Russian-linked hackers use Microsoft 365 device code phishing to take over accounts

December 20, 2025

A group suspected of being affiliated with Russia is believed to be behind a phishing campaign that abuses the device code authentication workflow to steal victims’ Microsoft 365 credentials and conduct account takeover attacks.

This activity, which has been ongoing since September 2025, is tracked by Proofpoint under the name UNK_AcademicFlare.

The attacks target organizations within the government, think tank, higher education, and transportation sectors in the United States and Europe, using compromised email addresses belonging to government and military organizations.

“Typically, these compromised email addresses are used for innocuous activities and rapport building related to the target’s field of expertise in order to ultimately arrange fictitious meetings or interviews,” the enterprise security firm said.

As part of these efforts, the attackers claim to share links to documents containing questions and topics that email recipients can review before the meeting. The link points to a Cloudflare Worker URL that mimics the compromised sender’s Microsoft OneDrive account and instructs victims to copy the provided code and click “Next” to access the supposed document.

However, upon doing so, the user is redirected to a legitimate Microsoft device code login URL, and once the previously provided code is entered, the service generates an access token, which the threat actors then recover to take control of the victim’s account.

Device code phishing was documented in detail by both Microsoft and Volexity in February 2025, and the use of this attack technique has been attributed to Russian-aligned clusters including Storm-2372, APT29, UTA0304, and UTA0307. Over the past few months, Amazon Threat Intelligence and Volexity have warned of continued attacks by Russian threat actors exploiting device code authentication flows.

Proofpoint said UNK_AcademicFlare was likely a Russian-aligned threat actor, given its targeting of Russian experts at multiple think tanks, the Ukrainian government, and energy sector organizations.


The company’s data shows that several state-aligned and financially motivated attackers are using phishing tactics to trick users into granting access to their Microsoft 365 accounts. This includes an electronic crime group named TA2723 that uses payroll-related phishing emails to lure users to fake landing pages and trigger device code verification.

The October 2025 campaign is said to have been facilitated by the ready availability of crimeware products such as the Graphish phishing kit and red team tools such as SquarePhish.

“Like SquarePhish, this tool is designed to be easy to use and does not require advanced technical expertise, lowering the barrier to entry and allowing even less skilled attackers to conduct sophisticated phishing campaigns,” Proofpoint said. “The ultimate goal is unauthorized access to sensitive personal or organizational data, which can be used for credential theft, account takeover, and further security breaches.”

The best option to combat the risk posed by device code phishing is to create a conditional access policy with an authentication flow condition to block device code flow for all users. If that’s not possible, we recommend using a policy that allows device code authentication for authorized users, operating systems, or IP ranges using an allow list approach.
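
The allow list approach described above can also be used to review sign-in logs before or after the policy is enforced. The following is an added example, not code from Proofpoint or Microsoft: it flags device code sign-ins that fall outside an allow list of users and IP ranges. The field names are modelled on Entra ID sign-in log exports and are assumptions, the allow list values and sample records are constructed, and the check requires both an authorized user and an allowed source range.

```python
import ipaddress

# Assumed allow list (hypothetical values): who may use device code flow, and from where.
ALLOWED_USERS = {"kiosk-svc@example.org"}
ALLOWED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]

# Constructed sample records; field names modelled on Entra ID sign-in exports (assumption).
SAMPLE_SIGNINS = [
    {"userPrincipalName": "kiosk-svc@example.org", "ipAddress": "203.0.113.10",
     "authenticationProtocol": "deviceCode", "appDisplayName": "Microsoft Azure CLI"},
    {"userPrincipalName": "analyst@example.org", "ipAddress": "198.51.100.7",
     "authenticationProtocol": "deviceCode", "appDisplayName": "Microsoft Office"},
    {"userPrincipalName": "analyst@example.org", "ipAddress": "198.51.100.7",
     "authenticationProtocol": "none", "appDisplayName": "Office 365 Exchange Online"},
    {"userPrincipalName": "kiosk-svc@example.org", "ipAddress": "192.0.2.44",
     "authenticationProtocol": "deviceCode", "appDisplayName": "Microsoft Azure CLI"},
    {"userPrincipalName": "dean@example.org", "ipAddress": "not-an-ip",
     "authenticationProtocol": "DeviceCode", "appDisplayName": "Microsoft Office"},
]

def ip_allowed(value):
    """True only if value parses as an IP address inside an allowed network."""
    try:
        addr = ipaddress.ip_address(value)
    except ValueError:
        return False  # an unparseable source address fails closed
    return any(addr in net for net in ALLOWED_NETWORKS)

def review_device_code_signins(records):
    """Return (user, ip, reasons) for device code sign-ins outside the allow list."""
    findings = []
    for rec in records:
        if str(rec.get("authenticationProtocol", "")).lower() != "devicecode":
            continue  # other authentication flows are out of scope here
        user = str(rec.get("userPrincipalName", "")).lower()
        ip = rec.get("ipAddress", "")
        reasons = []
        if user not in ALLOWED_USERS:
            reasons.append("user not authorized for device code flow")
        if not ip_allowed(ip):
            reasons.append("source IP outside allowed ranges")
        if reasons:
            findings.append((user, ip, reasons))
    return findings

if __name__ == "__main__":
    for user, ip, reasons in review_device_code_signins(SAMPLE_SIGNINS):
        print(f"{user} from {ip}: {'; '.join(reasons)}")
```

Running the same review in report-only mode before blocking shows which users and locations legitimately depend on device code flow and belong on the allow list.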
