Russian spies exploit device code phishing to hijack Microsoft accounts

In Russia, a sophisticated threat has emerged that targets individuals and organizations through a method known as device code phishing, first identified in August 2024. This technique takes advantage of the OAuth standard's device code flow, enabling attackers to deceive users into providing access to their Microsoft 365 accounts. Researchers have connected this phishing campaign to Russian government operatives, who masquerade as trusted officials on messaging apps like Signal and WhatsApp. These operatives generate a malicious link that accompanies a device code, which they encourage the target to enter on their authorized browsing device. These attacks have become notably effective due to the ways the device code authorization process can obfuscate risks. Users are prompted to authenticate through pages that bear resemblance to legitimate Microsoft login gateways, but which lack clear warnings. As a result, it can be challenging for users—particularly those less technologically savvy—to recognize phishing attempts. Consequently, many who receive these requests may inadvertently provide their access codes to the attackers, unwittingly giving them prolonged access to sensitive accounts that could otherwise be protected by multi-factor authentication (MFA). The current advisory from security experts emphasizes that both Volexity and Microsoft have observed a worrying trend in the frequency and effectiveness of these attacks. The security measures positioned within Microsoft Azure, which prompt users to confirm ongoing logins, are sometimes bypassed by users who do not think critically about the source of the messaging. As the Russian operatives continue to adapt their tactics, they seize the advantage of the uncertainty prevalent in the user interface surrounding device authentication. The effectiveness of these phishing campaigns highlights an urgent need for better user education regarding device code phishing, especially as the method shows marked success compared to traditional methods of social engineering and spear phishing. Experts stress the importance of vigilance when it comes to links and pages presented during authentication process, calling for stronger safeguards at the application level to prevent such hijacks from occurring in the future.