Russia Uses Legitimate Microsoft Feature to Hijack M365 Accounts

Nation-state threat actors from Russia have been exploiting a legitimate Microsoft feature, Device Code Authentication, to gain unauthorized access to Microsoft 365 (M365) accounts. This attack method is not new but has been rarely used by nation-state actors.

Threat actors impersonate government officials or researchers and send targeted users fake invitations via social media or messaging apps like Signal. The victims are then tricked into clicking a link that redirects them to the Device Code Authentication page. If they enter the provided code, the attackers capture their access and refresh tokens, allowing them to access and maintain control of the compromised M365 account.

Multiple threat actors have used this access to search for specific keywords, exfiltrate documents, and send phishing messages from the compromised account to other users in the target organization. The attacks are successful due to several factors, including:

* Phishing emails that appear legitimate
* Users’ lack of awareness about these types of attacks
* Difficulty in detecting the attack quickly

To mitigate this threat, organizations can create a conditional access policy that disallows device code authentication or monitor Microsoft Entra ID sign-in logs for suspicious activity.
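As an added example, not code from the article or from Microsoft, the kind of check a defender can run over exported Microsoft Entra ID sign-in records to surface device-code sign-ins worth investigating. The records, users and IP addresses below are constructed, and the field names follow the Graph `signIn` schema as assumed here (`authenticationProtocol`, `appDisplayName`, `location.countryOrRegion`, `status.errorCode`); verify them against your own export.

```python
import json
from collections import defaultdict

# Constructed sample of Entra ID sign-in records as JSON lines (not real tenant data).
# Field names are assumed to match the Graph signIn resource; adjust if your export differs.
SAMPLE_SIGNIN_LOGS = """\
{"createdDateTime":"2025-02-13T09:12:44Z","userPrincipalName":"alice@example.org","authenticationProtocol":"oAuth2","appDisplayName":"Microsoft Teams","ipAddress":"203.0.113.10","location":{"countryOrRegion":"US"},"status":{"errorCode":0}}
{"createdDateTime":"2025-02-13T09:15:02Z","userPrincipalName":"alice@example.org","authenticationProtocol":"deviceCode","appDisplayName":"Microsoft Office","ipAddress":"198.51.100.7","location":{"countryOrRegion":"NL"},"status":{"errorCode":0}}
{"createdDateTime":"2025-02-13T10:01:30Z","userPrincipalName":"bob@example.org","authenticationProtocol":"deviceCode","appDisplayName":"Microsoft Office","ipAddress":"198.51.100.7","location":{"countryOrRegion":"NL"},"status":{"errorCode":50126}}
{"createdDateTime":"2025-02-13T10:30:00Z","userPrincipalName":"carol@example.org","authenticationProtocol":"deviceCode","appDisplayName":"Azure CLI","ipAddress":"203.0.113.55","location":{"countryOrRegion":"US"},"status":{"errorCode":0}}
"""


def _device_code_records(log_text):
    """Yield parsed records whose sign-in used the device code flow."""
    for line in log_text.splitlines():
        if line.strip():
            rec = json.loads(line)
            if rec.get("authenticationProtocol") == "deviceCode":
                yield rec


def find_device_code_signins(log_text, expected_countries=("US",), allowed_apps=("Azure CLI",)):
    """Alert on successful device-code sign-ins from an unexpected country or from an
    application that is not on the list of clients known to use the flow legitimately."""
    alerts = []
    for rec in _device_code_records(log_text):
        if rec.get("status", {}).get("errorCode", 0) != 0:
            continue  # failed attempt: no token was issued, handled by the IP check below
        country = rec.get("location", {}).get("countryOrRegion")
        app = rec.get("appDisplayName")
        reasons = []
        if country not in expected_countries:
            reasons.append(f"unexpected country {country}")
        if app not in allowed_apps:
            reasons.append(f"app {app!r} not on device-code allowlist")
        if reasons:
            alerts.append({"user": rec["userPrincipalName"], "ip": rec["ipAddress"],
                           "time": rec["createdDateTime"], "reasons": reasons})
    return alerts


def shared_source_ips(log_text):
    """Source IPs (successful or not) that redeemed device codes for more than one user,
    which is what a phishing campaign against several targets in one tenant looks like."""
    users_by_ip = defaultdict(set)
    for rec in _device_code_records(log_text):
        users_by_ip[rec["ipAddress"]].add(rec["userPrincipalName"])
    return {ip: sorted(users) for ip, users in users_by_ip.items() if len(users) > 1}
```

Tune `expected_countries` and `allowed_apps` to the tenant; the point is that the device code flow has few legitimate interactive users, so every sign-in using it can be reviewed individually.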

Source: https://www.helpnetsecurity.com/2025/02/14/microsoft-device-code-authentication-phishing-m365-account-compromise