Security researchers at Volexity have uncovered multiple Russian threat actors conducting sophisticated social engineering and spear-phishing campaigns targeting Microsoft 365 accounts through Device Code Authentication exploitation.<\/p>\n
The attacks, observed since mid-January 2025, involve three distinct groups: \u201cCozyLarch (APT29),\u201d \u201cUTA0304,\u201d and \u201cUTA0307.\u201d<\/p>\n
The threat actors impersonate officials from organizations like the US Department of State, Ukrainian Ministry of Defence, and European Parliament to lure victims into authenticating through Microsoft\u2019s Device Code workflow.<\/p>\n
While the security analysts at Volexity detected<\/a> that this legitimate feature, typically used for IoT devices and smart TVs, is being weaponized to gain unauthorized access to M365 accounts.<\/p>\n The attack works by directing victims to legitimate Microsoft URLs:-<\/p>\n When successful, the authentication appears in Entra ID logs with these distinctive markers:-<\/p>\n The attackers use various client IDs, with UTA0307 specifically utilizing Microsoft Teams<\/a>\u2018:<\/p>\n In one notable campaign, UTA0304 used a custom Element server (sen-comms[.]com) to coordinate real-time communication with victims, ensuring they entered the device code within the 15-minute validity window.<\/p>\n The attackers then used VPS, Tor, and Mullvad VPN<\/a> exit nodes to access compromised accounts.<\/p>\n Organizations can protect themselves by implementing conditional access policies to block Device Code Authentication.<\/p>\n Monitoring for deviceCode authentication protocol<\/a> in sign-in logs is crucial for detection. The campaigns have proven highly effective, surpassing traditional phishing methods\u2019 success rates.<\/p>\n This is partly since the attacks leverage legitimate Microsoft infrastructure, making them harder to detect through conventional security measures.<\/p>\n Organizations are advised to evaluate their Device Code Authentication usage and implement appropriate monitoring and blocking measures<\/a>.<\/p>\n User awareness training should be updated to include this attack vector, as the workflow differs significantly from typical phishing attempts.<\/p>\n Key domains associated with UTA0304 include:-<\/p>\n The post Multiple Russian Actors Attacking Orgs To Hack Microsoft 365 Accounts via Device Code Authentication<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\nAttack Chain<\/strong><\/h2>\n
\n
\"authenticationProtocol\": \"deviceCode\"\n\"originalTransferMethod\": \"deviceCodeFlow\"<\/code><\/pre>\n\"appDisplayName\": \"Microsoft Teams\",\n\"appId\": \"1fec8e78-bce4-4aaf-ab1b-5451cc387264\"<\/code><\/pre>\n![\"\"](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEjuh3m-EMCj0aGkj78bXbMFTV09P_D2ylmcxej8kQdH1Ce4q0XXVnd_p4KMcYfWPsmAcdbphyphenhyphenhLSdTkx-tPFA8Xx9auJT0-xI2nOaVQLjmAe-0osNF2p04q40WZyZfHWwGfRJ2IQTHUuHVySS70YqzOf6UnLsG6ppyJjGP8vLmDgFpM18rYdGQ5jBN5luU\/s16000\/Device%2520Code%2520Authentication%2520%28Source%2520-%2520Volexity%29.webp?ssl=1\")
![\"\"](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEgyiWiqDS-7a7Tb8KJUnFTFjTjtwFQCmHIb9iT6q8u7nkYl6rYLfSgD-6kZtWcZ-8mmY0ErNUwlBSxlWD_-tym-IfoiQdEJscf6z-wEKZCSlV6-hFvV7Ud877A5rvv7DG_sXGyYKokwdRMa8-Req4AkOdA0H4wcQbTH89V_S_7SMBXrrCLJDbxl4b-QfvQ\/s16000\/Attack%2520flow%2520%28Source%2520-%2520Volexity%29.webp?ssl=1\")
IOCs<\/strong><\/h2>\n
\n
Investigate Real-World Malicious Links & Phishing Attacks With\u00a0Threat Intelligence Lookup<\/strong>\u00a0-\u00a0Try for Free<\/a><\/code><\/strong><\/code><\/strong><\/p>\n