Security researchers at Volexity have identified Russian threat actors exploiting Microsoft 365’s Device Code Authentication for sophisticated spear-phishing attacks. Since mid-January 2025, groups including APT29 (CozyLarch), UTA0304, and UTA0307 have been impersonating officials from government agencies to trick victims into granting access to their accounts. The attacks direct users to legitimate Microsoft URLs, making detection difficult, with logs showing authentication through Entra ID markers. UTA0304 even used a custom Element server for real-time communication, ensuring victims entered codes within the 15-minute validity window. Organizations are urged to block Device Code Authentication, monitor sign-in logs, and update user awareness training to counter this emerging threat.
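For the sign-in log monitoring recommended above, the following is an added example, not code from Volexity or Microsoft. It assumes sign-in records exported as JSON with the Microsoft Graph signIn field names `authenticationProtocol` and `originalTransferMethod`; the allowlist, app IDs, users and IP addresses are constructed placeholders.

```python
import json
from collections import defaultdict

# Constructed sample records (not real data). Field names are assumed to follow
# the Microsoft Graph signIn resource; verify them against your tenant's export.
SAMPLE_LOG = """[
 {"createdDateTime":"2025-01-20T09:00:00Z","userPrincipalName":"alice@example.com","appId":"00000000-0000-0000-0000-00000000aaaa","ipAddress":"192.0.2.10","authenticationProtocol":"oAuth2","status":{"errorCode":0}},
 {"createdDateTime":"2025-01-20T11:30:00Z","userPrincipalName":"Alice@example.com","appId":"00000000-0000-0000-0000-00000000aaaa","ipAddress":"198.51.100.8","authenticationProtocol":"none","originalTransferMethod":"deviceCodeFlow","status":{"errorCode":0}},
 {"createdDateTime":"2025-01-20T10:05:00Z","userPrincipalName":"alice@example.com","appId":"00000000-0000-0000-0000-00000000aaaa","ipAddress":"198.51.100.7","authenticationProtocol":"deviceCode","status":{"errorCode":0}},
 {"createdDateTime":"2025-01-20T10:10:00Z","userPrincipalName":"kiosk@example.com","appId":"00000000-0000-0000-0000-00000000bbbb","ipAddress":"192.0.2.20","authenticationProtocol":"deviceCode","status":{"errorCode":0}},
 {"createdDateTime":"2025-01-20T10:15:00Z","userPrincipalName":"bob@example.com","appId":"00000000-0000-0000-0000-00000000aaaa","ipAddress":"198.51.100.7","authenticationProtocol":"deviceCode","status":{"errorCode":1}}
]"""

# Hypothetical allowlist: apps the organization has approved for device code
# flow (for example, sign-in on input-constrained devices).
APPROVED_APP_IDS = {"00000000-0000-0000-0000-00000000bbbb"}

def load_sample():
    return json.loads(SAMPLE_LOG)

def is_device_code(event):
    """True for a device code sign-in or a session that began as one."""
    return (event.get("authenticationProtocol") == "deviceCode"
            or event.get("originalTransferMethod") == "deviceCodeFlow")

def review_device_code_signins(events, approved_app_ids):
    """Group successful device code sign-ins to unapproved apps by user."""
    findings = defaultdict(list)
    for event in events:
        if not is_device_code(event):
            continue
        if (event.get("status") or {}).get("errorCode", 0) != 0:
            continue  # the flow did not complete, so no token was issued
        if event.get("appId") in approved_app_ids:
            continue
        user = event.get("userPrincipalName", "").lower()
        findings[user].append({k: event.get(k) for k in
                               ("createdDateTime", "appId", "ipAddress")})
    # ISO 8601 UTC timestamps sort correctly as strings.
    return {user: sorted(rows, key=lambda r: r["createdDateTime"])
            for user, rows in findings.items()}

if __name__ == "__main__":
    for user, rows in review_device_code_signins(load_sample(),
                                                 APPROVED_APP_IDS).items():
        for row in rows:
            print(user, row["createdDateTime"], row["appId"], row["ipAddress"])
```

Checking `originalTransferMethod` as well as `authenticationProtocol` keeps later activity in a session that started with a device code visible, not only the initial sign-in.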