Threat actors believed to be linked to the Russian government are actively targeting Microsoft 365 accounts through device code authentication phishing, according to recent research from cybersecurity firm Volexity.

The attacks have been alarmingly successful, compromising high-profile accounts in government agencies, research institutions, and major enterprise businesses.

The technique has proven more effective than the same actors' traditional spear-phishing campaigns. Instead of hiding a lookalike login page behind a malicious link, it abuses a legitimate Microsoft sign-in flow: the link the victim follows really does lead to microsoft.com. The attackers impersonate officials from entities such as the U.S. Department of State and prominent research organizations, and trick targets into entering an attacker-generated device code, after which Microsoft issues the attackers tokens that grant long-term access to the victim's account.

How Device Code Phishing Works

Device code authentication (the OAuth 2.0 device authorization grant) allows users to sign in to M365 services from devices that lack a full web browser or keyboard, such as Internet of Things (IoT) devices, smart TVs, and command-line tools. The device displays a short code; the user opens microsoft.com/devicelogin in a browser on another machine, enters that code and signs in as normal, and the device then receives tokens for the account. Attackers exploit this by requesting a code themselves and persuading the victim to enter it: the victim signs in on a genuine Microsoft page with their real password and MFA, but the tokens are issued to the attacker's client, granting unauthorized access to the M365 account.

Microsoft tracks the activity as Storm-2372, while Volexity attributes the campaigns it observed to three separate Russian-linked actors it tracks as CozyLarch, UTA0304, and UTA0307. The campaigns involve multiple social engineering tactics, including:

  • Posing as government or research officials through messaging apps like WhatsApp, Signal, and Microsoft Teams.
  • Sending fake Microsoft Teams invites that appear to come from high-ranking officials or well-known organizations.
  • Directing victims to the authentic Microsoft device login page, where they are prompted to enter a device code the attackers generated moments earlier.
  • Polling Microsoft's token endpoint until the victim has signed in, at which point the attackers' client receives an access token and a refresh token, granting persistent access to emails, cloud data, and other sensitive files.
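The exchange described in the list above, as an added example that is not part of the original article or of Volexity's research: a minimal Python model of the OAuth 2.0 device authorization grant (RFC 8628) with the attacker's machine playing the client. The in-memory authorization server, the client ID, the victim's name and the token strings are constructed for the example; the 15-minute code lifetime and the microsoft.com/devicelogin verification URI are Microsoft's documented values, and the nine-character user code format is only illustrative.

```python
"""Model of the OAuth 2.0 device authorization grant (RFC 8628) as abused by device code phishing.

Three parties: the authorization server (standing in for Microsoft Entra ID), the client that
requests the device code (in the phishing scenario, the attacker's machine) and the user who
types the code into a browser. The server below is a simplified stand-in written for this
example, not Microsoft's implementation.
"""
import secrets
import string

USER_CODE_LIFETIME = 15 * 60                            # seconds: Microsoft device codes expire after 15 minutes
VERIFICATION_URI = "https://microsoft.com/devicelogin"  # the genuine page the victim is sent to


class AuthorizationServer:
    def __init__(self, clock):
        self.clock = clock              # callable returning the current time in seconds (injected for testing)
        self._by_device_code = {}       # device_code -> pending authorization record
        self._by_user_code = {}         # user_code   -> the same record

    def device_authorization(self, client_id, scope):
        """Step 1: the client asks for a code pair. No user has authenticated yet."""
        alphabet = string.ascii_uppercase + string.digits
        record = {
            "client_id": client_id,
            "scope": scope,
            "device_code": secrets.token_urlsafe(32),                          # secret, stays with the client
            "user_code": "".join(secrets.choice(alphabet) for _ in range(9)),  # shown to the user (format illustrative)
            "expires_at": self.clock() + USER_CODE_LIFETIME,
            "approved_by": None,
        }
        self._by_device_code[record["device_code"]] = record
        self._by_user_code[record["user_code"]] = record
        return {
            "device_code": record["device_code"],
            "user_code": record["user_code"],
            "verification_uri": VERIFICATION_URI,
            "expires_in": USER_CODE_LIFETIME,
            "interval": 5,                                # minimum seconds between token polls
        }

    def user_login(self, user_code, username, credentials_valid, mfa_passed):
        """Step 2: the user opens the verification URI, enters the code and signs in normally.

        The page is genuine and the password and MFA are checked as usual. The only thing wrong
        in the phishing case is that the code was issued to someone else's client.
        """
        record = self._by_user_code.get(user_code)
        if record is None or self.clock() > record["expires_at"]:
            return "invalid_or_expired_code"
        if not (credentials_valid and mfa_passed):
            return "authentication_failed"
        record["approved_by"] = username
        return "approved"

    def token(self, client_id, device_code):
        """Step 3: the client polls the token endpoint with its device code."""
        record = self._by_device_code.get(device_code)
        if record is None or record["client_id"] != client_id:
            return {"error": "invalid_grant"}
        if self.clock() > record["expires_at"]:
            return {"error": "expired_token"}
        if record["approved_by"] is None:
            return {"error": "authorization_pending"}   # keep polling
        return {
            "token_type": "Bearer",
            "access_token": "at." + secrets.token_urlsafe(16),   # short-lived (about an hour in Entra ID)
            "refresh_token": "rt." + secrets.token_urlsafe(16),  # long-lived: this is what gives persistent access
            "expires_in": 3600,
            "scope": record["scope"],
            "subject": record["approved_by"],                    # a real access token carries this in its claims
        }


def phishing_exchange(approval_delay_seconds):
    """Run the three steps with the attacker as the client; the victim acts after the given delay.

    Returns the attacker's first and last token-endpoint responses and the victim's login result.
    """
    now = [1_000_000.0]                                  # fake clock so the expiry is reproducible
    server = AuthorizationServer(clock=lambda: now[0])
    # The attacker requests the code pair; only user_code is forwarded to the victim in the lure.
    grant = server.device_authorization("attacker-client", "Mail.Read Files.Read offline_access")
    first_poll = server.token("attacker-client", grant["device_code"])   # victim has not acted yet
    now[0] += approval_delay_seconds
    login_result = server.user_login(grant["user_code"], "victim@example.org",
                                     credentials_valid=True, mfa_passed=True)
    final_poll = server.token("attacker-client", grant["device_code"])
    return {"first_poll": first_poll, "login_result": login_result, "final_poll": final_poll}


if __name__ == "__main__":
    print(phishing_exchange(approval_delay_seconds=120))      # victim acts within the window: tokens issued
    print(phishing_exchange(approval_delay_seconds=16 * 60))  # victim acts too late: expired_token
```

Two things the model makes visible that the prose only states: the attacker's client never sees a password or an MFA prompt, because those are checked on Microsoft's own page, and the flow fails outright if the victim acts more than 15 minutes after the code was requested, which is why the real-time coordination described below matters to the attackers.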


Several High-Profile Incidents

Signal to Element Chatroom Trap

In one instance investigated by Volexity, a victim was contacted via Signal by an individual claiming to be a Ukrainian Ministry of Defence official. After building rapport, the attacker urged the target to switch to Element, a secure messaging platform.

The victim was then sent an email, seemingly from a high-ranking Ukrainian official, containing an invitation to a secure chatroom. However, instead of leading to Element, all hyperlinks redirected the victim to Microsoft's device code login page. Once the victim entered the attacker's device code and signed in, the attacker obtained long-term access to their Microsoft 365 account.

To increase their success rate, the hackers coordinated the phishing attempt in real time, generating the code only once the victim was engaged so that it would be entered within the 15-minute window after which a device code expires.


Fake U.S. Government Conference Call

In another attack observed in February 2025, hackers sent fraudulent Microsoft Teams invitations, posing as U.S. Department of State officials. These emails invited targets to join a virtual conference call but instead led to a Microsoft authentication page, where victims were instructed to enter an attacker-generated device code.

Unlike the first attack, this phishing attempt involved no preliminary engagement, making it less likely to succeed: with no prior contact to prompt them, victims would have had to enter the code within 15 minutes of the email being sent.


European Parliament Impersonation

In a third case, the attackers pretended to be a European Parliament member from the Committee on Foreign Affairs. The email invited recipients to a Microsoft Teams meeting to discuss Donald Trump's impact on U.S.-EU relations.

To enhance credibility, attackers engaged in conversation before sending the malicious link, ensuring the victim entered the device code quickly.


Evolution of the Phishing Technique

In a more advanced version of the attack, threat group UTA0307 sent victims to a fake Microsoft Teams landing page under its own control instead of linking directly to Microsoft's device login site.

  • Each visit to the spoofed page requested a fresh device code, so the code was still well within its 15-minute lifetime when the victim reached the login page.
  • The page claimed the victim needed to complete a security check by copying the displayed code and pasting it into a second page, the genuine Microsoft device login page.
  • Once the code was entered and the victim signed in, the attackers' client received tokens for the victim's M365 account.



Why This Attack Is So Effective

Device code authentication phishing is especially dangerous because:

  • It uses legitimate Microsoft login pages, so the URL, the certificate and the sign-in experience are all genuine and the usual "check the address bar" advice does not help.
  • Attackers route their activity through U.S.-based proxy IPs, so their messages and sign-ins do not stand out as coming from an unexpected country.
  • There is no need to steal passwords: the victim completes password and MFA checks themselves, and Microsoft then issues the access and refresh tokens to the attacker's client.
  • Most organizations are unaware of this attack vector and have no controls or detections tuned to it, making them more vulnerable.

Researchers at Volexity noted that these device code phishing attacks have been more successful than years of other social engineering attempts by the same Russian-linked threat actors.


How to Protect Against Device Code Phishing

Microsoft and Volexity recommend several preventative measures to mitigate these attacks:

  • Restrict device code authentication to only essential use cases. Microsoft recommends blocking the flow wherever possible; in Microsoft Entra ID this can be done with a Conditional Access policy that targets the device code authentication flow, with exceptions only for the accounts and devices that genuinely need it.
  • Implement Conditional Access policies on M365 to prevent unauthorized logins, for example requiring a compliant or managed device, which an attacker's polling client cannot present, since the policy is evaluated before the token is issued.
  • Monitor sign-in logs for suspicious requests, particularly sign-ins whose authentication protocol is device code: a user's first-ever device code sign-in, or one from an unusual location or application, deserves a closer look.
  • Revoke refresh tokens immediately if phishing is suspected; an access token on its own expires within about an hour, so the refresh token is what gives the attacker long-term access.
  • Educate employees on the dangers of device code phishing and encourage them to verify unexpected meeting invites.
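A worked version of the monitoring recommendation above, added here as an example that is not part of the original article or of Microsoft's or Volexity's guidance: a Python triage routine run over constructed sign-in records in the shape of Microsoft Graph signIn objects. The field names (createdDateTime, userPrincipalName, authenticationProtocol, ipAddress, location.countryOrRegion, status.errorCode, appDisplayName) and the "deviceCode" protocol value are the real Graph ones; the users, addresses, timestamps, the 30-day baseline and the two scoring rules are this example's own assumptions.

```python
"""Triage of Microsoft Entra ID sign-in records for device code authentication abuse.

The records below are constructed for this example in the shape of Microsoft Graph signIn
objects. The field names are the real Graph ones; the users, addresses and timestamps are
invented. The scoring rules are this example's own, not Microsoft's or Volexity's.
"""
import json
from datetime import datetime, timedelta

LOOKBACK = timedelta(days=30)     # how far back to build each user's baseline (assumption)
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"

SAMPLE_SIGNINS = [  # constructed sample data
    # anna's normal browser sign-ins from Germany
    {"createdDateTime": "2025-02-01T08:02:11Z", "userPrincipalName": "anna@example.org",
     "authenticationProtocol": "none", "ipAddress": "203.0.113.10",
     "location": {"countryOrRegion": "DE"}, "status": {"errorCode": 0},
     "appDisplayName": "Office 365 Exchange Online"},
    {"createdDateTime": "2025-02-10T09:15:40Z", "userPrincipalName": "anna@example.org",
     "authenticationProtocol": "none", "ipAddress": "203.0.113.10",
     "location": {"countryOrRegion": "DE"}, "status": {"errorCode": 0},
     "appDisplayName": "Microsoft Teams"},
    # a failed device code attempt two minutes before the phish succeeded; failures are ignored
    {"createdDateTime": "2025-02-12T14:29:50Z", "userPrincipalName": "anna@example.org",
     "authenticationProtocol": "deviceCode", "ipAddress": "198.51.100.77",
     "location": {"countryOrRegion": "US"}, "status": {"errorCode": 50126},
     "appDisplayName": "Microsoft Office"},
    # the phish: anna's first device code sign-in, recorded from outside her usual country
    {"createdDateTime": "2025-02-12T14:31:05Z", "userPrincipalName": "anna@example.org",
     "authenticationProtocol": "deviceCode", "ipAddress": "198.51.100.77",
     "location": {"countryOrRegion": "US"}, "status": {"errorCode": 0},
     "appDisplayName": "Microsoft Office"},
    # a meeting-room display that legitimately uses device code flow from the office every few weeks
    {"createdDateTime": "2025-01-20T07:00:00Z", "userPrincipalName": "lobby-display@example.org",
     "authenticationProtocol": "deviceCode", "ipAddress": "203.0.113.50",
     "location": {"countryOrRegion": "DE"}, "status": {"errorCode": 0},
     "appDisplayName": "Microsoft Teams"},
    {"createdDateTime": "2025-02-12T07:00:00Z", "userPrincipalName": "lobby-display@example.org",
     "authenticationProtocol": "deviceCode", "ipAddress": "203.0.113.50",
     "location": {"countryOrRegion": "DE"}, "status": {"errorCode": 0},
     "appDisplayName": "Microsoft Teams"},
]


def _ts(rec):
    return datetime.strptime(rec["createdDateTime"], TIME_FMT)


def triage_device_code_signins(signins, since, lookback=LOOKBACK):
    """Return a finding for every successful device code sign-in at or after `since` that is
    either the user's first device code sign-in within the lookback window or comes from a
    country absent from that user's recent successful sign-ins. Earlier records are baseline only."""
    since_ts = datetime.strptime(since, TIME_FMT)
    ordered = sorted(signins, key=_ts)
    findings = []
    for i, rec in enumerate(ordered):
        if _ts(rec) < since_ts or rec["authenticationProtocol"] != "deviceCode":
            continue
        if rec["status"]["errorCode"] != 0:
            continue                                   # failed attempts are noise for this rule
        user = rec["userPrincipalName"]
        window_start = _ts(rec) - lookback
        history = [h for h in ordered[:i]
                   if h["userPrincipalName"] == user
                   and h["status"]["errorCode"] == 0
                   and _ts(h) >= window_start]
        reasons = []
        if not any(h["authenticationProtocol"] == "deviceCode" for h in history):
            reasons.append("first device code sign-in for this user in the lookback window")
        known = {h["location"]["countryOrRegion"] for h in history}
        country = rec["location"]["countryOrRegion"]
        if known and country not in known:
            reasons.append(f"country {country} not seen in user's recent sign-ins {sorted(known)}")
        if reasons:
            findings.append({"user": user, "time": rec["createdDateTime"], "ip": rec["ipAddress"],
                             "app": rec["appDisplayName"], "reasons": reasons,
                             "response": "revoke refresh tokens, then confirm with the user"})
    return findings


if __name__ == "__main__":
    print(json.dumps(triage_device_code_signins(SAMPLE_SIGNINS, since="2025-02-01T00:00:00Z"), indent=2))
```

Run against the sample data, only anna's 14:31 sign-in is reported, with both reasons; the meeting-room account's February sign-in is left alone because its January sign-in already established device code use from the same country. In Microsoft Sentinel the equivalent starting filter over the SigninLogs table is AuthenticationProtocol == "deviceCode", and once a finding is confirmed, revoking the user's refresh tokens (Revoke-MgUserSignInSession in Microsoft Graph PowerShell) cuts off the attacker's long-term access.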


Microsoft has not identified any vulnerability in its software enabling these attacks, since the device code flow is working as designed; it continues to track the activity and notify affected users. Meanwhile, the threat actors appear to be refining their techniques, making vigilance and strong security controls critical for organizations facing these threats.



from UC Today https://ift.tt/E9laXYt