Russia-Linked Hackers Use Microsoft 365 Device Code Phishing for Account Takeovers
In late 2025, cybersecurity firms and Microsoft itself sounded the alarm on a sophisticated and evolving phishing campaign attributed to Russia-linked threat actors that exploit a legitimate Microsoft authentication workflow — the OAuth 2.0 device code flow — to perform widespread Microsoft 365 account takeovers. This technique, known as device code phishing, allows attackers to bypass traditional password and even multi-factor authentication protections by hijacking the authentication process itself. The Hacker News
Unlike classical phishing that steals a user’s password, device code phishing tricks users into granting direct authorization to malicious applications — and because the process uses Microsoft’s own login pages and tokens, many security systems fail to recognize the attack as suspicious. BleepingComputer
This campaign, observed since at least September 2025, has affected government agencies, think tanks, universities, transportation organizations, and other high-value targets across Europe, North America, Africa, and beyond, underscoring the global reach and impact of these credential theft operations. The Hacker News
What Is Device Code Phishing? A Deep Dive
The OAuth Device Code Authentication Flow
The OAuth 2.0 device code flow was designed to enable authentication on devices without full browsers or sophisticated input — such as smart TVs, game consoles, or IoT terminals. In brief:
- A device requests a device code and displays it to the user.
- The user enters that code into a legitimate Microsoft sign-in page via another device (like a phone or laptop).
- Upon successful entry, Microsoft’s authentication server issues tokens (access and refresh tokens) to the requesting device, authorizing ongoing API and service access without needing to re-enter passwords or frequent MFA prompts.
This flow should be secure when used as intended — but attackers have found a way to exploit the human interaction component: convincing users to enter attacker-provided codes during a legitimate sign-in process. LinkedIn
How Hackers Abuse It
In the malicious variant:
- The threat actor generates a legitimate Microsoft device code (using a valid client ID such as the Microsoft Authentication Broker).
- The attacker then sends the victim a phishing email or chat message prompting action: reviewing a document, joining a meeting, or accessing a resource.
- The message contains a link that redirects victims to the official Microsoft device login page (microsoft.com/devicelogin).
- Victims are instructed to enter the provided code — believing it’s necessary for legitimate authentication — but in reality, they have authorized the attacker’s device or application to access their account.
Once the code is entered, the victim completes an authentic login with Microsoft’s servers, and Microsoft issues the resulting tokens to the client that originally requested the code, which the attacker can immediately capture and reuse. LinkedIn
Because this flow uses Microsoft’s official authentication service and doesn’t involve entering a username or password directly on a phishing page, it bypasses many traditional phishing defenses and even MFA protections. BleepingComputer
The Threat Actors: Storm-2372 and UNK_AcademicFlare
Multiple security agencies have linked the ongoing campaigns to Russia-aligned cyber groups, though not all attacks are identical.
Storm-2372
Microsoft Threat Intelligence has tracked a threat cluster called Storm-2372, assessed with medium confidence to be aligned with Russian state interests and tradecraft. This group has employed device code phishing at scale since at least August 2024, targeting government, NGOs, defense, telecom, healthcare, and energy sector organizations across multiple continents. LinkedIn
Storm-2372’s methodology blends technical manipulation of OAuth flows with sophisticated social engineering — often initiating contact through messaging platforms like WhatsApp, Signal, or Microsoft Teams before sending phishing lures. LinkedIn
Once authenticated access tokens are obtained, Storm-2372 uses them to search emails and other data for keywords (like “credentials,” “admin,” “secret,” or government-related terms) and exfiltrate sensitive information. LinkedIn
UNK_AcademicFlare
Proofpoint, a leading email security firm, tracks a Russia-linked group under the moniker UNK_AcademicFlare conducting similar activity since September 2025. Rather than traditional credential theft, this subgroup leverages compromised email addresses from government and military organizations to impersonate trusted contacts and build rapport before delivering phishing links. The Hacker News
By initiating conversations related to shared topics of expertise — for example, preparing for a supposed interview or meeting — UNK_AcademicFlare increases the likelihood that victims will comply with device code prompts. The Hacker News
Both Storm-2372’s and UNK_AcademicFlare’s campaigns demonstrate highly targeted social engineering, but also show that even moderately skilled attackers can leverage crimeware tools like SquarePhish and Graphish to automate parts of the phishing workflow. The Hacker News
Why Device Code Phishing Is So Effective
1. Bypasses Password and MFA Defenses
Because the victim enters a device code into a legitimate Microsoft page instead of typing a password into a malicious page, traditional defenses such as password breach detection, heuristics, and fraud engines are largely blind to the attack. BleepingComputer
Similarly, MFA mechanisms like SMS codes, Microsoft Authenticator, or push notifications cannot stop this flow — users are already consenting to authorize the session through the device code mechanism, making the authentication appear legitimate. BleepingComputer
2. Uses Microsoft’s Own Infrastructure
Since the final authentication happens on Microsoft’s servers and not on a fake or phishing domain, many security solutions that block phishing pages based on domain reputation or URL characteristics fail to detect the deception. BleepingComputer
Attackers even use Cloudflare Worker URLs or other trusted content delivery networks (CDNs) to host initial lures, further reducing suspicion. The Hacker News
3. Persistent Token Access and Lateral Movement
Once attackers obtain a valid access token and refresh token, they can maintain access to the victim’s Microsoft 365 environment without needing further user interaction. With refresh tokens, adversaries can request new access tokens indefinitely unless the tokens are revoked. This enables extended persistence and lateral movement within the compromised tenant. LinkedIn
Using the Microsoft Graph API, attackers can enumerate mailboxes, download files, and communicate as the user, expanding the impact of the breach. LinkedIn
Real-World Impact on Organizations
The consequences of a successful device code phishing attack can be severe:
Unauthorized Access to Emails and Files
With access to Exchange Online, OneDrive, SharePoint, and Teams, attackers can read and exfiltrate sensitive organizational data, including internal communication, financial records, strategic plans, and personal user information. LinkedIn
Lateral Phishing and Escalation
Once inside a compromised account, attackers can send additional phishing emails to internal and external contacts, propagating further compromise and expanding their foothold — a tactic known as internal phishing. LinkedIn
Credential Harvesting and Privilege Escalation
Attackers may search for stored credentials, VPN configurations, or administrative access within email threads or documents. They might also attempt to register new devices in Microsoft Entra ID to enable ongoing access. LinkedIn
Operational Disruption
For government and critical infrastructure organizations, unauthorized access to key communication systems or sensitive files can disrupt operations, expose classified information, and erode public trust. LinkedIn
Defending Against Device Code Phishing
Given the novel nature of this threat, defending against it requires both technical controls and user awareness:
1. Restrict or Block Device Code Flow
The most effective technical mitigation is to block the device code authentication flow where it is not required. Organizations can implement Conditional Access policies in Microsoft Entra ID to block device code authentication for all users or to enforce an allow-list for specific users, devices, or IP ranges. The Hacker News
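As an added example (not code from the article or from Microsoft), the following Python builds the Conditional Access policy body that blocks the device code flow and audits an existing policy list to confirm the flow is actually blocked tenant-wide. Field names follow the Microsoft Graph conditionalAccessPolicy resource; the tenant policies and the exempted user ID are constructed.

```python
# Added example: build a Graph conditionalAccessPolicy body that blocks the
# device code flow, and audit a policy list for an effective block.
# Tenant data below is constructed; "kiosk-svc-0001" is a placeholder user ID.

def build_block_device_code_policy(allowed_user_ids=()):
    """Return a policy body blocking device code sign-ins for all users,
    optionally exempting an allow-list of user object IDs."""
    return {
        "displayName": "Block device code flow",
        "state": "enabled",
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeUsers": list(allowed_user_ids)},
            "applications": {"includeApplications": ["All"]},
            "clientAppTypes": ["all"],
            # transferMethods is a comma-separated flags string in Graph
            "authenticationFlows": {"transferMethods": "deviceCodeFlow"},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }


def device_code_flow_blocked(policies):
    """Return (blocked, exempt_user_ids). A policy counts only if it is
    enabled (not report-only), covers all users and all apps, matches the
    deviceCodeFlow transfer method, and grants 'block'."""
    blocked, exempt = False, set()
    for p in policies:
        if p.get("state") != "enabled":
            continue  # report-only or disabled policies block nothing
        cond = p.get("conditions", {})
        methods = cond.get("authenticationFlows", {}).get("transferMethods", "")
        if "deviceCodeFlow" not in [m.strip() for m in methods.split(",")]:
            continue
        if "block" not in p.get("grantControls", {}).get("builtInControls", []):
            continue
        if "All" not in cond.get("users", {}).get("includeUsers", []):
            continue
        if "All" not in cond.get("applications", {}).get("includeApplications", []):
            continue
        blocked = True
        exempt.update(cond["users"].get("excludeUsers", []))
    return blocked, sorted(exempt)


# Constructed tenant: a report-only policy that looks right but enforces nothing
TENANT_POLICIES = [
    {"displayName": "Device code (report only)",
     "state": "enabledForReportingButNotEnforced",
     "conditions": {"users": {"includeUsers": ["All"]},
                    "applications": {"includeApplications": ["All"]},
                    "authenticationFlows": {"transferMethods": "deviceCodeFlow"}},
     "grantControls": {"operator": "OR", "builtInControls": ["block"]}},
]
```

The audit deliberately treats report-only policies as not blocking, which is the most common reason a tenant believes device code is disabled when it is not.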
2. Enforce Phishing-Resistant MFA
Using authentication methods such as FIDO2 security keys or phishing-resistant MFA apps can help reduce the risk of unauthorized token authorizations, even when a phishing attempt bypasses traditional MFA prompts. LinkedIn
3. Monitor for Suspicious Device Registrations
Administrators should audit device registrations and refresh tokens in Entra ID for signs of compromise. Unusual new devices, especially those registered rapidly after a suspicious sign-in, can be early indicators of account takeover. LinkedIn
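As an added example (not from the article or from Microsoft), this Python correlates sign-in records that used the device code flow with device registrations by the same user shortly afterwards. Field names mirror the Graph signIn (authenticationProtocol, status.errorCode) and directoryAudit resources; the records and the IP allow-list are constructed.

```python
# Added example: flag successful device-code sign-ins from unexpected IPs and
# raise severity when the same user registers a device soon after.
# All records and the allow-list below are constructed sample data.
from datetime import datetime, timedelta

SIGN_INS = [  # constructed Graph signIn records
    {"userPrincipalName": "alice@example.org", "createdDateTime": "2025-10-02T09:14:03Z",
     "authenticationProtocol": "deviceCode", "ipAddress": "203.0.113.45",
     "status": {"errorCode": 0}},
    {"userPrincipalName": "bob@example.org", "createdDateTime": "2025-10-02T09:20:11Z",
     "authenticationProtocol": "authorizationCode", "ipAddress": "198.51.100.7",
     "status": {"errorCode": 0}},
    {"userPrincipalName": "carol@example.org", "createdDateTime": "2025-10-02T11:02:40Z",
     "authenticationProtocol": "deviceCode", "ipAddress": "198.51.100.7",
     "status": {"errorCode": 0}},
    {"userPrincipalName": "dave@example.org", "createdDateTime": "2025-10-02T12:00:00Z",
     "authenticationProtocol": "deviceCode", "ipAddress": "203.0.113.9",
     "status": {"errorCode": 50126}},  # failed sign-in: no tokens were issued
]
DEVICE_AUDITS = [  # constructed directoryAudit entries
    {"activityDisplayName": "Register device", "activityDateTime": "2025-10-02T09:21:30Z",
     "initiatedBy": {"user": {"userPrincipalName": "alice@example.org"}}},
]
KNOWN_DEVICE_CODE_EGRESS = {"198.51.100.7"}  # constructed: meeting-room device egress


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def find_device_code_takeovers(sign_ins, audits, allowed_ips, window_minutes=60):
    """One finding per successful device-code sign-in from a non-allow-listed IP;
    severity becomes 'high' if that user registers a device within the window."""
    findings = []
    for s in sign_ins:
        if s["authenticationProtocol"] != "deviceCode":
            continue
        if s["status"]["errorCode"] != 0:
            continue  # the code was never completed, so nothing was authorized
        if s["ipAddress"] in allowed_ips:
            continue
        t0 = _ts(s["createdDateTime"])
        registered = any(
            a["activityDisplayName"] == "Register device"
            and a["initiatedBy"]["user"]["userPrincipalName"] == s["userPrincipalName"]
            and t0 <= _ts(a["activityDateTime"]) <= t0 + timedelta(minutes=window_minutes)
            for a in audits)
        findings.append({"user": s["userPrincipalName"], "ip": s["ipAddress"],
                         "severity": "high" if registered else "medium",
                         "device_registered": registered})
    return findings
```

In a tenant where the device code flow is blocked by Conditional Access, any hit from this check is worth a revocation and a look at the user's recent mail rules and app consents.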
4. User Education and Simulation Training
Because device code phishing relies heavily on social engineering, ongoing user training is critical. Users should be taught to question unexpected prompts to enter codes — especially when received via email, messaging apps (like Signal or WhatsApp), or Teams invitations. LinkedIn
5. Incident Response and Token Revocation
If compromise is suspected, administrators can immediately revoke tokens using Microsoft APIs (such as revokeSignInSessions) and reset credentials. They should also enable logging and monitoring tools like Microsoft Defender XDR and Microsoft Sentinel for anomalous access patterns. LinkedIn
Conclusion: A Growing Threat in Cloud Security
The rise of device code phishing represents a significant evolution in phishing tactics — weaponizing legitimate authentication mechanisms to bypass traditional password and MFA defenses. By leveraging Microsoft’s own authentication flow and social engineering, Russia-linked groups like Storm-2372 and UNK_AcademicFlare are achieving account takeovers against high-value targets with stealth and persistence. The Hacker News
Organizations must adapt their defensive strategies to this new reality by configuring Conditional Access policies, enforcing phishing-resistant authentication, and investing in robust user education and monitoring programs. The security landscape is shifting, and what once was considered a secure login workflow can now be manipulated into a powerful attack vector unless proactively defended against.