
Russia-Linked Hackers Use Microsoft 365 Device Code Phishing for Account Takeovers - The Hacker News

The Hacker News · Archived Mar 19, 2026



Ravie Lakshmanan · Dec 19, 2025 · Cybersecurity / Cloud Security

A suspected Russia-aligned group has been attributed to a phishing campaign that abuses the device code authentication workflow to steal victims' Microsoft 365 credentials and carry out account takeover attacks.

The activity, ongoing since September 2025, is being tracked by Proofpoint under the moniker UNK_AcademicFlare. The attacks use compromised email addresses belonging to government and military organizations to target entities in the government, think tank, higher education, and transportation sectors in the U.S. and Europe.

"Typically, these compromised email addresses are used to conduct benign outreach and rapport building related to the targets' area of expertise to ultimately arrange a fictitious meeting or interview," the enterprise security company said.

As part of these efforts, the adversary claims to share a link to a document containing questions or topics for the recipient to review before the meeting. The URL points to a Cloudflare Worker that mimics the compromised sender's Microsoft OneDrive account and instructs the victim to copy the provided code and click "Next" to access the supposed document.

Doing so redirects the user to the legitimate Microsoft device code login URL. Once the previously provided code is entered there, the service generates an access token that the threat actors can then recover to take control of the victim's account.

Device code phishing was documented in detail by both Microsoft and Volexity in February 2025, which attributed use of the technique to Russia-aligned clusters such as Storm-2372, APT29, UTA0304, and UTA0307. Over the past couple of months, Amazon Threat Intelligence and Volexity have warned of continued attacks by Russian threat actors that abuse the device code authentication flow.

Proofpoint said UNK_AcademicFlare is likely a Russia-aligned threat actor given its targeting of Russia-focused specialists at multiple think tanks and of Ukrainian government and energy sector organizations.

Data from the company shows that multiple threat actors, both state-aligned and financially motivated, have latched onto the phishing tactic to deceive users into granting access to Microsoft 365 accounts. This includes an e-crime group named TA2723 that has used salary-related lures in phishing emails to direct users to fake landing pages and trigger device code authorization. The October 2025 campaign is assessed to have been fueled by the ready availability of crimeware offerings like the Graphish phishing kit and red-team tools such as SquarePhish.

"Similar to SquarePhish, the [Graphish] tool is designed to be user-friendly and does not require advanced technical expertise, lowering the barrier for entry and enabling even low-skilled threat actors to conduct sophisticated phishing campaigns," Proofpoint said. "The ultimate objective is unauthorized access to sensitive personal or organizational data, which can be exploited for credential theft, account takeover, and further compromise."

To counter the risk posed by device code phishing, the best option is to create a Conditional Access policy that uses the Authentication Flows condition to block device code flow for all users. If that is not feasible, use an allow-list policy that permits device code authentication only for approved users, operating systems, or IP ranges.
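Two defender-side pieces follow from the campaign described above: spotting a successful device code sign-in that was not initiated by the victim, and putting the recommended Conditional Access block in place. The script below is an added example, not code from The Hacker News, Proofpoint or Microsoft. It scans constructed Entra ID sign-in records for completed device-code authentications from outside trusted networks, builds the policy body the article recommends (Authentication Flows condition, block device code flow, all users) for the Microsoft Graph Conditional Access endpoint, and audits an exported policy for that effect. The field and value names (`authenticationProtocol`, `deviceCode`, `authenticationFlows.transferMethods`, `deviceCodeFlow`) follow my reading of the Graph `signIn` and `conditionalAccessPolicy` resources and should be treated as assumptions to verify against current documentation; the sample records and IP ranges are constructed.

```python
"""Device code phishing: detection over sign-in logs and the Conditional Access block.

Added example (not the article's or any vendor's code). Graph field names are
assumptions; verify them against current Microsoft Graph documentation.
"""
import ipaddress
import json

# Constructed sample sign-in records in the shape of Graph `signIn` objects.
SAMPLE_SIGNINS = [
    {"userPrincipalName": "analyst@example.org", "ipAddress": "203.0.113.7",
     "authenticationProtocol": "deviceCode", "appDisplayName": "Microsoft Office",
     "status": {"errorCode": 0}},                     # success from an unknown IP
    {"userPrincipalName": "analyst@example.org", "ipAddress": "198.51.100.22",
     "authenticationProtocol": "oAuth2", "appDisplayName": "Microsoft Teams",
     "status": {"errorCode": 0}},                     # ordinary interactive login
    {"userPrincipalName": "admin@example.org", "ipAddress": "198.51.100.40",
     "authenticationProtocol": "deviceCode", "appDisplayName": "Azure CLI",
     "status": {"errorCode": 50126}},                 # failed device-code attempt
]

# Constructed: address ranges the organisation treats as its own.
TRUSTED_NETS = [ipaddress.ip_network("198.51.100.0/24")]


def flag_device_code_signins(signins, trusted_nets=TRUSTED_NETS):
    """Return successful device-code sign-ins originating outside trusted networks.

    In the campaign described in the article the victim types the code on the
    legitimate Microsoft login page, but the resulting session belongs to the
    device the attacker started the flow from, so the sign-in record shows the
    device code protocol and an IP the user never used.
    """
    hits = []
    for s in signins:
        if s.get("authenticationProtocol") != "deviceCode":
            continue
        if s.get("status", {}).get("errorCode", 0) != 0:
            continue  # failed attempts are noise for takeover hunting
        ip = ipaddress.ip_address(s["ipAddress"])
        if any(ip in net for net in trusted_nets):
            continue
        hits.append((s["userPrincipalName"], s["ipAddress"], s["appDisplayName"]))
    return hits


def build_block_device_code_policy(display_name="Block device code flow"):
    """Policy body for POST /identity/conditionalAccess/policies (field names assumed).

    Created in report-only state so the impact on legitimate device-code users
    (CLIs, headless devices) can be reviewed before switching to "enabled".
    """
    return {
        "displayName": display_name,
        "state": "enabledForReportingButNotEnforced",
        "conditions": {
            "users": {"includeUsers": ["All"]},
            "applications": {"includeApplications": ["All"]},
            "authenticationFlows": {"transferMethods": "deviceCodeFlow"},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }


def policy_blocks_device_code(policy):
    """True if an exported policy is enforced and blocks device code flow for all users/apps."""
    c = policy.get("conditions", {})
    methods = c.get("authenticationFlows", {}).get("transferMethods") or ""
    # transferMethods is a comma-separated flags value, e.g. "deviceCodeFlow,authenticationTransfer"
    return (
        policy.get("state") == "enabled"
        and "deviceCodeFlow" in [m.strip() for m in methods.split(",")]
        and c.get("users", {}).get("includeUsers") == ["All"]
        and c.get("applications", {}).get("includeApplications") == ["All"]
        and "block" in policy.get("grantControls", {}).get("builtInControls", [])
    )


if __name__ == "__main__":
    for hit in flag_device_code_signins(SAMPLE_SIGNINS):
        print("review:", hit)
    policy = build_block_device_code_policy()
    print(json.dumps(policy, indent=2))
    print("report-only policy enforces block:", policy_blocks_device_code(policy))
    print("enabled policy enforces block:",
          policy_blocks_device_code(dict(policy, state="enabled")))
```

The audit function deliberately returns false for a report-only policy: a tenant that created the policy but never moved it out of report-only mode still allows the flow, which is the kind of gap a periodic check over exported policies is meant to catch. For the allow-list variant the article mentions as a fallback, the same condition would be paired with exclusions for the approved users, platforms or named locations rather than a blanket block.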
Article Info
Source: The Hacker News
Category: Email Security
Published: Mar 19, 2026