Full Report
**KEY TAKEAWAYS**

- Volexity has observed multiple Russian threat actors conducting social-engineering and spear-phishing campaigns targeting organizations with the ultimate goal of compromising Microsoft 365 accounts via Device Code Authentication phishing.
- Device Code Authentication phishing follows a workflow different from the one users expect, so users may not recognize it as phishing.
- Recent campaigns have been politically themed, particularly around the new administration in the United States and the changes this might mean for nations around the world.

Starting in mid-January 2025, Volexity identified several social-engineering and spear-phishing campaigns by Russian threat actors aimed at compromising Microsoft 365 (M365) accounts. These attack campaigns were highly targeted and carried out in a variety of ways. The majority of the attacks originated via spear-phishing emails with different themes. In one case, the eventual breach began with highly tailored outreach via Signal. Through its investigations, Volexity discovered that Russian threat actors were impersonating […]

The post Multiple Russian Threat Actors Targeting Microsoft Device Code Authentication appeared first on Volexity.
Analysis Summary
# Threat Actor: Russian Threat Actors (Tentatively attributed to CozyLarch, UTA0304, UTA0307)
## Attribution & Identity
**Attribution:** Assessed with high confidence as Russia-based threat actors by Volexity.
**Known Aliases and Associated Groups:** Activity is currently tracked under three groups, with *at least one* tentatively assessed with medium confidence as **CozyLarch** (overlapping with DarkHalo, APT29, Midnight Blizzard, CozyDuke). The other tracked entities are **UTA0304** and **UTA0307**.
## Activity Summary
Beginning in mid-January 2025, Volexity observed multiple highly targeted social-engineering and spear-phishing campaigns aimed at compromising Microsoft 365 (M365) accounts. Campaigns carried politically themed messages, particularly referencing changes related to the new US administration. The attacks often involved impersonating high-ranking officials from entities such as the US Department of State, the Ukrainian Ministry of Defence, the European Union Parliament, and prominent research institutions. Initial contact was via spear-phishing emails or direct outreach via Signal. Successful compromise led the attacker to invite the target user to a Microsoft Teams Meeting, access data as an external M365 user, or join a secure chat application (e.g., Element). Post-exploitation showed variation, including the use of scripts or native applications to access materials, and the use of VPS/Tor addresses for persistence.
## Tactics, Techniques & Procedures
- **Initial Access:** Spear-phishing (email) and targeted social engineering via secure chat applications (Signal).
- **Authentication Bypass/Compromise:** Exclusive use of **Device Code Authentication phishing** workflows to compromise M365 accounts.
- **Post-Compromise:** Accessing data in compromised accounts via scripts (e.g., using the `python-requests/2.25.1` User-Agent string) or native applications.
- **Evasion:** Device Code Authentication is effective because it bypasses many traditional detection methods (no malicious link/attachment, success relies on a legitimate Microsoft service URL, and post-authentication logs appear to originate from benign applications).
## Targeting
- **Sectors:** Not explicitly detailed, but the entities the attackers impersonated suggest a focus on government, defense, and policy/research organizations.
- **Geography:** Not explicitly detailed, but heavy thematic focus on the US administration and Ukrainian Ministry of Defence suggests operations targeting US and European entities connected to international policy.
- **Victims:** A Volexity customer was compromised after an attacker impersonating a Ukrainian Ministry of Defence official gained access to a user's M365 account.
## Tools & Infrastructure
- **Malware Families Used:** Not explicitly mentioned, but exploitation relied on leveraging legitimate M365 and external chat application infrastructure.
- **Infrastructure (C2, domains, IPs):** Access to compromised accounts observed from **VPS and Tor IP addresses**.
## Implications
The reported activity indicates Russian threat actors are adapting sophisticated, low-visibility authentication compromise methods (Device Code Authentication) against critical M365 environments. This technique severely hampers traditional email and network-based detection mechanisms, as the phishing payload relies on a legitimate Microsoft authentication flow, making users less likely to recognize the danger. The political themes suggest targeted intelligence gathering amidst geopolitical shifts.
## Mitigations
- Implement specific user awareness training focused on the atypical Microsoft Device Code Authentication workflow, emphasizing that legitimate links in emails should not typically lead to this dialogue box for standard M365 access.
- Develop enhanced detection signatures focusing on unusual sign-in behavior immediately following M365 authentication via Device Code, especially when access originates from unexpected hosts (VPS/Tor) or presents scripted User-Agent strings such as `python-requests`.
- Review authentication logs for legitimate applications being used unusually after the MFA prompt is satisfied, which might indicate post-compromise scripting activity.
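A defender-side correlation of the three mitigations above, written as an added example for this page rather than code from Volexity. It parses constructed sign-in records whose fields are a simplified approximation of Microsoft Entra ID sign-in log fields (the `authenticationProtocol` value `deviceCode` is modelled on the value Entra records for this flow; the other field names, the VPS/Tor IP ranges, the application baseline and the log lines are constructed assumptions), then flags device-code sign-ins to applications outside a baseline and follow-on access within 24 hours that comes from a listed VPS/Tor range or carries a scripted User-Agent such as the `python-requests/2.25.1` string noted above.

```python
"""Correlate device-code sign-ins with follow-on access from VPS/Tor or scripted clients.

Added example, not Volexity's tooling. Record schema, IP ranges, app baseline
and log lines are constructed for the demonstration.
"""
from __future__ import annotations

import ipaddress
import json
from datetime import datetime, timedelta

# Constructed: a defender would populate this from their own Tor-exit / VPS feeds.
SUSPECT_NETWORKS = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.0/24")]

# User-Agent prefixes typical of scripted access rather than an interactive client.
SCRIPTED_UA_PREFIXES = ("python-requests/", "curl/", "Go-http-client/")

# Constructed baseline: applications for which device-code sign-ins are expected in this tenant.
EXPECTED_DEVICE_CODE_APPS = {"Azure CLI"}

FOLLOW_ON_WINDOW = timedelta(hours=24)

# Constructed sample sign-in records, one JSON object per line.
SAMPLE_LOG = """\
{"time":"2025-01-20T09:00:00Z","user":"alice@example.org","ip":"192.0.2.10","ua":"Mozilla/5.0 (Windows NT 10.0) Edge/121","authenticationProtocol":"deviceCode","app":"Microsoft Teams"}
{"time":"2025-01-20T09:07:00Z","user":"alice@example.org","ip":"203.0.113.45","ua":"python-requests/2.25.1","authenticationProtocol":"none","app":"Microsoft Office"}
{"time":"2025-01-20T11:30:00Z","user":"bob@example.org","ip":"192.0.2.20","ua":"Mozilla/5.0 (Windows NT 10.0) Edge/121","authenticationProtocol":"none","app":"Microsoft Teams"}
{"time":"2025-01-21T08:00:00Z","user":"carol@example.org","ip":"192.0.2.30","ua":"Mozilla/5.0 (Linux) Chrome/120","authenticationProtocol":"deviceCode","app":"Azure CLI"}
{"time":"2025-01-21T08:02:00Z","user":"carol@example.org","ip":"192.0.2.30","ua":"Mozilla/5.0 (Linux) Chrome/120","authenticationProtocol":"none","app":"Microsoft Office"}
"""


def parse_records(text: str) -> list[dict]:
    """Parse newline-delimited JSON sign-in records and sort them by time."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["time"] = datetime.fromisoformat(rec["time"].replace("Z", "+00:00"))
        records.append(rec)
    return sorted(records, key=lambda r: r["time"])


def is_suspect_ip(ip: str) -> bool:
    """True if the source address falls inside a listed VPS/Tor range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in SUSPECT_NETWORKS)


def is_scripted_ua(ua: str) -> bool:
    """True if the User-Agent looks like a script or HTTP library, not a browser or native app."""
    return ua.startswith(SCRIPTED_UA_PREFIXES)


def find_suspicious_activity(records: list[dict]) -> list[dict]:
    """Flag out-of-baseline device-code sign-ins and risky follow-on access per user.

    Returns findings as dicts with user, time, ip, ua, app and a list of reasons.
    """
    findings = []
    last_device_code: dict[str, datetime] = {}  # user -> most recent device-code sign-in
    for rec in records:
        user = rec["user"]
        if rec.get("authenticationProtocol") == "deviceCode":
            last_device_code[user] = rec["time"]
            if rec["app"] not in EXPECTED_DEVICE_CODE_APPS:
                findings.append({**rec, "reasons": ["device code sign-in to app outside baseline"]})
            continue
        anchor = last_device_code.get(user)
        if anchor is None or rec["time"] - anchor > FOLLOW_ON_WINDOW:
            continue  # no recent device-code sign-in for this user
        reasons = []
        if is_suspect_ip(rec["ip"]):
            reasons.append("source IP in VPS/Tor list")
        if is_scripted_ua(rec["ua"]):
            reasons.append("scripted User-Agent")
        if reasons:
            findings.append({**rec, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_suspicious_activity(parse_records(SAMPLE_LOG)):
        print(f["time"].isoformat(), f["user"], f["ip"], f["app"], "; ".join(f["reasons"]))
```

Run against the constructed log, only the `alice@example.org` records are flagged: the device-code sign-in to an application outside the baseline, and the sign-in seven minutes later from a listed range with the `python-requests` User-Agent. Carol's device-code sign-in to Azure CLI and her follow-on from the same workstation pass, which is the point of keeping an application baseline rather than alerting on every device-code authentication.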