Full Report
A phishing campaign that abuses the device code authentication workflow to steal victims' Microsoft 365 credentials and take over their accounts has been attributed to a suspected Russia-aligned group. The activity, ongoing since September 2025, is being tracked by Proofpoint under the moniker UNK_AcademicFlare. The attacks involve using compromised email addresses belonging to government
Analysis Summary
# Threat Actor: UNK_AcademicFlare
## Attribution & Identity
* **Attribution:** Suspected Russia-aligned group.
* **Known Aliases & Associated Groups:** Tracked by Proofpoint under the moniker **UNK_AcademicFlare**. The article notes that the device code phishing tactic is also used by other Russia-aligned clusters, including Storm-2372, APT29, UTA0304, and UTA0307 (though direct attribution of this specific campaign to those groups is not made).
## Activity Summary
* **Campaign Name:** Phishing campaign employing device code authentication workflows.
* **Duration:** Ongoing since September 2025.
* **Operations:** The primary objective is conducting **Microsoft 365 account takeover (ATO)** attacks. The attackers use compromised email addresses, often belonging to government and military organizations, to build rapport with targets around the target's area of expertise and to arrange fictitious meetings or interviews. They then send a link that appears to lead to a document but instead starts the device code phishing sequence.
* **Related Activity:** The article notes that the availability of tools like **Graphish** and **SquarePhish** has lowered the barrier to entry for this sophisticated phishing tactic, which is also being adopted by financially motivated groups like **TA2723**.
## Tactics, Techniques & Procedures
* **Initial Access:** Spearphishing using compromised email addresses.
* **Lure:** Fictitious meeting/interview setup, directing victims to review a linked "document."
* **Delivery Method:** A URL hosted on a **Cloudflare Worker** mimicking the compromised sender’s Microsoft OneDrive account.
* **Technique:** **Device Code Authentication Phishing** (sometimes referred to as OAuth Phishing). This involves tricking the user into copying a provided code, entering it on a legitimate Microsoft device code login URL, and subsequently recovering the access token generated by the service upon successful authentication.
* **Tools Used (Associated):** SquarePhish (red-team tool), Graphish (crimeware/phishing kit).
* **MITRE ATT&CK IDs:** Not explicitly provided in the text, but the tactic aligns heavily with **T1566.001 (Spearphishing Attachment/Link)** and techniques related to **T1553 (Subvert Trust Controls)** via OAuth abuse.
## Targeting
* **Sectors:** Government, Think Tanks, Higher Education, and Transportation sectors.
* **Geography:** U.S. and Europe.
* **Victims:** Specialists focusing on Russia-related topics at think tanks; Ukrainian government and energy sector organizations.
## Tools & Infrastructure
* **Malware Families Used:** Not specified for UNK_AcademicFlare specifically, but the activity leverages phishing kits/tools.
* **Infrastructure (C2, domains, IPs):** Relies heavily on **Cloudflare Worker URLs** to host the initial redirection page.
## Implications
* The actor poses a significant threat: it has successfully executed sophisticated account takeover attacks against sensitive government and think tank personnel, abusing legitimate cloud infrastructure (Cloudflare Workers) in a **living off the land** fashion.
* The adoption of user-friendly tooling such as SquarePhish suggests this attack methodology is scaling and becoming accessible to less technically sophisticated actors, increasing the overall proliferation risk.
## Mitigations
* **Primary Defense:** Create a Conditional Access policy in Microsoft 365 using the **Authentication Flows condition** to **block the device code flow** for all users.
* **Secondary Defense:** If blocking outright is not feasible, implement an allow-list approach to restrict device code authentication based on approved users, operating systems, or IP ranges.
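The secondary defense above is an allow-list: device code sign-ins are tolerated only for approved users, operating systems and IP ranges. The same rule set can be run as detection logic over exported Entra ID sign-in records, so that any device code authentication outside the allow-list is surfaced for review, whether or not Conditional Access is already enforcing it. The following is an added example and not code from the original report or from Proofpoint. The field names mirror the Entra ID sign-in log schema (`authenticationProtocol`, `deviceDetail.operatingSystem`, `ipAddress`, `location.countryOrRegion`); the records, users, addresses and the `DEVICE_CODE_POLICY` allow-list are constructed for illustration.

```python
"""Triage of Entra ID sign-in records for device code authentications.

Added example: the record layout and the policy below are constructed to
illustrate the allow-list mitigation; they are not part of the original
report. Field names mirror the Entra ID sign-in log schema, but every value
is invented.
"""
import ipaddress
import json

# Constructed sign-in records (one JSON object per line), not real telemetry.
SAMPLE_SIGNIN_LOG = """\
{"userPrincipalName": "analyst@example.org", "authenticationProtocol": "deviceCode", "ipAddress": "203.0.113.7", "location": {"countryOrRegion": "NL"}, "deviceDetail": {"operatingSystem": "Linux"}, "appDisplayName": "Microsoft Office", "status": {"errorCode": 0}}
{"userPrincipalName": "it-admin@example.org", "authenticationProtocol": "deviceCode", "ipAddress": "198.51.100.20", "location": {"countryOrRegion": "US"}, "deviceDetail": {"operatingSystem": "Windows"}, "appDisplayName": "Azure CLI", "status": {"errorCode": 0}}
{"userPrincipalName": "analyst@example.org", "authenticationProtocol": "authorizationCode", "ipAddress": "198.51.100.21", "location": {"countryOrRegion": "US"}, "deviceDetail": {"operatingSystem": "Windows"}, "appDisplayName": "Office 365 SharePoint Online", "status": {"errorCode": 0}}
{"userPrincipalName": "researcher@example.org", "authenticationProtocol": "deviceCode", "ipAddress": "198.51.100.22", "location": {"countryOrRegion": "US"}, "deviceDetail": {"operatingSystem": "Windows"}, "appDisplayName": "Microsoft Office", "status": {"errorCode": 50126}}
"""

# Hypothetical allow-list: device code sign-ins are acceptable only for these
# users, from these networks and from these operating systems.
DEVICE_CODE_POLICY = {
    "allowed_users": {"it-admin@example.org"},
    "allowed_networks": [ipaddress.ip_network("198.51.100.0/24")],
    "allowed_os": {"Windows"},
}


def evaluate(record: dict, policy: dict) -> dict:
    """Classify one sign-in record against the device code allow-list.

    Returns {'verdict': 'not-device-code' | 'allowed' | 'flag',
             'reasons': [conditions the sign-in violated]}.
    """
    if record.get("authenticationProtocol") != "deviceCode":
        return {"verdict": "not-device-code", "reasons": []}
    reasons = []
    user = record.get("userPrincipalName", "")
    if user not in policy["allowed_users"]:
        reasons.append("user not on device-code allow-list")
    try:
        ip = ipaddress.ip_address(record.get("ipAddress", ""))
        if not any(ip in net for net in policy["allowed_networks"]):
            reasons.append("source IP outside approved ranges")
    except ValueError:
        reasons.append("unparseable source IP")
    os_name = record.get("deviceDetail", {}).get("operatingSystem", "")
    if os_name not in policy["allowed_os"]:
        reasons.append(f"operating system {os_name!r} not approved")
    return {"verdict": "flag" if reasons else "allowed", "reasons": reasons}


def triage(log_text: str, policy: dict) -> list:
    """Run evaluate() over a JSON-lines export and return flagged sign-ins.

    Failed attempts (non-zero errorCode) are reported too: a failed device
    code sign-in can be the first trace of an interrupted phishing sequence.
    """
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        record = json.loads(line)
        result = evaluate(record, policy)
        if result["verdict"] == "flag":
            findings.append({
                "user": record.get("userPrincipalName"),
                "ip": record.get("ipAddress"),
                "country": record.get("location", {}).get("countryOrRegion"),
                "app": record.get("appDisplayName"),
                "succeeded": record.get("status", {}).get("errorCode") == 0,
                "reasons": result["reasons"],
            })
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_SIGNIN_LOG, DEVICE_CODE_POLICY):
        print(json.dumps(finding))
```

Run against the constructed log, the script flags two sign-ins: the successful device code authentication by `analyst@example.org` from an unapproved address and operating system (the pattern the campaign produces after a victim enters the code), and the failed device code attempt by `researcher@example.org`, which passes the network and OS checks but is not an approved user. The tenant-wide block that the primary defense describes is expressed in the Conditional Access policy object as the `authenticationFlows` condition with `transferMethods` set to `deviceCodeFlow` and a `block` grant control; the allow-list evaluator above is the fallback for tenants that still need the flow for a few administrative tools.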