Introduction

Since at least August 2024 [7], multiple Russian nation-state actors [1] [3] [4] [6] [7] [8] [10], including the suspected group Storm-2372, have been engaged in a sophisticated spear-phishing campaign targeting Microsoft 365 (M365) accounts. These actors impersonate officials from various high-profile organizations, employing device code phishing techniques to gain unauthorized access to sensitive information. This campaign has significant implications for critical infrastructure across multiple sectors globally.

Description

Multiple Russian nation-state actors [1] [3] [4] [6] [7] [8] [10], including a suspected group known as Storm-2372, have been conducting a sustained spear-phishing campaign targeting Microsoft 365 (M365) accounts since at least August 2024. These actors [1] [2] [4], assessed to be aligned with Russian interests [2], are impersonating officials from the US Department of State [1] [4] [7], the Ukrainian Ministry of Defence [1] [4] [7] [10], the European Union Parliament [1] [4] [10], and notable research institutions [1] [4] [8] [9], utilizing a technique known as device code phishing [2] [3] [4]. This method exploits the device code flow authentication outlined in the OAuth standard [3], which is typically used for devices lacking full browser support [3], such as printers and smart TVs [3]. By deceiving users into granting access through this workflow, attackers capture authentication tokens that allow for persistent access to targeted accounts and associated data and services.

These activities [6] [8] [10], first observed in late January 2025 [8] [10], have targeted critical infrastructure organizations [6], including governments and non-governmental entities in the IT [11], telecom [6], health [6], higher education [6], and energy sectors across Europe [6], North America [6], Africa [6], and the Middle East [6]. The campaign has been linked to Russian threat groups, including CozyLarch (APT29), UTA0304 [1] [2] [6] [7] [10], and UTA0307 [1] [2] [6] [7] [10], which have been engaging in similar phishing activities. Researchers note the possibility that these campaigns may be orchestrated by a single threat actor operating under different identities [2], as they are being tracked separately due to variations in their tactics [2].

Attackers often initiate contact through messaging platforms like Signal, WhatsApp [3] [6] [7], and Microsoft Teams [1] [2] [3] [6] [7] [11], sending fake meeting invitations that lead victims to a fraudulent Microsoft login page [7]. In one incident [10], a victim was contacted by someone posing as a Ukrainian Ministry of Defence official [10], which led them to a fake meeting invite directing them to the Microsoft Device Code authentication page [10]. The threat actors first establish rapport, then invite the target to join a Microsoft Teams meeting or to access applications as an external M365 user; the user then inadvertently authenticates an attacker-controlled session [7]. When the target accesses the link and enters the device code [3], the attackers gain prolonged access to the user’s account [3], facilitating lateral movement within compromised networks [6].

Various communication methods are employed, including phishing emails disguised as Microsoft Teams meeting invitations [2] [6], to deceive targets into providing a Microsoft device authentication code [8]. This code, when entered along with the user’s credentials, grants long-term access to the user’s account [8] [10]. Once inside [11], the threat actors search through emails for specific keywords and exfiltrate sensitive documents [11], indicating that their objectives align with Russian interests [1]. Volexity has identified exfiltration of documents from compromised M365 accounts [1], further underscoring the attackers’ objectives. Specific tactics employed by these groups include UTA0304 creating a fake secure chat platform and CozyLarch sending fraudulent invitations to US State Department meetings [7].

One notable campaign involved fake invitations from the US Department of State [1] [10], leveraging a device code OAuth phishing workflow that created a sense of urgency, prompting users to act quickly to enter the code [1]. Another campaign [1] [2], tracked as UTA0307 [1] [10], involved impersonating a member of the European Parliament and soliciting discussions on topics related to Donald Trump [1], US-EU relations [1], and China’s foreign policy [1]. Volexity assesses with high confidence that at least one of the threat actors involved is CozyLarch [8] [10], which is associated with the Midnight Blizzard gang [8] [10], along with other tracked activities under the names UTA0304 and UTA0307.

These actors have adopted device code authentication attacks because the technique has proven more effective than traditional spear-phishing methods [1] [9], especially before targets can implement countermeasures [1]. Volexity’s CEO [3], Steven Adair [3], noted that while device code authentication attacks are not new [3], they have been utilized more effectively by nation-state actors compared to previous social engineering tactics [5]. The success of these attacks is attributed to the confusing user interface of the device code authorization process [3], highlighting the need for users to be vigilant about links and the pages they lead to [3]. Microsoft Azure prompts users to verify the app they are signing into [3], and users should be cautious of messages that lack this confirmation option [3]. All attacks have led to the attacker inviting the targeted user to a virtual meeting [8], accessing applications and data as an external M365 user [8], or joining a secure chatroom [8].

Additionally, attackers have enhanced the legitimacy of their phishing attempts by utilizing proxy IP addresses based in the US and ensuring that phishing URLs appear on legitimate Microsoft domains. This strategy increases the likelihood of success, as users may be more inclined to trust communications that seem to originate from recognized sources. To mitigate these attacks [10], Volexity recommends implementing conditional access policies on an organization’s M365 tenant [10], which are often overlooked due to a lack of awareness regarding this authentication flow and its potential for abuse [10].
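As an added illustration of the detection side of the mitigation discussed above (this is example code, not from Volexity or any of the cited reports), the following script scans Entra ID sign-in records for successful device-code sign-ins by accounts that are not expected to use that flow. It relies on the authenticationProtocol field of the Microsoft Graph signIn resource (value "deviceCode"); the log lines are constructed for the example, and the allowlist of accounts expected to use device code is an assumption a tenant would maintain itself. Because the campaign routed traffic through US-based proxies, the example deliberately keys on the protocol rather than on source geography.

```python
import json

# Constructed sample of Entra ID sign-in records as JSON lines, modelled on the
# Microsoft Graph signIn resource. All users, IPs and timestamps are invented.
SAMPLE_SIGNIN_LOG = """
{"userPrincipalName":"alice@example.org","authenticationProtocol":"deviceCode","appDisplayName":"Microsoft Office","ipAddress":"203.0.113.10","createdDateTime":"2025-02-10T09:12:00Z","status":{"errorCode":0}}
{"userPrincipalName":"bob@example.org","authenticationProtocol":"none","appDisplayName":"Microsoft Teams","ipAddress":"198.51.100.7","createdDateTime":"2025-02-10T09:15:00Z","status":{"errorCode":0}}
{"userPrincipalName":"alice@example.org","authenticationProtocol":"deviceCode","appDisplayName":"Microsoft Office","ipAddress":"203.0.113.10","createdDateTime":"2025-02-10T09:13:00Z","status":{"errorCode":50199}}
{"userPrincipalName":"printer-svc@example.org","authenticationProtocol":"deviceCode","appDisplayName":"Universal Print","ipAddress":"192.0.2.5","createdDateTime":"2025-02-10T09:20:00Z","status":{"errorCode":0}}
"""


def parse_signins(log_text):
    """Parse JSON-lines sign-in export into a list of dicts, skipping blank lines."""
    return [json.loads(line) for line in log_text.strip().splitlines() if line.strip()]


def find_unexpected_device_code_signins(records, expected_users):
    """Return one alert per successful device-code sign-in whose account is not in
    expected_users (e.g. printers or other browserless devices). Failed attempts
    (non-zero errorCode) are skipped here but counted by summarize_device_code()."""
    alerts = []
    for rec in records:
        if rec.get("authenticationProtocol") != "deviceCode":
            continue
        if rec.get("status", {}).get("errorCode", 0) != 0:
            continue
        user = rec.get("userPrincipalName", "").lower()
        if user in {u.lower() for u in expected_users}:
            continue
        alerts.append({
            "user": user,
            "app": rec.get("appDisplayName"),
            "ip": rec.get("ipAddress"),
            "time": rec.get("createdDateTime"),
            "reason": "device code sign-in by account not expected to use this flow",
        })
    return alerts


def summarize_device_code(records):
    """Per-user counts of successful and failed device-code sign-ins, useful for
    spotting accounts that suddenly start using the flow."""
    summary = {}
    for rec in records:
        if rec.get("authenticationProtocol") != "deviceCode":
            continue
        user = rec.get("userPrincipalName", "").lower()
        ok = rec.get("status", {}).get("errorCode", 0) == 0
        entry = summary.setdefault(user, {"success": 0, "failed": 0})
        entry["success" if ok else "failed"] += 1
    return summary


if __name__ == "__main__":
    recs = parse_signins(SAMPLE_SIGNIN_LOG)
    for alert in find_unexpected_device_code_signins(recs, {"printer-svc@example.org"}):
        print(alert)
    print(summarize_device_code(recs))
```

In practice the records would come from the Graph auditLogs/signIns endpoint or a SIEM export rather than an embedded string, and any hit should be reviewed together with the conditional access policy that decides whether the flow is permitted at all.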

Conclusion

The ongoing spear-phishing campaign by Russian nation-state actors poses a significant threat to global critical infrastructure. The use of device code phishing techniques has proven highly effective, necessitating increased vigilance and awareness among users. Organizations are advised to implement robust security measures, such as conditional access policies, to mitigate these threats [10]. As attackers continue to refine their methods, it is crucial for both individuals and organizations to remain informed and proactive in safeguarding their digital assets.

References

[1] https://www.volexity.com/blog/2025/02/13/multiple-russian-threat-actors-targeting-microsoft-device-code-authentication/
[2] https://tech-wire.in/technology/cyber-security/microsoft-russian-linked-hackers-using-device-code-phishing-to-hijack-accounts/
[3] https://arstechnica.com/information-technology/2025/02/russian-spies-use-device-code-phishing-to-hijack-microsoft-accounts/
[4] https://thecyberwire.com/newsletters/daily-briefing/14/30
[5] https://cyber.vumetric.com/security-news/2025/02/14/threat-actors-are-using-legitimate-microsoft-feature-to-compromise-m365-accounts/
[6] https://cyberscoop.com/russia-threat-groups-device-code-phishing-microsoft-accounts/
[7] https://cyberinsider.com/hackers-use-device-code-phishing-to-hijack-microsoft-365-accounts/
[8] https://www.infosecurity-magazine.com/news/russian-microsoft-device-code/
[9] https://www.newsminimalist.com/articles/russian-hackers-exploit-microsoft-365-accounts-using-new-phishing-technique-62031de5
[10] https://osintcorp.net/russian-hackers-target-microsoft-365-accounts-with-device-code-attacks/
[11] https://www.helpnetsecurity.com/2025/02/14/microsoft-device-code-authentication-phishing-m365-account-compromise/