Hackers Associated with Russia Use Microsoft 365 Device Code Phishing to Take Over Accounts
A phishing effort that uses device code authentication routines to get victims’ Microsoft 365 credentials and carry out account takeover attacks has been linked to a suspected gang with ties to Russia.
Proofpoint is monitoring the activity, which has been going on since September 2025, under the name UNK_AcademicFlare.
The attacks target institutions in the government, think tanks, higher education, and transportation sectors in the United States and Europe by utilizing compromised email accounts that belong to military and governmental groups.
“Typically, these compromised email addresses are used to conduct benign outreach and rapport building related to the targets’ area of expertise to ultimately arrange a fictitious meeting or interview,” the security firm said.
As part of these efforts, the adversary tells the email recipient that they will receive a link to a document with questions or topics to review before the meeting. The link directs the victim to a Cloudflare Workers URL that imitates the compromised sender’s Microsoft OneDrive account and asks them to copy a code and click “Next” in order to view the purported document.
However, doing so takes the user to the genuine Microsoft device code login URL. Once the previously supplied code is entered there, the service issues an access token that the threat actors can retrieve and use to take over the victim’s account.
In February 2025, Microsoft and Volexity published a detailed report on device code phishing, linking the attack technique to Russia-aligned clusters including Storm-2372, APT29, UTA0304, and UTA0307. In recent months, Volexity and Amazon Threat Intelligence have issued warnings about ongoing attempts by Russian threat actors that exploit the device code authentication flow.

Given that UNK_AcademicFlare targets Russia-focused experts at several think tanks as well as Ukrainian government and energy sector institutions, Proofpoint concluded that UNK_AcademicFlare is probably a threat actor with ties to Russia.
According to the company’s data, a number of state-aligned and financially motivated threat actors have taken advantage of the phishing technique to trick users into granting them access to Microsoft 365 accounts. This includes an e-crime group tracked as TA2723, which has directed users to fake landing pages and triggered device code authorization by using salary-related lures in phishing emails.
The availability of crimeware products like the Graphish phishing kit and red-team tools like SquarePhish is thought to have contributed to the October 2025 campaign.
“Similar to SquarePhish, the tool is designed to be user-friendly and does not require advanced technical expertise, lowering the barrier for entry and enabling even low-skilled threat actors to conduct sophisticated phishing campaigns,” Proofpoint stated. “The ultimate objective is unauthorized access to sensitive personal or organizational data, which can be exploited for credential theft, account takeover, and further compromise.”
The best way to combat the threat of device code phishing is to use the Authentication Flows condition to construct a Conditional Access policy that blocks device code flow for all users. If that is not possible, it is recommended to implement a policy that permits device code authentication for authorized users, operating systems, or IP ranges using an allow-list approach.
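The two policy shapes described above, written as an added example with the Microsoft Graph PowerShell SDK (this is not code from Proofpoint or Microsoft; the group, user and named-location IDs are placeholders you must replace with values from your own tenant):

```powershell
# Added example: Conditional Access policies that use the Authentication Flows
# condition to block the device code flow. Requires the Microsoft.Graph.Identity.SignIns
# module and an account holding Policy.ReadWrite.ConditionalAccess.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

# Placeholders (assumptions): replace with object IDs from your own tenant.
$breakGlassUserId  = "<break-glass-account-object-id>"
$deviceCodeGroupId = "<group-of-users-approved-for-device-code>"
$trustedLocationId = "<named-location-id-for-approved-ip-ranges>"

# Variant 1: block device code flow for every user and every app (the recommended baseline).
# Created in report-only mode first so the sign-in logs show what it would have blocked.
$blockAll = @{
    displayName   = "Block device code flow - all users"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users        = @{ includeUsers = @("All"); excludeUsers = @($breakGlassUserId) }
        applications = @{ includeApplications = @("All") }
        # The Authentication Flows condition: this is what targets device code sign-ins.
        authenticationFlows = @{ transferMethods = "deviceCodeFlow" }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}

# Variant 2: allow-list. The same block, carved out for an approved group,
# an approved operating system and approved IP ranges (a named location).
$allowList = @{
    displayName   = "Block device code flow - except approved users, platforms and IPs"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users        = @{
            includeUsers  = @("All")
            excludeUsers  = @($breakGlassUserId)
            excludeGroups = @($deviceCodeGroupId)
        }
        applications = @{ includeApplications = @("All") }
        platforms    = @{ includePlatforms = @("all"); excludePlatforms = @("linux") }
        locations    = @{ includeLocations = @("All"); excludeLocations = @($trustedLocationId) }
        authenticationFlows = @{ transferMethods = "deviceCodeFlow" }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}

# Create whichever variant fits; pick $allowList instead if a full block is not possible.
$policy = New-MgIdentityConditionalAccessPolicy -BodyParameter $blockAll
Write-Host "Created policy $($policy.Id) in state $($policy.State)"
```

Leave the policy in report-only mode until the sign-in logs confirm only unexpected device code sign-ins would be blocked, then switch `state` to `enabled`.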
About The Author:
Yogesh Naager is a content marketer who specializes in the cybersecurity and B2B space. Besides writing for the News4Hackers blogs, he also writes for brands including Craw Security, Bytecode Security, and NASSCOM.