
CYBER SYRUP
Delivering the sweetest insights on cybersecurity.
Russia-Aligned Phishing Campaign Abuses Microsoft Device Code Authentication for Account Takeovers

Security researchers have identified an ongoing phishing campaign that abuses Microsoft’s device code authentication flow to hijack Microsoft 365 accounts. The activity, attributed to a suspected Russia-aligned threat actor tracked as UNK_AcademicFlare, targets government, military, academic, and transportation organizations across the United States and Europe.
Rather than stealing passwords directly, the attackers manipulate legitimate authentication mechanisms to obtain access tokens, enabling full account takeover without triggering traditional credential theft defenses. The campaign highlights a growing trend in which threat actors weaponize trusted identity workflows instead of exploiting software vulnerabilities.
Context
Device code authentication is designed to help users sign in on devices with limited input capabilities, such as smart TVs or IoT systems. The device displays a short code, and Microsoft lets the user enter that code on a separate, trusted device with a full browser (a phone or laptop) to approve the sign-in on the device that asked for it.
While convenient, this workflow has become a high-value target. Since early 2025, multiple Russian-aligned and criminal groups have repurposed device code flows for phishing, bypassing password protections and multi-factor authentication under certain conditions.
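To make the flow the two paragraphs above describe concrete, here is an added model of the OAuth 2.0 device authorization grant (RFC 8628). It is an illustration written for this article, not Microsoft's or Proofpoint's code: endpoint and error names follow the RFC, the verification URI is a placeholder, and nothing touches a network. It shows the property that matters for this campaign: the identity provider binds the user's approval to the short user code only, and the access token is returned to whichever client started the flow and is polling for it.

```python
"""Minimal model of the OAuth 2.0 device authorization grant (RFC 8628).
Added illustration for this article, not Microsoft code: endpoint names and
error strings follow the RFC, nothing here talks to a network."""
import secrets
import time
from dataclasses import dataclass
from typing import Optional

# RFC 8628 recommends a small alphabet without vowels for the user code.
USER_CODE_ALPHABET = "BCDFGHJKLMNPQRSTVWXZ"


@dataclass
class DeviceGrant:
    device_code: str        # secret, held only by the client that started the flow
    user_code: str          # short code the user types on the verification page
    client_id: str
    scope: str
    expires_at: float
    approved_by: Optional[str] = None
    token_issued: bool = False


class AuthorizationServer:
    """Plays the identity provider's role in the three steps of the flow."""

    def __init__(self, code_lifetime: float = 900.0):
        self.code_lifetime = code_lifetime
        self._by_device_code: dict = {}
        self._by_user_code: dict = {}

    def device_authorization(self, client_id: str, scope: str) -> dict:
        """Step 1: whichever client starts the flow receives both codes."""
        grant = DeviceGrant(
            device_code=secrets.token_urlsafe(32),
            user_code="-".join(
                "".join(secrets.choice(USER_CODE_ALPHABET) for _ in range(4))
                for _ in range(2)),
            client_id=client_id,
            scope=scope,
            expires_at=time.time() + self.code_lifetime,
        )
        self._by_device_code[grant.device_code] = grant
        self._by_user_code[grant.user_code] = grant
        return {
            "device_code": grant.device_code,
            "user_code": grant.user_code,
            "verification_uri": "https://idp.example.invalid/device",  # placeholder
            "expires_in": int(self.code_lifetime),
            "interval": 5,
        }

    def approve(self, user_code: str, signed_in_user: str) -> str:
        """Step 2: a user already signed in on some other device types the
        user_code. The server learns only that *a* user approved *this* code;
        it gets no proof of who is holding the matching device_code."""
        grant = self._by_user_code.get(user_code)
        if grant is None or time.time() > grant.expires_at:
            return "invalid_or_expired"
        if grant.approved_by is not None:
            return "already_used"
        grant.approved_by = signed_in_user
        return "approved"

    def token(self, device_code: str, client_id: str) -> dict:
        """Step 3: the client polls. The token goes to the holder of
        device_code, i.e. to whoever ran step 1, not to the approving device."""
        grant = self._by_device_code.get(device_code)
        if grant is None or grant.client_id != client_id:
            return {"error": "invalid_grant"}
        if time.time() > grant.expires_at:
            return {"error": "expired_token"}
        if grant.approved_by is None:
            return {"error": "authorization_pending"}
        if grant.token_issued:
            return {"error": "invalid_grant"}  # device codes are single use
        grant.token_issued = True
        return {
            "access_token": f"token-for-{grant.approved_by}",
            "token_type": "Bearer",
            "scope": grant.scope,
        }


def walk_through(user: str = "a.lee@example.invalid") -> dict:
    """Runs the happy path end to end and returns the final token response."""
    idp = AuthorizationServer()
    start = idp.device_authorization(client_id="office-client", scope="Mail.Read Files.Read")
    assert idp.token(start["device_code"], "office-client")["error"] == "authorization_pending"
    idp.approve(start["user_code"], user)   # user types the code on a trusted device
    return idp.token(start["device_code"], "office-client")


if __name__ == "__main__":
    print(walk_through())
```

The defender's reading of this model: the user who types the code never sees `device_code`, and the only link between their approval and the requesting client is an eight-character code with a short lifetime. That is why the mitigation the article points to, Conditional Access, matters: Entra ID lets a policy target the device code flow as an authentication flow and block it for users or apps that have no business using it, which removes the whole path rather than trying to spot a bad code.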
What Happened
According to Proofpoint, UNK_AcademicFlare has been active since at least September 2025. The group begins by sending carefully crafted emails from previously compromised government or military email accounts.
These messages establish credibility through benign outreach tied to the recipient’s professional expertise, often proposing an interview, meeting, or academic collaboration.
Victims are then directed to review a document via a link hosted on a Cloudflare Worker. The page impersonates a Microsoft OneDrive document and instructs the user to copy a provided code and click “Next” to view the file.
Technical Breakdown
The phishing page ultimately redirects victims to Microsoft’s legitimate device code login portal. When the user enters the supplied code, Microsoft generates an OAuth access token.
Because the attacker's client started the flow and is the party polling for the result, Microsoft issues the token to that client rather than to the victim, allowing the attacker to:
Take control of the Microsoft 365 account
Access email, files, and collaboration tools
Maintain persistence without stealing a password
Because the process uses legitimate Microsoft infrastructure, traditional phishing indicators are often absent.
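Since the sign-in is completed against Microsoft's own endpoints, the useful signal is in the identity provider's sign-in logs rather than in the email or the landing page. The following is an added detection example written for this article, not Proofpoint's or Microsoft's code. Field names follow the Microsoft Graph signIn resource as I know it (`authenticationProtocol`, `ipAddress`, `location.countryOrRegion`, `status.errorCode`); the records are constructed for the demo and the severity rule is my own. The logic rests on one consequence of the flow described above: the token is issued to the attacker's polling client, so the successful device-code sign-in is recorded from the attacker's source IP, not the victim's.

```python
"""Hunts for device-code sign-ins in Microsoft Entra ID sign-in logs.
Added example for this article, not Proofpoint or Microsoft code. Field names
follow the Microsoft Graph signIn resource as I know it; the records below are
constructed for the demo, and the scoring rule is my own."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sign-in records, newline-delimited JSON (not real telemetry).
SAMPLE_SIGNINS = """
{"createdDateTime": "2025-10-01T08:02:11Z", "userPrincipalName": "a.lee@example.invalid", "ipAddress": "203.0.113.10", "location": {"countryOrRegion": "US"}, "authenticationProtocol": "authorizationCode", "appDisplayName": "Microsoft Teams", "status": {"errorCode": 0}}
{"createdDateTime": "2025-10-01T09:14:40Z", "userPrincipalName": "a.lee@example.invalid", "ipAddress": "203.0.113.10", "location": {"countryOrRegion": "US"}, "authenticationProtocol": "authorizationCode", "appDisplayName": "Outlook", "status": {"errorCode": 0}}
{"createdDateTime": "2025-10-01T09:31:05Z", "userPrincipalName": "a.lee@example.invalid", "ipAddress": "198.51.100.77", "location": {"countryOrRegion": "NL"}, "authenticationProtocol": "deviceCode", "appDisplayName": "Microsoft Office", "status": {"errorCode": 0}}
{"createdDateTime": "2025-10-01T07:45:00Z", "userPrincipalName": "b.ortiz@example.invalid", "ipAddress": "203.0.113.55", "location": {"countryOrRegion": "US"}, "authenticationProtocol": "authorizationCode", "appDisplayName": "Azure Portal", "status": {"errorCode": 0}}
{"createdDateTime": "2025-10-01T10:00:00Z", "userPrincipalName": "b.ortiz@example.invalid", "ipAddress": "203.0.113.55", "location": {"countryOrRegion": "US"}, "authenticationProtocol": "deviceCode", "appDisplayName": "Azure CLI", "status": {"errorCode": 0}}
{"createdDateTime": "2025-10-01T11:20:00Z", "userPrincipalName": "c.nair@example.invalid", "ipAddress": "192.0.2.9", "location": {"countryOrRegion": "FR"}, "authenticationProtocol": "deviceCode", "appDisplayName": "Microsoft Office", "status": {"errorCode": 50126}}
"""


def parse_signins(ndjson: str) -> list:
    """One JSON object per non-empty line."""
    return [json.loads(line) for line in ndjson.splitlines() if line.strip()]


def _when(rec: dict) -> datetime:
    return datetime.fromisoformat(rec["createdDateTime"].replace("Z", "+00:00"))


def _country(rec: dict):
    return (rec.get("location") or {}).get("countryOrRegion")


def find_device_code_signins(records: list, lookback: timedelta = timedelta(hours=24)) -> list:
    """Returns one alert per successful device-code sign-in.

    A device-code sign-in from an IP the same user has not used in any other
    successful, non-device-code sign-in within `lookback` is rated high; one
    from a known IP (e.g. an engineer running a CLI tool on their usual
    workstation) is rated medium so it can be triaged, not ignored.
    """
    successes = [r for r in records if (r.get("status") or {}).get("errorCode", 0) == 0]
    by_user = defaultdict(list)
    for r in successes:
        by_user[r["userPrincipalName"]].append(r)

    alerts = []
    for rec in successes:
        if rec.get("authenticationProtocol") != "deviceCode":
            continue
        t = _when(rec)
        # Baseline = the user's other, non-device-code sign-ins near this one.
        known_ips, known_countries = set(), set()
        for other in by_user[rec["userPrincipalName"]]:
            if other is rec or other.get("authenticationProtocol") == "deviceCode":
                continue
            if abs(_when(other) - t) <= lookback:
                known_ips.add(other.get("ipAddress"))
                known_countries.add(_country(other))
        new_ip = rec.get("ipAddress") not in known_ips
        alerts.append({
            "time": rec["createdDateTime"],
            "user": rec["userPrincipalName"],
            "ip": rec.get("ipAddress"),
            "country": _country(rec),
            "app": rec.get("appDisplayName"),
            "new_ip": new_ip,
            "new_country": _country(rec) not in known_countries,
            "severity": "high" if new_ip else "medium",
        })
    alerts.sort(key=lambda a: a["time"])
    return alerts


if __name__ == "__main__":
    for alert in find_device_code_signins(parse_signins(SAMPLE_SIGNINS)):
        print(f"[{alert['severity']:6}] {alert['time']} {alert['user']} via {alert['app']} "
              f"from {alert['ip']} ({alert['country']}) new_ip={alert['new_ip']}")
```

On the constructed data this yields a high-severity alert for a.lee (device-code sign-in from a Dutch IP while every other sign-in that day came from a US address) and a medium one for b.ortiz (same IP as the user's earlier portal sign-in), and it ignores c.nair's failed attempt. In production the same logic runs over the Graph sign-in endpoint or the SigninLogs table in Log Analytics; in tenants that have blocked the flow through Conditional Access, any successful device-code sign-in at all is worth an alert.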
Proofpoint notes that this technique mirrors earlier campaigns attributed to Russian-aligned clusters such as Storm-2372 and APT29, as well as criminal groups using tools like Graphish and SquarePhish.
Impact Analysis
Compromised accounts can be leveraged for espionage, internal reconnaissance, and follow-on attacks. In high-trust environments like government and academia, a single account takeover can enable lateral movement, data theft, or influence operations.
The reuse of legitimate identity flows also complicates detection and response, particularly for organizations that rely heavily on Microsoft 365.
Why It Matters
This campaign underscores a critical shift in phishing strategy: attackers are no longer just stealing credentials—they are hijacking authentication itself.
As identity platforms become more secure, adversaries are adapting by exploiting how users interact with those systems, turning convenience features into attack vectors.
Expert Commentary
Proofpoint warns that the low barrier to entry for device code phishing tools enables rapid adoption by both nation-state and criminal actors.
“These kits lower the technical threshold, allowing even low-skilled operators to execute highly effective account takeover campaigns,” the company noted.
Key Takeaways
Device code authentication is being actively abused for phishing
Russia-aligned actors are targeting high-trust sectors
Attacks bypass traditional password-based defenses
Legitimate Microsoft infrastructure is used to evade detection
Conditional Access policies are critical for mitigation

