Suspected Russian threat actors have been abusing Microsoft Device Code Authentication to trick targets into granting them access to their Microsoft 365 (M365) accounts. The attackers usually impersonate US, Ukrainian, and EU government officials or researchers at prominent institutions, and first reach out to the targets via social media or messaging apps such as Signal. The attack then continues over email with a fake invitation. If the target enters the alphanumeric device code, followed by their username, password, and second authentication factor, the threat actor captures the access and refresh tokens issued after the target’s successful authentication and can use them to gain and maintain access to the target’s M365 account. Multiple threat actors have leveraged that access to search through emails for specific keywords (password, admin, anydesk, secret, ministry, etc.) and to exfiltrate documents and information of interest.
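As an added, defender-side illustration (not code from the report or from Microsoft), the sketch below flags device-code sign-ins and escalates when the same account's tokens are then used non-interactively from a different IP, which is the token-capture-and-reuse pattern described above. Field names mirror Entra ID sign-in log attributes (authenticationProtocol, isInteractive, ipAddress); the sample events are constructed, and the 24-hour correlation window is an assumed tuning value.

```python
# Flag every device-code sign-in, and escalate when the same account's
# tokens are later used non-interactively from another network.
from datetime import datetime, timedelta

# Constructed sample events shaped like Entra ID sign-in log fields
# (userPrincipalName, createdDateTime, authenticationProtocol,
# isInteractive, ipAddress). Made-up telemetry, not real log data.
SAMPLE_SIGNINS = [
    {"user": "analyst@example.org", "time": "2025-02-10T09:00:00Z",
     "protocol": "oAuth2", "interactive": True, "ip": "203.0.113.10"},
    {"user": "analyst@example.org", "time": "2025-02-10T09:06:00Z",
     "protocol": "deviceCode", "interactive": True, "ip": "203.0.113.10"},
    {"user": "analyst@example.org", "time": "2025-02-10T09:09:00Z",
     "protocol": "oAuth2", "interactive": False, "ip": "198.51.100.77"},
    {"user": "clerk@example.org", "time": "2025-02-10T10:00:00Z",
     "protocol": "oAuth2", "interactive": True, "ip": "203.0.113.20"},
    {"user": "clerk@example.org", "time": "2025-02-10T10:30:00Z",
     "protocol": "oAuth2", "interactive": False, "ip": "203.0.113.20"},
]

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")

def find_device_code_abuse(events, window=timedelta(hours=24)):
    """Return (severity, user, detail) findings for device-code sign-ins.
    'medium': a device-code sign-in occurred at all (rare for most users).
    'high'  : within `window` after it, the same user's tokens were used
              non-interactively from an IP other than the one that
              completed the device-code sign-in (consistent with replay).
    """
    findings = []
    for dc in (e for e in events if e["protocol"] == "deviceCode"):
        start = _ts(dc["time"])
        replays = sorted({
            e["ip"] for e in events
            if e["user"] == dc["user"] and not e["interactive"]
            and e["ip"] != dc["ip"]
            and start <= _ts(e["time"]) <= start + window
        })
        if replays:
            findings.append(("high", dc["user"],
                             f"device-code sign-in from {dc['ip']} followed by "
                             f"non-interactive token use from {', '.join(replays)}"))
        else:
            findings.append(("medium", dc["user"],
                             f"device-code sign-in from {dc['ip']}"))
    return findings
```

In a real tenant the "medium" finding alone is worth reviewing for users who have no legitimate need for the device code flow, and the same correlation can be run against exported sign-in logs rather than the embedded sample.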