Multiple Russian nation-state actors are targeting sensitive Microsoft 365 accounts via device code authentication phishing, a new analysis by Volexity has revealed.
The firm first observed this activity towards the end of January 2025, when the M365 account of one of its customers was successfully compromised in a highly targeted attack.
The technique is more effective at successfully compromising accounts than most other spear-phishing campaigns, according to the researchers.
In the campaign, the attackers impersonate individuals from government departments, including the US Department of State, and prominent research institutions. This is designed to socially engineer targets into providing a specific Microsoft device authentication code, allowing the attackers long-term access to the user’s account.
This tactic is designed to exfiltrate sensitive information from compromised organizations “that would be of interest to a Russian threat actor.”
Device code authentication is a method whereby users can sign into M365 services on devices that lack a full browser interface, like Internet-of-Things (IoT) devices, by using a code displayed on that device and then authenticating on another device, such as a phone.
Volexity assesses with medium confidence that at least one of the threat actors is CozyLarch, which overlaps with the notorious Midnight Blizzard gang. The remaining activity is being tracked under UTA0304 and UTA0307.
Most of the observed attacks originated via spear-phishing emails using a variety of themes. However, one case began with outreach via messaging service Signal.
All of them resulted in the attacker inviting the targeted user to a virtual meeting, to access apps and data as an external M365 user, or to join a chatroom on a secure chat application.
In the first incident investigated by Volexity, the victim was contacted on Signal by an individual claiming to be from the Ukrainian Ministry of Defence. The threat actor then requested the victim move off Signal to another secure chat application called Element.
After joining an attacker-controlled Element server, the victim was informed they needed to click on a link from an email to join a secure chat room.
The email came from someone using the name of a high-ranking official from the Ukrainian Ministry of Defence.
It was structured to look like a meeting invite for a chatroom on the messaging application, Element.
However, all the hyperlinks in the email were instead linked to the page used for the Microsoft Device Code authentication workflow, taking users to a dialogue box. Once a user entered their specific code into this dialogue, the attackers could then capture the code and gain long-term access to the user’s account.
The generated Device Codes are only valid for 15 minutes once they are created, meaning the victim needed to access the page and input the code quickly after receiving the email.
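To make the two properties the article relies on concrete (the token is issued to whoever requested the code pair, not to the person who types the user code, and the code expires after 15 minutes), here is an added Python model of the device authorization grant. It is an educational simulation written for this page, not Microsoft's implementation or Volexity's code; the class and function names, the epoch-based timestamps and the 9-character code format are constructed assumptions.

```python
import secrets
import string
from dataclasses import dataclass
from typing import Optional

# Constructed value: the 15-minute lifetime mirrors the window described in the article.
CODE_LIFETIME_SECONDS = 15 * 60


@dataclass
class DeviceCodeGrant:
    device_code: str          # long secret held only by the client that asked for the code
    user_code: str            # short code a human types on the verification page
    issued_at: float          # seconds since epoch (passed in explicitly so runs are deterministic)
    authorized_by: Optional[str] = None   # account that entered the user code, once someone has


class ToyAuthorizationServer:
    """Minimal RFC 8628-style device authorization grant (educational model, not Microsoft's)."""

    def __init__(self) -> None:
        self.grants: dict[str, DeviceCodeGrant] = {}        # device_code -> grant
        self.by_user_code: dict[str, DeviceCodeGrant] = {}  # user_code -> grant

    def request_device_code(self, now: float) -> tuple[str, str]:
        """Step 1: any client can ask for a code pair; no user identity is involved yet."""
        device_code = secrets.token_urlsafe(32)
        alphabet = string.ascii_uppercase + string.digits
        user_code = "".join(secrets.choice(alphabet) for _ in range(9))
        grant = DeviceCodeGrant(device_code, user_code, now)
        self.grants[device_code] = grant
        self.by_user_code[user_code] = grant
        return user_code, device_code

    def user_enters_code(self, user_code: str, account: str, now: float) -> str:
        """Step 2: the human signs in on the verification page and types the user code."""
        grant = self.by_user_code.get(user_code)
        if grant is None:
            return "invalid_code"
        if now - grant.issued_at > CODE_LIFETIME_SECONDS:
            return "expired_token"
        grant.authorized_by = account
        return "ok"

    def poll_token(self, device_code: str, now: float) -> tuple[str, Optional[dict]]:
        """Step 3: whoever holds device_code polls; the token is bound to them, not to the typist."""
        grant = self.grants.get(device_code)
        if grant is None:
            return "invalid_grant", None
        if now - grant.issued_at > CODE_LIFETIME_SECONDS:
            return "expired_token", None
        if grant.authorized_by is None:
            return "authorization_pending", None
        return "ok", {"sub": grant.authorized_by, "access_token": secrets.token_urlsafe(16)}


def walk_through() -> dict:
    """Run the three steps twice: once inside the 15-minute window, once after it has lapsed."""
    server = ToyAuthorizationServer()
    t0 = 1_000_000.0

    # Inside the window: the party that requested the code pair receives the user's token.
    user_code, device_code = server.request_device_code(now=t0)
    pending, _ = server.poll_token(device_code, now=t0 + 30)
    entry = server.user_enters_code(user_code, "victim@example.org", now=t0 + 120)
    status, token = server.poll_token(device_code, now=t0 + 125)

    # After the window: a code entered at minute 16 is rejected, which is why the
    # campaigns described above coordinated with the target in real time.
    late_user_code, late_device_code = server.request_device_code(now=t0)
    late_entry = server.user_enters_code(late_user_code, "victim@example.org", now=t0 + 16 * 60)
    late_status, _ = server.poll_token(late_device_code, now=t0 + 16 * 60 + 5)

    return {
        "pending_before_entry": pending,
        "entry": entry,
        "token_status": status,
        "token_subject": token["sub"] if token else None,
        "late_entry": late_entry,
        "late_token_status": late_status,
    }


if __name__ == "__main__":
    for key, value in walk_through().items():
        print(f"{key}: {value}")
```

The verification page in the model does nothing wrong: it authenticates the real user and accepts a valid code. The weakness the campaigns exploit is that the resulting token is returned to the holder of `device_code`, which is why the defensive focus is on who may use this flow at all rather than on the login page.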
“As a result, the real-time communication with the victim, and having them expect the ‘invitation’, served to ensure the phish would succeed through timely coordination,” the researchers explained.
The researchers also observed multiple Russian spear-phishing campaigns in early February 2025, which targeted users with fake Microsoft invitations purporting to be from the US Department of State.
Similarly to the first campaign, the emails aimed to convince the user to accept an invitation for a conference call, with the links directing them to the Microsoft Device Code authentication page.
However, unlike the previous attack, the email was sent out of the blue without any build-up or precursor. This made the attempt less likely to work, as the target would have needed to click on the link and input the code within 15 minutes of receiving the email.
Several other similar attacks have been observed by Volexity using fake invitations to various video platforms and chatrooms. These included the impersonation of a member of the European Parliament who is on the Committee on Foreign Affairs requesting a Microsoft Teams meeting to discuss Donald Trump and his impact on relations between the US and the European Union.
Many of these started a conversation prior to sending the link to the Microsoft Device Code authentication page to increase the chances of the target entering the generated code quickly.
In one case, a different device code phishing technique was used. Rather than the email link taking the target to the Microsoft Device Code authentication page, they were instead taken to a website controlled by UTA0307. This page was designed to appear as an official Microsoft interstitial page before the user can join a Microsoft Teams meeting, and was set up to automatically generate a new Microsoft Device Code each time it was visited.
The message on the landing page claimed that the victim needed to pass a security check by copying a code and entering it on a subsequent page. Once the victim entered the supplied code, the attackers gained access to their M365 account.
While device code authentication attacks are not new, they have rarely been utilized by nation-state actors, the researchers noted.
The technique is particularly effective, largely because the phishing URLs are on legitimate Microsoft domains, which makes them look familiar and trustworthy to users.
The attackers also used proxy IP addresses based in the US to distribute emails, making them appear as though they came from legitimate sources.
“This particular method has been far more effective than the combined effort of years of other social-engineering and spear-phishing attacks conducted by the same (or similar) threat actors,” the researchers wrote.
Volexity said the most effective way of mitigating this attack vector is through conditional access policies on an organization’s M365 tenant. These are relatively simple to set up.
However, they are often not implemented, as most organizations are not aware of this authentication flow or its capacity to be abused.
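Alongside a conditional access policy, a tenant can watch its sign-in logs for use of this flow, which is rare in most organisations and therefore a strong signal. The following added Python example (written for this page, not Volexity's or Microsoft's code) runs that check over a constructed JSON Lines export. It assumes each record carries an `authenticationProtocol` field whose value is `deviceCode` for this flow, as Entra ID sign-in logs do; the other field names, the sample records, the IP addresses and the "known egress" range are constructed for the example.

```python
import ipaddress
import json

# Constructed sign-in export (JSON Lines), shaped like an Entra ID sign-in log export.
# Records, users, addresses and timestamps are invented for this example.
SAMPLE_SIGNINS = """\
{"createdDateTime":"2025-02-03T14:02:11Z","userPrincipalName":"analyst@example.org","authenticationProtocol":"deviceCode","ipAddress":"203.0.113.45","location":{"countryOrRegion":"US"},"appDisplayName":"Microsoft Office","status":{"errorCode":0}}
{"createdDateTime":"2025-02-03T14:05:40Z","userPrincipalName":"analyst@example.org","authenticationProtocol":"oAuth2","ipAddress":"198.51.100.7","location":{"countryOrRegion":"GB"},"appDisplayName":"Microsoft Teams","status":{"errorCode":0}}
{"createdDateTime":"2025-02-03T15:11:02Z","userPrincipalName":"ops@example.org","authenticationProtocol":"deviceCode","ipAddress":"198.51.100.7","location":{"countryOrRegion":"GB"},"appDisplayName":"Azure CLI","status":{"errorCode":0}}
{"createdDateTime":"2025-02-03T16:20:19Z","userPrincipalName":"analyst@example.org","authenticationProtocol":"deviceCode","ipAddress":"203.0.113.45","location":{"countryOrRegion":"US"},"appDisplayName":"Microsoft Office","status":{"errorCode":50126}}
"""

# Constructed: address ranges the organisation recognises as its own egress.
KNOWN_EGRESS = [ipaddress.ip_network("198.51.100.0/24")]


def is_known_egress(ip: str) -> bool:
    """True if the address falls inside a range the organisation recognises as its own."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in KNOWN_EGRESS)


def find_device_code_signins(jsonl: str) -> list[dict]:
    """Return one finding per device-code sign-in, ranked by how much attention it deserves.

    high   - succeeded from an address the organisation does not recognise
    medium - succeeded from known egress (may be a legitimate CLI login; confirm with the user)
    low    - failed attempt; still worth a look, since it shows the flow is being exercised
    """
    findings = []
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        if rec.get("authenticationProtocol") != "deviceCode":
            continue
        succeeded = rec.get("status", {}).get("errorCode", 0) == 0
        if not succeeded:
            severity = "low"
        elif is_known_egress(rec["ipAddress"]):
            severity = "medium"
        else:
            severity = "high"
        findings.append({
            "time": rec["createdDateTime"],
            "user": rec["userPrincipalName"],
            "ip": rec["ipAddress"],
            "country": rec.get("location", {}).get("countryOrRegion"),
            "app": rec.get("appDisplayName"),
            "succeeded": succeeded,
            "severity": severity,
        })
    # Most urgent first; stable sort keeps chronological order within a severity.
    order = {"high": 0, "medium": 1, "low": 2}
    findings.sort(key=lambda f: order[f["severity"]])
    return findings


if __name__ == "__main__":
    for f in find_device_code_signins(SAMPLE_SIGNINS):
        print(f"[{f['severity']:6}] {f['time']} {f['user']} via {f['app']} from {f['ip']} ({f['country']})")
```

The detection is a backstop, not a substitute for the policy: by the time a successful device-code sign-in appears in the log, the token has already been issued. Blocking or restricting the flow with conditional access, then alerting on any sign-in that still reports it, is the combination a tenant would want.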
Ed Hardie via Unsplash