Russian Hackers Exploit Microsoft 365 Device Code Authentication Feature

Russian state-sponsored threat actors have been running a campaign against Microsoft 365 accounts since at least January 2025 that abuses the device code authentication feature (the OAuth 2.0 device authorization grant) rather than any software flaw. The activity, first reported by Volexity, shows how a legitimate sign-in flow can be turned into a phishing vector that sidesteps the protections organizations rely on, including multi-factor authentication, and yields access to mailboxes and other organizational data.

Key Takeaways:

  • Russian actors that Volexity tracks as CozyLarch (which overlaps with Microsoft's Midnight Blizzard), UTA0304 and UTA0307 are behind the attacks
  • The attackers abuse the legitimate device code sign-in flow in Microsoft 365; no vulnerability is involved, and the victim's own MFA approval is what completes the attack
  • Lures are delivered through social engineering, with the actors impersonating government officials and researchers
  • The refresh token issued alongside the access token keeps the foothold alive for up to 90 days unless it is revoked
  • Organizations can block the device code flow with Conditional Access and enforce sign-in risk policies

Understanding the Attack Vector

The actors, which Volexity tracks as CozyLarch, UTA0304 and UTA0307, have settled on a low-cost approach to compromising Microsoft 365 accounts. Instead of cloning a login page, they abuse the device code authentication flow, a legitimate sign-in method designed for input-constrained devices such as smart TVs, printers, IoT hardware and command-line tools. The attacker starts the flow from a client they control, which produces a short code; whoever enters that code on the genuine Microsoft device-login page, and completes MFA there, authorizes the attacker's client to receive tokens for their account.


Social Engineering Tactics

The attackers pose as government officials or researchers and make first contact over Signal, WhatsApp or Microsoft Teams. The lure asks the target to enter a short code that the attacker has just generated. Two details make it convincing: the operators connect through US-based proxy IP addresses, so the resulting sign-in does not look foreign, and the link they send points to the genuine Microsoft device-login page rather than a look-alike domain, so URL-based phishing filters and training focused on spotting fake domains do not help. Because a device code is only valid for about 15 minutes, the code is generated and sent to the target in real time.

Attack Process and Methodology

Targets include government agencies, NGOs, IT service providers and critical infrastructure operators. Conventional defences do not stop the attack because nothing is exploited: the victim signs in on Microsoft's own page, satisfies MFA there, and the resulting access and refresh tokens are issued to the client the attacker controls. Once in, CozyLarch and the other actors keep access by redeeming the refresh token for new access tokens, which keeps working for up to 90 days unless the token is revoked.
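The exchange described in the three sections above, played out in a self-contained simulation. This is an added example, not code from Volexity, Microsoft or the article: the authorization server is an in-process stand-in for login.microsoftonline.com, and the endpoint paths in the comments, the placeholder client_id and the 900-second code lifetime are assumptions that mirror the documented Microsoft identity platform behaviour. It shows that the attacker's client never sees the password or MFA response, yet receives the tokens, and that a code entered after the window closes is rejected, which is why the lure is timed.

```python
"""Simulation of the OAuth 2.0 device authorization grant (RFC 8628) as abused
in the campaign above. Added example; the server, client_id and lifetimes are
stand-ins, not Microsoft's implementation."""
import secrets

CODE_LIFETIME_SECONDS = 900      # device codes expire after 15 minutes
POLL_INTERVAL_SECONDS = 5


class FakeClock:
    """Injectable clock so the demo is deterministic."""
    def __init__(self, now=0.0):
        self.now = now

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


class FakeAuthorizationServer:
    """Stand-in for the Entra ID device-code and token endpoints."""
    def __init__(self, clock):
        self.clock = clock
        self.codes = {}   # device_code -> pending authorization record

    def device_authorization(self, client_id, scope):
        """POST /common/oauth2/v2.0/devicecode: the request the ATTACKER makes.
        The user_code is what gets sent to the victim over Signal or Teams."""
        device_code = secrets.token_urlsafe(32)
        user_code = "".join(secrets.choice("BCDFGHJKLMNPQRSTVWXYZ23456789") for _ in range(9))
        self.codes[device_code] = {"client_id": client_id, "scope": scope,
                                   "user_code": user_code, "issued_at": self.clock(),
                                   "approved_by": None}
        return {"device_code": device_code, "user_code": user_code,
                "verification_uri": "https://microsoft.com/devicelogin",  # the genuine page
                "expires_in": CODE_LIFETIME_SECONDS, "interval": POLL_INTERVAL_SECONDS}

    def user_approves(self, user_code, upn):
        """The VICTIM types the code on the genuine page after password + MFA.
        Their credentials never reach the attacker; only the approval does."""
        for rec in self.codes.values():
            if rec["user_code"] == user_code and not self._expired(rec):
                rec["approved_by"] = upn
                return True
        return False   # unknown or expired code: the real page shows an error

    def token(self, device_code):
        """POST /common/oauth2/v2.0/token with
        grant_type=urn:ietf:params:oauth:grant-type:device_code, polled by the ATTACKER."""
        rec = self.codes.get(device_code)
        if rec is None:
            return {"error": "invalid_grant"}
        if self._expired(rec):
            return {"error": "expired_token"}
        if rec["approved_by"] is None:
            return {"error": "authorization_pending"}
        # Tokens go to whoever holds device_code, not to the person who authenticated.
        resp = {"token_type": "Bearer", "scope": rec["scope"], "expires_in": 3600,
                "access_token": "eyJ." + secrets.token_urlsafe(16),
                "authenticated_user": rec["approved_by"]}   # demo-only field
        if "offline_access" in rec["scope"].split():
            # The refresh token is what makes the foothold long-lived (90-day default inactivity window).
            resp["refresh_token"] = "0.A" + secrets.token_urlsafe(24)
        return resp

    def _expired(self, rec):
        return self.clock() - rec["issued_at"] > CODE_LIFETIME_SECONDS


def run_demo(victim_delay_seconds=120):
    """Play out one lure end to end and return what each side observed.
    The client_id is a placeholder, not a real application ID."""
    clock = FakeClock()
    idp = FakeAuthorizationServer(clock)
    req = idp.device_authorization("<public-client-id>",
                                   "openid profile offline_access https://graph.microsoft.com/Mail.Read")
    first_poll = idp.token(req["device_code"])           # attacker polls before the victim acts
    clock.advance(victim_delay_seconds)
    approved = idp.user_approves(req["user_code"], "victim@example.org")  # victim enters code + MFA
    tokens = idp.token(req["device_code"])               # attacker's next poll succeeds
    # Same lure delivered too late: the 15-minute window has closed.
    late = idp.device_authorization("<public-client-id>", "openid offline_access")
    clock.advance(CODE_LIFETIME_SECONDS + 1)
    late_approved = idp.user_approves(late["user_code"], "victim@example.org")
    return {"first_poll": first_poll.get("error"), "victim_approved": approved,
            "attacker_got_refresh_token": "refresh_token" in tokens,
            "token_subject": tokens.get("authenticated_user"),
            "late_code_accepted": late_approved,
            "late_poll": idp.token(late["device_code"]).get("error")}


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The `offline_access` scope in the attacker's request is the detail to notice: it is what turns a one-hour access token into a refresh token that survives for up to 90 days, and it is requested by the attacker's client, never shown to the victim.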

Post-Compromise Activities

With a token in hand, the attackers search the victim's mailbox through the Microsoft Graph API for keywords such as "password" and "admin" and exfiltrate the matching messages, using the API to work through compromised accounts programmatically and at scale. A compromised mailbox is also used to send further lures to the victim's colleagues and contacts, so a single success tends to spread inside the organization.

Prevention and Security Measures

Because this is abuse of a feature rather than a vulnerability, there is no patch to wait for; the controls below are available today in Microsoft Entra ID and should be applied as a priority. Key protective measures include:

  • Blocking the device code flow for everyone who does not need it, using a Conditional Access policy with the "Authentication flows" condition, and scoping any exemption (for example, a service account that runs a CLI tool) as tightly as possible
  • Enforcing sign-in risk and user risk policies in Entra ID Protection so that anomalous sign-ins are blocked or forced to re-authenticate
  • Hunting for existing compromise and revoking sessions: reviewing sign-in logs for the "Device Code" authentication protocol and revoking all refresh tokens for affected accounts (for example with the Graph revokeSignInSessions action), since the attacker's foothold is the token rather than the password
  • Training users that a genuine Microsoft login page can still be part of a phishing attack: a code they did not generate themselves on their own device should never be entered
  • Alerting on device code sign-ins, especially from IP addresses never seen for that user, from unexpected client applications, or shared across several accounts
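The hunting and alerting items above, as an added detection example that is not from the article or Volexity. The records below are constructed to resemble Microsoft Graph `signIn` objects (fields `userPrincipalName`, `ipAddress`, `authenticationProtocol`, `appDisplayName`, `location.countryOrRegion`) and are not real log data; the set of applications allowed to use device code is an assumption about the tenant. Country matching is deliberately left out because the actors used US-based proxies; instead each device-code sign-in is compared with the user's own baseline IPs and with other users who hit the same IP.

```python
"""Triage of Entra ID sign-in records for device-code sign-ins, with the
revocation call to issue for each hit. Added example; sample records are
constructed, not real log data."""
import json
from collections import defaultdict

SAMPLE_SIGNINS = json.loads("""
[
 {"createdDateTime": "2025-02-10T08:02:11Z", "userPrincipalName": "alice@example.org",
  "ipAddress": "203.0.113.10", "authenticationProtocol": "oAuth2",
  "appDisplayName": "Microsoft Office", "location": {"countryOrRegion": "US"}},
 {"createdDateTime": "2025-02-11T09:15:40Z", "userPrincipalName": "alice@example.org",
  "ipAddress": "203.0.113.10", "authenticationProtocol": "oAuth2",
  "appDisplayName": "OfficeHome", "location": {"countryOrRegion": "US"}},
 {"createdDateTime": "2025-02-12T14:31:05Z", "userPrincipalName": "alice@example.org",
  "ipAddress": "198.51.100.77", "authenticationProtocol": "deviceCode",
  "appDisplayName": "Microsoft Office", "location": {"countryOrRegion": "US"}},
 {"createdDateTime": "2025-02-12T14:52:19Z", "userPrincipalName": "bob@example.org",
  "ipAddress": "198.51.100.77", "authenticationProtocol": "deviceCode",
  "appDisplayName": "Microsoft Office", "location": {"countryOrRegion": "US"}},
 {"createdDateTime": "2025-02-12T16:00:00Z", "userPrincipalName": "carol@example.org",
  "ipAddress": "203.0.113.25", "authenticationProtocol": "oAuth2",
  "appDisplayName": "Microsoft Azure CLI", "location": {"countryOrRegion": "US"}},
 {"createdDateTime": "2025-02-12T16:05:30Z", "userPrincipalName": "carol@example.org",
  "ipAddress": "203.0.113.25", "authenticationProtocol": "deviceCode",
  "appDisplayName": "Microsoft Azure CLI", "location": {"countryOrRegion": "US"}}
]
""")

# Assumption for this tenant: only the Azure CLI legitimately uses device code.
ALLOWED_DEVICE_CODE_APPS = {"Microsoft Azure CLI"}


def baseline_ips(records):
    """IP addresses each user has signed in from by any method other than device code."""
    seen = defaultdict(set)
    for r in records:
        if r.get("authenticationProtocol") != "deviceCode":
            seen[r["userPrincipalName"]].add(r["ipAddress"])
    return seen


def find_suspicious_device_code_signins(records, allowed_apps=ALLOWED_DEVICE_CODE_APPS):
    """Flag device-code sign-ins that use an unexpected client application,
    come from an IP never seen for that user, or share an IP with other users'
    device-code sign-ins. Every hit carries the Graph call that revokes the
    account's refresh tokens."""
    known = baseline_ips(records)
    users_per_ip = defaultdict(set)
    for r in records:
        if r.get("authenticationProtocol") == "deviceCode":
            users_per_ip[r["ipAddress"]].add(r["userPrincipalName"])

    hits = []
    for r in records:
        if r.get("authenticationProtocol") != "deviceCode":
            continue
        upn, ip, app = r["userPrincipalName"], r["ipAddress"], r.get("appDisplayName")
        reasons = []
        if app not in allowed_apps:
            reasons.append(f"unexpected device-code client: {app}")
        if ip not in known[upn]:
            reasons.append(f"first sign-in from {ip} for this user")
        if len(users_per_ip[ip]) > 1:
            reasons.append(f"same IP used device code for {len(users_per_ip[ip])} users")
        if reasons:
            hits.append({
                "user": upn, "ip": ip, "time": r.get("createdDateTime"), "reasons": reasons,
                # Invalidates every refresh token the attacker may hold for this account.
                "response": {"method": "POST",
                             "url": f"https://graph.microsoft.com/v1.0/users/{upn}/revokeSignInSessions"},
            })
    return hits


if __name__ == "__main__":
    for hit in find_suspicious_device_code_signins(SAMPLE_SIGNINS):
        print(json.dumps(hit, indent=2))
```

On the sample data the two "Microsoft Office" device-code sign-ins from 198.51.100.77 are flagged on all three counts, while Carol's Azure CLI sign-in from her usual address is not. In production the same logic runs over the `signIns` collection pulled from Graph or exported to a SIEM; the revocation call should be issued only after the hit has been confirmed, since it signs the user out everywhere.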
