Russia-Linked Hackers Abuse Microsoft 365 Device Code Phishing for Account Takeovers

A suspected Russia-aligned threat group has been identified for a phishing campaign targeting Microsoft 365 users by exploiting device code authentication flows to steal credentials and conduct account takeovers.

The campaign, active since September 2025, is tracked by Proofpoint under the designation UNK_AcademicFlare. Attackers have primarily targeted email accounts associated with government and military organizations, using them to reach organizations in the U.S. and Europe, including government agencies, think tanks, higher education institutions, and the transportation sector.

According to Proofpoint, the compromised accounts are often leveraged for seemingly legitimate communications, such as establishing rapport with the target or scheduling fictitious meetings and interviews. As part of these operations, attackers send a link to a document with questions or topics for review before the supposed meeting. This URL, hosted on a Cloudflare Worker, mimics the compromised sender’s Microsoft OneDrive account. Victims are instructed to copy a provided code and click “Next” to access the document.

Following this step, users are redirected to Microsoft’s official device code login page. Once the code is entered, Microsoft generates an access token, which the attackers can retrieve to gain unauthorized control of the account.

Device code phishing has been documented previously by Microsoft and Volexity in February 2025, with attribution to Russia-aligned clusters such as Storm-2372, APT29, UTA0304, and UTA0307. Recent warnings from Amazon Threat Intelligence and Volexity indicate ongoing exploitation of this technique by Russian threat actors.

Proofpoint emphasizes that UNK_AcademicFlare is likely a Russia-aligned actor due to its targeting of Russia-focused experts at think tanks, as well as Ukrainian government and energy sector organizations.


Research shows that both state-aligned and financially motivated cybercriminals have adopted this phishing tactic. One e-crime group, TA2723, used salary-related phishing lures to trick users into visiting fake landing pages and triggering device code authentication. The October 2025 campaign was reportedly supported by accessible crimeware kits like Graphish and red-team tools such as SquarePhish, designed for ease of use without advanced technical skills, allowing even low-skilled actors to conduct sophisticated attacks.

The primary objective of these attacks is unauthorized access to sensitive personal or organizational data, which can be exploited for credential theft, account takeover, and further compromise.

To mitigate device code phishing risks, organizations are advised to implement a Conditional Access policy with the Authentication Flows condition to block device code usage for all users. If a complete block is not feasible, an allow-list policy can be applied to restrict device code authentication to approved users, operating systems, or IP ranges.
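The two mitigations described above, expressed as Conditional Access policies created through the Microsoft Graph PowerShell SDK. This is an added example and not code from the article or from Proofpoint; it assumes the Microsoft.Graph module is installed, that the signed-in administrator holds the Policy.ReadWrite.ConditionalAccess permission, and that the group and named-location identifiers are placeholders you replace with your tenant's values. Both policies start in report-only mode so the resulting sign-in log entries can be reviewed before enforcement.

```powershell
# Added example (not the article's or Proofpoint's code). Creates two Conditional Access
# policies that use the Authentication Flows condition to restrict the device code flow.
# Assumes the Microsoft.Graph SDK is installed and the admin has the scopes below.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Application.Read.All"

# Placeholders: replace with real object ids from your tenant.
$breakGlassGroupId          = "00000000-0000-0000-0000-000000000001"  # emergency-access accounts
$approvedDeviceCodeGroupId  = "00000000-0000-0000-0000-000000000002"  # users who legitimately need device code
$approvedNamedLocationId    = "00000000-0000-0000-0000-000000000003"  # trusted IP range (named location)

# Policy 1: block the device code flow for every user, every app.
$blockPolicy = @{
    displayName = "Block device code flow - all users"
    state       = "enabledForReportingButNotEnforced"   # change to "enabled" after reviewing report-only results
    conditions  = @{
        users = @{
            includeUsers  = @("All")
            excludeGroups = @($breakGlassGroupId)       # never lock out emergency-access accounts
        }
        applications = @{
            includeApplications = @("All")
        }
        authenticationFlows = @{
            transferMethods = "deviceCodeFlow"          # the Authentication Flows condition
        }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("block")
    }
}

# Policy 2 (allow-list variant): block device code everywhere except for an approved
# group, an approved platform, and an approved IP range. Exclusions act as the allow-list.
$allowListPolicy = @{
    displayName = "Block device code flow - except approved users, platforms, locations"
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users = @{
            includeUsers  = @("All")
            excludeGroups = @($approvedDeviceCodeGroupId, $breakGlassGroupId)
        }
        applications = @{
            includeApplications = @("All")
        }
        authenticationFlows = @{
            transferMethods = "deviceCodeFlow"
        }
        platforms = @{
            includePlatforms = @("all")
            excludePlatforms = @("linux")               # e.g. headless Linux hosts that rely on device code
        }
        locations = @{
            includeLocations = @("All")
            excludeLocations = @($approvedNamedLocationId)
        }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("block")
    }
}

New-MgIdentityConditionalAccessPolicy -BodyParameter $blockPolicy
New-MgIdentityConditionalAccessPolicy -BodyParameter $allowListPolicy

# Verification: list every policy that touches the device code flow and its current state.
Get-MgIdentityConditionalAccessPolicy |
    Where-Object { $_.Conditions.AuthenticationFlows.TransferMethods -match "deviceCodeFlow" } |
    Select-Object DisplayName, State
```

Deploy only one of the two in enforced mode: the first is the complete block the article recommends, the second is the fallback when some workloads genuinely depend on device code sign-in. Because the allow-list policy blocks everyone *except* the excluded group, platform and location, an attacker who phishes a user outside those exclusions still receives a block even though the victim entered the code on Microsoft's legitimate page.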
