuth Device Code Flow атака: пентест Azure AD

Used direct delivery of Microsoft device codes in phishing emails as part of a device code phishing campaign targeting Entra ID / Microsoft 365 authentication flows.

Read more
+6 more in the timeline
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: sector and geo overlap with your footprint, the IOCs they’re burning right now, detection coverage, and what to do next.
Start free trial
Target overlap

Match sector + geo + tech-stack targeting against your real footprint.

Tradecraft mapping7

Every observed MITRE ATT&CK technique, grouped by tactic.

Malware arsenal

Families this actor is known to deploy, with IOCs and behavior.

Exploited CVEs

CVEs this actor has used in known campaigns.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Observables5

Domains, IPs, and hashes tied to this actor, refreshed continuously.