Overview of the Phishing Campaign
Russia-linked hackers are using device code phishing to hijack online accounts. The campaign targets cloud email users across several sectors, and researchers first observed the activity in September 2025; it remains active and continues to evolve.
The attackers focus on organizations in the U.S. and Europe, including government, education, and transportation groups. The method relies on trust rather than technical flaws, which increases its success rate.
Abuse of Trusted Email Accounts
The attackers begin with compromised email accounts belonging to government or military organizations, so their messages appear legitimate and victims rarely suspect malicious intent.
The emails often open with friendly outreach, for example a proposal for an interview or a meeting. These conversations are fake; the goal is to build trust gradually.
Fake Documents and Device Code Traps
After initial contact, the attackers share a link to a document that supposedly contains discussion topics, which encourages the victim to review it and advances the deception.
The link leads to a fake cloud storage page that mimics a familiar document-sharing service. The page asks the user to enter a device code, and that request marks the start of the attack phase.
How Device Code Phishing Works
The fake page sends the user to the cloud provider's real login site, where the victim enters the device code supplied in the lure. Because the login page is genuine, the process looks legitimate, and entering the code completes the trap.
Once the code is entered, the service issues an access token. That token goes to the client that started the device code flow, which the attackers control, so they receive it remotely and gain full access to the account without ever stealing a password.
Account Takeover and Expanded Risks
With access, the attackers read emails and files and can impersonate the victim, so further phishing spreads quickly and the impact multiplies across networks.
Researchers noted repeated use of this method. The technique exploits no software bugs; it abuses built-in authentication features, which makes it harder to detect.
Growing Adoption by Multiple Threat Actors
Other threat groups now use device code phishing, some for financial gain and others for espionage, so the threat landscape continues to widen.
Easy-to-use phishing kits fuel this trend. These tools require little technical skill, so more attackers adopt advanced methods and the barrier to entry drops.
Why the Attacks Are Hard to Detect
Security tools often trust device code logins because the process runs on legitimate infrastructure, so alerts may not trigger and attackers blend into normal activity.
Additionally, victims willingly approve the access because they misunderstand what the code does. This confusion benefits attackers, so user education remains critical.
How to Prevent Device Code Phishing
Organizations should restrict device code authentication; conditional access policies can block its use where it is not needed, removing this pathway from the attackers. Continuous email monitoring also helps, and endpoint and identity protection can detect unusual logins, such as device code sign-ins from locations or devices the user has never used. Together, these controls significantly reduce the risk of account takeover.
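As an added example (not from the original article), here is a small Python detector that reviews sign-in records for device code logins and rates each one against the user's baseline of ordinary sign-ins. The record layout follows Microsoft Entra ID sign-in logs, but the field names and all sample values are assumptions constructed for this example.

```python
from collections import defaultdict

# Constructed sign-in records laid out like Microsoft Entra ID sign-in log entries.
# Field names and values are assumptions for this example; real exports carry more fields.
SAMPLE_SIGNINS = [
    {"userPrincipalName": "alice@example.gov", "createdDateTime": "2025-09-10T08:02:00Z",
     "authenticationProtocol": "authorizationCode", "ipAddress": "203.0.113.10",
     "location": {"countryOrRegion": "US"}, "appDisplayName": "Outlook"},
    {"userPrincipalName": "alice@example.gov", "createdDateTime": "2025-09-11T09:15:00Z",
     "authenticationProtocol": "authorizationCode", "ipAddress": "203.0.113.10",
     "location": {"countryOrRegion": "US"}, "appDisplayName": "Outlook"},
    # Device code redeemed from a host and country alice has never signed in from.
    {"userPrincipalName": "alice@example.gov", "createdDateTime": "2025-09-12T14:40:00Z",
     "authenticationProtocol": "deviceCode", "ipAddress": "198.51.100.77",
     "location": {"countryOrRegion": "NL"}, "appDisplayName": "Microsoft Office"},
    # Routine device code use by an admin on a headless box at the usual address.
    {"userPrincipalName": "bob@example.gov", "createdDateTime": "2025-09-09T10:00:00Z",
     "authenticationProtocol": "authorizationCode", "ipAddress": "203.0.113.22",
     "location": {"countryOrRegion": "US"}, "appDisplayName": "Outlook"},
    {"userPrincipalName": "bob@example.gov", "createdDateTime": "2025-09-12T10:00:00Z",
     "authenticationProtocol": "deviceCode", "ipAddress": "203.0.113.22",
     "location": {"countryOrRegion": "US"}, "appDisplayName": "Azure CLI"},
]

def find_device_code_logins(signins):
    """Return (upn, severity, timestamp, reasons) for every device code sign-in.
    Each is at least "info" for auditing; it becomes "high" when the token was
    redeemed from an IP or country absent from the user's ordinary sign-ins."""
    baseline_ips, baseline_countries = defaultdict(set), defaultdict(set)
    for s in signins:
        if s["authenticationProtocol"] != "deviceCode":
            baseline_ips[s["userPrincipalName"]].add(s["ipAddress"])
            baseline_countries[s["userPrincipalName"]].add(s["location"]["countryOrRegion"])
    findings = []
    for s in sorted(signins, key=lambda r: r["createdDateTime"]):
        if s["authenticationProtocol"] != "deviceCode":
            continue
        upn, reasons = s["userPrincipalName"], []
        if s["ipAddress"] not in baseline_ips[upn]:
            reasons.append("redeemed from an IP never seen in this user's sign-ins")
        if s["location"]["countryOrRegion"] not in baseline_countries[upn]:
            reasons.append("country differs from this user's interactive sign-ins")
        findings.append((upn, "high" if reasons else "info", s["createdDateTime"], reasons))
    return findings

if __name__ == "__main__":
    for upn, severity, when, reasons in find_device_code_logins(SAMPLE_SIGNINS):
        print(f"[{severity}] {when} {upn} device code login " + "; ".join(reasons))
```

Because the "info" findings list every device code redemption, the same report also shows which users legitimately rely on the flow before a conditional access policy blocks it.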
Sleep well, we got you covered.

