Proofpoint security researchers have identified UNK_AcademicFlare, a threat actor operating out of Russia that has been running targeted phishing campaigns aimed at stealing Microsoft 365 account credentials since September 2025. The group mainly targets government agencies and contractors and academic institutions, but has also targeted transportation organizations in the U.S. and Europe.
What set this campaign apart is that the phishing abused the device code authentication flow rather than the "traditional" username-and-password prompt. In that flow the party that starts the sign-in, here the attacker, is the one that receives the resulting access tokens once the victim approves the request. The attackers used compromised email accounts belonging to government and military organizations to contact prospective victims, sending harmless-looking emails that built rapport or proposed a fake meeting on a topic matching each target's professional expertise.
Victims receive a link to a Cloudflare Workers URL that mimics the email sender's OneDrive. The page instructs the user to copy a code, paste it and click "Next" to view the file; clicking "Next" redirects to the legitimate Microsoft device code login page, on Microsoft's real domain, which is why the request looks trustworthy. When the victim enters the code and signs in, Microsoft issues access and refresh tokens to the session that originally requested that code, the attacker's, giving the attacker access to the victim's Microsoft 365 account without ever seeing the password and with MFA already satisfied.
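To make the token-routing point concrete, the flow described above, simulated offline: a mock authorization server with the three device-code endpoints, an attacker acting as the OAuth client, and a victim who only ever touches the genuine login page. This is an added illustration, not Proofpoint's, Microsoft's or any threat actor's code; the endpoint domain, client ID, accounts and password check are invented, and the 9-character code and 15-minute lifetime mirror Microsoft's flow.

```python
"""Simulated OAuth 2.0 device authorization grant (RFC 8628) showing that the
tokens go to whoever STARTED the flow, not to whoever typed the code.
Added illustration; all names, domains and credentials are mock values."""
import secrets
import string
from dataclasses import dataclass, field
from typing import Optional

# Constructed directory of users; the password check below is a mock.
MOCK_DIRECTORY = {"victim@contoso.example": "correct horse battery staple"}


@dataclass
class PendingGrant:
    client_id: str
    scope: str
    user_code: str
    expires_at: float
    user: Optional[str] = None   # filled in when a human approves the code


@dataclass
class MockAuthServer:
    """Stand-in for the IdP's /devicecode, /devicelogin and /token endpoints."""
    now: float = 0.0             # simulated clock, advanced by the caller
    expires_in: int = 900        # user codes live for minutes (Microsoft: 15)
    grants: dict = field(default_factory=dict)        # device_code -> grant
    by_user_code: dict = field(default_factory=dict)  # user_code -> grant

    def device_authorization(self, client_id: str, scope: str) -> dict:
        """Step 1: the party that starts the flow receives BOTH codes.
        In the campaign this party is the attacker's script."""
        alphabet = string.ascii_uppercase + string.digits
        user_code = "".join(secrets.choice(alphabet) for _ in range(9))
        device_code = secrets.token_urlsafe(32)
        grant = PendingGrant(client_id, scope, user_code,
                             self.now + self.expires_in)
        self.grants[device_code] = grant
        self.by_user_code[user_code] = grant
        return {"device_code": device_code, "user_code": user_code,
                "verification_uri": "https://login.idp.example/devicelogin",
                "expires_in": self.expires_in, "interval": 5}

    def device_login(self, user_code: str, username: str, password: str) -> str:
        """Step 2: a human types user_code into the GENUINE login page and
        authenticates (MFA included). The page never says who asked for it."""
        grant = self.by_user_code.get(user_code)
        if grant is None or self.now >= grant.expires_at:
            return "invalid_or_expired_code"
        if MOCK_DIRECTORY.get(username) != password:
            return "bad_credentials"
        grant.user = username
        return "approved"

    def token(self, device_code: str) -> dict:
        """Step 3: whoever holds device_code polls here and collects tokens
        minted for the user who approved the matching user_code."""
        grant = self.grants.get(device_code)
        if grant is None:
            return {"error": "invalid_grant"}
        if self.now >= grant.expires_at:
            return {"error": "expired_token"}
        if grant.user is None:
            return {"error": "authorization_pending"}
        return {"access_token": "at." + secrets.token_hex(8),
                "refresh_token": "rt." + secrets.token_hex(8),
                "scope": grant.scope, "issued_to_user": grant.user}


def run_phish(idp: MockAuthServer, victim_delay: float = 60) -> dict:
    """The lure-to-token sequence end to end. Returns the attacker's final
    /token response, annotated with what the victim saw."""
    # Attacker starts the flow and gets the code pair. The user_code is what
    # the fake OneDrive page tells the victim to paste; the device_code stays
    # with the attacker and is the only thing needed to redeem the tokens.
    resp = idp.device_authorization(client_id="mock-public-client",
                                    scope="Mail.Read Files.Read")
    lure_code, attacker_handle = resp["user_code"], resp["device_code"]
    # Victim follows the lure some time later and signs in on the real page.
    idp.now += victim_delay
    outcome = idp.device_login(lure_code, "victim@contoso.example",
                               "correct horse battery staple")
    # Attacker has been polling /token with the device_code the whole time.
    tokens = idp.token(attacker_handle)
    tokens["victim_outcome"] = outcome
    return tokens


if __name__ == "__main__":
    print(run_phish(MockAuthServer()))            # tokens issued_to_user=victim
    print(run_phish(MockAuthServer(), 1000))      # code expired before the victim acted
```

The second call in the usage block shows the attacker's one operational constraint: the code must be redeemed inside its lifetime, so the lure has to be timed close to when the victim will act, which is why the campaign's emails push the target toward opening the "document" promptly.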
Microsoft and Volexity each published research on device code phishing in February 2025. Between them, the reports tied the technique to several Russia-linked groups, including Storm-2372 (Microsoft's designation), APT29, UTA0304 and UTA0307 (the latter two tracked by Volexity).
According to Proofpoint's report, UNK_AcademicFlare is another actor using device code phishing in a way that serves Russian interests. Proofpoint assesses that the group primarily targets specialists who assist governments and the energy sector with agreements and economic issues.
A financially motivated group, TA2723, has adopted device code phishing for profit, using salary and compensation lures to steer users to phishing pages that trigger a device code authorization prompt. Its September 2025 operations were enabled by readily available phishing kits and red team tools such as Graphish and SquarePhish, which put this kind of attack within reach of less skilled actors.
Recommendations to mitigate device code phishing incidents include the following:
1. Wherever possible, create a Conditional Access policy that blocks device code authentication for all users.
2. Where a full block is not possible, use an allow-list approach in which only approved users, operating systems or IP addresses may use the device code flow, and review the sign-in logs for device code sign-ins that fall outside that list.
3. Train users to recognize unexpected device code requests, especially ones arriving in messages that appear to come from a trusted sender. A legitimate device code prompt is something the user initiates on their own device; it is never something another person sends them to complete.
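The first two recommendations map to two concrete artifacts: the Microsoft Graph request body for a Conditional Access policy that blocks the device code flow (optionally carving out an allow list via excluded groups and named locations), and a check over Entra ID sign-in log records that flags device code sign-ins outside that allow list. This is an added example, not the page's or Microsoft's code. The group and location IDs, approved networks and log records are constructed; the `authenticationFlows.transferMethods` condition is the one the Graph conditionalAccessPolicy resource uses to target the device code flow, and sign-in log records carry `authenticationProtocol: "deviceCode"` for such sign-ins, but verify both against the current Graph schema before relying on them.

```python
"""Conditional Access policy body and a sign-in log check for the device code
flow. Added example; IDs, networks and the sample log records are made up."""
import ipaddress
import json


def device_code_block_policy(report_only=True, allowed_group_ids=(),
                             allowed_location_ids=()):
    """Graph body (POST /identity/conditionalAccess/policies) that blocks the
    device code flow. With no exceptions this is recommendation 1; passing
    group and/or named-location IDs turns it into recommendation 2, because
    the excluded principals and locations are the only ones still allowed.
    Defaults to report-only so the impact can be reviewed before enforcing."""
    policy = {
        "displayName": "CA - Block device code flow",
        "state": "enabledForReportingButNotEnforced" if report_only else "enabled",
        "conditions": {
            "users": {"includeUsers": ["All"],
                      "excludeGroups": list(allowed_group_ids)},
            "applications": {"includeApplications": ["All"]},
            "clientAppTypes": ["all"],
            # Targets only sign-ins that arrive via the device code flow.
            "authenticationFlows": {"transferMethods": "deviceCodeFlow"},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }
    if allowed_location_ids:
        policy["conditions"]["locations"] = {
            "includeLocations": ["All"],
            "excludeLocations": list(allowed_location_ids)}
    return policy


# Constructed sign-in records, trimmed to the fields used here, in the shape
# of entries returned from /auditLogs/signIns.
SAMPLE_SIGNINS = [
    {"createdDateTime": "2025-09-12T08:01:10Z",
     "userPrincipalName": "svc-kiosk@contoso.example", "ipAddress": "10.20.30.40",
     "authenticationProtocol": "deviceCode", "appDisplayName": "Microsoft Teams",
     "deviceDetail": {"operatingSystem": "Linux"}, "status": {"errorCode": 0}},
    {"createdDateTime": "2025-09-12T09:15:42Z",
     "userPrincipalName": "j.doe@contoso.example", "ipAddress": "203.0.113.7",
     "authenticationProtocol": "deviceCode", "appDisplayName": "Microsoft Office",
     "deviceDetail": {"operatingSystem": "Windows 10"}, "status": {"errorCode": 0}},
    {"createdDateTime": "2025-09-12T09:16:05Z",
     "userPrincipalName": "j.doe@contoso.example", "ipAddress": "203.0.113.7",
     "authenticationProtocol": "oAuth2", "appDisplayName": "OfficeHome",
     "deviceDetail": {"operatingSystem": "Windows 10"}, "status": {"errorCode": 0}},
    {"createdDateTime": "2025-09-12T11:40:00Z",
     "userPrincipalName": "svc-kiosk@contoso.example", "ipAddress": "198.51.100.22",
     "authenticationProtocol": "deviceCode", "appDisplayName": "Microsoft Teams",
     "deviceDetail": {"operatingSystem": "Linux"}, "status": {"errorCode": 0}},
]


def unapproved_device_code_signins(signins, approved_users, approved_networks,
                                   approved_os):
    """Return device code sign-ins that violate the allow list, each with the
    reasons. Non-device-code sign-ins are ignored; a single approved
    attribute does not excuse the others (an approved user from an unknown
    network is still flagged, as in the fourth sample record)."""
    nets = [ipaddress.ip_network(n) for n in approved_networks]
    approved_users = {u.lower() for u in approved_users}
    flagged = []
    for rec in signins:
        if rec.get("authenticationProtocol") != "deviceCode":
            continue
        reasons = []
        if rec["userPrincipalName"].lower() not in approved_users:
            reasons.append("user not approved for device code flow")
        ip = ipaddress.ip_address(rec["ipAddress"])
        if not any(ip in n for n in nets):
            reasons.append("source IP outside approved networks")
        if rec.get("deviceDetail", {}).get("operatingSystem") not in approved_os:
            reasons.append("OS not approved for device code flow")
        if reasons:
            flagged.append({"time": rec["createdDateTime"],
                            "user": rec["userPrincipalName"],
                            "ip": rec["ipAddress"], "app": rec["appDisplayName"],
                            "reasons": reasons})
    return flagged


if __name__ == "__main__":
    print(json.dumps(device_code_block_policy(allowed_group_ids=["<group-id>"]),
                     indent=2))
    for hit in unapproved_device_code_signins(
            SAMPLE_SIGNINS, ["svc-kiosk@contoso.example"], ["10.0.0.0/8"], ["Linux"]):
        print(hit)
```

Run the policy in report-only mode first and feed the sign-in check with the same allow list; anything the check flags is either a candidate for the exclusion group or, as with the second sample record (unapproved user, unknown network, unapproved OS, all at once), the kind of sign-in the lure in this campaign produces.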
By understanding how device code phishing works and implementing the protections described here, organizations can dramatically reduce their exposure to credential theft and account takeover.
Source: The Hacker News
© 2016 - 2026 Red Secure Tech Ltd. Registered in England and Wales under Company Number: 15581067