Cybersecurity researchers have linked a suspected Russia-aligned threat group to an ongoing phishing campaign that exploits Microsoft 365 device code authentication workflows to steal credentials and take over user accounts. The activity, which has been active since September 2025, is being tracked by Proofpoint under the name UNK_AcademicFlare. The campaign targets organizations across the government, military, think tank, higher education, and transportation sectors in the United States and Europe, with attackers relying on trusted communication patterns and legitimate cloud infrastructure to increase the success rate of their operations.
According to Proofpoint, the attackers use compromised email accounts belonging to government and military organizations as the initial point of contact. These accounts are leveraged to conduct seemingly harmless outreach that aligns closely with the professional background and expertise of the intended victims. The messages often involve academic-style engagement, such as requests for interviews, collaborative discussions, or expert commentary, allowing the threat actors to build rapport before advancing the attack. Once trust is established, the victim is sent a link to what is described as a document containing discussion topics or interview questions to be reviewed ahead of a proposed meeting. The link directs the recipient to a Cloudflare Worker URL that closely imitates the compromised sender’s Microsoft OneDrive environment, reinforcing the illusion of legitimacy and continuity in the conversation.
When victims attempt to access the document, they are instructed to copy a provided authentication code and click a prompt labeled Next to proceed. This action redirects them to Microsoft’s legitimate device code login page. By entering the supplied code, the victim unknowingly authorizes the generation of an access token tied to their Microsoft 365 account. Researchers explained that this token can then be captured by the attackers, enabling them to gain control of the account without directly harvesting the user’s password. This method allows account takeover to occur silently, often without triggering immediate suspicion. Device code phishing was previously documented by Microsoft and Volexity in early 2025, with multiple Russia-aligned clusters observed abusing the same authentication flow. Recent warnings from Amazon Threat Intelligence and Volexity indicate that similar techniques continue to be actively used by Russian threat actors.
Proofpoint assessed with moderate confidence that UNK_AcademicFlare is Russia-aligned, citing its consistent focus on Russia-related policy experts, multiple think tanks, and organizations connected to the Ukrainian government and energy sectors. The company’s findings also highlight that this technique is no longer limited to state-aligned actors. Several financially motivated groups have adopted device code phishing as a low-friction method for account compromise. One such group, tracked as TA2723, has used salary-themed lures to direct victims to fake landing pages that initiate device code authorization. The October 2025 activity surge was attributed in part to the growing availability of commercial crimeware tools, including phishing kits such as Graphish and red-team-style platforms like SquarePhish, which lower the technical barrier required to launch sophisticated cloud-focused phishing campaigns.
Security researchers warned that these tools are designed to be easy to operate and require minimal expertise, enabling a broader range of actors to conduct high-impact attacks against cloud identities. The end goal remains unauthorized access to sensitive organizational and personal data, which can be used for credential theft, internal reconnaissance, and further compromise. To mitigate the risk posed by device code phishing, security teams are advised to implement Conditional Access policies that restrict or block device code authentication flows. Where outright blocking is not practical, organizations are encouraged to apply strict allow lists based on user roles, operating systems, or trusted network locations to limit exposure while maintaining operational needs.
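As an added illustration of the allow-list approach described above (example code written for this page, not from Proofpoint or the original article), the following Python script flags successful device code sign-ins that fall outside a hypothetical allow list of users, operating systems and trusted networks. The event structure follows Microsoft Graph signIn field names (authenticationProtocol, deviceDetail.operatingSystem, ipAddress, status.errorCode); the sample events and the allow-list values are constructed for the example.

```python
import ipaddress
import json

# Constructed sample Entra ID sign-in events using Microsoft Graph signIn field names (not real log data).
SAMPLE_SIGNINS = json.loads("""[
 {"userPrincipalName": "analyst@example.org", "authenticationProtocol": "deviceCode",
  "ipAddress": "203.0.113.7", "deviceDetail": {"operatingSystem": "Windows 10"},
  "appDisplayName": "Microsoft Office", "status": {"errorCode": 0}},
 {"userPrincipalName": "ops@example.org", "authenticationProtocol": "deviceCode",
  "ipAddress": "10.20.0.14", "deviceDetail": {"operatingSystem": "Linux"},
  "appDisplayName": "Azure CLI", "status": {"errorCode": 0}},
 {"userPrincipalName": "analyst@example.org", "authenticationProtocol": "oAuth2",
  "ipAddress": "203.0.113.7", "deviceDetail": {"operatingSystem": "Windows 10"},
  "appDisplayName": "OfficeHome", "status": {"errorCode": 0}},
 {"userPrincipalName": "vendor@example.org", "authenticationProtocol": "deviceCode",
  "ipAddress": "198.51.100.9", "deviceDetail": {"operatingSystem": "Linux"},
  "appDisplayName": "Azure CLI", "status": {"errorCode": 50126}}
]""")

# Hypothetical allow list: who may legitimately use the device code flow, on what OS, from where.
ALLOWED_USERS = {"ops@example.org"}
ALLOWED_OS = {"Linux"}
TRUSTED_NETWORKS = [ipaddress.ip_network("10.20.0.0/16")]


def allow_list_violations(event):
    """Return the allow-list rules a device code sign-in breaks (empty list = permitted)."""
    reasons = []
    if event.get("userPrincipalName") not in ALLOWED_USERS:
        reasons.append("user not allow-listed for device code flow")
    if event.get("deviceDetail", {}).get("operatingSystem") not in ALLOWED_OS:
        reasons.append("operating system not allow-listed")
    source = ipaddress.ip_address(event["ipAddress"])
    if not any(source in net for net in TRUSTED_NETWORKS):
        reasons.append("source address outside trusted networks")
    return reasons


def find_suspicious_device_code_signins(events):
    """Flag successful device code sign-ins that fall outside the allow list."""
    findings = []
    for ev in events:
        if ev.get("authenticationProtocol") != "deviceCode":
            continue  # other grant types are out of scope for this check
        if ev.get("status", {}).get("errorCode", 0) != 0:
            continue  # failed attempt: no token was issued
        reasons = allow_list_violations(ev)
        if reasons:
            findings.append({"user": ev["userPrincipalName"], "ip": ev["ipAddress"],
                             "app": ev.get("appDisplayName"), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_suspicious_device_code_signins(SAMPLE_SIGNINS):
        print(f"{f['user']} via {f['app']} from {f['ip']}: {'; '.join(f['reasons'])}")
```

Against real data the same logic can be run over sign-in events exported from Microsoft Graph or a SIEM; the third sample event shows that ordinary OAuth2 sign-ins are ignored, and the fourth that failed device code attempts are not counted as a compromise.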