Multiple Russian Actors Attacking Orgs To Hack Microsoft 365 Accounts via Device Code Authentication

Security researchers at Volexity have uncovered multiple Russian threat actors conducting sophisticated social engineering and spear-phishing campaigns targeting Microsoft 365 accounts through Device Code Authentication exploitation. The threat actors impersonate officials from organizations like the US Department of State, Ukrainian Ministry of Defence, and European Parliament to lure victims into authenticating through Microsoft’s Device Code workflow. In one notable campaign, UTA0304 used a custom Element server (sen-comms[.]com) to coordinate real-time communication with victims, ensuring they entered the device code within the 15-minute validity window. While the security analysts at Volexity detected that this legitimate feature, typically used for IoT devices and smart TVs, is being weaponized to gain unauthorized access to M365 accounts. Organizations are advised to evaluate their Device Code Authentication usage and implement appropriate monitoring and blocking measures. Cyber Security News is a Dedicated News Platform For Cyber News, Cyber Attack News, Hacking News & Vulnerability Analysis. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news. Organizations can protect themselves by implementing conditional access policies to block Device Code Authentication.

This Cyber News was published on cybersecuritynews.com. Publication date: Mon, 17 Feb 2025 10:00:16 +0000

Cyber News related to Multiple Russian Actors Attacking Orgs To Hack Microsoft 365 Accounts via Device Code Authentication

Veeam adds BaaS capabilities for Veeam Backup for Microsoft 365 - Veeam Software has expanded its relationship with Microsoft. Veeam is making it easier for customers to protect Microsoft 365 with Cirrus by Veeam which brings the ease and flexibility of Backup-as-a-Service for Microsoft 365. Utilizing the power and ...
1 year ago Helpnetsecurity.com

Microsoft reveals how hackers breached its Exchange Online accounts - Microsoft confirmed that the Russian Foreign Intelligence Service hacking group, which hacked into its executives' email accounts in November 2023, also breached other organizations as part of this malicious campaign. On January 12, 2024, Microsoft ...
1 year ago Bleepingcomputer.com

Microsoft Incident Response lessons on preventing cloud identity compromise - Microsoft Incident Response is often engaged in cases where organizations have lost control of their Microsoft Entra ID tenant, due to a combination of misconfiguration, administrative oversight, exclusions to security policies, or insufficient ...
1 year ago Microsoft.com

New Microsoft Incident Response guides help security teams analyze suspicious activity - Today Microsoft Incident Response are proud to introduce two one-page guides to help security teams investigate suspicious activity in Microsoft 365 and Microsoft Entra. These guides contain the artifacts that Microsoft Incident Response hunts for ...
1 year ago Microsoft.com

CISA Warns of Compromised Microsoft Accounts - CISA issued a fresh CISA emergency directive in early April instructing U.S. federal agencies to mitigate risks stemming from the breach of numerous Microsoft corporate email accounts by the Russian APT29 hacking group. The directive is known as ...
10 months ago Securityboulevard.com

CISA orders agencies impacted by Microsoft hack to mitigate risks - CISA has issued a new emergency directive ordering U.S. federal agencies to address risks resulting from the breach of multiple Microsoft corporate email accounts by the Russian APT29 hacking group. It requires them to investigate potentially ...
10 months ago Bleepingcomputer.com

Multiple Russian Actors Attacking Orgs To Hack Microsoft 365 Accounts via Device Code Authentication - Security researchers at Volexity have uncovered multiple Russian threat actors conducting sophisticated social engineering and spear-phishing campaigns targeting Microsoft 365 accounts through Device Code Authentication exploitation. The threat ...
3 days ago Cybersecuritynews.com

Staying ahead of threat actors in the age of AI - At the same time, it is also important for us to understand how AI can be potentially misused in the hands of threat actors. In collaboration with OpenAI, today we are publishing research on emerging threats in the age of AI, focusing on identified ...
1 year ago Microsoft.com

Microsoft Disables Verified Partner Accounts Used for OAuth Phishing - Microsoft has disabled multiple fraudulent, verified Microsoft Partner Network accounts for creating malicious OAuth applications that breached organizations cloud environments to steal email. In a joint announcement between Microsoft and Proofpoint, ...
2 years ago Bleepingcomputer.com

HPE: Russian hackers breached its security team's email accounts - Hewlett Packard Enterprise disclosed today that suspected Russian hackers known as Midnight Blizzard gained access to the company's Microsoft Office 365 email environment to steal data from its cybersecurity team and other departments. Midnight ...
1 year ago Bleepingcomputer.com

Russian hackers stole Microsoft corporate emails in month-long breach - Microsoft disclosed Friday night that some of its corporate email accounts were breached and data stolen by the Russian state-sponsored hacking group Midnight Blizzard. The company detected the attack on January 12th, with Microsoft initiating its ...
1 year ago Bleepingcomputer.com

