Russian Cyber Operatives Exploit Microsoft 365 Device Code Phishing to Hijack Accounts
In a cyber espionage campaign identified by Proofpoint and tracked as UNK_AcademicFlare, a group suspected to be aligned with Russian interests has been targeting Microsoft 365 accounts with device code phishing. The operation has been ongoing since September 2025 and primarily focuses on government, think tank, higher education, and transportation sector entities across the United States and Europe.
Modus Operandi
The attackers begin by compromising email accounts belonging to government and military organizations. These hijacked accounts are then used to send seemingly benign emails to potential targets, typically proposing a fictitious meeting or interview related to the recipient's area of expertise. Because the sender is a real account at a real institution, the message passes sender-reputation checks and is intended to build rapport and lower the recipient's guard.
Within these emails, the adversaries include a link purportedly leading to a document containing discussion topics or questions for the upcoming meeting. The link directs the recipient to a Cloudflare Worker URL that mimics a legitimate Microsoft OneDrive page. On that page the victim is shown a short code and instructed to copy it and click Next to view the document.
Following these instructions sends the user to Microsoft's genuine device code login page, so the URL, certificate, and sign-in experience are all authentic. What the victim does not see is that the attackers have already started a device authorization request on their own machine; the code shown on the decoy page is the user code Microsoft issued for that request. When the victim signs in (completing MFA if prompted) and enters the code, Microsoft authorizes the flow the attacker created, and the attacker's client, which has been polling the token endpoint in the meantime, receives the access token for the victim's Microsoft 365 account. No interception is required: the tokens are issued directly to the party that initiated the request.
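The exchange described above, as an added example that is not part of Proofpoint's report or Microsoft's code: an in-memory model of the OAuth 2.0 device authorization grant (RFC 8628) with stand-ins for the /devicecode, /devicelogin and /token endpoints. It shows why the party that starts the flow, not the user who types the code, ends up holding the tokens, and what the victim's delay does to the outcome. The endpoint names, the 15-minute code lifetime, the 5-second poll interval, the client id and the user names are all assumptions of the model.

```python
"""RFC 8628 device authorization grant, modelled in memory.

Added example, not code from Proofpoint's report or from Microsoft. A minimal
stand-in for an identity provider's /devicecode, /devicelogin and /token
endpoints, written to show why the requester that starts the flow, not the
user who types the code, receives the tokens. The code lifetime, poll
interval, client id and user names are assumptions.
"""
import secrets
import string
import time

CODE_ALPHABET = string.ascii_uppercase + string.digits
CODE_LIFETIME = 15 * 60   # assumed; RFC 8628 leaves the lifetime to the server
POLL_INTERVAL = 5         # assumed


class IdentityProvider:
    """In-memory device-code authorization server."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.flows = {}          # device_code -> flow state

    def device_authorization(self, client_id, scope):
        """Step 1 (requester's machine): POST /devicecode."""
        device_code = secrets.token_urlsafe(32)
        user_code = "".join(secrets.choice(CODE_ALPHABET) for _ in range(9))
        self.flows[device_code] = {
            "client_id": client_id,
            "scope": scope,
            "user_code": user_code,
            "expires_at": self.clock() + CODE_LIFETIME,
            "authorized_by": None,
            "redeemed": False,
        }
        return {
            "device_code": device_code,   # secret, never leaves the requester
            "user_code": user_code,       # the short code the lure asks the target to copy
            "verification_uri": "https://idp.example/devicelogin",  # assumed
            "expires_in": CODE_LIFETIME,
            "interval": POLL_INTERVAL,
        }

    def device_login(self, user_code, signed_in_user):
        """Step 2 (user's browser): the user signs in at verification_uri and
        types the code. Nothing here identifies who obtained the code or
        which device will redeem it; the code alone ties this consent to
        the requester's flow."""
        for flow in self.flows.values():
            if flow["user_code"] != user_code:
                continue
            if self.clock() > flow["expires_at"]:
                return "expired_code"
            flow["authorized_by"] = signed_in_user
            return "ok"
        return "invalid_code"

    def token(self, client_id, device_code):
        """Step 3 (requester's machine): POST /token with the device_code,
        repeated every `interval` seconds until the user has acted."""
        flow = self.flows.get(device_code)
        if flow is None or flow["client_id"] != client_id or flow["redeemed"]:
            return {"error": "invalid_grant"}
        if self.clock() > flow["expires_at"]:
            return {"error": "expired_token"}
        if flow["authorized_by"] is None:
            return {"error": "authorization_pending"}
        flow["redeemed"] = True
        user = flow["authorized_by"]
        return {
            "token_type": "Bearer",
            "scope": flow["scope"],
            # Stand-ins for real tokens; the point is whose identity they carry.
            "access_token": f"access-token-for:{user}",
            # Issued only when offline_access was requested; it is what lets the
            # requester keep using the account after the access token expires.
            "refresh_token": (f"refresh-token-for:{user}"
                              if "offline_access" in flow["scope"] else None),
        }


def run_lure(victim_delay=60):
    """Play the exchange against the model IdP. `victim_delay` is how many
    seconds pass between the lure being shown and the target entering the code."""
    now = [1_000_000.0]                       # controllable fake clock
    idp = IdentityProvider(clock=lambda: now[0])
    client = "public-client-id"               # assumed public client id

    # The requester (the attacker) starts the flow on their own machine.
    grant = idp.device_authorization(client, "Mail.Read offline_access")
    # Polling before the target acts only yields authorization_pending.
    pending = idp.token(client, grant["device_code"])
    # The target, lured to the decoy page, copies grant["user_code"] and enters
    # it on the genuine verification_uri after signing in as themselves.
    now[0] += victim_delay
    login = idp.device_login(grant["user_code"], "analyst@target.example")
    # The requester's next poll receives tokens minted for the target's account.
    result = idp.token(client, grant["device_code"])
    return {"pending": pending, "login": login, "result": result}


if __name__ == "__main__":
    print(run_lure())
    print(run_lure(victim_delay=CODE_LIFETIME + 1))
```

The second call shows the time pressure behind the "click Next to view the document" wording: a code entered after the lifetime is refused and the requester's poll returns expired_token, so a working lure has to get the target to act within minutes of the code being issued.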
Evolution of Device Code Phishing
Device code phishing is not a novel tactic. Earlier in 2025, both Microsoft and cybersecurity firm Volexity documented similar methods employed by Russian-affiliated groups such as Storm-2372, APT29, UTA0304, and UTA0307, all of which abused the device code authentication flow to gain unauthorized access to accounts. In recent months, Amazon Threat Intelligence and Volexity have reported continued attacks by Russian threat actors leveraging the same technique.
Attribution and Targeting
Proofpoint’s analysis suggests that UNK_AcademicFlare is likely a Russia-aligned threat actor. This assessment is based on the group’s targeting patterns, which include specialists focused on Russian affairs at various think tanks, as well as Ukrainian government and energy sector organizations.
The use of device code phishing is not limited to state-sponsored actors. Financially motivated cybercriminal groups have also adopted this method. For instance, an e-crime group known as TA2723 has utilized salary-related lures in phishing emails to direct users to fraudulent landing pages, prompting device code authorization.
The proliferation of such attacks has been helped by the availability of crimeware tools like the Graphish phishing kit and red-team utilities such as SquarePhish, which automate requesting the device code, presenting it to the target, and polling for the resulting tokens. These tools are designed to be user-friendly, lowering the barrier to entry for less technically skilled threat actors.
Mitigation Strategies
To defend against device code phishing, organizations are advised to implement Conditional Access policies that block the device code authentication flow for all users; Conditional Access exposes this as an authentication flows condition. If outright blocking is not feasible, because headless devices or command-line tools genuinely rely on the flow, a more granular approach is to allow device code authentication only for approved users, specific operating systems, or designated IP ranges, and to treat any device code sign-in outside those exceptions as an alert. Device code sign-ins can be distinguished in Entra ID sign-in logs by the authentication protocol field, which makes such a policy straightforward to audit and to hunt against retroactively.
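One way to turn the granular policy above into detection logic, as an added example that is not Microsoft's or Proofpoint's code: the records below are constructed to mirror the sign-in log fields that matter here (authenticationProtocol, userPrincipalName, ipAddress, deviceDetail.operatingSystem), and the allowlist of users, IP ranges and operating systems is hypothetical. Device code sign-ins that do not satisfy every exception are returned for analyst attention; other protocols are left alone.

```python
"""Triage sign-in records for device-code use outside an allowlist.

Added example, not Microsoft's or Proofpoint's code. The sample records are
constructed, not real log data, and mirror the Graph signIn fields used here.
The allowlist is hypothetical and stands in for the Conditional Access
exceptions an organization would grant instead of a blanket block.
"""
import ipaddress
import json

# Hypothetical exceptions: who may still use device code, from where, on what.
ALLOWLIST = {
    "users": {"svc-meetingroom@example.org"},
    "cidrs": [ipaddress.ip_network("203.0.113.0/24")],   # documentation range
    "os_prefixes": ("Windows",),
}

# Constructed sample records, one JSON object per line.
SAMPLE_LOG = """\
{"userPrincipalName":"alice@example.org","ipAddress":"203.0.113.10","authenticationProtocol":"oAuth2","deviceDetail":{"operatingSystem":"Windows10"}}
{"userPrincipalName":"svc-meetingroom@example.org","ipAddress":"203.0.113.40","authenticationProtocol":"deviceCode","deviceDetail":{"operatingSystem":"Windows10"}}
{"userPrincipalName":"analyst@example.org","ipAddress":"198.51.100.77","authenticationProtocol":"deviceCode","deviceDetail":{"operatingSystem":"Linux"}}
{"userPrincipalName":"svc-meetingroom@example.org","ipAddress":"198.51.100.9","authenticationProtocol":"deviceCode","deviceDetail":{"operatingSystem":"Windows10"}}
"""


def evaluate(record, allowlist=ALLOWLIST):
    """Return (verdict, reasons). Sign-ins that did not use device code are
    out of scope; a device-code sign-in must satisfy every constraint."""
    if record.get("authenticationProtocol") != "deviceCode":
        return "not-device-code", []
    reasons = []
    if record.get("userPrincipalName") not in allowlist["users"]:
        reasons.append("user not approved for device code")
    try:
        ip = ipaddress.ip_address(record.get("ipAddress", ""))
        if not any(ip in net for net in allowlist["cidrs"]):
            reasons.append(f"ip {ip} outside approved ranges")
    except ValueError:
        reasons.append("missing or malformed ipAddress")
    os_name = (record.get("deviceDetail") or {}).get("operatingSystem", "")
    if not os_name.startswith(allowlist["os_prefixes"]):
        reasons.append(f"operating system {os_name!r} not approved")
    return ("allow" if not reasons else "alert"), reasons


def triage(log_text, allowlist=ALLOWLIST):
    """Parse JSON lines and return the device-code sign-ins that need a look."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        record = json.loads(line)
        verdict, reasons = evaluate(record, allowlist)
        if verdict == "alert":
            findings.append({
                "user": record.get("userPrincipalName"),
                "ip": record.get("ipAddress"),
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding["user"], finding["ip"], "; ".join(finding["reasons"]))
```

Run against the sample, the approved service account signing in from the approved range on Windows passes, while the analyst's Linux sign-in from an unknown address and the service account's sign-in from outside the range are both returned. Requiring every constraint at once, rather than any one of them, matters: an attacker who phishes an approved user still has to come from an approved address on an approved platform.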
Additionally, organizations should educate their employees about the risks associated with phishing and encourage vigilance when interacting with unsolicited emails, especially those asking them to enter a code on a sign-in page. The tell is worth stating plainly in training: a legitimate shared document never requires typing a code into Microsoft's device login page, and a prompt to do so means someone else has started a sign-in in the user's name.
Conclusion
The exploitation of device code authentication by Russian-linked cyber operatives shows how phishing adapts to defenses: the attack sends victims to a genuine Microsoft page and lets them satisfy MFA themselves, so URL inspection and second factors alone do not stop it. By understanding how the flow is abused and restricting it where it is not needed, organizations can better protect themselves against unauthorized access and potential data breaches.