Russian Threat Actors Exploit Microsoft Device Code Authentication in Widespread Attacks
Volexity has uncovered multiple Russian threat actors employing sophisticated social engineering and spear-phishing campaigns to compromise Microsoft 365 accounts via Device Code Authentication phishing. These attacks exploit the less-familiar Device Code Authentication workflow, making them difficult for users to recognize as phishing attempts. The campaigns, often politically themed (e.g., focusing on the US administration), impersonate individuals from organizations like the US Department of State and the Ukrainian Ministry of Defence, luring victims into fake Microsoft Teams meetings or application access. Volexity is tracking three threat actors, one potentially linked to CozyLarch (overlapping with DarkHalo, APT29). The effectiveness of this attack stems from exploiting users' unfamiliarity with device code authentication, bypassing traditional security measures. Volexity recommends organizations block device code authentication via conditional access policies and enhance user security awareness training.