Russia-Linked Hackers Use Microsoft 365 Device Code Phishing to Steal Accounts

  • Dec 20, 2025
  • 2 min read

Key Findings


  • A Russia-aligned threat group, tracked by Proofpoint as UNK_AcademicFlare, has been conducting phishing campaigns that abuse the Microsoft 365 device code authentication flow. Rather than harvesting passwords, the lure gets the victim to authorize an attacker-initiated sign-in, which hands the attacker access and refresh tokens for the victim's account.

  • The attacks, ongoing since September 2025, target government, military, think tanks, higher education, and transportation sectors in the U.S. and Europe.

  • The adversary uses compromised email addresses belonging to government and military organizations to establish rapport with targets before sending the lure that asks them to enter an attacker-generated device code.

  • Device code phishing has been documented as a tactic used by Russia-aligned threat clusters such as Storm-2372, APT29, UTA0304, and UTA0307.

  • Financially motivated groups such as TA2723 have also adopted the technique, using salary-related lures to direct users to fake landing pages that walk them through device code authorization.

  • The phishing campaigns are enabled by the availability of user-friendly crimeware offerings like the Graphish phishing kit and red-team tools such as SquarePhish.


Background


The device code phishing tactic employed by UNK_AcademicFlare starts with an email containing a link that redirects the victim to a Cloudflare Worker URL mimicking the compromised sender's Microsoft OneDrive account. The page instructs the victim to copy a displayed code and click "Next" to open a supposed document. That code is the user code from a device authorization request the attacker has already started against Microsoft's identity service; when the victim enters it on Microsoft's genuine device login page and signs in normally (including any MFA prompt), Microsoft issues access and refresh tokens to the attacker's polling client rather than to the victim. The attacker never sees a password, and the sign-in looks legitimate to the victim, which is what makes the technique effective.
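The exchange above is the OAuth 2.0 device authorization grant (RFC 8628) with the roles rearranged: the attacker is the "device" that requests the codes and polls for tokens, and the victim is the user who approves. The following Python simulation, added here as an illustration and not code from Proofpoint, the attacker, or the original post, implements an in-memory stand-in for the devicecode and token endpoints so the whole exchange runs offline. The client ID, victim identity, token format and lure text are constructed placeholders; the endpoint URLs and grant type in the comments are the real Microsoft Entra ID values, shown for orientation only.

```python
import base64
import json
import secrets
import string
from dataclasses import dataclass
from typing import Optional

# Real Entra ID endpoints, for orientation only; the simulator below never calls them.
ENTRA_DEVICECODE = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/devicecode"
ENTRA_TOKEN = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
DEVICE_CODE_GRANT = "urn:ietf:params:oauth:grant-type:device_code"


@dataclass
class PendingGrant:
    client_id: str
    scope: str
    user_code: str
    issued_at: float
    expires_in: int = 900          # device codes are short-lived (minutes, not hours)
    interval: int = 5              # minimum seconds between token polls
    last_poll: Optional[float] = None
    approved_by: Optional[str] = None   # set when someone signs in at the verification URI


class DeviceCodeAuthServer:
    """Constructed in-memory stand-in for the /devicecode and /token endpoints (RFC 8628)."""
    VERIFICATION_URI = "https://microsoft.com/devicelogin"

    def __init__(self) -> None:
        self.clock = 0.0                               # seconds; advanced by the caller
        self._grants: dict = {}                        # device_code -> PendingGrant
        self._user_codes: dict = {}                    # user_code -> device_code

    def device_authorization(self, client_id: str, scope: str) -> dict:
        """Step 1: the client (here, the attacker) starts the flow and receives both codes."""
        device_code = secrets.token_urlsafe(32)
        alphabet = string.ascii_uppercase + string.digits
        user_code = "".join(secrets.choice(alphabet) for _ in range(9))
        grant = PendingGrant(client_id, scope, user_code, self.clock)
        self._grants[device_code] = grant
        self._user_codes[user_code] = device_code
        return {"device_code": device_code, "user_code": user_code,
                "verification_uri": self.VERIFICATION_URI,
                "expires_in": grant.expires_in, "interval": grant.interval}

    def user_approve(self, user_code: str, upn: str) -> dict:
        """Step 2: whoever types user_code at the verification URI and signs in binds their identity to the grant."""
        device_code = self._user_codes.get(user_code)
        if device_code is None:
            return {"error": "invalid_user_code"}
        grant = self._grants[device_code]
        if self.clock - grant.issued_at > grant.expires_in:
            return {"error": "expired_token"}
        grant.approved_by = upn
        return {"status": "approved", "client_id": grant.client_id, "scope": grant.scope}

    def token(self, client_id: str, device_code: str) -> dict:
        """Step 3: the holder of device_code polls; tokens go to this caller, not to the user who approved."""
        grant = self._grants.get(device_code)
        if grant is None or grant.client_id != client_id:
            return {"error": "invalid_grant"}
        if self.clock - grant.issued_at > grant.expires_in:
            self._forget(device_code)
            return {"error": "expired_token"}
        if grant.last_poll is not None and self.clock - grant.last_poll < grant.interval:
            return {"error": "slow_down"}          # RFC 8628 section 3.5: client must back off
        grant.last_poll = self.clock
        if grant.approved_by is None:
            return {"error": "authorization_pending"}
        self._forget(device_code)                  # single use: the code cannot be redeemed twice
        claims = {"sub": grant.approved_by, "aud": client_id, "scp": grant.scope}
        return {"token_type": "Bearer", "scope": grant.scope, "expires_in": 3600,
                "access_token": encode_token(claims), "refresh_token": secrets.token_urlsafe(48)}

    def _forget(self, device_code: str) -> None:
        grant = self._grants.pop(device_code)
        self._user_codes.pop(grant.user_code, None)


def encode_token(claims: dict) -> str:
    """Constructed, unsigned token: a base64url claim set, enough to show who the token is for."""
    raw = base64.urlsafe_b64encode(json.dumps(claims).encode()).decode()
    return "constructed." + raw.rstrip("=")


def decode_claims(token: str) -> dict:
    payload = token.split(".", 1)[1]
    payload += "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))


def run_phishing_scenario(server: DeviceCodeAuthServer, victim_upn: str) -> dict:
    """Walks the exchange described in the article: attacker starts the flow, the lure carries the
    user code, the victim signs in legitimately, and the attacker's poll returns the victim's tokens."""
    attacker_client = "placeholder-public-client-id"     # constructed; attackers use a real public client ID
    auth = server.device_authorization(attacker_client, "openid offline_access https://graph.microsoft.com/.default")
    # The lure: the fake OneDrive page shows exactly this user code and tells the victim to copy it and click Next.
    lure = f"Open {auth['verification_uri']}, enter code {auth['user_code']} and click Next to view the document."
    first_poll = server.token(attacker_client, auth["device_code"])     # nothing yet: authorization_pending
    server.clock += 60                                                  # victim reads the mail and follows the lure
    approval = server.user_approve(auth["user_code"], victim_upn)       # real password and MFA, on Microsoft's page
    server.clock += auth["interval"]
    second_poll = server.token(attacker_client, auth["device_code"])    # victim's tokens, delivered to the attacker
    return {"lure": lure, "device_code": auth["device_code"], "before_approval": first_poll,
            "approval": approval, "after_approval": second_poll}
```

The point to take from running it is that the victim's password never touches the attacker's infrastructure: the only artefact the lure has to deliver is a nine-character user code, and the only thing the attacker has to do afterwards is keep polling. The simulator also enforces the three error cases a real polling client has to handle (`authorization_pending`, `slow_down`, `expired_token`), which is why working kits poll patiently and re-issue fresh codes when one expires.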


Targeted Sectors


The threat actor has predominantly targeted government, military, think tanks, higher education, and transportation sectors in the U.S. and Europe. By compromising email addresses belonging to these organizations, the adversary is able to build rapport with potential victims and lure them into the phishing scheme.


Tactics and Tools


The phishing campaigns run by UNK_AcademicFlare are facilitated by the availability of user-friendly crimeware offerings like the Graphish phishing kit and red-team tools such as SquarePhish. These tools automate the code generation, lure hosting and token polling, lowering the barrier to entry so that even low-skilled threat actors can run the technique at scale.


Threat Actor Attribution


Proofpoint assesses that UNK_AcademicFlare is likely a Russia-aligned threat actor based on its targeting of Russia-focused specialists at multiple think tanks and Ukrainian government and energy sector organizations. This aligns with the known tactics, techniques, and targets associated with Russia-linked groups such as Storm-2372, APT29, UTA0304, and UTA0307.


Mitigations


To mitigate the risk posed by device code phishing, security experts recommend creating a Conditional Access policy in Microsoft Entra ID that uses the Authentication Flows condition to block the device code flow for all users. Where some users genuinely need it (headless servers, CLI tooling, devices without a browser), an allow-list approach works instead: the same block policy with exclusions for an approved group, approved operating systems, or approved IP ranges or named locations. In either case, deploy the policy in report-only mode first and review sign-in logs for legitimate device code usage before enforcing it, and exclude emergency-access accounts so the policy cannot lock administrators out.
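The following Python helper, added here as an example and not code from Microsoft or the original post, builds the Microsoft Graph request body for both policy variants described above and runs a few pre-flight checks before the body is posted to `/identity/conditionalAccess/policies`. The body follows the Graph `conditionalAccessPolicy` resource (the Authentication Flows condition is `conditions.authenticationFlows.transferMethods`); verify it against the current Graph documentation before use. The group, location and user IDs in the usage are placeholders.

```python
import json
import urllib.request

GRAPH_CA_POLICIES = "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies"


def device_code_policy(display_name, *, break_glass_user_ids=(), exclude_group_ids=(),
                       exclude_location_ids=(), exclude_platforms=(),
                       state="enabledForReportingButNotEnforced"):
    """Graph request body for a Conditional Access policy that blocks the device code flow.

    With only break_glass_user_ids set this is the 'block for all users' policy. The other
    exclude_* parameters turn it into the allow-list variant: the approved group, named
    locations or platforms keep the device code flow and everyone else is blocked."""
    conditions = {
        "users": {
            "includeUsers": ["All"],
            "excludeUsers": list(break_glass_user_ids),   # emergency-access accounts
            "excludeGroups": list(exclude_group_ids),     # approved device-code users
        },
        "applications": {"includeApplications": ["All"]},
        # Authentication Flows condition: only sign-ins that use the device code flow match.
        "authenticationFlows": {"transferMethods": "deviceCodeFlow"},
    }
    if exclude_location_ids:
        conditions["locations"] = {"includeLocations": ["All"],
                                   "excludeLocations": list(exclude_location_ids)}
    if exclude_platforms:
        conditions["platforms"] = {"includePlatforms": ["all"],
                                   "excludePlatforms": list(exclude_platforms)}
    return {
        "displayName": display_name,
        "state": state,
        "conditions": conditions,
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }


def review_policy(policy):
    """Warnings for the mistakes that turn this policy into a tenant-wide lockout."""
    warnings = []
    cond = policy.get("conditions", {})
    users = cond.get("users", {})
    blocks = "block" in policy.get("grantControls", {}).get("builtInControls", [])
    if blocks and cond.get("authenticationFlows", {}).get("transferMethods") != "deviceCodeFlow":
        warnings.append("block policy has no authenticationFlows condition: it would block every sign-in it matches")
    if blocks and users.get("includeUsers") == ["All"] and not users.get("excludeUsers"):
        warnings.append("no emergency-access account is excluded from a block-all policy")
    if policy.get("state") == "enabled":
        warnings.append("deploy in report-only (enabledForReportingButNotEnforced) and review sign-in logs before enforcing")
    return warnings


def create_policy(policy, access_token):
    """POSTs the body to Graph (needs Policy.ReadWrite.ConditionalAccess). Not called below."""
    req = urllib.request.Request(
        GRAPH_CA_POLICIES, data=json.dumps(policy).encode(), method="POST",
        headers={"Authorization": f"Bearer {access_token}", "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Placeholder object IDs; substitute your tenant's values.
    block_all = device_code_policy("Block device code flow",
                                   break_glass_user_ids=["00000000-0000-0000-0000-00000000bg01"])
    allow_list = device_code_policy("Block device code flow except approved",
                                    break_glass_user_ids=["00000000-0000-0000-0000-00000000bg01"],
                                    exclude_group_ids=["00000000-0000-0000-0000-0000000grp01"],
                                    exclude_location_ids=["00000000-0000-0000-0000-0000000loc01"],
                                    exclude_platforms=["linux"])
    for p in (block_all, allow_list):
        print(p["displayName"], review_policy(p) or "ok")
        print(json.dumps(p, indent=2))
```

The `review_policy` checks exist because the failure mode of this policy is worse than the problem it solves: a block policy with users and applications set to All and the `authenticationFlows` condition accidentally omitted matches every interactive sign-in in the tenant. Keep the policy in report-only until the sign-in logs show only expected device code usage, then switch `state` to `enabled`.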


Sources


  • https://thehackernews.com/2025/12/russia-linked-hackers-use-microsoft-365.html

  • https://blog.netmanageit.com/russia-linked-hackers-use-microsoft-365-device-code-phishing-for-account-takeovers/

  • https://x.com/TheCyberSecHub/status/2002095730115424748

© 2025 by Explain IT Again. Powered and secured by Wix