Phishing on the Frontlines: Russian Hackers Weaponize Microsoft 365 Device Codes
Subtitle: A new wave of phishing attacks leverages trusted Microsoft authentication flows to infiltrate governments, think tanks, and businesses across the West.
It starts with a simple, seemingly professional email - an invitation to collaborate, perhaps a request for an expert interview. For targets in government, academia, or critical infrastructure, it’s a familiar routine. But behind the scenes, a sophisticated Russian-linked operation is quietly hijacking digital identities, exploiting trust in Microsoft’s own login system to bypass security and seize control of sensitive accounts.
Security researchers have traced a surge in device code phishing attacks to a suspected Russian group dubbed UNK_AcademicFlare. Since September 2025, these actors have been orchestrating highly targeted campaigns using compromised government and military email addresses. Their playbook: build rapport by discussing the victim’s field of expertise, then send a link to a “document” for review ahead of a fictitious meeting. What appears routine quickly turns sinister - the link leads to a fake OneDrive page hosted on Cloudflare, prompting the victim to enter a device code.
Here’s the twist: the victim is sent to Microsoft’s genuine device code login page, not a counterfeit. Before sending the lure, the attacker has already started a device authorization request with Microsoft, which returns a short user code for a person to type and a longer device code that the requesting client keeps. The user code goes into the lure; the victim types it on the real page and signs in with their own password and MFA, exactly as they would to approve a new device. Microsoft then hands the access token, and usually a refresh token that keeps the access alive, to whoever is polling with the device code: the attacker. No password is stolen and MFA is satisfied, yet the attacker walks away with working tokens for the victim’s Microsoft 365 account.
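The exchange described above, walked through in code as an added example that is not part of the article and not tooling from any named actor or kit. The AuthServer class is a constructed, in-memory stand-in for an identity provider’s device-code and token endpoints (the RFC 8628 device authorization grant that Microsoft’s flow implements); the verification URI, client ID, scopes, code formats and the victim account are all invented for illustration. The point it shows is that the token endpoint answers whoever holds the device code, which is never the victim.

```python
"""Simulated OAuth 2.0 device authorization grant (RFC 8628): the attacker
starts the flow, the victim approves it on the real login page, the
attacker's poll receives the tokens. Constructed example; no real endpoints."""
import secrets
import string
import time
from dataclasses import dataclass
from typing import Optional

USER_CODE_ALPHABET = string.ascii_uppercase + string.digits  # format is an assumption


@dataclass
class DeviceGrant:
    client_id: str
    scope: str
    expires_at: float
    authorized_by: Optional[str] = None  # set when a signed-in user enters the user code


class AuthServer:
    """Constructed stand-in for an identity provider's /devicecode and /token endpoints."""

    def __init__(self, lifetime_s: int = 900):
        self.lifetime_s = lifetime_s
        self._by_device_code: dict[str, DeviceGrant] = {}
        self._by_user_code: dict[str, str] = {}  # user_code -> device_code

    def device_authorization(self, client_id: str, scope: str) -> dict:
        """POST /devicecode. Unauthenticated: anyone, including the attacker, can start it."""
        device_code = secrets.token_urlsafe(32)
        user_code = "".join(secrets.choice(USER_CODE_ALPHABET) for _ in range(9))
        self._by_device_code[device_code] = DeviceGrant(client_id, scope, time.time() + self.lifetime_s)
        self._by_user_code[user_code] = device_code
        return {"device_code": device_code, "user_code": user_code,
                "verification_uri": "https://idp.example/devicelogin",  # invented
                "interval": 5, "expires_in": self.lifetime_s}

    def user_enters_code(self, user_code: str, signed_in_user: str) -> bool:
        """The victim, authenticated (password + MFA) on the genuine page, types the code."""
        device_code = self._by_user_code.get(user_code)
        if device_code is None:
            return False
        grant = self._by_device_code[device_code]
        if time.time() > grant.expires_at:
            return False
        grant.authorized_by = signed_in_user
        return True

    def token(self, device_code: str) -> dict:
        """POST /token, grant_type=device_code. Polled by whoever holds device_code."""
        grant = self._by_device_code.get(device_code)
        if grant is None:
            return {"error": "invalid_grant"}
        if time.time() > grant.expires_at:
            return {"error": "expired_token"}
        if grant.authorized_by is None:
            return {"error": "authorization_pending"}
        # Tokens are bound to the victim's identity but delivered to the attacker's client.
        return {"access_token": "at-" + secrets.token_hex(8), "refresh_token": "rt-" + secrets.token_hex(8),
                "token_type": "Bearer", "scope": grant.scope, "sub": grant.authorized_by}


def run_phish(server: AuthServer, victim: str) -> dict:
    """The attack as a sequence: attacker starts flow, lure carries user_code, attacker polls."""
    # 1. Attacker requests a code for a client that can read mail and files (scopes invented).
    dc = server.device_authorization(client_id="example-client",
                                     scope="Mail.Read Files.Read.All offline_access")
    pending = server.token(dc["device_code"])  # 2. polling before the victim acts: pending
    # 3. Victim, following the lure, enters dc["user_code"] on the real page and signs in.
    approved = server.user_enters_code(dc["user_code"], signed_in_user=victim)
    result = server.token(dc["device_code"])   # 4. attacker's next poll returns the tokens
    return {"pending_error": pending.get("error"), "victim_approved": approved, "tokens": result}


if __name__ == "__main__":
    outcome = run_phish(AuthServer(), "analyst@example.org")  # constructed victim
    print(outcome)
```

Note what the victim never does: type a password anywhere but Microsoft’s own page, or hand anything to the attacker’s site except the act of entering a nine-character code. The `offline_access` scope is why a refresh token comes back with the access token, which is what lets the attacker keep reading the mailbox long after the lure is forgotten.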
This tactic isn’t limited to state-backed espionage. Proofpoint and other cybersecurity firms have documented criminal groups like TA2723 using similar methods, with lures ranging from fake salary notifications to QR code-laden emails. The rise of turnkey phishing kits - Graphish and SquarePhish in particular - has lowered the barrier to entry, enabling even novice hackers to launch convincing attacks that exploit Microsoft’s trusted authentication process.
Experts warn that device code phishing is especially dangerous because everything the victim sees is legitimate: the URL, the certificate, the sign-in page and the MFA prompt are all Microsoft’s. Users are conditioned to trust that page, so the usual advice to check the address bar does not help, and even vigilant targets can be caught. The goal is unauthorized access to mailboxes and files, used for espionage, financial theft, or as a foothold for further compromise across the organization.
Defending against this threat is harder than blocking a fake login page, because there is no fake page to block. Microsoft’s recommendation is a Conditional Access policy that uses the authentication flows condition to block the device code flow for all users and applications, excluding only the identities that genuinely need it (typically headless devices or service accounts) and keeping those exclusions to a strict allow-list. Sign-in logs record which authentication protocol was used, so device code sign-ins by anyone outside that list deserve review, and tokens already in an attacker’s hands stay valid until they expire or are revoked, so response should revoke the account’s sessions rather than rely on a password reset alone. As phishing kits proliferate and social engineering improves, user education remains a necessary, but not sufficient, line of defense.
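Two of those controls in code, as an added example that is neither the article’s nor Microsoft’s: the body of a Conditional Access policy that blocks the device code flow for everyone except an excluded group, and a review pass over Entra sign-in records that flags device code sign-ins by anyone outside the allow-list and pivots on shared source IPs. The sign-in records are constructed for illustration and use Microsoft Graph signIn field names (the flow is reported as authenticationProtocol "deviceCode"; error code 53003 is Entra’s “blocked by Conditional Access”). The policy body follows the Graph conditionalAccessPolicy schema as the author understands it; the group ID and accounts are invented, and the shape should be checked against current Microsoft documentation before being submitted.

```python
"""Block-by-default Conditional Access policy body plus a review of sign-in
records for device code use outside the allow-list. Constructed data."""
from __future__ import annotations

import json
from collections import defaultdict

# Constructed allow-list: the only identities expected to use the device code flow.
ALLOWED_DEVICE_CODE_USERS = {"kiosk-svc@example.org"}


def block_device_code_policy(excluded_group_ids: list[str]) -> dict:
    """Policy body: block the device code flow for all users and apps, except the listed groups.
    Schema follows Microsoft Graph conditionalAccessPolicy as understood here (assumption)."""
    return {
        "displayName": "Block device code flow (allow-listed groups excluded)",
        "state": "enabled",
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeGroups": excluded_group_ids},
            "applications": {"includeApplications": ["All"]},
            "authenticationFlows": {"transferMethods": "deviceCodeFlow"},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }


# Constructed sign-in records (subset of Graph signIn fields); IPs are documentation ranges.
SAMPLE_SIGNINS = [
    {"id": "1", "createdDateTime": "2025-10-02T08:14:03Z", "userPrincipalName": "kiosk-svc@example.org",
     "appDisplayName": "Kiosk Agent", "ipAddress": "203.0.113.10",
     "authenticationProtocol": "deviceCode", "status": {"errorCode": 0}},
    {"id": "2", "createdDateTime": "2025-10-02T09:41:55Z", "userPrincipalName": "analyst@example.org",
     "appDisplayName": "Microsoft Office", "ipAddress": "198.51.100.7",
     "authenticationProtocol": "deviceCode", "status": {"errorCode": 0}},
    {"id": "3", "createdDateTime": "2025-10-02T09:42:30Z", "userPrincipalName": "analyst@example.org",
     "appDisplayName": "Microsoft Office", "ipAddress": "203.0.113.10",
     "authenticationProtocol": "oAuth2", "status": {"errorCode": 0}},
    {"id": "4", "createdDateTime": "2025-10-02T11:05:12Z", "userPrincipalName": "director@example.org",
     "appDisplayName": "Microsoft Office", "ipAddress": "198.51.100.7",
     "authenticationProtocol": "deviceCode", "status": {"errorCode": 53003}},  # blocked by CA
]


def flag_device_code_signins(records: list[dict], allowed_users=ALLOWED_DEVICE_CODE_USERS) -> list[dict]:
    """Return device code sign-ins (successful or not) by users outside the allow-list."""
    allowed = {u.lower() for u in allowed_users}
    hits = []
    for r in records:
        if r.get("authenticationProtocol") != "deviceCode":
            continue
        if r.get("userPrincipalName", "").lower() in allowed:
            continue
        hits.append({
            "id": r["id"], "when": r["createdDateTime"], "user": r["userPrincipalName"],
            "app": r["appDisplayName"], "ip": r["ipAddress"],
            "succeeded": r.get("status", {}).get("errorCode") == 0,
        })
    return hits


def shared_source_ips(hits: list[dict]) -> set[str]:
    """IPs from which more than one distinct user completed or attempted a device code sign-in.
    One attacker polling from one box tends to show up this way across several victims."""
    users_by_ip: dict[str, set[str]] = defaultdict(set)
    for h in hits:
        users_by_ip[h["ip"]].add(h["user"].lower())
    return {ip for ip, users in users_by_ip.items() if len(users) > 1}


if __name__ == "__main__":
    print(json.dumps(block_device_code_policy(["00000000-0000-0000-0000-000000000001"]), indent=2))
    flagged = flag_device_code_signins(SAMPLE_SIGNINS)
    for h in flagged:
        print(h)
    print("shared source IPs:", shared_source_ips(flagged))
```

Record 2 is the case to act on: a successful device code sign-in by a user with no business reason to use the flow. Record 4 shows what the policy looks like once it is in place, a blocked attempt that still leaves an auditable trace, and the shared IP between the two is the pivot that turns one alert into a campaign.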
The digital battlefield is evolving, with adversaries turning trusted tools against us. As device code phishing moves from espionage to e-crime, every click and code matters. In the age of invisible intruders, the line between legitimate and malicious has never been more blurred - or more dangerous.
WIKICROOK
- Device Code Phishing: Device Code Phishing tricks users into entering attacker-supplied codes on real login pages, allowing account takeover without stealing passwords.
- Access Token: An access token is a short-lived credential that an application presents to a service to act on a user’s behalf, such as reading mail or files, without prompting the user to log in again.
- Phishing Kit: A phishing kit is a set of ready-made tools that allows criminals to quickly create fake websites and steal sensitive user information.
- Adversary: An adversary is any person or group attempting to breach computer systems or data, often for malicious purposes like theft or disruption.
- Conditional Access Policy: Conditional Access Policies are rules organizations use to control who can access digital resources, often requiring extra authentication in risky scenarios.