Multiple Russian nation-state actors are targeting sensitive Microsoft 365 accounts via device code authentication phishing, a new analysis by Volexity has revealed.
The firm first observed this activity towards the end of January 2025, when the M365 account of one of its customers was successfully compromised in a highly targeted attack.
The technique compromises accounts more reliably than most other spear-phishing campaigns, according to the researchers.
In the campaign, the attackers impersonate individuals from government departments, including the US Department of State, and prominent research institutions. This is designed to socially engineer targets into providing a specific Microsoft device authentication code, allowing the attackers long-term access to the user’s account.
This tactic is designed to exfiltrate sensitive information from compromised organizations “that would be of interest to a Russian threat actor.”
Device code authentication is a method whereby users can sign into M365 services on devices that lack a full browser interface, like Internet-of-Things (IoT) devices, by using a code displayed on that device and then authenticating on another device, such as a phone.
Volexity assesses with medium confidence that at least one of the threat actors is CozyLarch, which overlaps with the notorious Midnight Blizzard gang. The remaining activity is being tracked under UTA0304 and UTA0307.
Most of the observed attacks originated via spear-phishing emails using a variety of themes. However, one case began with outreach via messaging service Signal.
All of them resulted in the attacker inviting the targeted user to a virtual meeting, to access apps and data as an external M365 user, or to join a chatroom on a secure chat application.
How the Device Code Phishing Attacks Work
In the first incident investigated by Volexity, the victim was contacted on Signal by an individual claiming to be from the Ukrainian Ministry of Defence. The threat actor then requested the victim move off Signal to another secure chat application called Element.
After joining the attacker-controlled Element server, the victim was informed they needed to click a link in an email to join a secure chat room.
The email appeared to come from someone bearing the name of a high-ranking official in the Ukrainian Ministry of Defence.
It was structured to look like a meeting invite for a chatroom on the messaging application Element.
However, all the hyperlinks in the email instead pointed to the page used for the Microsoft device code authentication workflow, which presents a dialogue box. Once the user entered their specific code into this dialogue, the attackers could capture the code and gain long-term access to the user's account.
Generated device codes are valid for only 15 minutes after creation, so the victim needed to open the page and enter the code soon after receiving the email.
“As a result, the real-time communication with the victim, and having them expect the ‘invitation’, served to ensure the phish would succeed through timely coordination,” the researchers explained.
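The defensive counterpart to the workflow described above is to hunt for device code sign-ins in the tenant's sign-in logs: a successful device code authentication for a user who normally signs in interactively, from an IP address outside that user's baseline, or to an app that has no business using the flow, is the signal a SOC would want to alert on. The script below is an added example written for this article, not Volexity's tooling; it runs over a constructed set of sign-in records whose field names (`authenticationProtocol`, `appDisplayName`, `status.errorCode`) follow the Microsoft Graph sign-in schema as I understand it, so verify them against your own tenant's export before relying on the filter.

```python
import json
from dataclasses import dataclass

# Constructed sample sign-in records (JSON lines) in the shape of Entra ID sign-in logs.
# Field names assume the Graph signIn schema; the values are invented for this example.
SAMPLE_SIGNIN_LOGS = """\
{"createdDateTime":"2025-01-28T14:02:11Z","userPrincipalName":"analyst@example.org","appDisplayName":"Microsoft Office","authenticationProtocol":"deviceCode","ipAddress":"203.0.113.45","status":{"errorCode":0}}
{"createdDateTime":"2025-01-28T09:15:40Z","userPrincipalName":"analyst@example.org","appDisplayName":"Microsoft Office","authenticationProtocol":"oAuth2","ipAddress":"198.51.100.7","status":{"errorCode":0}}
{"createdDateTime":"2025-01-28T14:05:02Z","userPrincipalName":"it-admin@example.org","appDisplayName":"Azure CLI","authenticationProtocol":"deviceCode","ipAddress":"198.51.100.20","status":{"errorCode":0}}
{"createdDateTime":"2025-01-28T14:07:30Z","userPrincipalName":"analyst@example.org","appDisplayName":"Microsoft Office","authenticationProtocol":"deviceCode","ipAddress":"203.0.113.45","status":{"errorCode":50126}}
"""

# Constructed baseline: IP addresses each user has signed in from over the last 30 days.
KNOWN_IPS = {
    "analyst@example.org": {"198.51.100.7"},
    "it-admin@example.org": {"198.51.100.20"},
}

# Constructed allow-list: apps for which device code sign-in is expected (headless tooling).
EXPECTED_DEVICE_CODE_APPS = {"Azure CLI"}


@dataclass(frozen=True)
class Finding:
    user: str
    ip: str
    app: str
    time: str
    reasons: tuple


def parse_signin_logs(text):
    """Parse JSON-lines sign-in records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def is_successful_device_code_signin(rec):
    """True only for device code authentications that actually succeeded (errorCode 0)."""
    return (rec.get("authenticationProtocol") == "deviceCode"
            and rec.get("status", {}).get("errorCode") == 0)


def find_suspicious_device_code_signins(records, known_ips, expected_apps):
    """Flag successful device code sign-ins that fall outside the user's IP baseline
    or land on an app that is not expected to use the device code flow."""
    findings = []
    for rec in records:
        if not is_successful_device_code_signin(rec):
            continue
        user = rec["userPrincipalName"]
        app = rec.get("appDisplayName", "")
        reasons = []
        if rec["ipAddress"] not in known_ips.get(user, set()):
            reasons.append("ip_not_in_user_baseline")
        if app not in expected_apps:
            reasons.append("app_not_expected_for_device_code")
        if reasons:
            findings.append(Finding(user, rec["ipAddress"], app,
                                    rec["createdDateTime"], tuple(reasons)))
    return findings


def run_sample():
    """Run the detection over the constructed sample and return the findings."""
    records = parse_signin_logs(SAMPLE_SIGNIN_LOGS)
    return find_suspicious_device_code_signins(records, KNOWN_IPS, EXPECTED_DEVICE_CODE_APPS)


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f.time} {f.user} via {f.app!r} from {f.ip}: {', '.join(f.reasons)}")
```

On the sample, only the first record is flagged: it is a successful device code sign-in for a user whose baseline does not include that IP and to an app that has no reason to use the flow; the failed attempt (non-zero `errorCode`) and the admin's Azure CLI sign-in from a known address are ignored. In production the baseline would come from the tenant's own history rather than a hard-coded dictionary, and the finding would be paired with a Conditional Access policy that restricts the device code flow to the identities and apps that genuinely need it.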