Russia-Linked Hackers Leverage Microsoft 365 Device Code Phishing for Account Takeovers

These articles are AI-generated summaries. Please check the original sources for full details.

Russia-Linked Hackers Use Microsoft 365 Device Code Phishing for Account Takeovers

A suspected Russia-aligned group, tracked as UNK_AcademicFlare, is conducting a phishing campaign exploiting Microsoft 365 device code authentication to steal credentials. The campaign began in September 2025 and targets government, defense, academic, transportation, and think tank organizations in the U.S. and Europe.

Why This Matters

Ideal security models assume users will recognize malicious requests, but device code phishing specifically circumvents this by directing users to legitimate Microsoft login pages. The resulting account takeovers can lead to significant data breaches and intellectual property theft; organizations face potential response costs that can easily exceed six figures depending on the scale of compromise.

Key Insights

  • Device code phishing documented in February 2025: Microsoft and Volexity detailed use of the technique by Russia-aligned groups such as Storm-2372 and APT29.
  • Crimeware as a Service: Attackers now rely on kits such as Graphish and SquarePhish, lowering the barrier to entry for sophisticated phishing assaults.
  • Conditional Access is key: Microsoft provides native tooling, like Conditional Access policies, to disrupt device code phishing attacks.
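
One way to check that the Conditional Access control mentioned above is actually in force, as an added example that is not part of the original article: it audits policies exported from Microsoft Graph (`/identity/conditionalAccess/policies`) for an enforced block on the device code flow. The sample policies are constructed, the function names are hypothetical, and `transferMethods` is assumed to arrive as a comma-separated string (a list is also accepted).

```python
import json

# Constructed sample, shaped like a Graph conditionalAccessPolicy export.
SAMPLE_POLICIES = json.loads("""[
 {"displayName": "Block device code flow (pilot)",
  "state": "enabledForReportingButNotEnforced",
  "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": []},
                 "authenticationFlows": {"transferMethods": "deviceCodeFlow"}},
  "grantControls": {"builtInControls": ["block"]}},
 {"displayName": "Block device code flow", "state": "enabled",
  "conditions": {"users": {"includeUsers": ["All"],
                           "excludeUsers": ["00000000-0000-0000-0000-000000000001"]},
                 "authenticationFlows":
                     {"transferMethods": "deviceCodeFlow,authenticationTransfer"}},
  "grantControls": {"builtInControls": ["block"]}},
 {"displayName": "Require MFA for all users", "state": "enabled",
  "conditions": {"users": {"includeUsers": ["All"]}},
  "grantControls": {"builtInControls": ["mfa"]}}
]""")

def audit_device_code_policies(policies):
    """Return one finding per policy that blocks the device code flow."""
    findings = []
    for p in policies:
        cond = p.get("conditions") or {}
        flows = (cond.get("authenticationFlows") or {}).get("transferMethods") or ""
        flows = flows if isinstance(flows, str) else ",".join(flows)
        targets_flow = "deviceCodeFlow" in [f.strip() for f in flows.split(",")]
        blocks = "block" in ((p.get("grantControls") or {}).get("builtInControls") or [])
        if not (targets_flow and blocks):
            continue
        users = cond.get("users") or {}
        keys = ("excludeUsers", "excludeGroups", "excludeRoles")
        findings.append({
            "policy": p.get("displayName"),
            # Report-only policies log matches but do not stop the sign-in.
            "enforced": p.get("state") == "enabled",
            "all_users": "All" in (users.get("includeUsers") or []),
            # Every exclusion is an account the block does not protect.
            "exclusions": [x for k in keys for x in users.get(k) or []],
        })
    return findings

def tenant_blocks_device_code(policies):
    """True only if an enforced policy blocks the flow for all users."""
    return any(f["enforced"] and f["all_users"]
               for f in audit_device_code_policies(policies))
```

A `True` result still needs the listed exclusions reviewed, since excluded users, groups and roles remain reachable through the device code flow.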

Practical Applications

  • Use Case: Attackers send government agencies rapport-building emails to arrange fictitious meetings, then lure them with malicious links that trigger device code authorization.
  • Pitfall: Relying solely on user awareness training; device code phishing exploits a legitimate authentication flow, making it difficult for even security-conscious users to detect.
