Threat actors are using legitimate Microsoft feature to compromise M365 accounts

Suspected Russian threat actors have been taking advantage of Microsoft Device Code Authentication to trick targets into granting them access to their Microsoft 365 (M365) accounts.

“While Device Code Authentication attacks are not new, they appear to have been rarely leveraged by nation-state threat actors. Volexity’s visibility into targeted attacks indicates this particular method has been far more effective than the combined effort of years of other social engineering and spear-phishing attacks conducted by the same (or similar) threat actors,” Volexity threat analysts noted.

“It appears that these Russian threat actors have made a concerted effort to launch several campaigns against organizations with a goal of simultaneously abusing this method before the targets catch on and implement countermeasures.”

The attacks, from the victim’s perspective

The attacks have been spotted both by Volexity and Microsoft threat analysts. Volexity identified several social-engineering and spear-phishing campaigns in January 2025, while Microsoft says that the attacks have been going on since August 2024.

The campaigns are limited to specific targets in government organizations, non-governmental organizations, and a variety of industries in multiple regions.

The attackers usually impersonate US, Ukrainian, and EU government officials or researchers at prominent institutions, and reach out to the targets via social media or messaging apps such as Signal.

Threat actor reaches out via Signal to prepare the ground for the attack (Source: Microsoft)

“Communications carried a variety of different themes and messages, but they all ultimately resulted in the attacker inviting the targeted user to one of the following: Microsoft Teams Meeting / Video Conference, access to applications and data as an external M365 user, or a chatroom on a secure chat application [Element],” Volexity researchers explained.

The attack continues via email: a fake invitation is sent that points to https://microsoft.com/devicelogin, which redirects to https://login.microsoftonline.com/common/oauth2/deviceauth, the page used for the Microsoft Device Code Authentication workflow, which shows:


The dialog box shown by the Microsoft Device Code Authentication page (Source: Volexity)

If the target enters the alphanumeric code provided in the fake invitation, along with their username, password and second authentication factor (where required), the threat actor captures the access and refresh tokens generated after the target’s successful authentication and can use them to gain and maintain access to the target’s M365 account.


How the attack works (Source: Volexity)

Multiple threat actors have leveraged that access to search through emails for specific keywords (password, admin, anydesk, secret, ministry, etc.) and exfiltrate documents and information of interest. Microsoft has also spotted them sending additional phishing messages containing links for Device Code Authentication from the compromised account to other users in the target organization.

What is the Device Code Authentication workflow?

Device Code Authentication workflow, as described by Microsoft, “allows users to sign in to input-constrained devices such as a smart TV, IoT device, or a printer. To enable this flow, the device has the user visit a webpage in a browser on another device to sign in. Once the user signs in, the device is able to get access tokens and refresh tokens as needed.”

In effect, the attackers are misusing this helpful option to gain access to targets’ M365 accounts, after first priming the target with clever social engineering.

The high success rate of these attacks is due to several factors:

  • The phishing emails are unlikely to be identified as malicious, as they do not contain malicious links or attachments
  • Users are less aware of attacks that leverage legitimate services
  • The account compromise is unlikely to be spotted quickly, as the application with which the attacker is authenticating shows up as “legitimate” in the M365 sign-in logs.

This avenue of attack is not new, but it has been used rarely, so most people are not familiar with it and are unlikely to be suspicious.

Mitigations and detection advice

“It is possible for organizations to create a conditional access policy that disallows device code authentication altogether,” Volexity says.

This is the most effective way to prevent this potential attack vector, though doing this is not possible for those organizations that need the device code authentication capability for legitimate purposes.
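The policy Volexity describes is configured through the Conditional Access "authentication flows" condition. The following request body for the Microsoft Graph conditional access policy API is an added example, not Volexity's or Microsoft's own text; the field names (conditions.authenticationFlows.transferMethods with the value deviceCodeFlow) are assumed from the Graph conditionalAccessPolicy resource, and the displayName is a placeholder. Organizations with legitimate device code users would scope includeUsers/excludeUsers accordingly instead of applying it to everyone.

```json
{
  "displayName": "Block device code flow (example policy)",
  "state": "enabled",
  "conditions": {
    "users": {
      "includeUsers": ["All"],
      "excludeUsers": ["<object-id-of-break-glass-or-approved-device-account>"]
    },
    "applications": {
      "includeApplications": ["All"]
    },
    "authenticationFlows": {
      "transferMethods": "deviceCodeFlow"
    }
  },
  "grantControls": {
    "operator": "OR",
    "builtInControls": ["block"]
  }
}
```

Create the policy in report-only mode first ("state": "enabledForReportingButNotEnforced") and review the sign-in log for the legitimate device code usage it would have blocked before switching it to enabled.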

Those orgs should monitor Microsoft Entra ID sign-in logs and analyze sign-ins that show specific values associated with Device Code Authentications: “authenticationProtocol”: “deviceCode” and “originalTransferMethod”: “deviceCodeFlow”.

“The frequency and legitimacy of these values occurring in the sign-in logs for a particular organization may vary, as this is a legitimate Microsoft feature. An organization can evaluate their risk and usage of these workflows, and potentially use this information as a proactive detection mechanism,” the company added.
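The following script is an added example, not code from Volexity or Microsoft, of the proactive detection the company describes: it reads an export of Entra ID sign-in records, keeps the ones carrying authenticationProtocol "deviceCode" or originalTransferMethod "deviceCodeFlow", and reports any that come from accounts outside an organization-maintained list of accounts that are expected to use the flow. The record field names (userPrincipalName, appDisplayName, ipAddress, createdDateTime) follow the Entra ID sign-in log schema as far as I know it, and the sample records and the expected-user list are constructed for illustration.

```python
"""Flag Device Code Flow sign-ins in an Entra ID sign-in log export.

Added example (not Volexity's or Microsoft's code). Assumes one JSON object
per line using the Entra ID sign-in log field names; sample data constructed.
"""
import json
from collections import defaultdict

# Constructed sample export: three sign-ins, two of them via the device code flow.
SAMPLE_LOG = """
{"createdDateTime": "2025-01-14T09:02:11Z", "userPrincipalName": "meetingroom-tv@example.org", "appDisplayName": "Microsoft Teams", "ipAddress": "203.0.113.10", "authenticationProtocol": "deviceCode", "originalTransferMethod": "deviceCodeFlow"}
{"createdDateTime": "2025-01-14T10:15:42Z", "userPrincipalName": "a.analyst@example.org", "appDisplayName": "Microsoft Office", "ipAddress": "198.51.100.7", "authenticationProtocol": "none", "originalTransferMethod": "none"}
{"createdDateTime": "2025-01-15T18:47:03Z", "userPrincipalName": "a.analyst@example.org", "appDisplayName": "Microsoft Office", "ipAddress": "192.0.2.44", "authenticationProtocol": "deviceCode", "originalTransferMethod": "deviceCodeFlow"}
"""

# Accounts with a known, legitimate need for device code sign-in (assumption:
# a list the organization maintains, e.g. conference-room displays).
EXPECTED_DEVICE_CODE_USERS = {"meetingroom-tv@example.org"}


def parse_signins(text):
    """Parse one JSON object per line, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def is_device_code_signin(record):
    """True when the record carries the values Volexity associates with the flow."""
    return (record.get("authenticationProtocol") == "deviceCode"
            or record.get("originalTransferMethod") == "deviceCodeFlow")


def triage_device_code_signins(records, expected_users=EXPECTED_DEVICE_CODE_USERS):
    """Return device code sign-ins by users outside the expected set, grouped by user."""
    suspicious = defaultdict(list)
    for rec in records:
        if not is_device_code_signin(rec):
            continue
        user = rec.get("userPrincipalName", "").lower()
        if user in expected_users:
            continue  # known, approved use of the flow
        suspicious[user].append({
            "time": rec.get("createdDateTime"),
            "app": rec.get("appDisplayName"),
            "ip": rec.get("ipAddress"),
        })
    return dict(suspicious)


if __name__ == "__main__":
    for user, events in triage_device_code_signins(parse_signins(SAMPLE_LOG)).items():
        print(f"Review device code sign-in(s) for {user}:")
        for e in events:
            print(f"  {e['time']}  app={e['app']}  ip={e['ip']}")
```

In an environment where the flow is never used legitimately, the expected-user set is empty and every hit is worth a look; where it is, the baseline of who signs in this way and from where is what turns the raw field match into a usable alert.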

If an organization monitors URLs accessed by users or received via email, the appearance of the following URLs can point to phishing attacks using Device Code Authentication:

  • https://login.microsoftonline.com/common/oauth2/deviceauth
  • https://www.microsoft.com/devicelogin
  • https://aka.ms/devicelogin
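A small scanner for the URL indicators above, added here as an example and not taken from Volexity or Microsoft. It matches on host and path rather than on the literal strings, so a link with a different scheme, upper-case letters, a query string or no scheme at all (as "aka.ms/devicelogin" might be pasted into a message) still registers. It also treats microsoft.com/devicelogin, mentioned earlier in the article, as an indicator. The email bodies are constructed samples.

```python
"""Find links to the Microsoft device login pages in email text.

Added example (not the article's sources' code). Indicator URLs are the ones
the article lists, compared by normalized host and path; sample messages are
constructed.
"""
import re
from urllib.parse import urlsplit

# Indicators from the article, normalized to (host, path).
DEVICE_LOGIN_INDICATORS = {
    ("login.microsoftonline.com", "/common/oauth2/deviceauth"),
    ("www.microsoft.com", "/devicelogin"),
    ("microsoft.com", "/devicelogin"),
    ("aka.ms", "/devicelogin"),
}

# Crude URL finder: optional scheme, a dotted host, optional path up to
# whitespace or closing punctuation.
URL_RE = re.compile(
    r"(?:https?://)?(?:[a-z0-9-]+\.)+[a-z]{2,}(?:/[^\s<>\"')\]]*)?",
    re.IGNORECASE,
)

# Constructed sample messages.
SAMPLE_MESSAGES = {
    "teams_invite": "Please join the briefing here: https://www.microsoft.com/devicelogin and enter code ABCD1234.",
    "upper_case": "Sign in at HTTPS://LOGIN.MICROSOFTONLINE.COM/common/oauth2/deviceauth?x=1 to access the shared folder.",
    "benign": "Agenda attached; see https://learn.microsoft.com/ for background. Regards, j.doe@example.org",
}


def normalize(url):
    """Return (host, path): lower-cased host, no query/fragment, no trailing slash."""
    if "://" not in url:
        url = "https://" + url  # scheme-less link such as aka.ms/devicelogin
    parts = urlsplit(url)
    return (parts.hostname or ""), parts.path.rstrip("/")


def find_device_login_links(text):
    """Return the distinct raw URLs in text that point at a device login page."""
    hits = []
    for match in URL_RE.finditer(text):
        raw = match.group(0).rstrip(".,;")
        if normalize(raw) in DEVICE_LOGIN_INDICATORS and raw not in hits:
            hits.append(raw)
    return hits


def scan_messages(messages):
    """Map message id -> matching URLs, omitting messages with no hit."""
    result = {}
    for msg_id, body in messages.items():
        hits = find_device_login_links(body)
        if hits:
            result[msg_id] = hits
    return result


if __name__ == "__main__":
    for msg_id, hits in scan_messages(SAMPLE_MESSAGES).items():
        print(f"{msg_id}: {', '.join(hits)}")
```

A hit is a trigger for review, not proof of phishing: a genuine IT instruction for setting up a shared display will contain the same link, which is why pairing this with the sign-in log check is more useful than either alone.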

“If suspected (…) device code phishing activity is identified, revoke the user’s refresh tokens by calling revokeSignInSessions,” Microsoft advises. Changing the account password is not enough to boot the attacker out of the compromised account: the attacker has obtained both the access token and the refresh token, and can use the latter to request a new access token.
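The revocation step, as an added example that is not Microsoft's own tooling: it calls the Graph endpoint named above, POST /users/{id}/revokeSignInSessions, which invalidates the user's refresh tokens so the attacker can no longer exchange one for a fresh access token. It assumes the caller already holds a Graph access token with permission to revoke sessions (User.RevokeSessions.All or equivalent; acquiring it is outside the example), and dry_run=True builds the request without sending it so the target URL can be checked first.

```python
"""Revoke a user's refresh tokens through Microsoft Graph.

Added example (not Microsoft's code). Assumes a Graph bearer token with
session-revocation permission is supplied by the caller.
"""
import json
import urllib.request
from urllib.parse import quote

GRAPH_BASE = "https://graph.microsoft.com/v1.0"


def build_revoke_request(user_principal_name, graph_token):
    """Build the POST /users/{upn}/revokeSignInSessions request (UPN URL-encoded)."""
    url = f"{GRAPH_BASE}/users/{quote(user_principal_name, safe='')}/revokeSignInSessions"
    return urllib.request.Request(
        url,
        method="POST",
        data=b"",  # the action takes no body
        headers={"Authorization": f"Bearer {graph_token}", "Content-Length": "0"},
    )


def revoke_sign_in_sessions(user_principal_name, graph_token, dry_run=False):
    """Invalidate the user's refresh tokens; with dry_run, only report the request."""
    req = build_revoke_request(user_principal_name, graph_token)
    if dry_run:
        return {"method": req.get_method(), "url": req.full_url, "sent": False}
    with urllib.request.urlopen(req, timeout=30) as resp:
        body = json.loads(resp.read() or b"{}")
    # Graph answers with {"value": true} on success (assumption from the API docs).
    return {"method": "POST", "url": req.full_url, "sent": True, "value": body.get("value")}


if __name__ == "__main__":
    # Constructed placeholder values; a real run needs a valid Graph token.
    print(revoke_sign_in_sessions("a.analyst@example.org", "<graph-token>", dry_run=True))
```

Revocation only stops the refresh token from being used again; access tokens already issued stay valid until they expire, so the usual follow-up is to reset the password and review mailbox rules and recent activity for the account as well.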

Volexity has also provided indicators of compromise associated with the campaigns they detected.
