- A Russia-aligned threat group named UNK_AcademicFlare has conducted a phishing campaign since September 2025 targeting Microsoft 365 users.
- The attacks misuse compromised email accounts from government and military organizations to target sectors like government, think tanks, higher education, and transportation in the U.S. and Europe.
- The phishing scheme exploits Microsoft’s device code authentication flow to hijack account access tokens and take over victim accounts.
- Both state-aligned and criminal actors, including the e-crime group TA2723, have adopted this tactic, supported by widely available phishing kits and tools like Graphish and SquarePhish.
- Countermeasures include implementing Conditional Access policies to block or restrict device code authentication for users.
Since September 2025, a suspected Russia-aligned group known as UNK_AcademicFlare has executed a phishing campaign targeting Microsoft 365 credentials. The campaign mainly impacts entities in government, think tanks, higher education, and transportation sectors across the U.S. and Europe.
The threat actors use compromised email addresses tied to government and military organizations to initiate trusted communications. They build rapport by referencing the targets’ professional expertise and arrange fictitious meetings or interviews. In these interactions, victims receive links to documents hosted on a Cloudflare Worker URL that mimics the sender’s Microsoft OneDrive account. Victims are instructed to copy a provided device code and press “Next” to access these supposed documents.
Entering the code redirects victims to the legitimate Microsoft device code login portal. Once the code is entered, Microsoft generates an access token, enabling the threat actors to seize control of the victim’s account. Proofpoint tracks this campaign under UNK_AcademicFlare, attributing it to Russia-aligned actors due to its focus on Russia-oriented specialists, Ukrainian governmental, and energy organizations. The method has been previously documented by Microsoft and Volexity as a known tactic among Russian groups such as Storm-2372 and APT29 as detailed here.
Other malicious actors, including the financially motivated e-crime group TA2723, have also employed device code phishing. TA2723 uses salary-related bait in phishing messages to lure victims to fake pages that trigger device code authorization. The surge in these attacks has been facilitated by accessible crimeware tools like the Graphish phishing kit and red-team frameworks such as SquarePhish. Proofpoint states, “the tool is designed to be user-friendly and does not require advanced technical expertise, lowering the barrier for entry and enabling even low-skilled threat actors to conduct sophisticated phishing campaigns.”
Device code authentication is a process where a user enters a code on a trusted device to grant an application access without entering their password directly. Attackers misuse this flow to fraudulently acquire tokens that allow account takeover.
To mitigate these risks, it is recommended to enforce Conditional Access policies that block device code authentication flows globally or apply allow-lists restricting device code usage to specific users, devices, or network ranges.
✅ Follow BITNEWSBOT on Telegram, Facebook, LinkedIn, X.com, and Google News for instant updates.
