The global network infrastructure is experiencing a wave of sophisticated cyber intrusions as states-sponsored and financially motivated hackers are increasingly exploiting a legitimate Microsoft authentication mechanism to seize control of enterprise accounts in a broad range of sectors.
There has been a recent investigation which uncovered attackers with ties to both Russian and Chinese interests have been exploiting Microsoft's OAuth 2.0 device authorization grant flow in an effort to deceive users into unknowingly granting them access to their Microsoft 365 environments through this feature designed to simplify secure logins.
Through the use of fraudulently masquerading institutions and convincing targets to authenticate using authentic Microsoft services, attackers are able to obtain valid access tokens that enable persistent account compromises without requiring the compromise of the target's password.
The Russian-linked threat actor Storm-2372 has been targeting government bodies and private organizations since August 2024 and has been one of the most active groups in this regard.
In order to get the highest level of effectiveness from the device code phishing tactics, it has been proven to be more effective than conventional spear-phishing tactics. It has been conducted throughout Africa, Europe, the Middle East, and North America. Government, defence, healthcare, telecommunications, education, energy, and non-government organizations have been included in the campaign.
It has been determined that the scale, targeting patterns, and operational discipline of the activity strongly point towards a coordinated nation-state effort aligned with Russian strategic objectives, as confirmed by Microsoft's Threat Intelligence Center.
The campaign is now more clearly connected to an organization believed to be aligned with the Russian government. It has been a sustained phishing operation that leveraged Microsoft's device code authentication workflow to compromise Microsoft 365 accounts by using a sustained phishing operation.
Under the designation UNK_AcademicFlare, Proofpoint has tracked this activity since September 2025 under the designation UNK_AcademicFlare.
Investigators believe the attackers used email accounts that had previously been compromised from government and military organizations so that they could lend legitimacy to their outreach efforts. In both the United States and Europe, the messages were targeted at individuals and organizations within government agencies, policy think tanks, higher education institutions, and transportation-related organizations.
There are deliberate steps involved in the approach. It begins with seemingly innocuous correspondence tailored to the recipient’s professional background, usually framed as preparations for an interview or collaboration. In order for victims to be informed, the sender will offer a document purported to outline discussion topics. The document will be hosted at a link that appears to be a Microsoft OneDrive account impersonating the sender.
There is a link within the email that actually redirects users to a Cloudflare Worker, which redirects the user to Microsoft's legitimate account lock page, during which the user enters the provided authentication code, which unwittingly authorizes access and generates a valid token that enables full account hijacking.
Researchers in the field of cybersecurity note that this technique has gained traction, having been extensively documented earlier this year by Microsoft and Volexity and linked to clusters that are associated with Russia, such as Storm-2372 and APT29.
Recent warnings from Amazon Threat Intelligence and Volexity have shown that it is still being used by Russian attackers.
According to the latest technical details published by Microsoft and independent researchers, there have been several mechanisms behind the campaign that can shed light on the mechanisms that operate behind it.
A Microsoft disclosure dated February 14, 2025 confirmed that Storm-2372 had begun authenticating through a specific Microsoft Authentication Broker client ID while using the device code sign-in method, which in turn allowed attackers to get refresh access tokens with the new Authentication Broker client ID.
A device registration token can be exchanged into credentials linked to the device registration service after it has been acquired by an adversary, which makes it possible for that adversary to enroll attacker-controlled systems into Microsoft Entra ID and maintain persistent access for massive email harvesting operations.
As a result of investigations, high-profile institutions such as the United States Department of State, the Ukrainian Ministry of Defense, the European Parliament, and prominent research organizations have been impersonated in the activities. Researchers have concluded that APT29, a group of malicious actors also known as Cozy Bear, Midnight Blizzard, Cloaked Ursa, and The Dukes, may be the cluster that is driving this activity.
According to Volexity's case studies, operators are exploiting real-time communication channels as a means of accelerating victim compliance through real-time communication channels. In one incident, UTA0304 contacted a victim via Signal before moving the conversation to Element, and ultimately directed the target to a legitimate Microsoft page asking for an account code, pretending to be a secure chat service provider.
A malicious attacker might use immediacy and context to convince the victims to act quickly, a tactic similar to those employed by marketing groups to promote Microsoft Teams meetings held by groups related to the phishing attack.
A response from Microsoft has been to disable the device code flow whenever possible, restrict Entra ID access to trusted networks and devices via Conditional Access, and actively monitor sign-in logs for anomaly activity related to device code, including rapid authentication attempts and logins that originate from unknown locations, in order to prevent this from happening.
