Cybersecurity experts warn of new Microsoft 365 phishing attacks tied to Russian groups
Cybersecurity researchers have warned about a sophisticated phishing campaign targeting Microsoft 365 users, allegedly linked to a Russia-aligned threat actor abusing device code authentication to hijack accounts.
The campaign, active since September 2025, is being tracked by enterprise security firm Proofpoint under the name UNK_AcademicFlare.
According to researchers, the attackers rely on compromised email accounts from government and military organisations to launch highly targeted phishing attempts.
These stolen email identities are used to contact victims across government agencies, think tanks, higher education institutions, and transportation sectors in the United States and Europe.
Proofpoint noted that the outreach often appears legitimate at first, focusing on professional topics related to the recipient’s expertise to build trust and arrange a fake meeting or interview.
As part of the scheme, victims are sent a link to a document supposedly containing interview questions or discussion points.
The link directs users to a Cloudflare Workers URL designed to impersonate the sender’s Microsoft OneDrive page.
In reality, this process redirects users to a legitimate Microsoft device code login page.
Once the code is entered, an access token is generated, allowing attackers to seize control of the victim’s account.
For those unfamiliar, device code phishing was previously detailed by Microsoft and Volexity in February 2025, with attribution to Russian-linked groups such as Storm-2372 and APT29.
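One way a defender could surface the device code sign-ins described above is to review identity provider sign-in logs for successful device code authentications that are unusual for the user. The following is an added example, not code from Proofpoint or the original article; the field names (`protocol`, `country`, `result`) are simplified assumptions modelled on Entra ID sign-in logs, and all records are constructed.

```python
import json
from collections import defaultdict

# Constructed sign-in records. Field names are simplified assumptions modelled
# on Entra ID sign-in logs; users, countries and times are invented.
SAMPLE_LOG = """
{"time":"2025-10-01T08:02:11Z","user":"a.analyst@example.org","protocol":"none","country":"US","result":0}
{"time":"2025-10-02T14:31:40Z","user":"a.analyst@example.org","protocol":"deviceCode","country":"NL","result":0}
{"time":"2025-10-03T09:00:05Z","user":"kiosk01@example.org","protocol":"none","country":"US","result":0}
{"time":"2025-10-03T09:05:12Z","user":"kiosk01@example.org","protocol":"deviceCode","country":"US","result":0}
{"time":"2025-10-04T09:05:30Z","user":"kiosk01@example.org","protocol":"deviceCode","country":"US","result":0}
{"time":"2025-10-05T11:20:00Z","user":"b.fellow@example.org","protocol":"deviceCode","country":"DE","result":1}
"""

def flag_device_code_signins(log_text):
    """Return alerts for successful device code sign-ins that are unusual for the user."""
    events = [json.loads(line) for line in log_text.splitlines() if line.strip()]
    baseline = defaultdict(set)   # user -> countries seen on ordinary sign-ins
    used_before = set()           # users who already completed a device code sign-in
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):  # ISO 8601 UTC sorts as text
        if ev["result"] != 0:     # non-zero result: sign-in did not complete
            continue
        user = ev["user"]
        if ev["protocol"] != "deviceCode":
            baseline[user].add(ev["country"])
            continue
        new_country = ev["country"] not in baseline[user]
        first_use = user not in used_before
        used_before.add(user)
        # Device code countries are never added to the baseline, so a hijacked
        # session cannot allow-list its own location.
        if new_country or first_use:
            alerts.append({
                "time": ev["time"], "user": user, "country": ev["country"],
                "severity": "high" if new_country else "medium",
                "reason": "new country" if new_country else "first device code use",
            })
    return alerts

if __name__ == "__main__":
    for alert in flag_device_code_signins(SAMPLE_LOG):
        print(alert)
```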