Friday, January 2, 2026

A New Code for Theft: Microsoft’s Keys to the Kingdom


Hackers from Russia and China are using “device code phishing” to hijack Microsoft 365 accounts. Here is how a legitimate login feature became a trap.

For years, the “device code” was a digital convenience—a simple way to link a smart TV or a new laptop to a Microsoft account. Now, it has become a potent weapon for state-sponsored spies and common cyber-criminals alike.

In a report released Thursday, the cybersecurity firm Proofpoint warned that a technique known as “device code phishing” is being aggressively deployed to bypass modern security defenses. The culprits range from sophisticated hacking collectives in Russia and China to freelance digital extortionists, all targeting the ubiquitous Microsoft 365 ecosystem.

“This is a social engineering method that abuses a legitimate and trusted workflow,” Sarah Sabotka, a staff threat researcher at Proofpoint, said in an interview. By masquerading as an official authorization process, the attack turns a user’s own security habits against them.

The Mechanics of the Trap

The bait typically arrives as a routine-looking email containing a QR code or a disguised hyperlink. The email, or the attacker's landing page behind the link, supplies a "device code" that the attacker has just requested from Microsoft on their own behalf, and sends the user to Microsoft's genuine device-login page to enter it.

The deception is elegant in its simplicity: the user is told to enter this code as if it were a one-time password. In reality the victim is not logging themselves in; they are approving the pending login that the attacker started, and Microsoft issues the resulting tokens to the attacker's session. The victim even completes multi-factor authentication along the way, so MFA is satisfied on the attacker's behalf and offers no protection. With an access token and a refresh token in hand, the intruder has persistent access to the victim's Microsoft 365 account until those tokens are revoked.
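The exchange described above, as an added example that is not part of the Proofpoint report or of Microsoft's code: a toy authorization server implementing the OAuth 2.0 device authorization grant (RFC 8628), with the attacker's client and the victim's approval as separate calls so the hand-off is visible. The endpoint URL, client id, scope, user-code alphabet and the victim account are assumptions for illustration.

```python
"""Offline simulation of the OAuth 2.0 device authorization grant (RFC 8628)
and of how device code phishing abuses it. ToyAuthServer is a stand-in for
Microsoft's endpoints, not their implementation."""
import secrets
import time
from dataclasses import dataclass
from typing import Optional

# Assumption: a consonant-only alphabet so codes are unambiguous when read aloud;
# the real user-code format is Microsoft's choice and is not modelled exactly.
USER_CODE_ALPHABET = "BCDFGHJKLMNPQRSTVWXZ"


@dataclass
class DeviceGrant:
    device_code: str          # secret handle held only by the client that started the flow
    user_code: str            # short code shown to (or, in a phish, sent to) a human
    client_id: str
    scope: str
    expires_at: float
    interval: int = 5
    authorized_by: Optional[str] = None   # set once a human approves the grant


class ToyAuthServer:
    def __init__(self, now=time.time):
        self.now = now                    # injectable clock so expiry can be exercised
        self.by_device_code = {}
        self.by_user_code = {}

    def device_authorization(self, client_id, scope, lifetime=900):
        """Step 1: any client asks for a code pair. Nobody has authenticated yet."""
        device_code = secrets.token_urlsafe(32)
        user_code = "".join(secrets.choice(USER_CODE_ALPHABET) for _ in range(9))
        g = DeviceGrant(device_code, user_code, client_id, scope, self.now() + lifetime)
        self.by_device_code[device_code] = g
        self.by_user_code[user_code] = g
        return {"device_code": device_code, "user_code": user_code,
                "verification_uri": "https://login.example.test/devicelogin",  # assumed URL
                "expires_in": lifetime, "interval": g.interval}

    def user_enters_code(self, user_code, username, mfa_ok):
        """Step 2: a human at the genuine verification page types the code and signs in."""
        g = self.by_user_code.get(user_code.replace("-", "").upper())
        if g is None or self.now() > g.expires_at:
            return "invalid_or_expired_code"
        if not mfa_ok:
            return "mfa_required"
        g.authorized_by = username        # approval binds the grant to whoever signed in
        return "approved"

    def token(self, device_code, client_id):
        """Step 3: the client that started the flow polls for tokens."""
        g = self.by_device_code.get(device_code)
        if g is None or g.client_id != client_id:
            return {"error": "invalid_grant"}
        if self.now() > g.expires_at:
            return {"error": "expired_token"}
        if g.authorized_by is None:
            return {"error": "authorization_pending"}
        return {"access_token": "at-" + secrets.token_hex(8),
                "refresh_token": "rt-" + secrets.token_hex(8),
                "subject": g.authorized_by, "scope": g.scope,
                "amr": ["pwd", "mfa"]}    # the victim's own MFA is what satisfied the policy


def run_phish(server, victim="alice@contoso.test"):
    """The attack end to end: attacker starts the flow, victim approves it, attacker gets tokens."""
    attacker_client = "client-chosen-by-attacker"   # assumed: any client allowed to use the flow
    start = server.device_authorization(attacker_client, "openid offline_access Mail.Read")
    pending = server.token(start["device_code"], attacker_client)   # nothing issued yet
    # The lure: "enter this one-time code at the Microsoft page". The victim visits the
    # real verification URL, types start["user_code"], and completes MFA as usual.
    outcome = server.user_enters_code(start["user_code"], victim, mfa_ok=True)
    tokens = server.token(start["device_code"], attacker_client)    # now issued for the victim
    return pending, outcome, tokens


if __name__ == "__main__":
    print(run_phish(ToyAuthServer()))
```

Note what the victim never handles: the device_code. Only the party that called step 1 can redeem the grant, which is exactly why typing someone else's user code hands them the account. The defensive lever sits at step 1 as well: Microsoft Entra Conditional Access has an authentication-flows condition that can block the device code flow tenant-wide or confine it to the few devices that legitimately need it.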


State-Sponsored Predators

The report identifies a diverse cast of adversaries leveraging this tactic:

  • The Russian Front: A group dubbed UNK_AcademicFlare has been active since September, using hijacked government and military email addresses to target think tanks, universities, and transportation hubs across the United States and Europe.
  • The Chinese Connection: State-aligned groups have adopted the method to penetrate high-value corporate and political networks.
  • The Cyber-Mercenaries: A criminal actor known as TA2723 has been caught selling sophisticated kits, such as “SquarePhish2” and “Graphish,” on dark-web forums, effectively democratizing the ability to launch these high-level attacks.

A Growing Blind Spot

The “Graphish” kit is particularly concerning to researchers. It lets even low-skilled attackers build highly convincing phishing pages backed by Azure app registrations, making the fake login pages nearly indistinguishable from the genuine ones.

Microsoft, while not commenting directly on the new findings, pointed to previous research regarding a Russia-linked group, Storm-2372, which has been honing similar techniques since mid-2024.

As attacks of this kind, alongside the better-known adversary-in-the-middle proxy kits, grow more common, security experts warn that the era of simply trusting a legitimate-looking URL is over. Device code phishing goes a step further: the page the victim visits is not merely legitimate-looking but genuinely Microsoft's, and what has to be distrusted is the instruction to type in a code that someone else requested. For the modern office worker, a “one-time password” may now be a one-time ticket for a hacker to move in.
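Because the page the victim visits is genuinely Microsoft's, URL filtering has nothing to catch; the check a defender can actually run is on the tenant's sign-in logs, where the device code flow is labelled. The following added example, which is not from the article, Proofpoint or Microsoft, triages constructed sign-in records shaped like Microsoft Graph signIn objects. The field names (userPrincipalName, ipAddress, appDisplayName, authenticationProtocol, status.errorCode) are real; the record values, the corporate egress range and the allow-listed application are assumptions.

```python
"""Triage of device code sign-ins in constructed Entra ID sign-in records.
authenticationProtocol == "deviceCode" is how the flow appears in the log."""
import ipaddress
import json
from collections import defaultdict

# Assumptions for this example: the tenant's known office egress range and the one
# application that is legitimately expected to use the device code flow.
CORP_RANGES = [ipaddress.ip_network("203.0.113.0/24")]
ALLOWED_DEVICE_CODE_APPS = {"Conference Room Display"}

# Constructed records (JSON lines) in the shape of Microsoft Graph signIn objects.
SAMPLE_LOGS = """
{"userPrincipalName":"alice@contoso.test","ipAddress":"198.51.100.7","appDisplayName":"Microsoft Office","authenticationProtocol":"deviceCode","status":{"errorCode":0}}
{"userPrincipalName":"bob@contoso.test","ipAddress":"198.51.100.7","appDisplayName":"Microsoft Office","authenticationProtocol":"deviceCode","status":{"errorCode":0}}
{"userPrincipalName":"carol@contoso.test","ipAddress":"203.0.113.10","appDisplayName":"Conference Room Display","authenticationProtocol":"deviceCode","status":{"errorCode":0}}
{"userPrincipalName":"dave@contoso.test","ipAddress":"198.51.100.50","appDisplayName":"Microsoft Office","authenticationProtocol":"oAuth2","status":{"errorCode":0}}
"""


def parse_jsonl(text):
    """One dict per non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def is_corporate(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CORP_RANGES)


def triage_device_code(records):
    """Return one finding per successful device code sign-in that looks out of place.

    A finding carries every reason that fired: source IP outside corporate ranges,
    an application not expected to use the flow, or several distinct users whose
    grants were redeemed from the same host (a campaign pattern, since the token
    request comes from the attacker's machine, not the victim's).
    """
    successes = [r for r in records
                 if r.get("authenticationProtocol") == "deviceCode"
                 and r.get("status", {}).get("errorCode", 0) == 0]
    users_per_ip = defaultdict(set)
    for r in successes:
        users_per_ip[r["ipAddress"]].add(r["userPrincipalName"])
    findings = []
    for r in successes:
        reasons = []
        if not is_corporate(r["ipAddress"]):
            reasons.append("external_ip")
        if r["appDisplayName"] not in ALLOWED_DEVICE_CODE_APPS:
            reasons.append("unexpected_app")
        if len(users_per_ip[r["ipAddress"]]) > 1:
            reasons.append("shared_source_ip")
        if reasons:
            findings.append({"user": r["userPrincipalName"], "ip": r["ipAddress"],
                             "app": r["appDisplayName"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in triage_device_code(parse_jsonl(SAMPLE_LOGS)):
        print(finding)
```

On the constructed input, carol's sign-in from the conference-room display passes cleanly, dave's interactive sign-in is ignored because it is not a device code grant, and alice and bob are flagged on all three counts. In production the same logic belongs in a scheduled query against the sign-in log export, with the allow-list and IP ranges taken from the tenant's own inventory rather than hard-coded.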
