A phishing campaign has been linked to a group thought to be affiliated with Russia. Proofpoint is monitoring the activity, which has been going on since September 2025, under the name UNK_AcademicFlare. The attacks target organizations in the government, think tank, higher education, and transportation sectors in the United States and Europe by using compromised email addresses that belong to military and governmental organizations.

In February 2025, Microsoft and Volexity published a detailed report on device code phishing, linking the attack technique to Russia-aligned clusters like Storm-2372, APT29, UTA0304, and UTA0307. The best way to combat the threat of device code phishers is to use the Authentication Flows condition to create a Conditional Access policy that blocks device code flow for all users. If that isn't possible, it is suggested to use an allow-list approach that permits device code authentication for IP ranges, operating systems, or authorized users.
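
As an added example (not code from Proofpoint, Microsoft or Volexity), the Python below audits an exported list of Conditional Access policies to check whether device code flow is actually blocked for all users and which exclusions act as the allow-list. Field names follow the Microsoft Graph conditionalAccessPolicy resource; the sample policies, IDs and function names are constructed for illustration.

```python
import json

# Constructed sample shaped like the "value" array returned by Microsoft Graph
# GET /identity/conditionalAccess/policies (display names and IDs are made up).
SAMPLE_POLICIES = json.loads("""[
 {"displayName": "Block device code flow (pilot)", "state": "enabledForReportingButNotEnforced",
  "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": []},
                 "authenticationFlows": {"transferMethods": "deviceCodeFlow"}},
  "grantControls": {"operator": "OR", "builtInControls": ["block"]}},
 {"displayName": "Block device code flow", "state": "enabled",
  "conditions": {"users": {"includeUsers": ["All"],
                           "excludeUsers": ["00000000-0000-0000-0000-000000000001"]},
                 "locations": {"includeLocations": ["All"], "excludeLocations": ["AllTrusted"]},
                 "authenticationFlows": {"transferMethods": "deviceCodeFlow,authenticationTransfer"}},
  "grantControls": {"operator": "OR", "builtInControls": ["block"]}}
]""")

# Exclusions that exempt a sign-in from the block. A sign-in matching ANY one
# of them bypasses the policy, so the allow-list is a union, not an intersection.
EXEMPTION_KEYS = (("users", "excludeUsers"), ("users", "excludeGroups"), ("users", "excludeRoles"),
                  ("locations", "excludeLocations"), ("platforms", "excludePlatforms"))

def _flows(policy):
    """Return the set of authentication flows the policy is scoped to."""
    cond = policy.get("conditions") or {}
    raw = (cond.get("authenticationFlows") or {}).get("transferMethods") or ""
    items = raw.split(",") if isinstance(raw, str) else raw  # flags arrive as "a,b"
    return {i.strip() for i in items if i.strip()}

def audit_device_code_block(policies):
    """Describe the scope of every policy that blocks device code flow."""
    findings = []
    for p in policies:
        grant = (p.get("grantControls") or {}).get("builtInControls") or []
        if "deviceCodeFlow" not in _flows(p) or "block" not in grant:
            continue
        cond = p.get("conditions") or {}
        exemptions = [f"{key}:{v}" for section, key in EXEMPTION_KEYS
                      for v in (cond.get(section) or {}).get(key) or []]
        findings.append({
            "policy": p.get("displayName"),
            "enforced": p.get("state") == "enabled",  # report-only blocks nothing
            "all_users": "All" in ((cond.get("users") or {}).get("includeUsers") or []),
            "exemptions": exemptions,
        })
    return findings

def device_code_blocked_for_all(policies):
    """True only if an enforced policy blocks the flow for all users, no exemptions."""
    return any(f["enforced"] and f["all_users"] and not f["exemptions"]
               for f in audit_device_code_block(policies))
```

Every entry under `exemptions` is an account, location or platform from which device code sign-in still works, so each one should map to a documented business need.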

According to Proofpoint, the October 2025 campaign was driven by easy access to red-team tools like SquarePhish and crimeware offerings like the Graphish phishing kit. Unauthorized access to sensitive personal or organizational data, which can be used for account takeover, credential theft, and additional compromise, is the ultimate goal, according to the security firm. Among the actors using the technique is an e-crime group called TA2723, which has used salary-related lures in phishing emails to direct users to phony landing pages and trigger device code authorization.