Russia-Linked Hackers Use Microsoft 365 Device Code Phishing for Account Takeovers
A phishing campaign that abuses the OAuth 2.0 device code authorization flow to hijack victims' Microsoft 365 accounts and carry out account takeover attacks has been attributed to a suspected Russia-aligned group.
The activity, ongoing since September 2025, is tracked by Proofpoint as UNK_AcademicFlare.
The attacks use compromised email addresses belonging to government and military organizations to target government, think tank, higher education, and transportation entities in the U.S. and Europe.
Device Code Phishing: A Growing Threat
Device code phishing was documented in detail by both Microsoft and Volexity in February 2025, which attributed use of the technique to Russia-aligned clusters such as Storm-2372, APT29, UTA0304, and UTA0307.
Over the past couple of months, Amazon Threat Intelligence and Volexity have warned of continued attacks by Russian threat actors abusing the device code authentication flow.
Proofpoint's own data shows that multiple threat actors, both state-aligned and financially motivated, have adopted the tactic to trick users into granting access to Microsoft 365 accounts.
Proofpoint assesses that UNK_AcademicFlare is likely a Russia-aligned threat actor, given its targeting of Russia-focused specialists at multiple think tanks and of Ukrainian government and energy sector organizations.
Countering the Risk
The most effective countermeasure is a Conditional Access policy that uses the Authentication Flows condition to block the device code flow for all users.
Where that is not feasible, use an allow-list approach: a policy that blocks the device code flow by default and permits it only for approved users, operating systems, or IP ranges.
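The following is an added example, not code from the article or from Proofpoint, showing how the allow-list variant of that Conditional Access policy can be created with the Microsoft Graph PowerShell SDK. It assumes a group named CA-DeviceCodeFlow-Allowed (approved users) and a named location Corp-Egress-IPs (approved IP ranges) already exist; both names are placeholders. The policy targets the authenticationFlows condition with the transferMethods value deviceCodeFlow, applies to all users, applications and locations, and excludes the group, the named location and the Linux platform. It is created in report-only mode so the impact can be reviewed in the sign-in logs before enforcement.

```powershell
# Added example (not from the article or Proofpoint). Requires the Microsoft.Graph
# module and an account holding the Conditional Access Administrator role.
# Assumed placeholders: group "CA-DeviceCodeFlow-Allowed", named location "Corp-Egress-IPs".
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All", "Group.Read.All"

# Resolve the exception group and the trusted named location to object IDs.
$allowedGroup    = Get-MgGroup -Filter "displayName eq 'CA-DeviceCodeFlow-Allowed'"
$trustedLocation = Get-MgIdentityConditionalAccessNamedLocation -Filter "displayName eq 'Corp-Egress-IPs'"
if (-not $allowedGroup -or -not $trustedLocation) {
    throw "Exception group or named location not found; create them before running this script."
}

$policy = @{
    displayName = "Block device code flow (allow-listed exceptions)"
    # Report-only first: review "Report-only: Failure" entries in the sign-in logs,
    # then switch to "enabled" once the exceptions are confirmed to be sufficient.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        # Scope the policy to the device code flow only; other flows are not affected.
        authenticationFlows = @{ transferMethods = "deviceCodeFlow" }
        clientAppTypes      = @("all")
        applications        = @{ includeApplications = @("All") }
        users = @{
            includeUsers  = @("All")
            excludeGroups = @($allowedGroup.Id)       # approved users
        }
        locations = @{
            includeLocations = @("All")
            excludeLocations = @($trustedLocation.Id) # approved IP ranges
        }
        platforms = @{
            includePlatforms = @("all")
            excludePlatforms = @("linux")             # approved OS (headless hosts needing device code)
        }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("block")
    }
}

# Raw Graph call so the script does not depend on the installed SDK cmdlet version
# having the authenticationFlows property.
$created = Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies" `
    -Body $policy -ContentType "application/json"

# Read the policy back and confirm the device code flow condition actually landed.
$check = Invoke-MgGraphRequest -Method GET `
    -Uri "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies/$($created.id)"
if ($check.conditions.authenticationFlows.transferMethods -ne "deviceCodeFlow") {
    throw "Policy $($created.id) was created without the deviceCodeFlow condition."
}
"Created policy {0} in state {1}" -f $created.id, $check.state
```

Two caveats a practitioner should keep in mind. The platform exclusion is the weakest of the three: Entra derives the device platform from the user agent, which an attacker's tooling can set freely, so prefer the user and named-location exclusions and drop the platform exclusion unless you genuinely need it. And because the policy is a block, leave it in report-only mode long enough to catch legitimate device code sign-ins (Azure CLI on servers, smart TVs, printers, IoT clients) before enforcing it.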
Objectives and Tooling
The ultimate objective is unauthorized access to sensitive personal or organizational data, which can be leveraged for credential theft, account takeover, and further compromise.
The ready availability of crimeware offerings such as the Graphish phishing kit and red-team tools such as SquarePhish has fueled the October 2025 campaign.
Such tooling is designed to be user-friendly and requires no advanced technical expertise, lowering the barrier to entry and enabling even low-skilled actors to run convincing phishing campaigns.
Conclusion
Blocking the device code flow through Conditional Access, or at minimum restricting it to an explicit allow-list of users, operating systems, or IP ranges, is the primary defense. Prevention is key to countering the risk posed by device code phishing.