A threat group, likely linked to Russia, is targeting Microsoft 365 accounts through a technique called device code phishing, which abuses the OAuth device code authorization flow.

This technique is used against people working in government, NGOs, IT, defense, telecommunications, healthcare, and energy sectors across Europe, North America, Africa, and the Middle East.

The attackers take advantage of the authentication flow meant for devices without keyboards, such as smart TVs or IoT gadgets. They start by posing as a well-known or relevant contact over messaging platforms like WhatsApp, Signal, or Microsoft Teams. After establishing trust, they send a fake meeting invitation that includes an attacker-generated device code.

When a victim enters this code on a genuine Microsoft sign-in page, the attackers gain access to their email, cloud storage, and other services without needing the actual password. With stolen tokens that can be refreshed using a specific Microsoft Authentication Broker client ID, the hackers can even register devices to Microsoft’s Entra ID system, which helps them maintain long-term access.

To defend against this threat, organizations should consider disabling device code authentication where possible, enforcing Conditional Access policies that limit sign-ins to trusted devices and networks, and monitoring sign-in logs for unusual activity, such as device code sign-ins from unexpected locations. Revoking compromised tokens immediately can also help prevent continued unauthorized access.
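As an added example (not code from the article), the following Python script triages constructed Entra ID sign-in log records for successful device code sign-ins, the monitoring step recommended above. The field names follow the Microsoft Graph `signIn` resource (`authenticationProtocol`, `location.countryOrRegion`, `status.errorCode`); the user names, IP addresses and timestamps are made up.

```python
import json

# Constructed sample Entra ID sign-in records (JSON lines), modelled on the
# Microsoft Graph signIn resource. All values are made up for illustration.
SAMPLE_SIGNINS = """
{"createdDateTime":"2025-02-14T09:12:03Z","userPrincipalName":"alice@example.org","appDisplayName":"Microsoft Office","authenticationProtocol":"oAuth2","ipAddress":"203.0.113.10","location":{"countryOrRegion":"GB"},"status":{"errorCode":0}}
{"createdDateTime":"2025-02-14T09:40:55Z","userPrincipalName":"bob@example.org","appDisplayName":"Microsoft Authentication Broker","authenticationProtocol":"deviceCode","ipAddress":"198.51.100.77","location":{"countryOrRegion":"NL"},"status":{"errorCode":0}}
{"createdDateTime":"2025-02-14T10:02:11Z","userPrincipalName":"carol@example.org","appDisplayName":"Microsoft Teams","authenticationProtocol":"deviceCode","ipAddress":"203.0.113.11","location":{"countryOrRegion":"GB"},"status":{"errorCode":0}}
{"createdDateTime":"2025-02-14T10:05:40Z","userPrincipalName":"bob@example.org","appDisplayName":"Microsoft Authentication Broker","authenticationProtocol":"deviceCode","ipAddress":"198.51.100.77","location":{"countryOrRegion":"NL"},"status":{"errorCode":50126}}
"""


def parse_signins(text):
    """Parse JSON-lines sign-in export into a list of dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def flag_device_code_signins(records, allowed_countries, sensitive_apps):
    """Return (upn, ip, reasons) for every successful device code sign-in.

    Most tenants see very few legitimate device code sign-ins, so each one is
    reported; extra reasons are attached when the source country is outside the
    allow-list or the client is an app that should not be using device code at
    all (the article highlights the Microsoft Authentication Broker).
    """
    flagged = []
    for r in records:
        if r.get("authenticationProtocol") != "deviceCode":
            continue
        if r.get("status", {}).get("errorCode", 0) != 0:
            continue  # failed attempt: no token was issued
        reasons = ["device code sign-in"]
        country = r.get("location", {}).get("countryOrRegion")
        if country not in allowed_countries:
            reasons.append(f"unexpected country {country}")
        if r.get("appDisplayName") in sensitive_apps:
            reasons.append(f"sensitive app {r['appDisplayName']}")
        flagged.append((r["userPrincipalName"], r["ipAddress"], reasons))
    return flagged


if __name__ == "__main__":
    hits = flag_device_code_signins(
        parse_signins(SAMPLE_SIGNINS),
        allowed_countries={"GB"},
        sensitive_apps={"Microsoft Authentication Broker"},
    )
    for upn, ip, reasons in hits:
        print(f"{upn} from {ip}: {'; '.join(reasons)}")
```

In a real deployment the records would come from the Graph `auditLogs/signIns` endpoint or a SIEM export, and a hit on a sensitive app is the trigger to revoke the user's refresh tokens and review newly registered devices.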
