Russian nation-state actors are conducting a sophisticated device code phishing campaign targeting Microsoft 365 (M365) accounts through social engineering and spear-phishing tactics to obtain device authentication codes for long-term account access. The campaign comes as Microsoft implements mandatory multi-factor authentication (MFA) across its enterprise platforms to strengthen security.
The attack methodology uses device code authentication, a legitimate feature designed for signing into M365 services on devices without full browser interfaces. The process typically involves generating a numeric or alphanumeric code on one device and authenticating it on another. The technique bypasses traditional security measures, including Microsoft’s recent push toward passkey authentication.
The campaign specifically targets sensitive M365 accounts across multiple sectors, including government, IT, defense, telecommunications, healthcare, education, and energy. The operation has also focused on NGOs throughout Africa, Europe, the Middle East, and North America. The widespread targeting corresponds with recent CISA directives requiring enhanced cloud security measures for federal agencies using Microsoft 365.
Attackers employ sophisticated social engineering by impersonating government officials, particularly from the US Department of State, and representatives from prominent research institutions. Their phishing emails frequently contain fabricated Microsoft Teams meeting invitations or other seemingly legitimate requests designed to facilitate device code authentication.
The technique has proven particularly effective due to its time-sensitive nature, as the generated device codes remain valid for only 15 minutes. The short window creates urgency for targets to respond quickly to the authentication requests, exploiting a common vulnerability in human behavior that security experts have long identified as a key factor in successful phishing attacks.
Security researchers have identified multiple threat actors involved in the campaign. Volexity attributes some activity to CozyLarch, which shares overlap with the Midnight Blizzard group, while tracking other operations under designations UTA0304 and UTA0307. Microsoft has linked the campaign to a Russia-associated threat actor known as Storm-2372.
Once successful, the attackers can use the obtained tokens to access email and cloud storage services without requiring passwords, maintaining persistent access while the tokens remain valid. The attack vector is particularly concerning as organizations increasingly rely on cloud-based services and unified endpoint management solutions for their enterprise operations. The campaign has recently incorporated politically themed messages, particularly focusing on the new administration in the United States and its potential global implications.
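As an added illustration of how a defender might surface this activity in sign-in telemetry (example code written for this page, not from Volexity, Microsoft or the cited sources), the Python below flags successful device code sign-ins that break a user's observed baseline. It assumes records shaped like Microsoft Entra sign-in logs, where authenticationProtocol is "deviceCode" for this flow; the sample records are constructed.

```python
from collections import defaultdict

# Constructed sample of Entra-style sign-in records (not real data).
# authenticationProtocol is "deviceCode" for device code flow sign-ins.
SAMPLE_SIGNINS = [
    {"userPrincipalName": "alice@example.org", "createdDateTime": "2025-02-10T08:02:11Z",
     "authenticationProtocol": "oAuth2", "ipAddress": "203.0.113.10",
     "location": {"countryOrRegion": "US"}, "status": {"errorCode": 0}},
    {"userPrincipalName": "bob@example.org", "createdDateTime": "2025-02-10T09:00:00Z",
     "authenticationProtocol": "oAuth2", "ipAddress": "203.0.113.22",
     "location": {"countryOrRegion": "US"}, "status": {"errorCode": 0}},
    {"userPrincipalName": "bob@example.org", "createdDateTime": "2025-02-12T09:15:00Z",
     "authenticationProtocol": "deviceCode", "ipAddress": "203.0.113.22",
     "location": {"countryOrRegion": "US"}, "status": {"errorCode": 0}},
    {"userPrincipalName": "bob@example.org", "createdDateTime": "2025-02-12T09:16:30Z",
     "authenticationProtocol": "deviceCode", "ipAddress": "203.0.113.22",
     "location": {"countryOrRegion": "US"}, "status": {"errorCode": 0}},
    {"userPrincipalName": "alice@example.org", "createdDateTime": "2025-02-12T13:40:05Z",
     "authenticationProtocol": "deviceCode", "ipAddress": "198.51.100.7",
     "location": {"countryOrRegion": "NL"}, "status": {"errorCode": 0}},
]


def device_code_alerts(signins):
    """Return (user, timestamp, reason) tuples for successful device code
    sign-ins worth analyst review: the user's first device code sign-in,
    or a device code sign-in from a country absent from that user's
    earlier successful sign-ins. Records are processed in time order so
    the baseline only contains what was seen before each event."""
    ordered = sorted(signins, key=lambda s: s["createdDateTime"])
    seen_countries = defaultdict(set)   # user -> countries seen so far
    used_device_code = set()            # users with a prior device code sign-in
    alerts = []
    for s in ordered:
        user = s["userPrincipalName"]
        country = s.get("location", {}).get("countryOrRegion")
        success = s.get("status", {}).get("errorCode") == 0
        if success and s.get("authenticationProtocol") == "deviceCode":
            reasons = []
            if user not in used_device_code:
                reasons.append("first device code sign-in for this user")
            if country not in seen_countries[user]:
                reasons.append(f"device code sign-in from new country {country}")
            if reasons:
                alerts.append((user, s["createdDateTime"], "; ".join(reasons)))
            used_device_code.add(user)
        if success and country:
            seen_countries[user].add(country)
    return alerts


if __name__ == "__main__":
    for alert in device_code_alerts(SAMPLE_SIGNINS):
        print(alert)
```

Bob's second device code sign-in from his usual country is deliberately left silent, so the output is only the baseline breaks an analyst would want to triage.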
Sources: Infosecurity Magazine, Security Week, Volexity