Multiple Russian Threat Actors Targeting Microsoft Device Code Authentication
Russian threat actors are conducting politically themed phishing campaigns targeting Microsoft 365 accounts via Device Code Authentication. Volexity identifies three distinct groups, emphasizing the need for increased awareness of these tactics.
Volexity has reported that multiple Russian threat actors are conducting social-engineering and spear-phishing campaigns aimed at compromising Microsoft 365 accounts through Device Code Authentication phishing. This method, which is less recognized by users, has been particularly effective in recent attacks that began in mid-January 2025. The campaigns have been politically themed, often impersonating officials from the U.S. Department of State, the Ukrainian Ministry of Defence, and the European Union Parliament. Attackers typically invite targets to join Microsoft Teams meetings or access applications as external users, using tailored emails that lead to the Microsoft Device Code authentication page. Volexity has identified at least three distinct threat actors, including CozyLarch, UTA0304, and UTA0307, with CozyLarch linked to campaigns impersonating the U.S. Department of State. The phishing emails often contain links that redirect users to the Device Code authentication page, where entering a code grants attackers long-term access to the accounts. Volexity's investigations revealed that these attacks often involved real-time communication with victims to ensure timely execution of the phishing attempts. The report emphasizes the need for heightened awareness regarding these sophisticated phishing techniques, particularly as they exploit current political events to enhance their effectiveness.
- Russian threat actors are targeting Microsoft 365 accounts through Device Code Authentication phishing.
- Campaigns have been politically themed, impersonating officials from various organizations.
- Volexity tracks at least three distinct threat actors involved in these campaigns.
- The phishing method is effective due to its atypical workflow, making it less recognizable to users.
- Real-time communication with victims is used to increase the success rate of the attacks.
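As an added illustration (not from Volexity's report or the article above), a small detection pass over constructed sign-in records modelled on Microsoft Entra ID sign-in log fields: it isolates successful device code flow sign-ins and marks those coming from a country the user has never signed in from by any other method. The field names, user names, IPs and timestamps are assumptions made up for this example.

```python
import json
from collections import defaultdict

# Constructed sample records modelled on Entra ID sign-in log fields
# (field names assumed from the log schema; every value is made up).
SAMPLE_SIGNINS = """
{"createdDateTime": "2025-01-20T09:02:11Z", "userPrincipalName": "alice@example.org", "authenticationProtocol": "oAuth2", "appDisplayName": "Microsoft Teams", "ipAddress": "198.51.100.7", "location": {"countryOrRegion": "US"}, "status": {"errorCode": 0}}
{"createdDateTime": "2025-01-20T13:47:52Z", "userPrincipalName": "alice@example.org", "authenticationProtocol": "deviceCode", "appDisplayName": "Microsoft Office", "ipAddress": "203.0.113.45", "location": {"countryOrRegion": "NL"}, "status": {"errorCode": 0}}
{"createdDateTime": "2025-01-20T10:15:30Z", "userPrincipalName": "bob@example.org", "authenticationProtocol": "oAuth2", "appDisplayName": "Outlook", "ipAddress": "198.51.100.9", "location": {"countryOrRegion": "US"}, "status": {"errorCode": 0}}
{"createdDateTime": "2025-01-20T14:10:03Z", "userPrincipalName": "bob@example.org", "authenticationProtocol": "deviceCode", "appDisplayName": "Microsoft Office", "ipAddress": "198.51.100.9", "location": {"countryOrRegion": "US"}, "status": {"errorCode": 0}}
{"createdDateTime": "2025-01-20T15:00:00Z", "userPrincipalName": "carol@example.org", "authenticationProtocol": "deviceCode", "appDisplayName": "Microsoft Office", "ipAddress": "203.0.113.80", "location": {"countryOrRegion": "BR"}, "status": {"errorCode": 50126}}
"""

def parse_signins(text):
    """Parse newline-delimited JSON sign-in records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def succeeded(rec):
    # The sign-in log reports errorCode 0 for a successful sign-in.
    return rec.get("status", {}).get("errorCode") == 0

def flag_device_code_signins(records):
    """Return successful device-code sign-ins, each annotated with whether the
    source country is absent from the user's baseline of non-device-code sign-ins."""
    baseline = defaultdict(set)
    for rec in records:
        if succeeded(rec) and rec.get("authenticationProtocol") != "deviceCode":
            baseline[rec["userPrincipalName"]].add(rec["location"]["countryOrRegion"])
    findings = []
    for rec in records:
        if rec.get("authenticationProtocol") != "deviceCode" or not succeeded(rec):
            continue  # failed device-code attempts are noise for this rule
        upn = rec["userPrincipalName"]
        country = rec["location"]["countryOrRegion"]
        findings.append({
            "user": upn,
            "time": rec["createdDateTime"],
            "app": rec.get("appDisplayName"),
            "ip": rec.get("ipAddress"),
            "country": country,
            "new_country": country not in baseline.get(upn, set()),
        })
    return findings

if __name__ == "__main__":
    for f in flag_device_code_signins(parse_signins(SAMPLE_SIGNINS)):
        sev = "HIGH" if f["new_country"] else "MEDIUM"
        print(f"[{sev}] {f['user']} device code sign-in from {f['ip']} ({f['country']}) via {f['app']} at {f['time']}")
```

Every successful device-code sign-in is surfaced because the flow is rarely used legitimately; the country check only raises the priority of the ones that also break the user's usual pattern.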
Related
Microsoft creates fake Azure tenants to pull phishers into honeypots
Microsoft is using fake Azure tenants as honeypots to gather intelligence on phishing actors, disrupting operations and enhancing security by monitoring tactics used by cybercriminals over extended periods.
Microsoft creates fake Azure tenants to pull phishers into honeypots
Microsoft is using realistic honeypot Azure tenants to attract and monitor phishing attackers, collecting intelligence on their methods to enhance cybersecurity and disrupt phishing campaigns effectively.
Russian spies use remote desktop protocol files in unusual mass phishing drive
Microsoft reported a mass phishing campaign by the Russian SVR's Midnight Blizzard group, targeting various organizations with RDP file attachments in emails, potentially exposing sensitive data and enabling malware installation.
Windows Zero-Day Exploited by Russia Triggered with File Drag-and-Drop, Delete
A newly discovered Windows zero-day vulnerability (CVE-2024-43451) has been exploited by Russian threat actors, targeting Ukrainian entities through phishing, allowing NTLMv2 hash theft with minimal user interaction.
Russia takes unusual route to hack Starlink-connected devices in Ukraine
Russian hackers, known as Secret Blizzard, are targeting Starlink-connected devices used by Ukrainian forces, employing spear phishing and malware from other groups to enhance their cyber operations.
If I log in from my computer and a few hours later an attacker logs in from the other side of the planet, most big providers will trigger extra checks/email notifications of unusual events.
I wonder if intentionally using Tor/VPS is a way to bypass those checks, since a Tor/VPS can have a far away geo-IP.
The era of login/password security was much more secure anyway, dunno why we regressed to this. Because the printer needs your Microsoft account now?
Disabling device authentication (which is rarely needed anyway) and forcing Microsoft Authenticator (with the yes-this-is-really-me number entry thing) or something like a Yubikey should make your org like 99% less vulnerable. If you're not on a Microsoft-or-similar platform (good for you!), one word of advice: passkeys.
As for the inevitable "who would fall for this" question: prior to 2017, when Google instituted a strict 2FA policy, even members of their elite security team were successfully phished. After that, not so much: https://krebsonsecurity.com/2018/07/google-security-keys-neu...
What kind of bright mind would consider not moving unsolicited emails like these straight to a dust bin?