Russian APTs Exploiting Microsoft Device Code Authentication


Summary
Cyble Research Intelligence Labs (CRIL) came across an interesting finding by Volexity regarding Russian threat actors conducting highly targeted social engineering and spear-phishing campaigns to compromise Microsoft 365 accounts using Device Code Authentication phishing. This method deviates from typical phishing techniques, making it harder for users to recognize. Recent attacks, observed since mid-January 2025, have been politically themed, focusing on the global implications of the new U.S. administration. Attackers impersonated officials from organizations such as the U.S. State Department, the Ukrainian Ministry of Defence, and the EU Parliament to deceive targets into joining fake Microsoft Teams meetings, accessing M365 data, or engaging in secure chatrooms. Once access was gained, attackers used different post-exploitation methods, including varying infrastructure and tools, but all relied on Device Code Authentication. These attacks are attributed to multiple Russia-based threat groups, including one linked to CozyLarch (Midnight Blizzard, CozyDuke). While some overlap exists, distinct operational differences suggest they may be separate groups. Device Code Authentication phishing has proven more effective than traditional spear phishing, marking a significant evolution in cyber threats.
Technical Details
The attack was first identified in late January 2025 when an M365 account was compromised through a phishing attack. The victim received an email that appeared to be from a high-ranking official of the Ukrainian Ministry of Defence, inviting them to join a secure chat on “Element”, an encrypted messaging platform. However, the links in the email led to Microsoft's Device Code authentication page, a legitimate Microsoft feature typically used for login on smart TVs and IoT devices. Once the victim entered the code on the Microsoft login page, the attacker gained long-term access to the account. The authentication and subsequent file downloads came from VPS and Tor exit nodes, with access scripts using Python requests (python-requests/2.25.1).
Real-Time Social Engineering for Attack Success
Before the phishing email, the attacker initially contacted the victim via Signal, posing as an official from the Ukrainian Ministry of Defence. The conversation was then shifted to Element, where the victim was tricked into clicking the malicious Microsoft login link. The real-time interaction ensured that the victim entered the authentication code within the 15-minute validity period, making the attack highly effective.
Infrastructure Used by UTA0304
This attack was linked to a Russian threat actor, UTA0304, which used multiple domains to host its phishing campaigns. Through domain analysis, researchers identified a list of IPs and domains associated with UTA0304, such as:
• sen-comms[.]com (High confidence)
• comms-net[.]com (High confidence)
• afpi-sec[.]com (Medium confidence)
• chromeelevationservice[.]com (Medium confidence)
Spear-Phishing Campaign Targeting US Department of State
A similar attack was later observed targeting the United States Department of State. The emails pretended to be official Microsoft invitations, requesting users to join a Microsoft Teams chat or access the US Department of State’s M365 tenant. If a user entered the phishing code, attackers were granted full access to their Microsoft 365 account. Unlike the UTA0304 campaign, this attack was not preceded by direct communication with the target, reducing its success rate. The campaign was attributed to CozyLarch (APT29/Midnight Blizzard), a known Russian state-sponsored hacking group.
UTA0307’s European Parliament Phishing Campaign
A separate Russian threat actor, UTA0307, launched another phishing operation targeting members of the European Parliament. The attackers impersonated a European Parliament official and invited victims to Microsoft Teams meetings discussing Donald Trump’s impact on EU relations or China’s foreign policy. Unlike previous campaigns, this attack used a fake Microsoft Teams invitation that directed users to a phishing site (connect-71q.pages[.]dev). This site automatically generated new Microsoft Device Codes for each visitor, ensuring that an active and valid authentication code was always available for immediate use by the attacker.
UTA0307 accessed and extracted documents from a compromised M365 account, indicating potential interest from a Russian threat actor. The attack method closely resembled those used by CozyLarch and UTA0304, suggesting a connection to previous campaigns. However, some differences suggest it may be a separate actor. Unlike previous campaigns that used the Microsoft Office client ID for Device Code Authentication, this attack leveraged the Microsoft Teams client ID. Additionally, while earlier breaches used VPS and Tor IPs, UTA0307 relied on Mullvad VPN exit nodes for account access. Due to these distinctions, this activity is tracked separately under the UTA0307 alias.
Conclusion
Recent spear-phishing campaigns have effectively exploited Device Code Authentication, a method often overlooked by organizations. Threat actors, likely linked to Russia, are leveraging this approach to bypass traditional detection mechanisms and gain unauthorized access. Organizations must recognize the risks of such attacks and implement proactive security measures to mitigate them.
Recommendation
We have listed some essential cybersecurity best practices that form the first line of defence against attackers. We recommend that our readers follow the best practices given below:
• Disable or limit Device Code Authentication for high-risk accounts. Implement Conditional Access policies to enforce stricter authentication controls where possible.
• Train employees to recognize phishing tactics, especially those that do not involve malicious links or attachments. Encourage users to verify unexpected authentication requests before proceeding.
• Regularly review authentication logs for unusual activity, such as unexpected device code logins. Implement alerts for logins from uncommon locations or unknown devices.
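The third recommendation, reviewing authentication logs for unexpected device code sign-ins and alerting on uncommon locations or unknown devices, is illustrated below with a small triage script. This is an added example written for this post, not code from Cyble, Volexity or Microsoft. It assumes sign-in records shaped like Entra ID sign-in log entries (the field names `authenticationProtocol`, `appDisplayName`, `userAgent`, `ipAddress` and `location` are an assumption about the export format), a per-user baseline of usual countries, and a constructed list of known anonymizer exit IPs; all sample records are constructed and contain RFC 5737 documentation addresses.

```python
"""
Triage of sign-in records for device code flow abuse.

Added example for this post (hypothetical code, not from Cyble, Volexity or
Microsoft). Field names follow what an Entra ID sign-in log export commonly
looks like, but treat them as an assumption and map them to your own schema.
"""

# Constructed sample sign-in records (RFC 5737 documentation IPs, fake users).
SIGN_INS = [
    {"user": "analyst@example.org", "authenticationProtocol": "none",
     "appDisplayName": "Microsoft Teams", "ipAddress": "203.0.113.10",
     "location": "US", "userAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"},
    {"user": "analyst@example.org", "authenticationProtocol": "deviceCode",
     "appDisplayName": "Microsoft Office", "ipAddress": "198.51.100.7",
     "location": "NL", "userAgent": "python-requests/2.25.1"},
    {"user": "ops@example.org", "authenticationProtocol": "deviceCode",
     "appDisplayName": "Microsoft Teams", "ipAddress": "192.0.2.44",
     "location": "DE", "userAgent": "Mozilla/5.0 (SMART-TV; Linux; Tizen 4.0)"},
    {"user": "ops@example.org", "authenticationProtocol": "none",
     "appDisplayName": "Microsoft Office", "ipAddress": "192.0.2.44",
     "location": "DE", "userAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"},
]

# Constructed baseline: countries each user normally signs in from.
BASELINE_COUNTRIES = {
    "analyst@example.org": {"US"},
    "ops@example.org": {"DE"},
}

# Constructed list standing in for a threat-intel feed of Tor/VPN exit nodes.
KNOWN_ANONYMIZER_IPS = {"198.51.100.7"}


def assess(record, baseline=BASELINE_COUNTRIES, anonymizers=KNOWN_ANONYMIZER_IPS):
    """Return (severity, reasons) for one sign-in record.

    A device code sign-in on its own is only 'medium' (smart TVs and IoT
    devices use it legitimately); combined with any other anomaly it is 'high'.
    """
    reasons = []
    is_device_code = record.get("authenticationProtocol") == "deviceCode"

    if is_device_code:
        reasons.append("device code flow used for %s" % record["appDisplayName"])
        # Interactive users complete device code sign-in from a browser; a
        # scripted client user agent (as seen in the campaigns above) stands out.
        if not record.get("userAgent", "").lower().startswith("mozilla/"):
            reasons.append("non-browser user agent: %s" % record["userAgent"])

    usual = baseline.get(record["user"], set())
    if record.get("location") not in usual:
        reasons.append("sign-in from unusual location: %s" % record["location"])

    if record.get("ipAddress") in anonymizers:
        reasons.append("source IP is a known anonymizer exit node")

    if is_device_code and len(reasons) > 1:
        severity = "high"
    elif reasons:
        severity = "medium"
    else:
        severity = "none"
    return severity, reasons


def triage(records, baseline=BASELINE_COUNTRIES, anonymizers=KNOWN_ANONYMIZER_IPS):
    """Return alert dicts for every record that has at least one finding."""
    alerts = []
    for record in records:
        severity, reasons = assess(record, baseline, anonymizers)
        if severity != "none":
            alerts.append({"user": record["user"], "severity": severity,
                           "ipAddress": record["ipAddress"], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in triage(SIGN_INS):
        print(alert["severity"].upper(), alert["user"], alert["ipAddress"])
        for reason in alert["reasons"]:
            print("   -", reason)
```

In practice the baseline would be derived from the last 30 to 90 days of sign-ins per user, and the anonymizer set fed from an external list; the scoring rule deliberately keeps a lone device code sign-in from a usual location at medium severity so that legitimate IoT logins do not drown out the combination that characterised these campaigns: device code flow plus a scripted client, an unusual country or a Tor/VPN exit node.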