
UNK_AcademicFlare Microsoft 365 device code phishing campaign

Campaign
H score 42
1 unique source, 1 article

Summary


The UNK_AcademicFlare phishing campaign is actively stealing Microsoft 365 credentials through device code authentication abuse, creating account takeover risk for organizations across government, think tanks, higher education, and transportation in the U.S. and Europe. The operation has been active since September 2025 and uses trust-building outreach from compromised email accounts. It matters because the same login flow can yield valid access tokens that let operators take over accounts without needing a password reset. The campaign shows how a low-friction phishing method can be reused at scale against sensitive organizations.

Timeline

  1. 19.12.2025 19:54 · 2 articles

    UNK_AcademicFlare device code phishing disclosure

    Initial Disclosure

    Proofpoint attributed the UNK_AcademicFlare phishing campaign to a suspected Russia-aligned group using device code authentication workflows to steal Microsoft 365 credentials and take over accounts at government, think tank, higher education, and transportation targets in the U.S. and Europe. The campaign used compromised email addresses to build rapport, sent victims to a Cloudflare Worker page that mimicked Microsoft OneDrive, and redirected them to the legitimate Microsoft device code login URL so entered codes could generate access tokens for account takeover. Defenders were advised to block device code flow with a Conditional Access policy using the Authentication Flows condition, or restrict the flow to approved users, operating systems, or IP ranges.

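The advice to restrict device code flow to approved users or IP ranges can also be checked after the fact against sign-in logs. The following is an added example, not code from Proofpoint or the original page: the field names (`authenticationProtocol`, `userPrincipalName`, `ipAddress`) are assumed to follow an Entra ID sign-in log export, `status` is simplified to a string, and the allowlists and sample records are constructed.

```python
import ipaddress

# Assumed allowlists: accounts and networks approved for device code flow
APPROVED_USERS = {"kiosk-signage@example.org"}
APPROVED_NETWORKS = [ipaddress.ip_network("198.51.100.0/24")]

# Constructed sample records; field names are assumptions (see lead-in)
SAMPLE_SIGNINS = [
    {"userPrincipalName": "kiosk-signage@example.org", "ipAddress": "198.51.100.20",
     "authenticationProtocol": "deviceCode", "status": "success"},
    {"userPrincipalName": "analyst@example.org", "ipAddress": "203.0.113.77",
     "authenticationProtocol": "deviceCode", "status": "success"},
    {"userPrincipalName": "analyst@example.org", "ipAddress": "198.51.100.9",
     "authenticationProtocol": "none", "status": "success"},
    {"userPrincipalName": "kiosk-signage@example.org", "ipAddress": "203.0.113.5",
     "authenticationProtocol": "deviceCode", "status": "failure"},
    {"userPrincipalName": "dean@example.org", "ipAddress": "not-an-ip",
     "authenticationProtocol": "deviceCode", "status": "success"},
]

def ip_is_approved(raw_ip):
    """Return True only if raw_ip parses and falls inside an approved network."""
    try:
        addr = ipaddress.ip_address(raw_ip)
    except ValueError:
        return False  # an unparseable source address is treated as unapproved
    return any(addr in net for net in APPROVED_NETWORKS)

def review_device_code_signins(records):
    """Flag device code sign-ins outside the approved users or networks."""
    findings = []
    for rec in records:
        if rec.get("authenticationProtocol") != "deviceCode":
            continue  # other authentication flows are out of scope here
        reasons = []
        if rec.get("userPrincipalName", "").lower() not in APPROVED_USERS:
            reasons.append("user not approved")
        if not ip_is_approved(rec.get("ipAddress", "")):
            reasons.append("source IP not approved")
        if reasons:
            # A successful sign-in means tokens were issued: review first
            severity = "high" if rec.get("status") == "success" else "medium"
            findings.append((rec.get("userPrincipalName"), severity, reasons))
    return findings

if __name__ == "__main__":
    for finding in review_device_code_signins(SAMPLE_SIGNINS):
        print(finding)
```

Successful device code sign-ins by unapproved users are the ones to triage first, since a token has already been issued and a password reset alone does not revoke it.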