Since September 2025, cybersecurity researchers have identified a phishing campaign that targets Microsoft 365 accounts through a device code authentication workflow. The campaign is attributed to a suspected Russia‑aligned threat actor and is being monitored by the security firm Proofpoint under the codename UNK_AcademicFlare.
Methodology
The attackers exploit the device code authentication feature that Microsoft 365 offers so that users can sign in to services from devices that lack a keyboard or display. Victims receive an email containing a short alphanumeric code and a link to a genuine Microsoft authentication page. When the victim enters the code, the sign-in is completed on behalf of the attacker’s command and control server, which requested the code in the first place and has been polling Microsoft for the result; that server receives sign-in tokens for the account, which serve as the user’s credentials from that point on, allowing the threat actor to take over the account.
In addition to the device code technique, the campaign leverages compromised email addresses that belong to government entities. These addresses are used to send the phishing emails, giving the messages a higher level of credibility and increasing the likelihood that recipients will click the embedded link.
Attribution
Proofpoint’s investigation links the activity to a group that has been observed conducting similar operations in the past. The attribution is based on the use of specific code signatures, infrastructure reuse, and the target selection pattern. While the group’s exact identity remains unclear, analysts classify it as Russia‑aligned due to the consistent use of Russian‑language indicators within the code and the alignment with known Russian threat actor tactics, techniques, and procedures.
Evidence of Russian Alignment
Analysts note that the phishing emails and the command and control infrastructure exhibit language patterns, IP address ranges, and file naming conventions that match those used by other Russian‑linked campaigns. The same malware families that have appeared in previous attacks attributed to Russian actors are also present in this operation.
Impact
So far, the campaign has affected a limited number of Microsoft 365 accounts, primarily within government organizations. The compromised accounts have been used to access sensitive data, modify security settings, and potentially move laterally within the networks of the targeted entities. Because the victim completes the sign-in, including any multi-factor prompt, on Microsoft’s legitimate page, the tokens issued to the attacker already satisfy multi-factor authentication; the flow therefore sidesteps MFA as a control, and the attackers gain unrestricted access once the code is entered.
Potential Consequences
Account takeover can lead to the exfiltration of confidential information, disruption of services, and the spread of further malware within the victim’s environment. In government contexts, such breaches can compromise national security, impede public services, and erode trust in digital infrastructure.
Reactions
Microsoft has issued a public advisory urging users to verify the authenticity of device code requests and to be cautious when clicking links from unknown senders. The company recommends that administrators enable the “Require multi‑factor authentication for device code flows” setting where available. Proofpoint has advised its clients to block the known malicious domains and to monitor for suspicious authentication activity.
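One way an administrator can check whether the recommended control is actually in force is to audit the tenant’s Conditional Access policies. The script below is an added example, not code from the article, Microsoft or Proofpoint. It assumes policy objects in the shape returned by the Microsoft Graph /identity/conditionalAccess/policies endpoint, where the condition conditions.authenticationFlows.transferMethods names "deviceCodeFlow" to select the device code flow; the three policies it reads are constructed samples, and the report-only state and break-glass exclusion are included to show the two ways such a policy commonly fails to cover the flow.

```python
"""Audit Entra Conditional Access policies for device code flow coverage.

Added example, not code from the article, Microsoft or Proofpoint. Assumes
policy objects in the Microsoft Graph /identity/conditionalAccess/policies
shape, where conditions.authenticationFlows.transferMethods lists
"deviceCodeFlow". The policies below are constructed samples.
"""
import json

# Constructed sample: three policies as an admin might find them in a tenant.
SAMPLE_POLICIES_JSON = """
[
  {"displayName": "Block device code flow (pilot)",
   "state": "enabledForReportingButNotEnforced",
   "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": []},
                  "applications": {"includeApplications": ["All"]},
                  "authenticationFlows": {"transferMethods": "deviceCodeFlow"}},
   "grantControls": {"operator": "OR", "builtInControls": ["block"]}},
  {"displayName": "Require MFA for device code flow",
   "state": "enabled",
   "conditions": {"users": {"includeUsers": ["All"],
                            "excludeUsers": ["breakglass@example.com"]},
                  "applications": {"includeApplications": ["All"]},
                  "authenticationFlows": {"transferMethods": "deviceCodeFlow,authenticationTransfer"}},
   "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
  {"displayName": "Block legacy authentication",
   "state": "enabled",
   "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": []},
                  "applications": {"includeApplications": ["All"]},
                  "clientAppTypes": ["exchangeActiveSync", "other"]},
   "grantControls": {"operator": "OR", "builtInControls": ["block"]}}
]
"""


def load_policies(text: str = SAMPLE_POLICIES_JSON) -> list:
    """Parse a JSON array of policy objects (the constructed sample by default)."""
    return json.loads(text)


def device_code_controls(policy: dict) -> set:
    """Grant controls an enforced, tenant-wide policy applies to device code sign-ins.

    Returns an empty set when the policy is not enabled (report-only counts as
    not enabled), does not target the device code flow, or does not include
    all users and all applications.
    """
    if policy.get("state") != "enabled":
        return set()
    cond = policy.get("conditions", {})
    # transferMethods is a comma-separated flags string in Graph.
    methods = (cond.get("authenticationFlows") or {}).get("transferMethods", "")
    if "deviceCodeFlow" not in {m.strip() for m in methods.split(",")}:
        return set()
    if cond.get("users", {}).get("includeUsers") != ["All"]:
        return set()
    if cond.get("applications", {}).get("includeApplications") != ["All"]:
        return set()
    return set((policy.get("grantControls") or {}).get("builtInControls", []))


def audit_device_code_coverage(policies: list) -> dict:
    """Summarise how the tenant treats device code sign-ins across all policies."""
    blocked, mfa_required, exclusions = False, False, []
    for policy in policies:
        controls = device_code_controls(policy)
        if not controls:
            continue
        blocked = blocked or "block" in controls
        mfa_required = mfa_required or "mfa" in controls
        # Excluded accounts can still complete device code sign-ins unchallenged.
        exclusions += policy["conditions"]["users"].get("excludeUsers", [])
    return {
        "blocked": blocked,
        "mfa_required": mfa_required,
        "covered": blocked or mfa_required,
        "excluded_users": sorted(set(exclusions)),
    }


if __name__ == "__main__":
    print(audit_device_code_coverage(load_policies()))
```

Run against the sample, the audit reports that device code flow is not blocked (the blocking policy is still report-only), that MFA is required for it, and that one excluded account remains outside the control; against a real tenant the same functions take the array returned by the Graph endpoint.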
Government Response
Several government agencies have increased their monitoring of Microsoft 365 authentication logs and are conducting internal reviews of their security configurations. No official statements have been released regarding specific incidents or the number of accounts compromised.
Implications for Cybersecurity Practices
This campaign highlights the evolving threat landscape where attackers target authentication mechanisms that were originally designed to improve user convenience. Organizations relying heavily on cloud services must reassess the security of device code authentication, especially when used in environments with high-value targets.
Best Practices for Mitigation
Security teams should enforce strict access controls, employ continuous monitoring of authentication flows, and educate users about the risks associated with phishing emails. Implementing conditional access policies that require additional verification for device code requests can reduce the attack surface.
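Continuous monitoring of authentication flows can start from the sign-in log itself. The script below is an added example, not code from the article, Microsoft or Proofpoint. It assumes records exported from the Entra sign-in log in the Graph /auditLogs/signIns shape, where authenticationProtocol is "deviceCode" for device code sign-ins and status.errorCode is 0 on success; the records it reads are constructed samples. It builds each user’s baseline of IPs and countries from their successful interactive sign-ins, then rates every successful device code sign-in by how far it departs from that baseline.

```python
"""Flag suspicious device code sign-ins in Entra sign-in log records.

Added example, not code from the article, Microsoft or Proofpoint. Assumes
records in the Graph /auditLogs/signIns shape, where authenticationProtocol
is "deviceCode" for device code sign-ins and status.errorCode is 0 on
success. The records below are constructed samples, not real log data.
"""
import json
from collections import defaultdict

# Constructed sample: two users, interactive sign-ins plus device code sign-ins.
SAMPLE_SIGNINS_JSON = """
[
  {"id": "s1", "createdDateTime": "2025-10-01T08:02:11Z",
   "userPrincipalName": "alice@example.gov", "ipAddress": "203.0.113.10",
   "location": {"countryOrRegion": "US"}, "authenticationProtocol": "none",
   "appDisplayName": "Outlook", "status": {"errorCode": 0}},
  {"id": "s2", "createdDateTime": "2025-10-02T09:15:30Z",
   "userPrincipalName": "alice@example.gov", "ipAddress": "203.0.113.11",
   "location": {"countryOrRegion": "US"}, "authenticationProtocol": "none",
   "appDisplayName": "Microsoft Teams", "status": {"errorCode": 0}},
  {"id": "s3", "createdDateTime": "2025-10-03T14:20:45Z",
   "userPrincipalName": "alice@example.gov", "ipAddress": "198.51.100.77",
   "location": {"countryOrRegion": "NL"}, "authenticationProtocol": "deviceCode",
   "appDisplayName": "Microsoft Office", "status": {"errorCode": 0}},
  {"id": "s4", "createdDateTime": "2025-10-01T10:00:00Z",
   "userPrincipalName": "bob@example.gov", "ipAddress": "192.0.2.5",
   "location": {"countryOrRegion": "GB"}, "authenticationProtocol": "none",
   "appDisplayName": "Outlook", "status": {"errorCode": 0}},
  {"id": "s5", "createdDateTime": "2025-10-03T11:05:00Z",
   "userPrincipalName": "bob@example.gov", "ipAddress": "192.0.2.5",
   "location": {"countryOrRegion": "GB"}, "authenticationProtocol": "deviceCode",
   "appDisplayName": "Azure CLI", "status": {"errorCode": 0}},
  {"id": "s6", "createdDateTime": "2025-10-03T11:09:00Z",
   "userPrincipalName": "bob@example.gov", "ipAddress": "198.51.100.77",
   "location": {"countryOrRegion": "NL"}, "authenticationProtocol": "deviceCode",
   "appDisplayName": "Microsoft Office", "status": {"errorCode": 50126}}
]
"""


def load_signins(text: str = SAMPLE_SIGNINS_JSON) -> list:
    """Parse a JSON array of sign-in records (the constructed sample by default)."""
    return json.loads(text)


def is_success(record: dict) -> bool:
    return record.get("status", {}).get("errorCode") == 0


def is_device_code(record: dict) -> bool:
    return record.get("authenticationProtocol") == "deviceCode"


def build_baseline(records: list) -> tuple:
    """Known IPs and countries per user from successful non-device-code sign-ins."""
    ips, countries = defaultdict(set), defaultdict(set)
    for r in records:
        if is_success(r) and not is_device_code(r):
            user = r["userPrincipalName"]
            ips[user].add(r["ipAddress"])
            countries[user].add(r["location"]["countryOrRegion"])
    return ips, countries


def find_suspicious_device_code_signins(records: list) -> list:
    """Rate each successful device code sign-in against the user's baseline.

    A user with no interactive baseline at all gets every reason flagged,
    so a device code sign-in for a dormant account rates high.
    """
    ips, countries = build_baseline(records)
    findings = []
    for r in records:
        if not (is_device_code(r) and is_success(r)):
            continue  # failed attempts never issued a token; keep them out of this list
        user = r["userPrincipalName"]
        reasons = []
        if r["ipAddress"] not in ips[user]:
            reasons.append("ip_not_in_baseline")
        if r["location"]["countryOrRegion"] not in countries[user]:
            reasons.append("country_not_in_baseline")
        severity = {0: "low", 1: "medium", 2: "high"}[len(reasons)]
        findings.append({"id": r["id"], "user": user, "app": r["appDisplayName"],
                         "time": r["createdDateTime"], "severity": severity,
                         "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_device_code_signins(load_signins()):
        print(finding)
```

On the sample, alice’s device code sign-in from an IP and country she has never used rates high, while bob’s from his usual address rates low, which is the shape a legitimate command-line tool sign-in takes. In production the baseline should come from a longer lookback than the window being reviewed, and high findings are the ones to pair with a token revocation and a check of the account’s recent mailbox and security-setting changes.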
Conclusion
As the phishing campaign continues, cybersecurity firms and governments are expected to enhance their defenses against device code exploitation. The threat actor’s persistence suggests that additional attacks may be launched if Microsoft 365 remains a primary target. Organizations are advised to stay updated on official advisories, apply recommended security settings, and conduct regular security assessments to detect and mitigate future attempts.