Multiple threat groups have been ramping up attacks using a technique called device code phishing to trick users into granting access to their Microsoft 365 accounts, according to a report Thursday from Proofpoint.
Hackers affiliated with China and Russia have used the technique in recent months to launch attacks. A number of criminal groups have used the same method to target M365 users as well.
“This is a social engineering method that abuses a legitimate and trusted workflow for authorized access,” Sarah Sabotka, staff threat researcher at Proofpoint, told Cybersecurity Dive.
The technique involves sending a message with a URL embedded behind hyperlinked text or within a QR code. When a user clicks the link, it starts an attack sequence built on a legitimate Microsoft device authorization process, according to Proofpoint.
After the process begins, the user is shown a device code, either on the landing page or in a secondary email, according to Proofpoint. The user is told to enter the code as if it were a one-time password. In the device authorization flow, however, the party that requested the code is the one that receives the resulting token: the attacker initiates the flow, the victim enters the code and signs in on Microsoft's legitimate verification page, and the token is issued to the attacker's client, giving the hacker access to the M365 account.
Threat groups are using tools like SquarePhish2 or the Graphish phishing kit to launch attacks. The Graphish phishing kit allows hackers to create highly convincing phishing pages that leverage Azure app registrations and reverse proxy setups used in adversary-in-the-middle attacks.
The cybersecurity firm warned that a criminal actor tracked under the name TA2723 has been offering a malicious tool for sale on hacking forums that can be used for such attacks. Researchers identified a campaign starting in early October in which the actor deployed SquarePhish2, and a second campaign using Graphish.
A Russia-aligned group tracked under the name UNK_AcademicFlare is linked to a campaign that was first identified in September. The attacks use compromised emails from multiple governments and military organizations to target governments, think tanks, higher education and transportation sectors in the U.S. and Europe.
Microsoft did not comment on the research, but the company provided links to a prior research report in February that outlined a device code phishing campaign from a Russia-linked group tracked as Storm-2372. That group has been engaged in such attacks since August 2024, using a variety of techniques.
The company also pointed to guidance it released in October about threats against Microsoft Teams.