
Russia-Linked Hackers Use Microsoft 365 Device Code Phishing for Account Takeovers

Severity: Low
Category: Phishing
Published: Fri Dec 19 2025 (12/19/2025, 17:54:00 UTC)
Source: The Hacker News

Description

A suspected Russia-aligned group has been attributed to a phishing campaign that employs device code authentication workflows to steal victims' Microsoft 365 credentials and conduct account takeover attacks. The activity, ongoing since September 2025, is being tracked by Proofpoint under the moniker UNK_AcademicFlare. The attacks involve using compromised email addresses belonging to government

AI-Powered Analysis

Last updated: 12/19/2025, 20:29:05 UTC

Technical Analysis

The campaign, attributed by Proofpoint to a suspected Russia-aligned group tracked as UNK_AcademicFlare and active since September 2025, abuses the Microsoft 365 device code authentication flow (the OAuth 2.0 device authorization grant). That flow exists for input-constrained devices: a client requests a device code and a short user code, the user opens a browser on some other device, signs in at Microsoft's legitimate device login page and types the user code, and the client that requested the code then receives the tokens. Whoever initiates the flow owns the resulting tokens, which is the property the attackers exploit.

The lure starts from compromised email accounts belonging to government and military organizations, used to open a benign exchange about the target's area of expertise and establish credibility. The adversary then sends a link to a Cloudflare Worker URL that mimics the compromised sender's OneDrive, instructing the victim to copy a device code and continue to the genuine Microsoft device code login page. When the victim signs in there and enters the code, Microsoft issues access and refresh tokens to the attacker's waiting client, giving the attackers the victim's Microsoft 365 account without a password ever being entered on attacker-controlled infrastructure. Because the page where credentials go is Microsoft's own, URL-based phishing detection and the user's habit of checking the address bar offer no protection, and the victim's MFA step is completed legitimately as part of the same sign-in.

Targets are in government, think tanks, higher education and transportation in the U.S. and Europe, with a focus on Russia-related specialists and on Ukrainian government and energy sectors. The attackers use crimeware kits such as Graphish and tools such as SquarePhish that automate device code phishing, so even low-skilled actors can run it. The objective is credential theft and account takeover for access to sensitive data, espionage or follow-on activity. The recommended mitigation is Conditional Access policies that block the device code flow outright or restrict it to approved users, IP ranges or operating systems, shrinking the attack surface.
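To make the flow described above concrete, the following is an added example (not code from the article, from Proofpoint or from Microsoft): an in-memory mock of an RFC 8628 device authorization server with its three interactions, and a replay of the campaign's steps against it. It contacts no Microsoft endpoint; the class and function names, the IP addresses (RFC 5737 documentation ranges) and the UPN are constructed. The point it demonstrates is that the tokens are delivered to whichever client requested the code, regardless of who authenticated, and that the server can record both parties' addresses.

```python
"""Simulated OAuth 2.0 device authorization grant (RFC 8628), the flow this
campaign abuses.  Added teaching example: the authorization server is an
in-memory mock, no Microsoft endpoint or tenant is contacted, and the names,
IPs (RFC 5737 documentation ranges) and UPN are constructed."""

import secrets
import string
import time
from dataclasses import dataclass
from typing import Dict, List, Optional

CODE_ALPHABET = string.ascii_uppercase + string.digits


@dataclass
class PendingGrant:
    client_id: str
    requester_ip: str              # client that called /devicecode and will poll /token
    user_code: str
    expires_at: float
    approved_by: Optional[str] = None
    approver_ip: Optional[str] = None
    tokens: Optional[Dict[str, str]] = None


class MockAuthServer:
    """Minimal device-code authorization server: three endpoints plus an audit log."""

    def __init__(self, lifetime_s: int = 900) -> None:
        self.pending: Dict[str, PendingGrant] = {}   # device_code -> grant
        self.lifetime_s = lifetime_s
        self.audit: List[Dict[str, str]] = []

    def request_device_code(self, client_id: str, requester_ip: str) -> Dict[str, object]:
        """POST /devicecode.  Whoever calls this will own the resulting tokens."""
        device_code = secrets.token_urlsafe(32)
        user_code = "".join(secrets.choice(CODE_ALPHABET) for _ in range(9))
        self.pending[device_code] = PendingGrant(
            client_id, requester_ip, user_code, time.time() + self.lifetime_s)
        return {"device_code": device_code, "user_code": user_code,
                "verification_uri": "https://login.example/devicelogin",
                "expires_in": self.lifetime_s, "interval": 5}

    def user_enters_code(self, user_code: str, upn: str, approver_ip: str, mfa_ok: bool) -> bool:
        """The legitimate verification page: the user signs in, passes MFA and
        types the code.  Nothing here tells the user who requested the code."""
        for grant in self.pending.values():
            if (grant.user_code == user_code and grant.approved_by is None
                    and time.time() < grant.expires_at):
                if not mfa_ok:
                    return False
                grant.approved_by, grant.approver_ip = upn, approver_ip
                grant.tokens = {"access_token": "at-" + secrets.token_hex(8),
                                "refresh_token": "rt-" + secrets.token_hex(8),
                                "upn": upn}
                self.audit.append({"user_code": user_code, "client_id": grant.client_id,
                                   "requester_ip": grant.requester_ip,
                                   "approver_ip": approver_ip, "upn": upn})
                return True
        return False

    def poll_token(self, device_code: str) -> Dict[str, str]:
        """POST /token with grant_type=device_code, polled by the requester."""
        grant = self.pending.get(device_code)
        if grant is None:
            return {"error": "invalid_grant"}
        if time.time() >= grant.expires_at:
            del self.pending[device_code]
            return {"error": "expired_token"}
        if grant.tokens is None:
            return {"error": "authorization_pending"}
        del self.pending[device_code]          # device codes are single-use
        return dict(grant.tokens)


def simulate_campaign() -> Dict[str, object]:
    """Replay the campaign's steps: the attacker requests the code, the victim
    approves it on the genuine page, and the attacker's client collects."""
    server = MockAuthServer()
    attacker_ip, victim_ip = "198.51.100.7", "203.0.113.10"          # constructed
    step = server.request_device_code("attacker-polling-client", attacker_ip)
    first_poll = server.poll_token(step["device_code"])             # still pending
    # Lure: "open the shared file by entering this code at the device login page".
    server.user_enters_code(step["user_code"], "victim@agency.example", victim_ip, mfa_ok=True)
    tokens = server.poll_token(step["device_code"])
    return {"first_poll": first_poll, "account": tokens.get("upn"),
            "has_refresh_token": "refresh_token" in tokens,
            "token_holder_ip": attacker_ip, "approver_ip": victim_ip,
            "audit": server.audit}


if __name__ == "__main__":
    print(simulate_campaign())
```

The audit entry is the defender's handle on this: the requester address and the approver address differ, and in the campaign the requester is the attacker. A real identity provider records the same split, which is what the sign-in monitoring in the mitigation section relies on.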

Potential Impact

For European organizations, especially those in government, military, think tanks, higher education and transportation, this threat poses a significant risk of unauthorized access to sensitive information held in Microsoft 365. A successful account takeover yields tokens, including a refresh token, valid for the victim's Microsoft 365 services, which can lead to data breaches, espionage, disruption of critical infrastructure and loss of intellectual property. Because the victim authenticates on a genuine Microsoft page and completes MFA normally, the compromise leaves few of the signs that conventional credential phishing produces, increasing the likelihood that it goes unnoticed. The targeting of Russia-focused specialists and Ukrainian government and energy sectors indicates a geopolitical motive, with implications for European national security and critical energy infrastructure. Compromised accounts can also be used to launch further attacks within the organization or against third parties, as this campaign itself shows by sending its lures from compromised government and military mailboxes, amplifying the threat. The ease of use of crimeware kits lowers the barrier for attackers and could increase the volume and frequency of attacks against European targets. Overall, the threat undermines trust in cloud-based collaboration platforms and could disrupt governmental and critical sector operations.

Mitigation Recommendations

European organizations should implement strict Conditional Access policies within Microsoft 365 environments to block or tightly control the device code authentication flow. Specifically, administrators should:

1) Block device code authentication for all users where possible, using the Conditional Access "authentication flows" condition. Deploy the policy in report-only mode first to identify legitimate users of the flow (typically headless or input-constrained devices and some command-line tooling), then enforce it.
2) If blocking outright is not feasible, restrict the flow to an allow-list of users, groups, compliant devices, named locations (IP ranges) or operating systems, and block it everywhere else.
3) Educate users about device code phishing: a legitimate correspondent will not ask them to type a code into Microsoft's device login page to open a shared document, and the fact that the login page is genuinely Microsoft's does not make the request safe.
4) Monitor Entra sign-in logs for the device code protocol (authenticationProtocol = deviceCode) and alert on its use by unexpected users, from unexpected locations or for unexpected applications. For this flow the IP address in the sign-in record belongs to the client that requested the code and polled for the token, not to the user's browser, so a device code sign-in from infrastructure the organization does not own is a strong indicator.
5) Do not rely on MFA strength to stop this attack: the victim completes MFA legitimately on Microsoft's page, so even phishing-resistant methods such as FIDO2 security keys do not prevent the tokens from being issued to the attacker's client. Require compliant or hybrid-joined devices for sensitive applications instead, which the attacker's polling client cannot satisfy, and treat MFA as protection against credential reuse rather than against this flow.
6) On suspected compromise, revoke the user's refresh tokens and sessions (revokeSignInSessions in Microsoft Graph, Revoke-MgUserSignInSession in PowerShell), reset the password, and review the mailbox for new inbox rules, the account for OAuth consents, and recent file access.
7) Use threat protection tools that detect anomalous sign-in behaviour and the lure emails themselves, noting that the lure links point to Cloudflare Worker pages rather than to a credential-harvesting form, so they will not match conventional phishing-page signatures.
8) Collaborate with threat intelligence providers to stay updated on emerging tactics and indicators of compromise related to device code phishing.
9) Enforce SPF, DKIM and DMARC as a matter of hygiene, but understand that they will not stop this campaign, which sends from compromised and legitimately authenticated government and military mailboxes; pair them with scrutiny of unexpected document-sharing requests even from known senders.
10) Conduct phishing simulation exercises tailored to device code phishing scenarios to raise user awareness.
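The following is an added example, not code from the article or from Microsoft, covering items 1, 2 and 4 above: a builder for the Microsoft Graph conditionalAccessPolicy body that blocks the device code flow tenant-wide or from all but named trusted locations, and a detector run over Entra sign-in records. It assumes that the Conditional Access "authentication flows" condition is expressed in Graph as conditions.authenticationFlows.transferMethods = "deviceCodeFlow" (validate this in report-only mode in your own tenant before enforcing); the sign-in records are constructed, not real, and the group ID, location ID, networks and function names are placeholders.

```python
"""Defensive pieces for the device code flow: the Graph conditionalAccessPolicy
body that blocks (or location-restricts) the flow, and a detector over Entra
sign-in records.  Added example, not from the article or Microsoft.  The
authenticationFlows/transferMethods condition is assumed as documented for
Entra Conditional Access; records, IDs and networks below are constructed."""

import ipaddress
import json
from typing import Dict, Iterable, List, Optional

BREAK_GLASS_GROUP_ID = "00000000-0000-0000-0000-000000000000"      # placeholder
CORPORATE_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]      # constructed


def build_device_code_policy(report_only: bool = True,
                             trusted_location_ids: Optional[List[str]] = None,
                             exclude_group_id: str = BREAK_GLASS_GROUP_ID) -> Dict[str, object]:
    """Body for POST https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies
    (permission Policy.ReadWrite.ConditionalAccess).  With no trusted locations the
    flow is blocked everywhere (item 1); with named-location IDs it is blocked
    from every other location (item 2).  Start in report-only mode."""
    conditions: Dict[str, object] = {
        "users": {"includeUsers": ["All"], "excludeGroups": [exclude_group_id]},
        "applications": {"includeApplications": ["All"]},
        "authenticationFlows": {"transferMethods": "deviceCodeFlow"},
    }
    if trusted_location_ids:
        conditions["locations"] = {"includeLocations": ["All"],
                                   "excludeLocations": list(trusted_location_ids)}
    return {
        "displayName": "Block device code flow (device code phishing)",
        "state": "enabledForReportingButNotEnforced" if report_only else "enabled",
        "conditions": conditions,
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }


# Constructed sign-in records using the Graph signIn property names.  In a real
# tenant these come from GET /auditLogs/signIns or the SigninLogs table.
SIGNIN_LOG = [
    {"createdDateTime": "2025-12-18T09:12:03Z", "userPrincipalName": "alice@agency.example",
     "authenticationProtocol": "deviceCode", "ipAddress": "203.0.113.10",
     "appDisplayName": "Microsoft Azure CLI", "status": {"errorCode": 0}},
    {"createdDateTime": "2025-12-18T10:41:55Z", "userPrincipalName": "bob@agency.example",
     "authenticationProtocol": "deviceCode", "ipAddress": "198.51.100.7",
     "appDisplayName": "Microsoft Office", "status": {"errorCode": 0}},
    {"createdDateTime": "2025-12-18T10:42:10Z", "userPrincipalName": "carol@agency.example",
     "authenticationProtocol": "oAuth2", "ipAddress": "198.51.100.8",
     "appDisplayName": "Microsoft Office", "status": {"errorCode": 0}},
    {"createdDateTime": "2025-12-18T11:03:27Z", "userPrincipalName": "dave@agency.example",
     "authenticationProtocol": "deviceCode", "ipAddress": "192.0.2.55",
     "appDisplayName": "Microsoft Office", "status": {"errorCode": 50126}},
]


def find_device_code_signins(records: Iterable[Dict[str, object]],
                             allowed_networks=CORPORATE_NETWORKS) -> List[Dict[str, object]]:
    """Flag device code sign-ins whose source IP is outside the allow-listed
    networks.  For this flow the recorded IP is that of the client that requested
    the code and polled for the token, not the browser where the user typed it,
    so an unknown source points at the attacker's infrastructure.  Failed
    attempts are reported too, since they show a lure in circulation."""
    findings = []
    for rec in records:
        if rec.get("authenticationProtocol") != "deviceCode":
            continue
        ip = ipaddress.ip_address(str(rec["ipAddress"]))
        if any(ip in net for net in allowed_networks):
            continue
        error = rec.get("status", {}).get("errorCode", 0)
        findings.append({"userPrincipalName": rec["userPrincipalName"],
                         "ipAddress": str(ip), "app": rec.get("appDisplayName"),
                         "when": rec["createdDateTime"],
                         "outcome": "success" if error == 0 else "failed (%s)" % error})
    return findings


if __name__ == "__main__":
    print(json.dumps(build_device_code_policy(), indent=2))
    for finding in find_device_code_signins(SIGNIN_LOG):
        print(finding)
```

Run against the constructed log, the detector passes alice (device code from a corporate range, a plausible CLI use) and flags bob's successful and dave's failed sign-ins from outside it; carol is ignored because her sign-in is not a device code flow. A successful finding is the trigger for the revocation steps in item 6.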


Technical Details

Article Source: https://thehackernews.com/2025/12/russia-linked-hackers-use-microsoft-365.html (fetched 2025-12-19T20:28:36Z, 1115 words)

Threat ID: 6945b57794037f6b53608bb0

Added to database: 12/19/2025, 8:28:39 PM

Last enriched: 12/19/2025, 8:29:05 PM

Last updated: 2/4/2026, 3:40:46 AM

