BTC $71,807
2026 Bull Run Is Building Start trading with 5% OFF all fees
Sign Up Now
BTC $71,807
Bull Run 2026 | 5% Off Fees Open your Binance account today
Sign Up

Russia-Linked Group Uses Device Code Phishing to Steal M365 Credentials

Russia-Aligned UNK_AcademicFlare Group Exploits Microsoft 365 Device Code Authentication in Widespread Phishing Campaign Targeting Government and Critical Sectors

  • A Russia-aligned threat group named UNK_AcademicFlare has conducted a phishing campaign since September 2025 targeting Microsoft 365 users.
  • The attacks misuse compromised email accounts from government and military organizations to target sectors like government, think tanks, higher education, and transportation in the U.S. and Europe.
  • The phishing scheme exploits Microsoft’s device code authentication flow to hijack account access tokens and take over victim accounts.
  • Both state-aligned and criminal actors, including the e-crime group TA2723, have adopted this tactic, supported by widely available phishing kits and tools like Graphish and SquarePhish.
  • Countermeasures include implementing Conditional Access policies to block or restrict device code authentication for users.

Since September 2025, a suspected Russia-aligned group known as UNK_AcademicFlare has executed a phishing campaign targeting Microsoft 365 credentials. The campaign mainly impacts entities in government, think tanks, higher education, and transportation sectors across the U.S. and Europe.

- Advertisement -

The threat actors use compromised email addresses tied to government and military organizations to initiate trusted communications. They build rapport by referencing the targets’ professional expertise and arrange fictitious meetings or interviews. In these interactions, victims receive links to documents hosted on a Cloudflare Worker URL that mimics the sender’s Microsoft OneDrive account. Victims are instructed to copy a provided device code and press “Next” to access these supposed documents.

Entering the code redirects victims to the legitimate Microsoft device code login portal. Once the code is entered, Microsoft generates an access token, enabling the threat actors to seize control of the victim’s account. Proofpoint tracks this campaign under UNK_AcademicFlare, attributing it to Russia-aligned actors due to its focus on Russia-oriented specialists, Ukrainian governmental, and energy organizations. The method has been previously documented by Microsoft and Volexity as a known tactic among Russian groups such as Storm-2372 and APT29 as detailed here.

Other malicious actors, including the financially motivated e-crime group TA2723, have also employed device code phishing. TA2723 uses salary-related bait in phishing messages to lure victims to fake pages that trigger device code authorization. The surge in these attacks has been facilitated by accessible crimeware tools like the Graphish phishing kit and red-team frameworks such as SquarePhish. Proofpoint states, “the tool is designed to be user-friendly and does not require advanced technical expertise, lowering the barrier for entry and enabling even low-skilled threat actors to conduct sophisticated phishing campaigns.”

Device code authentication is a process where a user enters a code on a trusted device to grant an application access without entering their password directly. Attackers misuse this flow to fraudulently acquire tokens that allow account takeover.

- Advertisement -

To mitigate these risks, it is recommended to enforce Conditional Access policies that block device code authentication flows globally or apply allow-lists restricting device code usage to specific users, devices, or network ranges.

✅ Follow BITNEWSBOT on Telegram, Facebook, LinkedIn, X.com, and Google News for instant updates.

Previous Articles:

- Advertisement -
Ad
Altseason Is Loading. Don't watch from the sidelines.
SOL $90.51
DOGE $0.0963
LINK $9.02
SUI $1.00
5% off fees when you sign up
Start Trading
Ad
Pay Less on Every Trade. For Life.
$10K/mo volume Save $60/yr
$50K/mo volume Save $300/yr
$100K/mo volume Save $600/yr
5% off all trading fees when you sign up
Claim Your Discount

Latest News

Three OpenClaw AI flaws allow host takeover via WhatsApp

Three high-severity flaws in the OpenClaw AI assistant (CVSS 8.8, 8.8, 8.4) could enable...

Morgan Stanley Reiterates Nvidia Buy, Sets $288 Target

NVIDIA stock opened Friday at $202, trading within a $190–$210 range.Morgan Stanley analyst Joseph...

Trump rejects CBDC housing bill; becomes law automatically

President Trump announced he will not sign a bipartisan housing bill that includes a...

Robinhood Chain Ranks Top 5 in DEX Volume Days After Launch

Robinhood Chain entered the top five blockchains by 24-hour DEX trading volume less than...

Bitcoin Rises as $1T Parabolic Move Looms, ETF Outflow Threatens

Bitcoin has recovered nearly 10% after falling below $60,000, with traders eyeing a potential...

Must Read

Symbiosis Crypto Bridge: Your Guide to Moving Assets Between Blockchains

What is a Cross-Chain Crypto Bridge?Why Choose Symbiosis for Your Cross-Chain Needs?Support for 50+ BlockchainsAutomatic Routing for the Best RatesNo Need for RegistrationDirect Wallet...
Ad
Altseason Is Loading. These 4 coins are trending right now.
SOL $92.12
DOGE $0.0950
LINK $9.02
SUI $1.02
5% off spot fees when you sign up
Start Trading