Russian Hackers Target Microsoft 365 Accounts with Device Code Phishing


Multiple Russian nation-state actors are targeting sensitive Microsoft 365 accounts via device code authentication phishing, a new analysis by Volexity has revealed.

The firm first observed this activity towards the end of January 2025, when the M365 account of one of its customers was successfully compromised in a highly targeted attack.

The technique is more effective at successfully compromising accounts than most other spear-phishing campaigns, according to the researchers.

In the campaign, the attackers impersonate individuals from government departments, including the US Department of State, and prominent research institutions. This is designed to socially engineer targets into providing a specific Microsoft device authentication code, allowing the attackers long-term access to the user’s account.

This tactic is designed to exfiltrate sensitive information from compromised organizations “that would be of interest to a Russian threat actor.”

Device code authentication is a method whereby users can sign into M365 services on devices that lack a full browser interface, like Internet-of-Things (IoT) devices, by using a code displayed on that device and then authenticating on another device, such as a phone.

Volexity assesses with medium confidence that at least one of the threat actors is CozyLarch, which overlaps with the notorious Midnight Blizzard gang. The remaining activity is being tracked under UTA0304 and UTA0307.

Most of the observed attacks originated via spear-phishing emails using a variety of themes. However, one case began with outreach via messaging service Signal.

All of them resulted in the attacker inviting the targeted user to join a virtual meeting, to access apps and data as an external M365 user, or to join a chatroom on a secure chat application.

How the Device Code Phishing Attacks Work

In the first incident investigated by Volexity, the victim was contacted on Signal by an individual claiming to be from the Ukrainian Ministry of Defence. The threat actor then requested the victim move off Signal to another secure chat application called Element.

After joining an attacker-controlled Element server, the victim was informed they needed to click on a link from an email to join a secure chat room.

The email came from someone with the name of the high-ranking official from the Ukrainian Ministry of Defence.

It was structured to look like a meeting invite for a chatroom on the messaging application, Element.

However, all the hyperlinks in the email were instead linked to the page used for the Microsoft Device Code authentication workflow, taking users to a dialogue box. Once a user entered their specific code into this dialogue, the attackers could then capture the code and gain long-term access to the user’s account.

The generated Device Codes are only valid for 15 minutes once they are created, meaning the victim needed to access the page and input the code quickly after receiving the email.

“As a result, the real-time communication with the victim, and having them expect the ‘invitation’, served to ensure the phish would succeed through timely coordination,” the researchers explained.

The researchers also observed multiple Russian spear-phishing campaigns in early February 2025, which targeted users with fake Microsoft invitations purporting to be from the US Department of State.

Similarly to the first campaign, the emails aimed to convince the user to accept an invitation for a conference call, with the links directing them to the Microsoft Device Code authentication page.

However, unlike the previous attack, the email was sent out of the blue without any build-up or precursor. This made the attempt less likely to work, as the target would have needed to click on the link and input the code within 15 minutes of receiving the email.

Several other similar attacks have been observed by Volexity using fake invitations to various video platforms and chatrooms. These included the impersonation of a member of the European Parliament who is on the Committee on Foreign Affairs requesting a Microsoft Teams meeting to discuss Donald Trump and his impact on relations between the US and the European Union.

Many of these started a conversation prior to sending the link to the Microsoft Device Code authentication page to increase the chances of the target entering the generated code quickly.

In one case, a different device code phishing technique was used. Rather than the email link taking the target to the Microsoft Device Code authentication page, they were instead taken to a website controlled by UTA0307. This page was designed to appear as an official Microsoft interstitial page before the user can join a Microsoft Teams meeting, and was set up to automatically generate a new Microsoft Device Code each time it was visited.

The message on the landing page claimed that the victim needed to pass a security check by copying a code and entering it on a subsequent page. When the supplied code is entered, it gives the attackers access to the victim’s M365 account.

Targeting Device Codes Proving Highly Successful

While device code authentication attacks are not new, they have rarely been utilized by nation-state actors, the researchers noted.

The technique is particularly effective, largely because the phishing URLs are on legitimate Microsoft domains, making them recognizable to users.

The attackers also used proxy IP addresses based in the US to distribute emails, making them appear as though they came from legitimate sources.

“This particular method has been far more effective than the combined effort of years of other social-engineering and spear-phishing attacks conducted by the same (or similar) threat actors,” the researchers wrote.

Volexity said the most effective way of mitigating this attack vector is through conditional access policies on an organization’s M365 tenant. This is relatively simple to set up.

However, such policies are often not implemented, as most organizations are not aware of this authentication flow or its capacity to be abused.
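Alongside a conditional access policy, a defender can hunt for the flow in sign-in telemetry. The following Python script is an added example, not code from Volexity or Microsoft: it scans constructed sign-in records (field names modelled on the Entra ID sign-in log schema, `authenticationProtocol == "deviceCode"` marking the device code flow) and flags successful device code sign-ins by users outside a hypothetical allowlist, noting when the country differs from that user's previous sign-in.

```python
import json
from datetime import datetime

# Constructed sample records shaped like Entra ID sign-in log entries; only the
# fields this check reads are present and every value is made up for the example.
SAMPLE_SIGNINS = """
{"createdDateTime": "2025-02-03T14:02:11Z", "userPrincipalName": "alice@example.org", "authenticationProtocol": "oAuth2", "ipAddress": "203.0.113.10", "location": {"countryOrRegion": "GB"}, "status": {"errorCode": 0}}
{"createdDateTime": "2025-02-03T14:09:40Z", "userPrincipalName": "alice@example.org", "authenticationProtocol": "deviceCode", "ipAddress": "198.51.100.77", "location": {"countryOrRegion": "US"}, "status": {"errorCode": 0}}
{"createdDateTime": "2025-02-03T15:10:02Z", "userPrincipalName": "kiosk-svc@example.org", "authenticationProtocol": "deviceCode", "ipAddress": "203.0.113.55", "location": {"countryOrRegion": "GB"}, "status": {"errorCode": 0}}
{"createdDateTime": "2025-02-03T16:00:00Z", "userPrincipalName": "carol@example.org", "authenticationProtocol": "deviceCode", "ipAddress": "198.51.100.80", "location": {"countryOrRegion": "US"}, "status": {"errorCode": 50126}}
{"createdDateTime": "2025-02-03T16:30:00Z", "userPrincipalName": "dave@example.org", "authenticationProtocol": "deviceCode", "ipAddress": "203.0.113.90", "location": {"countryOrRegion": "GB"}, "status": {"errorCode": 0}}
"""

# Hypothetical allowlist: accounts that legitimately use the device code flow,
# e.g. a shared identity on a browserless kiosk or meeting-room device.
ALLOWED_DEVICE_CODE_USERS = {"kiosk-svc@example.org"}


def parse_signins(text):
    """Parse newline-delimited JSON sign-in records and return them oldest first."""
    records = [json.loads(line) for line in text.strip().splitlines() if line.strip()]
    records.sort(key=lambda r: datetime.fromisoformat(r["createdDateTime"].replace("Z", "+00:00")))
    return records


def find_suspicious_device_code_signins(records):
    """Return (upn, ip, reason) for successful device code sign-ins that look out of place."""
    last_country = {}  # country of each user's most recent successful sign-in, any protocol
    findings = []
    for rec in records:
        if rec["status"]["errorCode"] != 0:
            continue  # a failed attempt did not issue tokens, so it is not a compromise
        upn = rec["userPrincipalName"]
        country = rec["location"]["countryOrRegion"]
        if rec["authenticationProtocol"] == "deviceCode" and upn not in ALLOWED_DEVICE_CODE_USERS:
            prev = last_country.get(upn)
            if prev is None:
                reason = "device code sign-in with no prior baseline for this user"
            elif prev != country:
                reason = f"device code sign-in from {country}, previous sign-in from {prev}"
            else:
                reason = "device code sign-in by a user not expected to use this flow"
            findings.append((upn, rec["ipAddress"], reason))
        last_country[upn] = country
    return findings


if __name__ == "__main__":
    for upn, ip, reason in find_suspicious_device_code_signins(parse_signins(SAMPLE_SIGNINS)):
        print(f"{upn} {ip}: {reason}")
```

Any hit should be triaged together with the user, since a genuine device code sign-in and a phished one both succeed with the victim's own credentials and MFA.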
