Cybersecurity researchers at Volexity have uncovered a series of targeted phishing and social engineering campaigns by multiple Russian threat actors aimed at compromising Microsoft 365 (M365) accounts through Device Code Authentication attacks. These campaigns, active since mid-January 2025, are part of a broader espionage effort targeting organizations in the United States, European Union, and Ukraine.
“Device Code Authentication phishing follows an atypical workflow to that expected by users, meaning users may not recognize it as phishing,” Volexity explains. The attackers abuse this lesser-known OAuth flow to obtain access and refresh tokens for the victim's account without ever handling a password or an MFA prompt themselves: the victim signs in and satisfies MFA on Microsoft's own page, and the tokens are issued to the party that requested the code, giving the attackers durable access to high-value accounts.
Device Code Authentication is a legitimate Microsoft feature designed to let users sign in to their M365 accounts from input-constrained devices, such as smart TVs, IoT devices, and printers: the device requests a code, shows the user a short code to type into a login page on another machine, and then receives tokens once the user has signed in. Attackers abuse this mechanism by requesting the code themselves and tricking the victim into entering it on Microsoft's genuine login page; once the victim signs in, the identity platform hands the access and refresh tokens to the attacker, who started the flow, rather than to anything the victim controls.

Volexity identified three distinct Russian cyber espionage groups using this technique:
- CozyLarch (linked to APT29, Midnight Blizzard, CozyDuke, DarkHalo)
- UTA0304
- UTA0307
“While this attack method is not new, it is one that is definitely lesser known and not commonly leveraged by nation-state actors,” Volexity states.
The attack campaigns were conducted using highly targeted spear-phishing emails and social engineering tactics. Volexity observed Russian hackers impersonating officials from:
- United States Department of State
- Ukrainian Ministry of Defence
- European Union Parliament
- Prominent research institutions
These fake personas were used to lure victims into:
- Microsoft Teams Meetings / Video Conferences
- Accessing M365 applications and data as an external user
- Joining a “secure” chatroom on Element, a messaging app
One case involved an initial approach on Signal, where a fake Ukrainian Ministry of Defence representative convinced a target to move to Element. The attacker then shared a malicious meeting invitation via email, tricking the victim into entering the attacker-supplied code and signing in on the Microsoft Device Code Authentication page.
Volexity describes this as a real-time phishing attack: the attackers must get the victim to enter the code within 15 minutes, because a device code expires that long after it is issued.
In early February 2025, Volexity observed a separate phishing campaign by CozyLarch (APT29 / Midnight Blizzard) impersonating the U.S. Department of State. This attack involved:
- Fake M365 invitations sent to users, prompting them to join a U.S. State Department tenant.
- Bogus Microsoft Teams invitations labeled “Measuring Influence Operations”, making them appear as intelligence briefings.
“Each email was aimed at convincing the user to accept the invitation and enter a unique code provided in the phishing email,” Volexity explains.
Unlike other campaigns, CozyLarch used a Microsoft redirect URL (www.microsoft.com/devicelogin) instead of linking directly to the authentication page. That address simply redirects to the device login page on login.microsoftonline.com, so every link in the email was genuine and the only attacker-controlled element was the code itself, which made the phishing attempt appear even more legitimate to unsuspecting victims.
Starting in late January 2025, Volexity observed another campaign by UTA0307, a Russian threat actor targeting high-profile individuals with politically themed lures. Attackers posed as a European Parliament member and sent emails requesting a Microsoft Teams meeting to discuss former U.S. President Donald Trump’s foreign policy impact.
These phishing emails carried subject lines such as:
- “Trump and EU”
- “Discussion about Trump’s new term”
- “Discussion on Eastern Europe and the Caucasus”
- “Collaboration on China and East Asia Research”
Unlike previous campaigns, UTA0307 embedded a fake Microsoft Teams invite link, which led to an attacker-controlled website that generated new authentication codes in real time.
“This page was set up to automatically generate a new Microsoft Device Code each time it was visited,” Volexity notes. A visitor therefore always received a code still within its 15-minute lifetime, so the attackers no longer had to time email delivery against the expiry, increasing the chances of a successful phishing attack.
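The three mechanics described above (the tokens going to whoever requested the code, the 15-minute expiry, and UTA0307's trick of minting a fresh code per visit) are easiest to see in a simulation of the OAuth 2.0 device authorization grant that Microsoft's Device Code Authentication implements. The following is an added example, not Volexity's code: the in-process `AuthServer` stands in for the Microsoft identity platform, the `FakeClock`, the `example-client-id` placeholder and the victim address are assumptions, and nothing touches the network.

```python
"""Offline simulation of the OAuth 2.0 device authorization grant (RFC 8628).
Added example, not Volexity's code: AuthServer stands in for the Microsoft
identity platform and the 900-second lifetime is the article's 15 minutes."""
import secrets
import string

DEVICE_CODE_LIFETIME = 900  # seconds; Microsoft device codes expire after 15 minutes
USER_CODE_ALPHABET = string.ascii_uppercase + string.digits


class FakeClock:
    """Controllable clock so the expiry behaviour can be exercised offline."""
    def __init__(self, start=1_700_000_000.0):
        self.now = start

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


class AuthServer:
    """Minimal stand-in for the /devicecode and /token endpoints."""
    def __init__(self, clock):
        self.clock = clock
        self.pending = {}  # device_code -> grant record

    def device_authorization(self, client_id, scope):
        # Step 1: the client calls /devicecode. In a phishing campaign the
        # attacker is the client, so the attacker holds device_code and only
        # user_code is ever shown to a human.
        user_code = "".join(secrets.choice(USER_CODE_ALPHABET) for _ in range(9))
        device_code = secrets.token_urlsafe(32)
        self.pending[device_code] = {
            "client_id": client_id, "scope": scope, "user_code": user_code,
            "expires_at": self.clock() + DEVICE_CODE_LIFETIME, "user": None,
        }
        return {"device_code": device_code, "user_code": user_code,
                "verification_uri": "https://microsoft.com/devicelogin",
                "expires_in": DEVICE_CODE_LIFETIME, "interval": 5}

    def user_enters_code(self, user_code, user, mfa_satisfied):
        # Step 2: the user types user_code on the genuine verification page and
        # signs in there, MFA included. No password or MFA code reaches the client.
        for rec in self.pending.values():
            if rec["user_code"] == user_code and rec["expires_at"] > self.clock():
                if not mfa_satisfied:
                    return "mfa_required"
                rec["user"] = user
                return "authorized"
        return "invalid_or_expired_code"

    def token(self, device_code):
        # Step 3: whoever holds device_code polls /token and receives the tokens
        # once the user has approved. In phishing that party is the attacker.
        rec = self.pending.get(device_code)
        if rec is None:
            return {"error": "invalid_grant"}
        if rec["expires_at"] <= self.clock():
            del self.pending[device_code]
            return {"error": "expired_token"}
        if rec["user"] is None:
            return {"error": "authorization_pending"}
        del self.pending[device_code]
        return {"access_token": "at-" + secrets.token_hex(8),
                "refresh_token": "rt-" + secrets.token_hex(8),
                "scope": rec["scope"], "subject": rec["user"]}


def run_phish(victim_delay_s, regenerate_on_expiry=False, victim="alice@example.org"):
    """One phishing round: the attacker requests a code, the victim acts on the
    lure victim_delay_s seconds later and completes MFA, the attacker polls.
    With regenerate_on_expiry=True the attacker's landing page mints a fresh
    code when the first has expired, as described for UTA0307. Returns a summary."""
    clock = FakeClock()
    server = AuthServer(clock)
    client_id = "example-client-id"  # placeholder; real lures use a public Microsoft client ID
    scope = "openid offline_access Mail.Read"  # offline_access is what yields a refresh token
    grant = server.device_authorization(client_id, scope)
    codes_issued = 1
    assert server.token(grant["device_code"]) == {"error": "authorization_pending"}

    clock.advance(victim_delay_s)  # time until the victim acts on the lure
    status = server.user_enters_code(grant["user_code"], victim, mfa_satisfied=True)
    if status != "authorized" and regenerate_on_expiry:
        grant = server.device_authorization(client_id, scope)  # fresh, unexpired code
        codes_issued += 1
        status = server.user_enters_code(grant["user_code"], victim, mfa_satisfied=True)

    reply = server.token(grant["device_code"])
    return {"victim_status": status, "codes_issued": codes_issued,
            "token_subject": reply.get("subject"), "error": reply.get("error")}


if __name__ == "__main__":
    print(run_phish(60))                                          # victim acts in time
    print(run_phish(DEVICE_CODE_LIFETIME + 1))                    # lure read too late
    print(run_phish(DEVICE_CODE_LIFETIME + 1, regenerate_on_expiry=True))
```

The point to notice is that `user_enters_code` never returns anything to the attacker; the tokens come back only through `token`, which is called with the `device_code` the attacker kept. That is why a victim who carefully checks the URL, signs in on the real Microsoft page and completes MFA still hands over the session.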
Volexity advises organizations to “evaluate the use of Device Code Authentication in their environment”, since disabling it can break legitimate workflows such as signing in on conference-room devices. For organizations that do not actively use it, blocking the flow is the most direct defense; in Microsoft Entra this is done with a Conditional Access policy whose Authentication flows condition targets Device code flow, with an exclusion for any accounts that genuinely need it. Where it must stay enabled, device-code sign-ins are recorded in the Entra sign-in logs and should be reviewed.
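For the review step, the following added example (not from Volexity or Microsoft) hunts through an exported sign-in log for device-code sign-ins. It assumes a JSON-lines export using the Microsoft Graph `signIn` field names `authenticationProtocol`, `userPrincipalName`, `appDisplayName`, `ipAddress`, `createdDateTime` and `status.errorCode`, with `deviceCode` being the value Entra records for this flow; the records, the `lobby-display@example.org` baseline account and the severities are constructed for the example.

```python
"""Hunt for device-code sign-ins in an exported Entra sign-in log.
Added example, not from Volexity or Microsoft. Field names follow the Graph
signIn resource; the sample records and the baseline are constructed."""
import json

# Constructed sample export: four sign-ins, three over the device code flow.
SAMPLE_SIGNIN_LOG = """\
{"createdDateTime":"2025-02-03T09:12:41Z","userPrincipalName":"alice@example.org","appDisplayName":"Microsoft Office","ipAddress":"198.51.100.23","authenticationProtocol":"deviceCode","status":{"errorCode":0}}
{"createdDateTime":"2025-02-03T09:15:02Z","userPrincipalName":"alice@example.org","appDisplayName":"Microsoft Teams","ipAddress":"203.0.113.8","authenticationProtocol":"oAuth2","status":{"errorCode":0}}
{"createdDateTime":"2025-02-03T10:40:19Z","userPrincipalName":"lobby-display@example.org","appDisplayName":"Microsoft Teams","ipAddress":"203.0.113.40","authenticationProtocol":"deviceCode","status":{"errorCode":0}}
{"createdDateTime":"2025-02-03T11:02:55Z","userPrincipalName":"bob@example.org","appDisplayName":"Microsoft Office","ipAddress":"198.51.100.23","authenticationProtocol":"deviceCode","status":{"errorCode":50126}}
"""

# Assumed baseline: accounts that legitimately sign in over the device code flow
# (meeting-room displays, kiosks). Everything else is unexpected.
EXPECTED_DEVICE_CODE_USERS = frozenset({"lobby-display@example.org"})


def load_signins(text):
    """Parse a JSON-lines export into a list of sign-in records."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def find_device_code_signins(records, expected_users=EXPECTED_DEVICE_CODE_USERS):
    """Return device-code sign-ins that deserve a look, highest concern first.

    A successful device-code sign-in by an account with no expected use of the
    flow is 'high'. Failed attempts and baseline accounts are kept as 'info' so
    that a campaign hitting several users stays visible in one listing."""
    hits = []
    for r in records:
        if r.get("authenticationProtocol") != "deviceCode":
            continue
        succeeded = r.get("status", {}).get("errorCode") == 0
        unexpected = r["userPrincipalName"] not in expected_users
        hits.append({
            "time": r["createdDateTime"],
            "user": r["userPrincipalName"],
            "app": r.get("appDisplayName"),
            "ip": r.get("ipAddress"),
            "succeeded": succeeded,
            "severity": "high" if succeeded and unexpected else "info",
        })
    hits.sort(key=lambda h: (h["severity"] != "high", h["time"]))
    return hits


def shared_source_ips(hits):
    """Source addresses behind device-code sign-ins for more than one account.
    An analyst heuristic, not a claim from the article: an unfamiliar address
    tied to several users' device-code sign-ins is worth pivoting on."""
    by_ip = {}
    for h in hits:
        by_ip.setdefault(h["ip"], set()).add(h["user"])
    return {ip: sorted(users) for ip, users in by_ip.items() if len(users) > 1}


if __name__ == "__main__":
    found = find_device_code_signins(load_signins(SAMPLE_SIGNIN_LOG))
    for h in found:
        print(f'{h["severity"]:4} {h["time"]} {h["user"]:28} {h["app"]:18} {h["ip"]}')
    print("shared source IPs:", shared_source_ips(found))
```

The same filter is a one-liner in KQL against the `SigninLogs` table (`AuthenticationProtocol == "deviceCode"`); the script adds the baseline comparison so that a meeting-room account does not drown out a single unexpected hit on a staff mailbox.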