Skip to content
Breaking
Latest technical intelligence from Northeast India • Infrastructure, AI, Cloud & Security Analysis • Precision Analysis | Raw Intelligence | Your North Star of Tech Latest technical intelligence from Northeast India • Infrastructure, AI, Cloud & Security Analysis • Precision Analysis | Raw Intelligence | Your North Star of Tech
SECURITY

Analysis: Russia-Linked Hackers Use Microsoft 365 Device Code Phishing for Account Takeovers

Russia-Linked Hackers Target Microsoft 365 Accounts in Phishing Campaign

Russia-Linked Hackers Target Microsoft 365 Accounts in Phishing Campaign

A recently uncovered phishing campaign has raised concerns about the security of Microsoft 365 accounts, with suspected Russia-aligned hackers using device code authentication workflows to steal credentials and conduct account takeover attacks. This article provides an analysis of the ongoing threat and its implications for users in North East India and beyond.

The Phishing Tactics and Targets

The phishing campaign, known as UNK_AcademicFlare, has been active since September 2025 and primarily targets entities within government, think tanks, higher education, and transportation sectors in the U.S. and Europe. The attacks often begin with compromised email addresses belonging to government and military organizations, which are used to establish contact with the targets and arrange fictitious meetings or interviews.

The Device Code Phishing Technique

In these efforts, the adversary shares a link to a document that supposedly contains questions or topics for the email recipient to review before the meeting. The URL points to a Cloudflare Worker URL that mimics the compromised sender's Microsoft OneDrive account. The victim is then instructed to copy the provided code and click "Next" to access the document. However, this action redirects the user to the legitimate Microsoft device code login URL. Once the previously provided code is entered, it generates an access token that can be recovered by the attackers to take control of the victim's account.

The Threat Landscape and Connections to India

This type of phishing attack, known as device code phishing, has been documented by both Microsoft and Volexity in February 2025, with Russia-aligned clusters such as Storm-2372, APT29, UTA0304, and UTA0307 being attributed to its use. Over the past couple of months, Amazon Threat Intelligence and Volexity have warned of continued attacks mounted by Russian threat actors that abuse the device code authentication flow.

While the attacks primarily target entities in the U.S. and Europe, the threat landscape is global, and users in North East India should also be vigilant. Given the targeting of Russia-focused specialists at multiple think tanks and Ukrainian government and energy sector organizations, it's essential for organizations and individuals in India with connections to these regions to be particularly cautious.

The Role of Crimeware and the Future of Phishing

Data from Proofpoint shows that multiple threat actors, both state-aligned and financially-motivated, have latched onto the phishing tactic to deceive users into giving them access to Microsoft 365 accounts. This includes an e-crime group named TA2723 that has used salary-related lures in phishing emails to direct users to fake landing pages and trigger device code authorization.

The ongoing availability of crimeware offerings like the Graphish phishing kit and red-team tools such as SquarePhish lower the barrier for entry, enabling even low-skilled threat actors to conduct sophisticated phishing campaigns. As such, it's crucial for users to stay informed about the latest phishing tactics and to take appropriate measures to protect their accounts.

Countering the Risk of Device Code Phishing

To counter the risk posed by device code phishing, Proofpoint recommends creating a Conditional Access policy using the Authentication Flows condition to block device code flow for all users. If that's not feasible, it's advised to use a policy that uses an allow-list approach to allow device code authentication for approved users, operating systems, or IP ranges.

By staying informed about the latest threats and taking proactive measures to secure their Microsoft 365 accounts, users in North East India and beyond can help protect themselves against the ongoing device code phishing campaign and similar threats in the future.