Cybersecurity

Russia-linked Hackers Use Microsoft 365 Device Code Phishing For...

2025-12-19 0 views admin
Russia-linked Hackers Use Microsoft 365 Device Code Phishing For...

A suspected Russia-aligned group has been attributed to a phishing campaign that employs device code authentication workflows to steal victims' Microsoft 365 credentials and conduct account takeover attacks.

The activity, ongoing since September 2025, is being tracked by Proofpoint under the moniker UNK_AcademicFlare.

The attacks involve using compromised email addresses belonging to government and military organizations to strike entities within government, think tanks, higher education, and transportation sectors in the U.S. and Europe.

"Typically, these compromised email addresses are used to conduct benign outreach and rapport building related to the targets' area of expertise to ultimately arrange a fictitious meeting or interview," the enterprise security company said.

As part of these efforts, the adversary claims to share a link to a document that includes questions or topics for the email recipient to review before the meeting. The URL points to a Cloudflare Worker URL that mimics the compromised sender's Microsoft OneDrive account and instructs the victim to copy the provided code and click "Next" to access the supposed document.

However, doing so redirects the user to the legitimate Microsoft device code login URL, where, once the previously provided code is entered, it causes the service to generate an access token that can then be recovered by the three actors to take control of the victim account.

Device code phishing was documented in detail by both Microsoft and Volexity in February 2025, attributing the use of the attack method to Russia-aligned clusters such as Storm-2372, APT29, UTA0304, and UTA0307. Over the past couple of months, Amazon Threat Intelligence and Volexity have warned of continued attacks mounted by Russian threat actors by abusing the device code authentication flow.

Proofpoint said UNK_AcademicFlare is likely a Russia-aligned threat actor given its targeting of Russia-focused specialists at multiple think tanks and Ukrainian government and energy sector organizations.

Data from the company shows that multiple threat actors, both state-aligned and financially-motivated, have latched onto the phishing tactic to deceive users into giving them access to Microsoft 365 accounts. This includes an e-crime group named TA2723 that has used salary-related lures in phishing emails to direct users to fake landing pages and trigger device code authorization.

The October 2025 campaign is assessed to have been fueled by the rea

Source: The Hacker News

🏷️ Tags

securityhackattackthreat

More from Cybersecurity

Cisco Vpns, Email Services Hit In Separate Threat Campaigns 2025

Cisco Vpns, Email Services Hit In Separate Threat Campaigns 2025

2025-12-19 0
Microsoft Confirms Teams Is Down And Messages Are Delayed 2025

Microsoft Confirms Teams Is Down And Messages Are Delayed 2025

2025-12-19 0
Nigeria Arrests Dev Of Microsoft 365 'raccoon0365' Phishing Platform

Nigeria Arrests Dev Of Microsoft 365 'raccoon0365' Phishing Platform

2025-12-19 0
Microsoft 365 Accounts Targeted In Wave Of Oauth Phishing Attacks

Microsoft 365 Accounts Targeted In Wave Of Oauth Phishing Attacks

2025-12-19 0

Trending

1

CVE-2025-61481: Critical Remote Code Execution Vulnerability in MikroTik RouterOS & SwitchOS

2025-10-27 • 189 views
2

CVE-2025-43939: Dell Unity OS Command Injection (High)

2025-10-30 • 148 views
3

Google disputes false claims of massive Gmail data breach

2025-10-30 • 130 views
4

Microsoft: DNS outage impacts Azure and Microsoft 365 services

2025-10-30 • 88 views
5

3.5B Accounts, 1 Critical Flaw: Meta Closes WhatsApp Data-Harvesting

2025-11-25 • 81 views