An active campaign from a threat actor potentially linked to Russia is targeting Microsoft 365 accounts of individuals at organizations of interest using device code phishing. The targets are in the government, NGO, IT services and technology, defense, telecommunications, health, and energy/oil and gas sectors in Europe, North America, Africa, and the Middle East.

Microsoft Threat Intelligence Center tracks the threat actors behind the device code phishing campaign as 'Storm-237', Based on interests, victimology, and tradecraft, the researchers have medium confidence that the activity is associated with a nation-state operation that aligns with Russia's interests.

‍