Executive Summary
In September 2025, a Russia-linked threat group identified as UNK_AcademicFlare launched a sophisticated phishing campaign targeting Microsoft 365 users via the device code authentication workflow. By leveraging compromised email accounts from government and academic sectors, attackers sent plausible phishing messages that tricked recipients into authorizing malicious device codes, leading to credential theft and account takeovers. The campaign enabled widespread unauthorized access to cloud platforms, risking data exposure and significant operational impact, particularly for targeted organizations with weak multi-factor authentication (MFA) policies.

Such attacks reflect an increasing trend of adversaries using native authentication flows to bypass defenses and highlight growing risks around cloud account compromise. Regulatory scrutiny is intensifying, and organizations must urgently strengthen identity controls and security monitoring to address these evolving social engineering tactics.
Why This Matters Now
This incident exemplifies the escalation of cloud-based social engineering attacks exploiting legitimate authentication workflows to bypass traditional security measures. As attackers continue to innovate their credential theft techniques, urgent improvements are needed in identity protection, MFA enforcement, and detection of anomalous access, especially for organizations relying on Microsoft 365 and similar platforms.
Attack Path Analysis
Attackers initiated their campaign by phishing users with Microsoft 365 device code authentication techniques, compromising cloud identities. Gaining valid credentials granted them elevated access to targeted accounts. The adversaries likely moved laterally within cloud environments and SaaS resources, exploiting access to explore internal systems. Command and control was maintained through continuous use of compromised accounts and covert outbound traffic. Sensitive emails or data were exfiltrated using permitted SaaS functions and network egress. Attack impact included account takeovers, sustained unauthorized access, and potential data leakage.
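As an added detection example, not from the original advisory or any of its sources: a small Python check over constructed Entra ID sign-in records (the field names, and "deviceCode" as the AuthenticationProtocol value of a device code flow, are assumed to match the sign-in log schema) that surfaces every successful device code sign-in and raises its priority when the flow completes from an IP the user has never used interactively, or when one IP completes the flow for several users.

```python
import json
from collections import defaultdict

# Constructed sample records (not real logs). Field names follow the Entra ID
# sign-in log schema as an assumption; ResultType "0" means the sign-in succeeded.
SAMPLE_LOG = """\
{"TimeGenerated":"2025-09-10T08:00:00Z","UserPrincipalName":"alice@example.gov","AuthenticationProtocol":"oAuth2","IPAddress":"203.0.113.10","ResultType":"0"}
{"TimeGenerated":"2025-09-10T08:01:00Z","UserPrincipalName":"bob@example.gov","AuthenticationProtocol":"oAuth2","IPAddress":"203.0.113.11","ResultType":"0"}
{"TimeGenerated":"2025-09-10T08:05:00Z","UserPrincipalName":"alice@example.gov","AuthenticationProtocol":"deviceCode","IPAddress":"198.51.100.7","ResultType":"0"}
{"TimeGenerated":"2025-09-10T08:06:00Z","UserPrincipalName":"bob@example.gov","AuthenticationProtocol":"deviceCode","IPAddress":"203.0.113.11","ResultType":"0"}
{"TimeGenerated":"2025-09-10T08:07:00Z","UserPrincipalName":"carol@example.gov","AuthenticationProtocol":"deviceCode","IPAddress":"198.51.100.7","ResultType":"0"}
{"TimeGenerated":"2025-09-10T08:08:00Z","UserPrincipalName":"dave@example.gov","AuthenticationProtocol":"deviceCode","IPAddress":"198.51.100.7","ResultType":"50199"}
"""

def parse_log(text):
    """Parse newline-delimited JSON sign-in records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def device_code_alerts(records, shared_ip_threshold=2):
    """Return one alert per successful device-code sign-in, in time order.

    The flow is rare for ordinary users, so every success is reported; the
    severity counts two stronger signals: the code was redeemed from an IP the
    user never used on a normal sign-in (the victim approved a code requested
    elsewhere), and one IP redeemed codes for several distinct users.
    """
    records = sorted(records, key=lambda r: r["TimeGenerated"])
    known_ips = defaultdict(set)    # user -> IPs seen on successful non-device-code sign-ins
    users_per_ip = defaultdict(set)  # IP -> users whose device code flow completed there
    alerts = []
    for r in records:
        user, ip = r["UserPrincipalName"], r["IPAddress"]
        if r["AuthenticationProtocol"] != "deviceCode":
            if r["ResultType"] == "0":
                known_ips[user].add(ip)
            continue
        if r["ResultType"] != "0":
            continue                 # expired or declined code: no token was issued
        users_per_ip[ip].add(user)
        reasons = []
        if ip not in known_ips[user]:
            reasons.append("device code redeemed from IP never used by this user")
        if len(users_per_ip[ip]) >= shared_ip_threshold:
            reasons.append(f"IP {ip} redeemed device codes for {len(users_per_ip[ip])} users")
        alerts.append({"time": r["TimeGenerated"], "user": user, "ip": ip,
                       "reasons": reasons, "severity": len(reasons)})
    return alerts

if __name__ == "__main__":
    for a in device_code_alerts(parse_log(SAMPLE_LOG)):
        print(a["time"], a["user"], a["ip"], a["severity"], "; ".join(a["reasons"]))
```

In a real tenant the baseline of known IPs would be built from weeks of history rather than the same batch, and the failed record for dave is worth keeping as context for the shared IP even though it raises no alert on its own.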
Kill Chain Progression
Initial Compromise
Description
Attackers used device code phishing to trick users into providing Microsoft 365 credentials and succeeded in hijacking cloud accounts.
Related CVEs
CVE-2025-22944 (CVSS 8.8)
A remote code execution vulnerability in Microsoft 365 Apps for Enterprise allows attackers to execute arbitrary code via malicious files.
Affected Products:
Microsoft 365 Apps for Enterprise – Version 2409, Build 16829.20234
Exploit Status:
no public exploit
CVE-2025-53786 (CVSS 8)
An improper authentication vulnerability in hybrid Exchange deployments allows attackers with administrative access to escalate privileges into Exchange Online.
Affected Products:
Microsoft Exchange Server – 2016, 2019, Subscription Edition
Exploit Status:
no public exploit
CVE-2025-53770 (CVSS 9.8)
A remote code execution vulnerability in Microsoft SharePoint Server allows unauthenticated attackers to execute arbitrary code.
Affected Products:
Microsoft SharePoint Server – 2016, 2019, Subscription Edition
Exploit Status:
exploited in the wild
MITRE ATT&CK® Techniques
Phishing: Spearphishing Attachment
Modify Authentication Process: Web Portal
Valid Accounts: Cloud Accounts
Brute Force: Password Spraying
Application Layer Protocol: Web Protocols
Email Collection: Remote Email Collection
Phishing: Spearphishing Link
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Secure Authentication for Users and Administrators
Control ID: 8.3.1
NYDFS 23 NYCRR 500 – Cybersecurity Program
Control ID: 500.02
DORA – ICT Risk Management Framework
Control ID: Art. 9
CISA Zero Trust Maturity Model (ZTMM) 2.0 – Phishing-Resistant Authentication
Control ID: Identity Pillar - Authentication
NIS2 Directive – Incident Prevention and Detection Capabilities
Control ID: Art. 21(2)(b)
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Government Administration
Direct targeting via compromised government emails for Microsoft 365 credential theft creates a severe risk of breaches of classified data and administrative systems.
Financial Services
Device code phishing threatens regulatory compliance through credential theft, potentially exposing client data and violating the PCI DSS and HIPAA security requirements identified above.
Information Technology/IT
This Russia-linked credential theft campaign directly impacts IT infrastructure management, requiring enhanced zero trust segmentation and threat detection capabilities.
Computer/Network Security
Phishing attacks ongoing since September 2025 challenge existing security frameworks, demanding improved egress filtering and anomaly detection and response mechanisms.
Sources
- Russia-Linked Hackers Use Microsoft 365 Device Code Phishing for Account Takeovers: https://thehackernews.com/2025/12/russia-linked-hackers-use-microsoft-365.html
- Storm-2372 conducts device code phishing campaign | Microsoft Security Blog: https://www.microsoft.com/en-us/security/blog/2025/02/13/storm-2372-conducts-device-code-phishing-campaign/
- What is device code phishing, and why are Russian spies so successful at it? - Ars Technica: https://arstechnica.com/information-technology/2025/02/russian-spies-use-device-code-phishing-to-hijack-microsoft-accounts/
- Phishing campaign targets Microsoft device-code authentication flows | Cybersecurity Dive: https://www.cybersecuritydive.com/news/phishing-campaign-targets-microsoft-device-code-authentication-flows/740201/
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Zero Trust controls such as identity-based network segmentation, workload isolation, threat detection, and egress policy enforcement could have identified compromised accounts, limited attacker movement, and blocked exfiltration attempts at multiple kill chain stages. CNSF-native security fabric capabilities restrict adversary paths by enforcing least privilege, inspecting suspicious traffic, and providing deep visibility across the cloud environment.
Control: Multicloud Visibility & Control
Mitigation: Early detection of new or unusual device authentication flows.
Control: Zero Trust Segmentation
Mitigation: Limits access scope and lateral escalation even with a valid account.
Control: East-West Traffic Security
Mitigation: Prevents unauthorized inter-service or cross-region movement.
Control: Threat Detection & Anomaly Response
Mitigation: Detects and alerts on suspicious outbound C2 patterns.
Control: Egress Security & Policy Enforcement
Mitigation: Blocks or flags unsanctioned outbound data flows.
Orchestrates response and real-time enforcement to contain blast radius.
Impact at a Glance
Affected Business Functions
- Email Communications
- Document Management
- Collaboration Platforms
Estimated downtime: 5 days
Estimated loss: $500,000
Potential exposure of sensitive emails, documents, and internal communications due to unauthorized access to Microsoft 365 accounts.
Recommended Actions
Key Takeaways & Next Steps
- Enforce centralized visibility and anomaly detection across SaaS and cloud access events.
- Apply identity-based zero trust segmentation to strictly limit movement after credential theft.
- Deploy east-west traffic security and microsegmentation to prevent lateral movement between workloads.
- Implement stringent egress controls and outbound policy filtering for regulated data paths.
- Integrate distributed incident response automation for real-time isolation and blast radius containment.