Multiple Russian Threat Actors Targeting Microsoft Device Code Authentication

Feb. 14, 2025, 10:46 a.m.

Description

Russian threat actors are running social-engineering and spear-phishing campaigns that compromise Microsoft 365 accounts through Device Code Authentication phishing, an abuse of the OAuth 2.0 device authorization grant: the attacker initiates the flow, sends the victim the resulting user code under a plausible pretext, and the victim enters it on Microsoft's legitimate sign-in page, after which the tokens are issued to the attacker-controlled client. This method has proven more effective than traditional credential-phishing techniques. Campaigns have used politically themed lures and impersonated entities such as the US Department of State and the Ukrainian Ministry of Defence. Three distinct threat actors (UTA0304, CozyLarch/APT29 and UTA0307) have been identified using similar tactics with slight variations in approach and infrastructure. The attacks exploit users' unfamiliarity with the device-code sign-in process, which makes the prompt hard to recognise as phishing. Detection methods and preventive measures exist but are often not implemented by organisations.
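The detection side of the summary above, as an added example that is not code from the original page or from the researchers it summarises: a small hunt over Microsoft Entra ID sign-in records that surfaces successful device-code sign-ins for triage. The records are constructed to resemble Microsoft Graph `signIn` objects (the `authenticationProtocol` property is `deviceCode` when the device authorization grant was used); every value in them is invented, and the allowlist of users expected to use the flow is an assumption an analyst would replace with their own baseline.

```python
"""Hunt for successful OAuth 2.0 device-code sign-ins in Entra ID sign-in logs.

Added example for this advisory, not code from the original page. The sample
records are constructed (Graph signIn-style field names, invented values).
"""
import json
from collections import defaultdict

# Constructed sample: one JSON sign-in record per line.
SAMPLE_SIGNINS = """\
{"createdDateTime":"2025-02-11T09:02:11Z","userPrincipalName":"a.petrov@example.org","appDisplayName":"Microsoft Office","authenticationProtocol":"oAuth2","ipAddress":"203.0.113.10","status":{"errorCode":0}}
{"createdDateTime":"2025-02-11T09:40:27Z","userPrincipalName":"a.petrov@example.org","appDisplayName":"Microsoft Authentication Broker","authenticationProtocol":"deviceCode","ipAddress":"198.51.100.77","status":{"errorCode":0}}
{"createdDateTime":"2025-02-11T10:15:03Z","userPrincipalName":"b.kowalski@example.org","appDisplayName":"Microsoft Azure CLI","authenticationProtocol":"deviceCode","ipAddress":"203.0.113.22","status":{"errorCode":53003}}
{"createdDateTime":"2025-02-11T11:00:00Z","userPrincipalName":"c.ops@example.org","appDisplayName":"Microsoft Azure CLI","authenticationProtocol":"deviceCode","ipAddress":"203.0.113.30","status":{"errorCode":0}}
{"createdDateTime":"2025-02-12T08:30:00Z","userPrincipalName":"c.ops@example.org","appDisplayName":"Microsoft Azure CLI","authenticationProtocol":"deviceCode","ipAddress":"203.0.113.30","status":{"errorCode":0}}
{"createdDateTime":"2025-02-12T14:05:44Z","userPrincipalName":"a.petrov@example.org","appDisplayName":"Microsoft Authentication Broker","authenticationProtocol":"deviceCode","ipAddress":"198.51.100.78","status":{"errorCode":0}}
"""

# Assumption: the only users with a business need for device code (CLI tooling).
EXPECTED_DEVICE_CODE_USERS = frozenset({"c.ops@example.org"})


def parse_signins(text):
    """Parse newline-delimited JSON sign-in records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def device_code_findings(events, expected_users=EXPECTED_DEVICE_CODE_USERS):
    """Return triage findings for successful device-code sign-ins.

    Each finding carries the user, timestamp, app, source IP and the reasons
    it deserves a look. Attempts with a non-zero errorCode are skipped
    because no token was issued for them.
    """
    events = sorted(events, key=lambda e: e["createdDateTime"])
    prior_successes = defaultdict(int)  # per-user count of earlier device-code successes
    findings = []
    for e in events:
        if e.get("authenticationProtocol") != "deviceCode":
            continue
        if e.get("status", {}).get("errorCode", 0) != 0:
            continue
        upn = e["userPrincipalName"]
        reasons = []
        if upn not in expected_users:
            reasons.append("user has no business need for device code flow")
        if prior_successes[upn] == 0:
            reasons.append("first device-code sign-in seen for this user")
        prior_successes[upn] += 1
        if reasons:
            findings.append({
                "user": upn,
                "time": e["createdDateTime"],
                "app": e.get("appDisplayName"),
                "ip": e.get("ipAddress"),
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for f in device_code_findings(parse_signins(SAMPLE_SIGNINS)):
        print(f"{f['time']} {f['user']} via {f['app']} from {f['ip']}: "
              f"{'; '.join(f['reasons'])}")
```

On the sample, the two successful sign-ins by a.petrov are flagged (the user is outside the expected set) and the first sign-in by c.ops is flagged only as a new baseline event; the blocked attempt by b.kowalski is ignored. In production the same property is available as `AuthenticationProtocol` in the Log Analytics `SigninLogs` table, and where the flow is not needed at all it can be blocked outright with the Conditional Access authentication flows condition (device code flow), which is the preventive control the summary refers to.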

Date

  • Created: Feb. 14, 2025, 2:48 a.m.
  • Published: Feb. 14, 2025, 2:48 a.m.
  • Modified: Feb. 14, 2025, 10:46 a.m.

Attack Patterns

  • CozyLarch, UTA0304, UTA0307
  • T1589 (Gather Victim Identity Information)
  • T1586 (Compromise Accounts)
  • T1528 (Steal Application Access Token)
  • T1534 (Internal Spearphishing)
  • T1550 (Use Alternate Authentication Material)
  • T1539 (Steal Web Session Cookie)
  • T1530 (Data from Cloud Storage)
  • T1598 (Phishing for Information)
  • T1204 (User Execution)
  • T1584 (Compromise Infrastructure)
  • T1566 (Phishing)
  • T1078 (Valid Accounts)

Additional Information

  • Research
  • Defense
  • Government
  • Ukraine
  • United States of America