
Russia-Linked Hackers Use Microsoft 365 Device Code Phishing for Account Takeovers

Published:

19 December 2025 at 17:54:00

Alert date:

19 December 2025 at 20:02:36

Source:

thehackernews.com


Identity & Access, Email & Messaging, Enterprise Applications

A suspected Russia-aligned threat group tracked as UNK_AcademicFlare has been conducting an ongoing phishing campaign since September 2025. The campaign exploits Microsoft 365 device code authentication workflows to steal credentials and perform account takeover attacks. The attackers use compromised government email addresses as part of their operations. Proofpoint is tracking this active campaign targeting Microsoft 365 users through device code phishing techniques.

Technical details

The Russia-aligned threat actor UNK_AcademicFlare has been conducting device code phishing attacks since September 2025 using compromised government and military email addresses. The attackers use social engineering to arrange fictitious meetings and share malicious Cloudflare Worker URLs mimicking Microsoft OneDrive accounts, instructing victims to copy a provided code and click 'Next' to access a fake document. The page redirects to the legitimate Microsoft device code login URL, where the entered code generates access tokens that enable account takeover. The campaign uses crimeware tools such as the Graphish phishing kit and the SquarePhish red-team tool.

Mitigation steps:

Create a Conditional Access policy that uses the Authentication Flows condition to block the device code flow for all users. If that is not feasible, use an allow-list policy that permits device code authentication only for approved users, operating systems, or IP ranges. Monitor for suspicious device code authorization requests and unusual login patterns.
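As an added example (not code from the original advisory, Proofpoint, or Microsoft), the Python below covers both halves of the mitigation: it assembles the Microsoft Graph request body for a Conditional Access policy that blocks the device code authentication flow (with optional group and named-location exemptions as the allow-list variant), and it scans Entra ID sign-in records for successful device code sign-ins from an IP address the user has never otherwise signed in from. The Graph field names (`authenticationFlows.transferMethods`, `builtInControls`, `excludeLocations`) and the sign-in fields (`authenticationProtocol`, `ipAddress`) are assumed to match the current Graph `conditionalAccessPolicy` and `signIn` schemas; the sign-in records and the `example.gov` users are constructed sample data.

```python
"""
Defensive helpers for Microsoft 365 device code phishing:
  1. build_device_code_policy(): Graph request body for a Conditional Access
     policy that blocks the device code flow, optionally exempting approved
     groups or named locations (the allow-list variant).
  2. flag_unfamiliar_device_code_signins(): flags successful device code
     sign-ins from an IP never seen in the same user's other sign-ins.
Field names assumed from the Graph conditionalAccessPolicy and signIn schemas;
sample records below are constructed.
"""
from collections import defaultdict
import json

# Assumed endpoint; confirm the API version against current Graph docs.
GRAPH_CA_POLICY_ENDPOINT = "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies"


def build_device_code_policy(display_name,
                             state="enabledForReportingButNotEnforced",
                             exempt_group_ids=(),
                             exempt_location_ids=()):
    """Return the JSON body to POST to GRAPH_CA_POLICY_ENDPOINT.

    Applies to all users and all cloud apps, matches only sign-ins using the
    device code transfer method, and grants 'block'. Exempted groups or named
    locations express an allow-list of approved users or IP ranges. Default
    state is report-only so the policy can be validated before enforcement.
    """
    body = {
        "displayName": display_name,
        "state": state,
        "conditions": {
            "users": {"includeUsers": ["All"],
                      "excludeGroups": list(exempt_group_ids)},
            "applications": {"includeApplications": ["All"]},
            "authenticationFlows": {"transferMethods": "deviceCodeFlow"},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }
    if exempt_location_ids:
        body["conditions"]["locations"] = {
            "includeLocations": ["All"],
            "excludeLocations": list(exempt_location_ids),
        }
    return body


# Constructed sample sign-in records (subset of Graph signIn fields).
# In a device code flow the IP on the token sign-in belongs to the client that
# started and polled the flow, so an attacker-controlled client appears as an
# address the user has never signed in from.
SAMPLE_SIGNINS = [
    {"userPrincipalName": "alice@example.gov", "ipAddress": "203.0.113.10",
     "authenticationProtocol": "authorizationCode", "status": "success",
     "createdDateTime": "2025-12-18T08:02:11Z"},
    {"userPrincipalName": "alice@example.gov", "ipAddress": "203.0.113.10",
     "authenticationProtocol": "authorizationCode", "status": "success",
     "createdDateTime": "2025-12-18T13:40:55Z"},
    {"userPrincipalName": "alice@example.gov", "ipAddress": "198.51.100.7",
     "authenticationProtocol": "deviceCode", "status": "success",
     "createdDateTime": "2025-12-19T09:15:03Z"},
    {"userPrincipalName": "bob@example.gov", "ipAddress": "203.0.113.22",
     "authenticationProtocol": "authorizationCode", "status": "success",
     "createdDateTime": "2025-12-18T07:30:00Z"},
    {"userPrincipalName": "bob@example.gov", "ipAddress": "203.0.113.22",
     "authenticationProtocol": "deviceCode", "status": "success",
     "createdDateTime": "2025-12-19T10:00:41Z"},
    {"userPrincipalName": "carol@example.gov", "ipAddress": "198.51.100.9",
     "authenticationProtocol": "deviceCode", "status": "failure",
     "createdDateTime": "2025-12-19T11:22:09Z"},
]


def flag_unfamiliar_device_code_signins(signins):
    """Return alerts for successful device code sign-ins from unfamiliar IPs.

    Baseline = IPs seen in each user's successful non-device-code sign-ins.
    A successful deviceCode sign-in from outside that baseline (including
    users with no baseline at all) produces an alert.
    """
    baseline = defaultdict(set)
    for s in signins:
        if s["status"] == "success" and s["authenticationProtocol"] != "deviceCode":
            baseline[s["userPrincipalName"]].add(s["ipAddress"])

    alerts = []
    for s in signins:
        if s["authenticationProtocol"] != "deviceCode" or s["status"] != "success":
            continue
        user = s["userPrincipalName"]
        if s["ipAddress"] not in baseline[user]:
            alerts.append({
                "user": user,
                "ipAddress": s["ipAddress"],
                "time": s["createdDateTime"],
                "knownIps": sorted(baseline[user]),
                "reason": "device code sign-in from an IP not in the user's baseline",
            })
    return alerts


if __name__ == "__main__":
    print(json.dumps(build_device_code_policy("Block device code flow"), indent=2))
    for alert in flag_unfamiliar_device_code_signins(SAMPLE_SIGNINS):
        print(alert)
```

On the sample data only Alice's device code sign-in is flagged: Bob's comes from his usual address, and Carol's failed, so no token was issued. The policy is built in report-only state deliberately; switch it to `enabled` once the sign-in log shows no legitimate device code usage being caught.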

Affected products:

Microsoft 365
Microsoft OneDrive

IOCs:

Cloudflare Worker URLs mimicking Microsoft OneDrive accounts
Malicious URLs redirecting to Microsoft device code login pages
Compromised government and military email addresses

This article was created with the assistance of AI technology by Perceptive.

© 2025 by Perceptive Security. All rights reserved.

email: info@perceptivesecurity.com

Disclaimer: This website displays information obtained from external sources. Perceptive accepts no responsibility for the content, accuracy or completeness of this information.
