Russia-Linked Hackers Exploit Microsoft 365 Device Code Phishing Tactics for Account Takeovers

A suspected Russia-linked group has been conducting a phishing campaign aimed at stealing Microsoft 365 credentials through the device code authentication workflow. The activity, tracked by Proofpoint under the name UNK_AcademicFlare, has been ongoing since September 2025.

The group's strategy involves compromising email accounts belonging to government and military personnel and using these accounts to target organizations in various sectors, including government, think tanks, and education in the U.S. and Europe. Their approach typically starts with benign outreach that mimics legitimate communication in order to build rapport and arrange fake meetings.

For instance, the attackers send links to documents that appear relevant to the recipient's work, asking them to review the content before the meeting. These links direct victims to a Cloudflare-hosted URL disguised as the sender's OneDrive page, which asks the victim to enter a code to access the document. The page then redirects them to the legitimate Microsoft device code login page, where entering the attacker-supplied code issues an access token to the attacker. That token can then be used to take control of the victim's account.

Proofpoint noted that device code phishing tactics have previously been detailed by security firms and attributed to several Russian-aligned hacking groups, including Storm-2372 and APT29. Multiple actors, both state-affiliated and cybercriminal, have exploited this phishing method to gain unauthorized access to Microsoft 365 accounts; one is a financially motivated group named TA2723, which has used similar tactics in its phishing emails.

The recent campaign in October 2025 was likely supported by readily available crimeware kits, such as the Graphish phishing kit and user-friendly tools like SquarePhish, which enable low-skilled individuals to execute otherwise complex phishing operations. The ultimate goal of these phishing scams is to obtain access tokens for credential theft, account takeover, or further compromise.

To mitigate the risks associated with device code phishing, organizations are advised to implement Conditional Access policies that block the device code flow for all users, or to adopt an allow-list that permits it only for approved users and devices.
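A defender-side check that complements the allow-list policy above, added here as an example and not part of the article or of any Proofpoint or Microsoft tooling: it scans Entra ID sign-in records and flags device code sign-ins that fall outside an allow-list of approved accounts and corporate networks. The sample records are constructed; the field names are assumed to follow the Microsoft Graph signIn schema, where `authenticationProtocol` is `deviceCode` for this flow, and approved networks stand in for approved devices.

```python
import ipaddress
import json

# Constructed sample sign-in records (newline-delimited JSON). Field names are
# assumed to follow the Microsoft Graph signIn schema; not real log data.
SAMPLE_SIGNINS = """
{"userPrincipalName": "analyst@example.org", "authenticationProtocol": "deviceCode", "ipAddress": "198.51.100.7", "appDisplayName": "Microsoft Office"}
{"userPrincipalName": "kiosk-svc@example.org", "authenticationProtocol": "deviceCode", "ipAddress": "10.20.0.15", "appDisplayName": "Microsoft Teams"}
{"userPrincipalName": "analyst@example.org", "authenticationProtocol": "none", "ipAddress": "10.20.0.40", "appDisplayName": "Outlook"}
{"userPrincipalName": "director@example.org", "authenticationProtocol": "deviceCode", "ipAddress": "203.0.113.9", "appDisplayName": "Microsoft Office"}
"""

# Allow-list mirroring the recommended policy: only approved identities
# (e.g. shared-device or kiosk accounts) may use the device code flow, and
# only from corporate address space. Values are constructed placeholders.
ALLOWED_DEVICE_CODE_USERS = {"kiosk-svc@example.org"}
ALLOWED_NETWORKS = [ipaddress.ip_network("10.20.0.0/16")]


def parse_signins(text):
    """Parse newline-delimited JSON sign-in records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def is_allowed_source(ip):
    """True if the address lies inside an approved network; malformed -> False."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in ALLOWED_NETWORKS)


def find_suspicious_device_code_signins(records):
    """Return device code sign-ins not covered by BOTH the user and network allow-lists."""
    hits = []
    for rec in records:
        if rec.get("authenticationProtocol") != "deviceCode":
            continue  # ordinary interactive sign-in, not in scope here
        user = rec.get("userPrincipalName", "")
        if user in ALLOWED_DEVICE_CODE_USERS and is_allowed_source(rec.get("ipAddress", "")):
            continue  # approved account from an approved network
        hits.append((user, rec.get("ipAddress"), rec.get("appDisplayName")))
    return hits


if __name__ == "__main__":
    for user, ip, app in find_suspicious_device_code_signins(parse_signins(SAMPLE_SIGNINS)):
        print(f"ALERT: device code sign-in outside policy: {user} from {ip} via {app}")
```

In a real deployment the records would come from the sign-in log export rather than the embedded sample, and a hit should trigger token revocation and a password reset for the affected account.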