It is highly likely that organisations will have to implement layered technical controls in order to reduce exposure to this evolving threat in light of the fact that employee awareness alone cannot counter this evolving threat. In its recommendation to enterprises, Proofpoint recommends explicitly limiting the use of device code authentication. This can be described as the most effective way to prevent misuse of the OAuth device flow by enterprises.
The adoption of such control systems begins with auditing or report-only deployments, which allows security teams to evaluate potential operational impacts by analyzing historical sign-in data before implementing them in their entirety.
Providing a more granular, allow-list-based approach where a complete block is not feasible, researchers recommend that device code authentication be limited to narrowly defined and approved scenarios, for example, specific users, operating systems that are trusted, or network locations that are well known.
In addition to these safeguards, additional safeguards can also be implemented by requiring Microsoft 365 sign-ins to originate from compliant or registered devices, particularly in environments that use device registration or Microsoft Intune as authentication methods. Proofpoint warns, however, that misuse of OAuth authentication mechanisms is likely to increase as organizations begin adopting FIDO-compliant multifactor authentication, thus highlighting the need to implement proactive policies and continuous monitoring of these systems.
Furthermore, researchers have also discovered a broader ecosystem of infrastructure and social engineering techniques that are being used to maintain and expand the campaign, which is ongoing. During the analysis of the phishing URLs, researchers noted that some of them were temporarily inactive. However, the accompanying emails instructed recipients to copy and share the full URL of the browser in case of an error, which is consistent with the tactics used for OAuth device code phishing to extract usable authentication data.
Among the domains involved, ustrs[.]com, seems to have been purchased as a result of a domain auction or resale service. Though the domain was originally registered in early 2020, WHOIS records indicate that it was updated in late 2025, a strategy that has long been used as a way of evading reputation-based security controls that rely heavily on domain age as a signal of trustworthiness.
It was Volexity that observed the same sender approach additional organizations in November 2025, promoting a conference registration link on brussels-indo-pacific-forum[.]org, which has been created to mimic the Brussels Indo-Pacific Dialogue, in an attempt to fool the target audience.
As soon as the victims attempted to sign up for the site, they were presented with a Microsoft 365 authentication process disguised as a legitimate signup process, which then sent them to a benign confirmation page.
According to research conducted in connection with Belgrade Security Conference earlier campaigns, subsequent access to compromised accounts was routed through proxy network infrastructures to conceal the attackers' origin, as seen in earlier campaigns.
Further research has demonstrated that by exploiting standard professional courtesies, operators were systematically extending their reach.
When targets declined event invitations, multiple times, as tracked as activity associated with UTA0355, they were urged to register for updates, to share contact details with colleagues who might be interested, and to share contact information with other colleagues who may have been interested as well.
At least one example involved an unwitting intermediary introducing a new target to the threat actor through an unwitting intermediary, which enabled the attackers to gather new leads organically.
In addition, domain registration data related to impersonated events revealed other infrastructure that may have been associated with the same cluster, according to WHOIS data for bsc2025[.]org, a domain resembling Belgrade Security Conference, which was registered using the address mailum[.]com, a relatively unknown e-mail service.
The Volexity investigation was expanded to identify other domains masquerading as the World Nuclear Exhibition scheduled for November 2025, including world-nuclear-exhibition-paris[.]com, wne-2025[.]com, and confirmyourflight-parisaeroport[.]com, that gave the impression that the World Nuclear Exhibition was being held in Paris.
In spite of the fact that researchers do not believe their domains were specifically utilized in confirmed attacks, they can assess that they might have assisted the campaign in its early stages.
Overall, these findings illustrate a shift in how advanced threat actors are increasingly relying on trusted identity frameworks in place of traditional malware and credential theft in order to carry out their attacks. It has been demonstrated that these campaigns reduce the likelihood of detection, increase user compliance, and decrease the likelihood of detection by weaponizing legitimate authentication flows and embedding them within credible professional interactions.
Organisations may have to deal with longer-term risks associated with persistent access in addition to immediate account compromise, data exposure, internal reconnaissance, and follow-up attacks resulting from persistent access. As a result, security teams are urged to revisit assumptions regarding "trusted" login mechanisms, to improve identity governance, and to ensure visibility into events that do not involve interactive interaction and that are based on a device.
An attack surface can be significantly reduced by taking proactive measures such as tightening OAuth permissions, auditing registered devices and applications, and stress testing Conditional Access policies. Moreover, leadership and security stakeholders need to be aware that modern phishing campaigns are increasingly modeled on legitimate business workflows, and that defense strategies must be complemented by context-aware user education in order to protect themselves.
A number of low-friction, high-impact attack techniques are being refined by attackers to gain a higher degree of sophistication, which makes it more challenging for organisations that treat this aspect of their operations as a core operational priority to stop intrusions before they become systemic breaches.
