Phishing has moved beyond everyday email into collaboration platforms like Microsoft Teams. Recent security research indicates that nearly 40% of phishing campaigns happen on platforms like MS Teams, changing the way phishing attacks occur today.
Of particular concern is the emergence of Storm-2372 phishing attacks on Microsoft Teams as a significant threat, leveraging trusted Microsoft authentication workflows to bypass traditional security controls.
According to Microsoft Threat Intelligence, the threat actor Storm-2372 uses a form of device-code phishing to spoof legitimate contacts and redirect conversations into an MS Teams environment, making the user feel secure as collaboration continues.
This blog looks at how to identify fake MS Teams invites and what organizations can do to stop themselves from being compromised.
What Is the Storm-2372 Phishing?
The Storm-2372 phishing campaign, identified by Microsoft Threat Intelligence, has been active since August 2024.
Unlike traditional phishing methods, Storm-2372 phishing via Microsoft Teams hijacks existing sessions via the device code authentication process used by MS Teams.
Typically, attackers identify and reach out to the target via other applications such as WhatsApp or LinkedIn. They build up enough trust to send the victim a fake MS Teams meeting invite, which contains a legitimate device login code. When the victim enters the device login code on Microsoft’s actual sign-in page, they are unknowingly granting access to the attacker’s device.
This bypasses two-factor authentication and allows direct access to email, Teams messages, and cloud storage. Storm-2372 demonstrates how modern phishing attacks are now using identity to gain trust—rather than exploiting technology.
How to Detect Phishing Attacks in Your Microsoft Teams App
To detect Storm-2372 attacks, you need to look for both technical evidence and signs of unusual behavior. Storm-2372 campaigns appear very normal and professional to the user.
Fake Microsoft Emails Used as Part of Phishing Schemes
Abuse of Microsoft’s Device Code Flow is one of the most common techniques in Storm-2372 campaigns. The flow was designed for devices without a keyboard and lets a user sign in with a device verification code. Attackers now exploit the same process to capture authenticated sessions.
Here are the warning signs to look for:
Suspicious Redirect Chains:
A legitimate Teams invite opens in the existing Teams application or at teams.microsoft.com. A malicious invite usually passes through multiple redirecting domains, typically compromised *.azurewebsites.net pages.
Unusual Requests for Device Login:
You will never have to enter a device code when joining a Teams meeting on your computer or mobile device. If you receive an invite to a Teams meeting requesting you to visit www.microsoft.com and enter an alphanumeric device code, you should stop and think. This mirrors techniques used in traditional attachment-based phishing schemes, creating a similar experience in a cloud environment.
Display Name Tampering:
A common tactic used by attackers is to leverage compromised external accounts while posing as members of internal teams. Be on the lookout for the “(External)” label in Teams—be sure to verify any internal alerts containing that designation prior to taking action.
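The redirect-chain and device-login warning signs above can be checked mechanically once a link's hops have been resolved in a sandbox. The following is an added example, not code from Threatcop or Microsoft; the function name, the finding labels, the sample chains and the device-code page list are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Destination the article gives for a genuine invite.
EXPECTED_HOSTS = {"teams.microsoft.com"}
# Hosting suffix the article says malicious invites typically pass through.
SUSPECT_SUFFIXES = (".azurewebsites.net",)
# Assumption (not from the article): Microsoft's device-code entry pages.
DEVICE_CODE_PAGES = {
    ("microsoft.com", "/devicelogin"),
    ("www.microsoft.com", "/devicelogin"),
    ("login.microsoftonline.com", "/common/oauth2/deviceauth"),
}

def _hop(url):
    """Normalise one URL to (lowercase host, lowercase path without trailing slash)."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower().rstrip(".")
    return host, parts.path.rstrip("/").lower()

def triage_invite(chain):
    """Return findings for the ordered list of URLs an invite link resolves through."""
    hops = [_hop(u) for u in chain]
    hosts = [h for h, _ in hops]
    findings = []
    # Any intermediate host other than Teams means the link was redirected.
    extra = sorted({h for h in hosts[:-1] if h not in EXPECTED_HOSTS})
    if extra:
        findings.append("redirects-through:" + ",".join(extra))
    if any(h.endswith(SUSPECT_SUFFIXES) for h in hosts):
        findings.append("azurewebsites-hop")
    # Joining a meeting never needs the device-code page.
    if any(hop in DEVICE_CODE_PAGES for hop in hops):
        findings.append("device-code-prompt")
    if hosts and hosts[-1] not in EXPECTED_HOSTS:
        findings.append("lands-off-teams:" + hosts[-1])
    return findings

# Constructed sample chains (not real indicators).
GENUINE = ["https://teams.microsoft.com/l/meetup-join/constructed-id"]
SUSPECT = [
    "https://short.example/abc",
    "https://constructed-example.azurewebsites.net/join",
    "https://www.microsoft.com/devicelogin",
]

if __name__ == "__main__":
    print(triage_invite(GENUINE))
    print(triage_invite(SUSPECT))
```

An empty list means none of the article's link-related warning signs fired; it is not proof that the invite is genuine.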
Fake Mail Red Flags
Storm-2372 operators use subtle deception to get their emails past security filters or human attention, using the techniques listed below:
- Swapping Unicode characters, e.g., replacing the letter “o” in “Microsoft” with a Cyrillic character
- Using hijacked email identities with display names that appear professional
- Creating urgency-driven language (e.g., “Your Subscription Auto-Pay Was Declined” or “Mandatory Meeting with CEO”)
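The Unicode swap in the first bullet is invisible to the eye but easy to catch in code. This added example (not from the original article) flags words in a sender or display name that mix scripts, hide format characters, or reduce to a watched brand name after look-alike folding; the look-alike map and the brand list are small constructed assumptions, not a complete confusables table.

```python
import unicodedata

# Constructed subset of Cyrillic/Greek letters that render like Latin ones.
LOOKALIKES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0445": "x", "\u0456": "i", "\u0455": "s", "\u03bf": "o",
}
# Assumption: names an organization would want to protect from imitation.
WATCHED_BRANDS = {"microsoft", "teams", "office"}

def script_of(ch):
    """Coarse script label: the first word of the Unicode character name."""
    return unicodedata.name(ch, "UNKNOWN").split(" ")[0]

def inspect_name(text):
    """Return one finding per word that mixes scripts, hides format
    characters, or imitates a watched brand through look-alike letters."""
    findings = []
    for word in text.split():
        scripts = sorted({script_of(c) for c in word if c.isalpha()})
        # Category Cf covers zero-width and other invisible format characters.
        hidden = sum(unicodedata.category(c) == "Cf" for c in word)
        plain = "".join(c for c in word.lower() if c.isalnum())
        skeleton = "".join(LOOKALIKES.get(c, c) for c in plain)
        imitates = skeleton if skeleton in WATCHED_BRANDS and skeleton != plain else None
        if len(scripts) > 1 or hidden or imitates:
            findings.append({"word": word, "scripts": scripts,
                             "hidden_chars": hidden, "imitates": imitates})
    return findings

if __name__ == "__main__":
    # Constructed samples: Cyrillic "o" in the first, a zero-width space in the second.
    for sample in ("Micr\u043esoft Teams", "IT\u200bSupport", "Microsoft Teams"):
        print(repr(sample), inspect_name(sample))
```

A name written entirely in one non-Latin script is not flagged, so legitimate international senders do not trip the mixed-script rule.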
Real vs. Phishing Teams Invites: Comparison
Once Teams invites arrive, employees usually do not have time to investigate. Visual clues can significantly help teams make decisions quickly and safely.
| Feature | Genuine Teams Invite | Storm-2372 Phishing Scam |
| --- | --- | --- |
| Sender Domain | Verified @microsoft.com or a trustworthy partner | Hacked/mismatched domain (e.g., @gmx.com) |
| Authentication Flow | Standard SSO/MFA login | Requests unexpected device code authentication |
| Link Destination | Opens directly at teams.microsoft.com | Redirects via shortened or unknown links |
| Message Tone | Neutral and professional | Urgent, alarming, or pressuring language |
| External Label | Clearly identified as a legitimate enterprise guest account | Hidden by emojis or Unicode trickery |
Protect Against Storm-2372 with ThreatCop
Most phishing scams are successful only because they appear nearly legitimate. Therefore, it is important that employees are trained to identify minor variations and differences.
Train Employees Using Realistic Simulations
ThreatCop provides employees the opportunity to learn and recognize phishing attacks using real phishing scenarios as examples. ThreatCop’s TSAT provides training so employees recognize phishing attempts disguised as genuine Microsoft Teams invites and device code requests before interacting with a phishing scammer.
Instantaneously Detect Phishing Attacks
ThreatCop’s TPIR platform integrates with Microsoft 365. When a user reports a suspicious phishing attack within a Microsoft Teams message, the ThreatCop platform instantaneously processes all links and sender information and performs algorithmic analysis of message behavior.
Prevent Attacks From Spreading
When a threat is verified, ThreatCop quickly isolates the malicious message across your entire organization—preventing an accidental click from turning into a widespread data breach.
Final Thoughts: Create Your Human Firewall
Knowing how to spot a phishing email is no longer just an IT responsibility. It is now a crucial part of business continuity and security. The recent Storm-2372 phishing of Microsoft Teams shows how hackers can now use legitimate work patterns and apply trust to perform their scams instead of relying on highly sophisticated technical exploits.
The best defense is having many individuals educated on preventing attacks, combined with intelligent automation. When companies deliver realistic cybersecurity education to employees paired with AI technology, staff can collaborate easily without becoming easy targets.
The ultimate goal is not only to prevent one phishing scam but also to create a working community in which every employee can identify warning signs early and take action to avert a digital attack before it happens.

Technical Content Writer at Threatcop
Milind Udbhav is a cybersecurity researcher and technology enthusiast. As a Technical Content Writer at Threatcop, he uses his research experience to create informative content that helps the audience understand core concepts easily.
