# **Russian Spies Utilize Device Code Phishing to Take Over Microsoft 365 Accounts**
## **Introduction**
Cybersecurity experts have identified a complex phishing initiative led by Russian state-backed hackers. This operation employs a relatively obscure tactic known as **device code phishing** to infiltrate Microsoft 365 accounts. The attack, which has been active since at least August, specifically targets notable organizations, such as government entities and research institutions.
## **Understanding Device Code Phishing**
Device code phishing takes advantage of a valid authentication method referred to as **device code flow**, which is integral to the **OAuth standard**. This authentication mechanism is intended for devices such as **smart TVs, printers, and IoT gadgets** that do not have conventional web browsers. Instead of entering usernames and passwords directly, users authenticate these devices by:
1. Receiving an **alphanumeric device code** and a login link.
2. Inputting the code on a different device that is browser-enabled.
3. Once the code is confirmed in the browser, the identity provider issues access tokens to the device that requested the code.
While this approach is user-friendly for legitimate individuals, **malicious actors have discovered how to exploit it**.
## **How the Attack Operates**
As reported by security firms **Volexity** and **Microsoft**, Russian hackers have been leveraging this method to **circumvent multi-factor authentication (MFA)** and gain unauthorized access to Microsoft 365 accounts. The attack unfolds in the following manner:
1. **Impersonation** – Cybercriminals mimic trusted officials or organizations through messaging apps like **Signal, WhatsApp, and Microsoft Teams**.
2. **Social Engineering** – They interact with targets, cultivating trust before asking them to participate in a **Microsoft Teams meeting** or a secure chat.
3. **Phishing Link** – The attacker provides a **device authorization link** along with a **code** that the attacker generated by starting a device code flow.
4. **User Action** – If the victim inputs the code on their browser-enabled device, the attacker gains entry to their Microsoft 365 account.
5. **Persistent Access** – The attacker remains logged in as long as the authentication tokens are valid.
## **Targeted Organizations**
The campaign has primarily directed its efforts toward **government agencies, research institutions, and international organizations**, including:
– **United States Department of State**
– **Ukrainian Ministry of Defence**
– **European Union Parliament**
– **Notable research institutions**
## **Why This Attack Works Effectively**
Unlike traditional phishing schemes that depend on counterfeit login pages, **device code phishing does not necessitate that victims input their credentials**. Instead, it capitalizes on the trust users have in the **OAuth authentication process**. Furthermore, the attack proves challenging to identify because:
– **It bypasses MFA** – The victim completes the sign-in, including any MFA prompt, in their own browser, so the resulting session is MFA-satisfied but is issued to the attacker's device.
– **It seems legitimate** – The login procedure resembles a standard Microsoft authentication request.
– **It is infrequently employed in cyberattacks** – Numerous organizations remain unaware of this technique, rendering them more susceptible.
## **How to Safeguard Against Device Code Phishing**
To reduce the threat of device code phishing, organizations and individuals should adhere to these security best practices:
1. **Verify Authentication Requests**
– Always scrutinize the **source of login requests** prior to entering a device code.
– Confirm that the **Microsoft Azure prompt** accurately identifies the anticipated application.
2. **Enable Conditional Access Policies**
– Limit device code authentication to **trusted devices and networks**.
– Implement **geofencing** to prohibit logins from dubious locations.
3. **Educate Employees and Users**
– Provide **security awareness training** focused on phishing techniques.
– Motivate users to **report suspicious login requests**.
4. **Monitor and Audit Logins**
– Regularly assess **Microsoft 365 login activity** for odd access patterns.
– Employ **security tools** to identify unauthorized logins.
5. **Implement Additional Security Measures**
– Utilize **hardware security keys** for authentication.
– Disable **device code authentication** if it is unnecessary.
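The "Monitor and Audit Logins" step above can be turned into concrete triage logic. The following is an added example, not code from the article or from Microsoft or Volexity: it runs over constructed sign-in records shaped like Microsoft Entra ID sign-in log entries (Graph `signIn` field names such as `authenticationProtocol`, which reports `deviceCode` for this flow), flags every device code sign-in, and raises severity when the app is not one the tenant expects to use device code flow (an assumed allowlist) or the sign-in country is outside the user's baseline built from their ordinary sign-ins.

```python
from collections import defaultdict

# Constructed sample records shaped like Microsoft Entra ID sign-in log
# entries (Graph signIn field names). All values are invented for this example.
SAMPLE_SIGNINS = [
    {"createdDateTime": "2025-02-10T09:02:11Z", "userPrincipalName": "alice@example.org",
     "authenticationProtocol": "none", "appDisplayName": "Microsoft Teams",
     "ipAddress": "203.0.113.10", "location": {"countryOrRegion": "US"}},
    {"createdDateTime": "2025-02-10T09:40:52Z", "userPrincipalName": "alice@example.org",
     "authenticationProtocol": "deviceCode", "appDisplayName": "Microsoft Office",
     "ipAddress": "198.51.100.77", "location": {"countryOrRegion": "NL"}},
    {"createdDateTime": "2025-02-10T08:30:00Z", "userPrincipalName": "bob@example.org",
     "authenticationProtocol": "none", "appDisplayName": "Outlook",
     "ipAddress": "203.0.113.44", "location": {"countryOrRegion": "US"}},
    {"createdDateTime": "2025-02-10T10:15:00Z", "userPrincipalName": "bob@example.org",
     "authenticationProtocol": "deviceCode", "appDisplayName": "Lobby Display Signage",
     "ipAddress": "203.0.113.44", "location": {"countryOrRegion": "US"}},
]

# Apps this (assumed) tenant legitimately lets use device code flow, e.g. signage.
EXPECTED_DEVICE_CODE_APPS = {"Lobby Display Signage"}


def baseline_countries(signins):
    """Countries each user normally signs in from, from non-device-code sign-ins."""
    seen = defaultdict(set)
    for s in signins:
        if s["authenticationProtocol"] != "deviceCode":
            seen[s["userPrincipalName"]].add(s["location"]["countryOrRegion"])
    return seen


def find_suspicious_device_code_signins(signins):
    """Return a finding for every device code sign-in, with severity and reasons."""
    baseline = baseline_countries(signins)
    findings = []
    for s in signins:
        if s["authenticationProtocol"] != "deviceCode":
            continue
        reasons = []
        if s["appDisplayName"] not in EXPECTED_DEVICE_CODE_APPS:
            reasons.append("app not expected to use device code flow")
        if s["location"]["countryOrRegion"] not in baseline.get(s["userPrincipalName"], set()):
            reasons.append("country outside user's baseline")
        severity = "high" if len(reasons) == 2 else "medium" if reasons else "low"
        findings.append({"severity": severity, "user": s["userPrincipalName"],
                         "app": s["appDisplayName"], "ip": s["ipAddress"],
                         "time": s["createdDateTime"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_device_code_signins(SAMPLE_SIGNINS):
        print(finding)
```

Exported sign-in logs (or a SIEM query filtered to `authenticationProtocol == "deviceCode"`) can be fed in place of the constructed list; the severity rule is a starting point to tune, not a verdict.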
## **Conclusion**
The **device code phishing scheme** attributed to Russian hackers underscores the shifting landscape of cyber threats. By taking advantage of a legitimate authentication process, attackers can **evade conventional security measures** and unlawfully access sensitive accounts. Organizations must **remain alert, inform employees, and establish robust security controls** to protect against this emerging threat.
For further information, consult the official reports from **[Microsoft](https://www.microsoft.com/en-us/security/blog/2025/02/13/storm-2372-conducts-device-code-phishing-campaign/)** and **[Volexity](https://www.volexity.com/blog/2025/02/13/multiple-russian-threat-actors-targeting-microsoft-device-code-authentication/)**.