Multiple Russian Actors Attacking Orgs To Hack Microsoft 365 Accounts via Device Code Authentication


Security researchers at Volexity have uncovered multiple Russian threat actors conducting sophisticated social engineering and spear-phishing campaigns targeting Microsoft 365 accounts through Device Code Authentication exploitation.

The attacks, observed since mid-January 2025, involve three distinct groups: “CozyLarch (APT29),” “UTA0304,” and “UTA0307.”

The threat actors impersonate officials from organizations like the US Department of State, Ukrainian Ministry of Defence, and European Parliament to lure victims into authenticating through Microsoft’s Device Code workflow.

Volexity's analysts note that this legitimate feature, typically used for IoT devices and smart TVs, is being weaponized to gain unauthorized access to M365 accounts.

Attack Chain

The attack works by directing victims to legitimate Microsoft URLs:-

  • https://login.microsoftonline.com/common/oauth2/deviceauth
  • https://www.microsoft.com/devicelogin
  • https://aka.ms/devicelogin

When successful, the authentication appears in Entra ID logs with these distinctive markers:-

"authenticationProtocol": "deviceCode"
"originalTransferMethod": "deviceCodeFlow"

The attackers use various client IDs, with UTA0307 specifically using the client ID of Microsoft Teams:

"appDisplayName": "Microsoft Teams",
"appId": "1fec8e78-bce4-4aaf-ab1b-5451cc387264"
Device Code Authentication (Source – Volexity)

In one notable campaign, UTA0304 used a custom Element server (sen-comms[.]com) to coordinate real-time communication with victims, ensuring they entered the device code within the 15-minute validity window.

The attackers then used VPS, Tor, and Mullvad VPN exit nodes to access compromised accounts.

Attack flow (Source – Volexity)

Organizations can protect themselves by implementing conditional access policies to block Device Code Authentication.

Monitoring sign-in logs for the deviceCode authentication protocol is crucial for detection. The campaigns have proven highly effective, surpassing the success rates of traditional phishing methods.

This is partly because the attacks leverage legitimate Microsoft infrastructure, making them harder to detect through conventional security measures.

Organizations are advised to evaluate their Device Code Authentication usage and implement appropriate monitoring and blocking measures.
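As an added example (not Volexity's code or tooling), the following Python triages an Entra ID sign-in export for the two log markers quoted above and the Microsoft Teams client ID, with an allowlist for device code clients an organisation has deliberately approved. The sample records are constructed, and the field names other than the four quoted on the page are assumed to follow the Entra ID sign-in schema.

```python
import json

# Log markers quoted on the page for device code sign-ins in Entra ID.
DEVICE_CODE_PROTOCOL = "deviceCode"
DEVICE_CODE_TRANSFER = "deviceCodeFlow"
# Microsoft Teams client ID quoted on the page (the pattern seen with UTA0307).
TEAMS_APP_ID = "1fec8e78-bce4-4aaf-ab1b-5451cc387264"

# Constructed sample sign-in export (JSON Lines), not real log data; the four
# quoted field names come from the page, the rest is assumed, the error code and
# the zero-padded appIds are placeholders.
SAMPLE_LOG = """\
{"userPrincipalName": "alice@example.test", "ipAddress": "203.0.113.10", "appDisplayName": "Microsoft Teams", "appId": "1fec8e78-bce4-4aaf-ab1b-5451cc387264", "authenticationProtocol": "deviceCode", "originalTransferMethod": "deviceCodeFlow", "status": {"errorCode": 0}}
{"userPrincipalName": "bob@example.test", "ipAddress": "198.51.100.7", "appDisplayName": "Outlook", "appId": "00000000-0000-0000-0000-0000000000aa", "authenticationProtocol": "none", "originalTransferMethod": "none", "status": {"errorCode": 0}}
{"userPrincipalName": "carol@example.test", "ipAddress": "192.0.2.44", "appDisplayName": "Meeting Room TV", "appId": "00000000-0000-0000-0000-0000000000bb", "authenticationProtocol": "deviceCode", "originalTransferMethod": "deviceCodeFlow", "status": {"errorCode": 0}}
{"userPrincipalName": "dave@example.test", "ipAddress": "192.0.2.99", "appDisplayName": "Microsoft Teams", "appId": "1fec8e78-bce4-4aaf-ab1b-5451cc387264", "authenticationProtocol": "deviceCode", "originalTransferMethod": "deviceCodeFlow", "status": {"errorCode": 70016}}
"""

def load_signins(text):
    """Parse a JSON Lines sign-in export into dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def is_device_code_signin(rec):
    """True when either marker quoted on the page is present in the record."""
    return (rec.get("authenticationProtocol") == DEVICE_CODE_PROTOCOL
            or rec.get("originalTransferMethod") == DEVICE_CODE_TRANSFER)

def triage_device_code_signins(records, allowed_app_ids=frozenset()):
    """One alert per device code sign-in whose appId is not an approved device client."""
    alerts = []
    for rec in records:
        if not is_device_code_signin(rec) or rec.get("appId") in allowed_app_ids:
            continue
        succeeded = rec.get("status", {}).get("errorCode", 0) == 0
        if not succeeded:
            severity = "low"      # code expired or never entered by the user
        elif rec.get("appId") == TEAMS_APP_ID:
            severity = "high"     # successful sign-in matching the UTA0307 pattern
        else:
            severity = "medium"   # successful device code sign-in, other client
        alerts.append({"user": rec.get("userPrincipalName"), "ip": rec.get("ipAddress"),
                       "app": rec.get("appDisplayName"), "succeeded": succeeded,
                       "severity": severity})
    return alerts

if __name__ == "__main__":
    approved = {"00000000-0000-0000-0000-0000000000bb"}  # the meeting-room TV above
    for alert in triage_device_code_signins(load_signins(SAMPLE_LOG), approved):
        print(alert)
```

Feed it the real export and, for the high-severity hits, pivot on the source IP against the VPN, Tor and VPS exit nodes the article mentions.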

User awareness training should be updated to include this attack vector, as the workflow differs significantly from typical phishing attempts.

IOCs

Key domains associated with UTA0304 include:-

  • sen-comms[.]com (107.189.27.41)
  • afpi-sec[.]com (144.172.113.77)
  • chromeelevationservice[.]com (167.88.162.72)
  • comms-net[.]com (107.189.26.199)
