UNK_AcademicFlare Microsoft 365 device code phishing campaign
Campaign
Summary
Hide ▲
Show ▼
The UNK_AcademicFlare phishing campaign is actively stealing Microsoft 365 credentials through device code authentication abuse, creating account takeover risk for organizations across government, think tanks, higher education, and transportation in the U.S. and Europe. The operation has been active since September 2025 and uses trust-building outreach from compromised email accounts. It matters because the same login flow can yield valid access tokens that let operators take over accounts without needing a password reset. The campaign shows how a low-friction phishing method can be reused at scale against sensitive organizations.
Related Happenings
O-UNC-066 / Pink Microsoft Entra passkey vishing campaign
Campaign
H score37
First: 08.07.2026 19:47
Last: 08.07.2026 19:47
Sources 1
About this happening:
The **O-UNC-066 / Pink** operation is using **voice-based phishing** to push **Microsoft 365** users into enrolling attacker-controlled **Entra passkeys**, creating a direct path...
O-UNC-066 / Pink Microsoft Entra passkey vishing campaign
CampaignAbout this happening: The **O-UNC-066 / Pink** operation is using **voice-based phishing** to push **Microsoft 365** users into enrolling attacker-controlled **Entra passkeys**, creating a direct path...
UNK_MassTraction Roundcube university exploitation campaign
Campaign
H score41
First: 07.07.2026 12:10
Last: 07.07.2026 12:10
Sources 1
About this happening:
The **UNK_MassTraction** campaign is a **China-linked** activity targeting **Roundcube** webmail at **U.S. and Canadian universities** and related research organizations to steal...
UNK_MassTraction Roundcube university exploitation campaign
CampaignAbout this happening: The **UNK_MassTraction** campaign is a **China-linked** activity targeting **Roundcube** webmail at **U.S. and Canadian universities** and related research organizations to steal...
Microsoft Azure CLI password-spray campaign using ROPC
Campaign
H score24
First: 01.07.2026 08:46
Last: 01.07.2026 08:46
Sources 1
About this happening:
A **massive automated password-spray campaign** against **Microsoft Azure CLI** compromised **at least 78 accounts** across **64 organizations**, expanding access risk across clou...
Microsoft Azure CLI password-spray campaign using ROPC
CampaignAbout this happening: A **massive automated password-spray campaign** against **Microsoft Azure CLI** compromised **at least 78 accounts** across **64 organizations**, expanding access risk across clou...
Kali365 Microsoft 365 device-code phishing campaign
Campaign
H score46
First: 25.05.2026 15:45
Last: 25.05.2026 15:45
Sources 1
About this happening:
A **Kali365** phishing campaign is targeting **Microsoft 365** environments worldwide with **device-code login lures**, putting accounts at risk of **token theft** and **MFA bypas...
Kali365 Microsoft 365 device-code phishing campaign
CampaignAbout this happening: A **Kali365** phishing campaign is targeting **Microsoft 365** environments worldwide with **device-code login lures**, putting accounts at risk of **token theft** and **MFA bypas...
CypherLoc phishing-led browser scareware campaign
Campaign
H score49
First: 20.05.2026 13:00
Last: 20.05.2026 13:00
Sources 1
About this happening:
The **CypherLoc** operation has driven **around 2.8 million attacks** since the start of **2026**, using **phishing emails** to send users to malicious pages that lock browsers an...
CypherLoc phishing-led browser scareware campaign
CampaignAbout this happening: The **CypherLoc** operation has driven **around 2.8 million attacks** since the start of **2026**, using **phishing emails** to send users to malicious pages that lock browsers an...
Timeline
-
19.12.2025 19:54 2 articles · 6mo ago
UNK_AcademicFlare device code phishing disclosure
Initial DisclosureProofpoint attributed the UNK_AcademicFlare phishing campaign to a suspected Russia-aligned group using device code authentication workflows to steal Microsoft 365 credentials and take over accounts at government, think tank, higher education, and transportation targets in the U.S. and Europe. The campaign used compromised email addresses to build rapport, sent victims to a Cloudflare Worker page that mimicked Microsoft OneDrive, and redirected them to the legitimate Microsoft device code login URL so entered codes could generate access tokens for account takeover. Defenders were advised to block device code flow with a Conditional Access policy using the Authentication Flows condition, or restrict the flow to approved users, operating systems, or IP ranges.
Show sources
- Russia-Linked Hackers Use Microsoft 365 Device Code Phishing for Account Takeovers — thehackernews.com — 19.12.2025 19:54
- Russia-Linked Hackers Use Microsoft 365 Device Code Phishing for Account Takeovers — thehackernews.com — 19.12.2025 19:54