A Russia-aligned threat group, UNK_AcademicFlare, has been conducting a phishing campaign that targets Microsoft 365 credentials to facilitate account takeovers. The campaign abuses the device code authentication flow and is sent from compromised email accounts belonging to government and military organizations. #UNK_AcademicFlare #DeviceCodePhishing
Key points
- The campaign has been active since September 2025, targeting government and military organizations.
- Threat actors use compromised email addresses to build rapport before directing victims to fake documents linked to malicious device code authentication.
- The attack relies on a Cloudflare Worker URL mimicking Microsoft OneDrive to steal device codes and generate access tokens.
- Russian threat groups like Storm-2372, APT29, UTA0304, and UTA0307 have previously used similar device code phishing techniques.
- Mitigation involves creating Conditional Access policies to block or allow device code flows for specific users or systems.
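As an added example (not from the article or from Microsoft), the following Python builds the Conditional Access policy body that blocks the device code flow for all users except a named exception group, and reviews sample sign-in records for device code sign-ins that the policy would have stopped. It assumes the Microsoft Graph `conditionalAccessPolicy` schema (`conditions.authenticationFlows.transferMethods` set to `deviceCodeFlow`, which Graph v1.0 supports) and the Entra sign-in log field `authenticationProtocol` with the value `deviceCode`; the group id, the sign-in records and the embedded group membership are constructed sample values.

```python
"""
Added example: a Conditional Access policy body that blocks the device code
authentication flow, plus a small review of sign-in records for device code
sign-ins the policy would not cover.

Assumptions: the Microsoft Graph conditionalAccessPolicy schema with
conditions.authenticationFlows.transferMethods = "deviceCodeFlow", and the
Entra sign-in log field authenticationProtocol == "deviceCode". The group id
and the sign-in records below are constructed sample values.
"""
import json
from typing import Iterable

# Constructed placeholder: object id of a group that legitimately needs the
# device code flow (e.g. headless or shared devices). Not a real tenant value.
DEVICE_CODE_ALLOWED_GROUP = "00000000-0000-0000-0000-00000000abcd"


def build_block_policy(excluded_group_ids: list[str],
                       state: str = "enabledForReportingButNotEnforced") -> dict:
    """Return a conditionalAccessPolicy body that blocks deviceCodeFlow for all
    users except the excluded groups. The default state is report-only, so the
    impact can be checked in sign-in logs before switching it to 'enabled'."""
    return {
        "displayName": "Block device code flow (all users, with exceptions)",
        "state": state,
        "conditions": {
            "users": {
                "includeUsers": ["All"],
                "excludeGroups": excluded_group_ids,
            },
            "applications": {"includeApplications": ["All"]},
            "clientAppTypes": ["all"],
            "authenticationFlows": {"transferMethods": "deviceCodeFlow"},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }


def policy_json(excluded_group_ids: list[str]) -> str:
    """Serialise the policy as the body for
    POST https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies."""
    return json.dumps(build_block_policy(excluded_group_ids), indent=2)


# Constructed sample sign-in records reduced to the fields the review uses.
# "groups" stands in for a directory lookup of the user's group membership;
# the sign-in log itself does not carry it.
SAMPLE_SIGNINS = [
    {"userPrincipalName": "analyst@example.org", "authenticationProtocol": "oAuth2",
     "ipAddress": "203.0.113.10", "groups": []},
    {"userPrincipalName": "kiosk@example.org", "authenticationProtocol": "deviceCode",
     "ipAddress": "203.0.113.11", "groups": [DEVICE_CODE_ALLOWED_GROUP]},
    {"userPrincipalName": "director@example.org", "authenticationProtocol": "deviceCode",
     "ipAddress": "198.51.100.7", "groups": []},
]


def device_code_signins_to_review(records: Iterable[dict],
                                  excluded_group_ids: list[str]) -> list[str]:
    """Return the UPNs whose sign-in used the device code flow and who are not
    in an excluded group, i.e. the sign-ins the block policy would stop.
    While the policy is in report-only mode these are the events to triage."""
    excluded = set(excluded_group_ids)
    flagged = []
    for rec in records:
        if rec.get("authenticationProtocol") != "deviceCode":
            continue
        if excluded.intersection(rec.get("groups", [])):
            continue
        flagged.append(rec["userPrincipalName"])
    return flagged


if __name__ == "__main__":
    print(policy_json([DEVICE_CODE_ALLOWED_GROUP]))
    print("Device code sign-ins to review:",
          device_code_signins_to_review(SAMPLE_SIGNINS, [DEVICE_CODE_ALLOWED_GROUP]))
```

Deploying in report-only mode first and reviewing the flagged sign-ins is what makes the exception list trustworthy: any user who turns up in the review without a documented need for device code sign-in is either a candidate for the block or a sign-in worth investigating.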
Read More: https://thehackernews.com/2025/12/russia-linked-hackers-use-microsoft-365.html