
Russia-Linked Hackers Exploit Microsoft 365 Device Code Authentication to Bypass Security
A Russia-linked threat group, tracked as UNK_AcademicFlare by Proofpoint, has been running a phishing campaign against Microsoft 365 accounts since September 2025. Rather than standing up fake login pages, the attackers abuse a legitimate authentication mechanism, the OAuth 2.0 device authorization grant (the "device code flow"), to obtain tokens for victim accounts and take them over.

The device code flow exists for devices with limited input capabilities, such as smart TVs, printers and IoT devices. The device requests a code from the identity provider, the user types that code into a browser on a second device and signs in there, and the identity provider then issues tokens to the device that started the flow. The abuse works by inverting the roles: the attacker's tooling starts the flow and receives the code, a phishing email delivers the code to the victim along with the genuine Microsoft verification page, and when the victim enters the code and signs in, the access and refresh tokens for the victim's account are issued to the attacker. Proofpoint assesses that this is how the lures are delivered, and the compromised mailboxes belong to government entities, which points to a targeted espionage campaign.

The technique is hard to catch because every step the victim sees happens on Microsoft's own authentication infrastructure. Protections that look for look-alike domains or cloned login pages have nothing to match on. Multi-factor authentication is not defeated so much as satisfied by the wrong party: the victim completes MFA on the real page, and the resulting tokens, including a refresh token that can be replayed long after the email is deleted, land in the attacker's session.

The campaign is part of a broader trend of attackers abusing legitimate authentication flows instead of breaking them. Organizations should train users that a code they are asked to enter at a Microsoft login page is an authorization request that grants someone else access, and should monitor sign-in telemetry for device code authentications that the organization does not expect. Microsoft could reduce the risk further by showing more context during device code approvals (which application is requesting access and from where) and by making it easier for organizations to restrict which applications and users may use the flow at all.

The reported timeline (activity beginning September 2025, described in an article dated December 2025) should be checked against the original source, but the technical mechanism described is accurate and represents a real threat vector.
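To make the role inversion concrete, the following is an added example that is not code from the article, from Proofpoint or from Microsoft: a toy authorization server implementing the three steps of the device authorization grant, with a scripted phishing scenario run against it. The endpoint URL, the client id and the victim account are hypothetical, and the lure text is constructed. The point it demonstrates is that the tokens go to whoever called the device authorization endpoint, while the user who completed MFA never holds them.

```python
"""Toy OAuth 2.0 device authorization grant (RFC 8628), added as an example
and not taken from the article or from any vendor's code. Shows why the party
that starts the flow, not the user who approves it, receives the tokens.
Endpoint URL, client id and victim account are hypothetical."""
import secrets
import string
import time


class AuthorizationServer:
    """Minimal stand-in for an identity provider's device code endpoints."""

    CODE_TTL = 900  # seconds a user code stays valid (hypothetical value)

    def __init__(self):
        self._pending = {}  # device_code -> flow record

    def device_authorization(self, client_id, scope, now=None):
        # Step 1: the client (in a phish, the attacker's tooling) asks for a
        # device code plus the short user code a human will type in.
        now = time.time() if now is None else now
        alphabet = string.ascii_uppercase + string.digits
        record = {
            "client_id": client_id,
            "scope": scope,
            "user_code": "".join(secrets.choice(alphabet) for _ in range(9)),
            "expires_at": now + self.CODE_TTL,
            "approved_by": None,
        }
        device_code = secrets.token_urlsafe(32)
        self._pending[device_code] = record
        return {
            "device_code": device_code,
            "user_code": record["user_code"],
            "verification_uri": "https://login.example/devicelogin",  # hypothetical
            "interval": 5,
        }

    def user_approval(self, user_code, username, mfa_passed, now=None):
        # Step 2: the user visits the genuine verification page, types the
        # code and signs in. MFA happens here, performed by the user, so it is
        # satisfied rather than bypassed; nothing binds the approval to the
        # machine that requested the code.
        now = time.time() if now is None else now
        for record in self._pending.values():
            if record["user_code"] == user_code and now < record["expires_at"]:
                if not mfa_passed:
                    return False
                record["approved_by"] = username
                return True
        return False

    def token(self, device_code, now=None):
        # Step 3: the client that started the flow polls the token endpoint.
        # Once the code is approved, tokens for the user's account go to it.
        now = time.time() if now is None else now
        record = self._pending.get(device_code)
        if record is None:
            return {"error": "invalid_grant"}
        if now >= record["expires_at"]:
            del self._pending[device_code]
            return {"error": "expired_token"}
        if record["approved_by"] is None:
            return {"error": "authorization_pending"}
        del self._pending[device_code]
        return {
            "token_type": "Bearer",
            "access_token": secrets.token_urlsafe(24),
            "refresh_token": secrets.token_urlsafe(24),
            "scope": record["scope"],
            "issued_to_client": record["client_id"],
            "subject": record["approved_by"],
        }


def run_phishing_scenario(victim="user@agency.example", now=1_000_000.0):
    """Walk the three steps the way a device code phish does and return the
    lure, the attacker's first poll result and the attacker's final tokens."""
    idp = AuthorizationServer()
    start = idp.device_authorization("attacker-controlled-client",
                                     "Mail.Read offline_access", now=now)
    # Constructed lure: the attacker mails the real URL and the user code.
    lure = (f"Join the call: open {start['verification_uri']} "
            f"and enter code {start['user_code']}")
    # Until the victim acts, polling only returns authorization_pending.
    first_poll = idp.token(start["device_code"], now=now + 5)
    # The victim follows the lure and completes MFA on the genuine page.
    idp.user_approval(start["user_code"], victim, mfa_passed=True, now=now + 60)
    final = idp.token(start["device_code"], now=now + 65)
    return {"lure": lure, "first_poll": first_poll, "final": final}
```

Running `run_phishing_scenario()` returns a token response whose `subject` is the victim and whose `issued_to_client` is the attacker's client. The expiry check matters operationally: the attacker has to get the victim to act within the code's lifetime, which is why these lures are built around urgency (a meeting invitation, a document waiting to be read).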
Cybersecurity professionals should be aware of this technique, restrict the device code flow to the applications and users that genuinely need it, and alert on the device code sign-ins that remain.
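On the detection side, the following is an added example, not code from the article or from Microsoft, of the kind of check a security operations team can run over Microsoft Entra sign-in records. The field names follow the Microsoft Graph signIn resource (`authenticationProtocol`, `userPrincipalName`, `ipAddress`, `appDisplayName`, `status.errorCode`), where device code authentications are recorded with `authenticationProtocol` equal to `deviceCode`; the records themselves are constructed for this example and are not real telemetry. The check flags every successful device code sign-in and notes whether the source IP has appeared in that user's ordinary sign-ins, which is a useful first-pass signal because a victim's normal traffic and the attacker's token polling usually come from different places.

```python
"""Flag successful device code sign-ins in Entra-style sign-in records.
Added example, not from the article or from Microsoft. Field names follow
the Graph signIn resource; the sample records are constructed."""
import json

# Constructed sample sign-in records (not real telemetry).
SAMPLE_SIGNINS = json.loads("""[
 {"createdDateTime": "2025-10-02T08:01:11Z", "userPrincipalName": "a.smith@agency.example",
  "authenticationProtocol": "oAuth2", "appDisplayName": "Office 365 Exchange Online",
  "ipAddress": "203.0.113.10", "status": {"errorCode": 0}},
 {"createdDateTime": "2025-10-02T09:14:52Z", "userPrincipalName": "a.smith@agency.example",
  "authenticationProtocol": "deviceCode", "appDisplayName": "Microsoft Authentication Broker",
  "ipAddress": "198.51.100.7", "status": {"errorCode": 0}},
 {"createdDateTime": "2025-10-02T09:20:03Z", "userPrincipalName": "b.jones@agency.example",
  "authenticationProtocol": "oAuth2", "appDisplayName": "Microsoft Teams",
  "ipAddress": "203.0.113.20", "status": {"errorCode": 0}},
 {"createdDateTime": "2025-10-02T09:31:40Z", "userPrincipalName": "b.jones@agency.example",
  "authenticationProtocol": "deviceCode", "appDisplayName": "Microsoft Azure CLI",
  "ipAddress": "203.0.113.20", "status": {"errorCode": 0}},
 {"createdDateTime": "2025-10-02T10:05:19Z", "userPrincipalName": "c.lee@agency.example",
  "authenticationProtocol": "deviceCode", "appDisplayName": "Microsoft Authentication Broker",
  "ipAddress": "198.51.100.9", "status": {"errorCode": 50126}}
]""")


def flag_device_code_signins(records):
    """Return one finding per successful device code sign-in, in input order.

    Each finding carries new_ip_for_user, True when the IP never appeared in
    that user's successful sign-ins by any other protocol in the same batch.
    """
    # Baseline: IPs each user has used for successful non-device-code sign-ins.
    baseline = {}
    for r in records:
        if r["authenticationProtocol"] != "deviceCode" and r["status"]["errorCode"] == 0:
            baseline.setdefault(r["userPrincipalName"], set()).add(r["ipAddress"])

    findings = []
    for r in records:
        if r["authenticationProtocol"] != "deviceCode":
            continue
        if r["status"]["errorCode"] != 0:
            continue  # failed attempts are worth counting separately, not flagged here
        known_ips = baseline.get(r["userPrincipalName"], set())
        findings.append({
            "time": r["createdDateTime"],
            "user": r["userPrincipalName"],
            "app": r["appDisplayName"],
            "ip": r["ipAddress"],
            "new_ip_for_user": r["ipAddress"] not in known_ips,
        })
    return findings


if __name__ == "__main__":
    for finding in flag_device_code_signins(SAMPLE_SIGNINS):
        print(finding)
```

Over the sample, the two successful device code sign-ins are flagged: the one from an IP the user has never signed in from elsewhere is the one worth investigating first, while the Azure CLI sign-in from the user's usual address looks like an administrator doing real work. In production the baseline should be built from a longer window than the batch being examined. Detection is the second line; the first is preventive, and Microsoft Entra Conditional Access already offers an "Authentication flows" condition that can block the device code flow for users and applications that do not need it.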