Microsoft 365 To Block Downloaded Excel XLL Add-Ins To Boost Security - Microsoft has recently announced that in order to help improve security, Microsoft 365 is now blocking the download of XLL add-ins for Excel on both Window PCs and Apple Macs. This new feature will be put into effect early 2021, affecting both Office ...
2 years ago Bleepingcomputer.com

Russian Spies Hacked Microsoft Email Systems & Accessed Code - Microsoft has disclosed that Russian government hackers, identified as the group Midnight Blizzard, have successfully infiltrated its corporate email systems and stolen source codes. Microsoft's announcement on March 8, 2024, detailed that Midnight ...
11 months ago Cybersecuritynews.com

Microsoft fixes Outlook Desktop crashes when sending emails - Microsoft has fixed a known issue causing Outlook Desktop clients to crash when sending emails from Outlook.com accounts. These problems were first reported on Microsoft's community website and other social networks by customers saying they were ...
1 year ago Bleepingcomputer.com

FSB arrests Russian hackers working for Ukrainian cyber forces - The Russian Federal Security Service arrested two individuals believed to have helped Ukrainian forces carry out cyberattacks to disrupt Russian critical infrastructure targets. Both suspects were taken into custody one same day in two different ...
1 year ago Bleepingcomputer.com

Russian military hackers target NATO fast reaction corps - Russian APT28 military hackers used Microsoft Outlook zero-day exploits to target multiple European NATO member countries, including a NATO Rapid Deployable Corps. Researchers from Palo Alto Networks' Unit 42 have observed them exploiting the ...
1 year ago Bleepingcomputer.com

Microsoft named as a Leader in three IDC MarketScapes for Modern Endpoint Security 2024 - With these security concerns top of mind, there is no surprise that in the last five years, the Modern Endpoint Security market has nearly tripled in size to defend against emerging, sophisticated, and persistent threats. Microsoft Defender for ...
11 months ago Techcommunity.microsoft.com

Microsoft: Hackers steal emails in device code phishing attacks - "The invitations lure the user into completing a device code authentication request emulating the experience of the messaging service, which provides Storm-2372 initial access to victim accounts and enables Graph API data collection activities, such ...
4 days ago Bleepingcomputer.com

Russian state hackers spy on Ukrainian military through Signal app | The Record from Recorded Future News - Google said that while these recent attacks were likely driven by wartime demands to access sensitive government and military communications in the context of Russia’s invasion of Ukraine, researchers expect attacks on Signal to grow and spread to ...
19 hours ago Therecord.media

Who Is Behind Pro-Ukrainian Cyberattacks on Iran? - COMMENTARY. Ukrainian cyber forces have attacked Russian infrastructure and assets almost since the first day of the Russian invasion of Ukraine on Feb. 24, 2022. While its mainstay is denial-of-service attacks that have knocked out the Russian ...
1 year ago Darkreading.com

Financially motivated threat actors misusing App Installer - Since mid-November 2023, Microsoft Threat Intelligence has observed threat actors, including financially motivated actors like Storm-0569, Storm-1113, Sangria Tempest, and Storm-1674, utilizing the ms-appinstaller URI scheme to distribute malware. In ...
1 year ago Microsoft.com

Microsoft deprecates Defender Application Guard for Office - Microsoft is deprecating Defender Application Guard for Office and the Windows Security Isolation APIs, and it recommends Defender for Endpoint attack surface reduction rules, Protected View, and Windows Defender Application Control as an ...
1 year ago Bleepingcomputer.com

Midnight Blizzard: Russian Threat Actors Behind Microsoft Corporate Emails' Breach - On Friday, Microsoft informed that some of its corporate accounts suffered a breach in which some of its data was compromised. The attack was first detected on January 12th, and Microsoft in its initial investigation attributed the attack to the ...
1 year ago Cysecurity.news

Threat actors misuse OAuth applications to automate financially driven attacks - Threat actors are misusing OAuth applications as an automation tool in financially motivated attacks. Threat actors compromise user accounts to create, modify, and grant high privileges to OAuth applications that they can misuse to hide malicious ...
1 year ago Microsoft.com

Latest Cyber News

Fedora Linux Kernel Vulnerability Let Attackers Gain Access to Sensitive Data - 2 minutes ago
Multiple NVIDIA CUDA Toolkit Vulnerabilities Let Attackers Trigger DoS - 17 minutes ago
Microsoft Power Pages 0-Day Vulnerability Exploited in the Wild - 43 minutes ago
APT-C-28 Group Launched New Cyber Attack With Fileless RokRat Malware - 43 minutes ago
Microsoft Admin Guide to Block & Remove Apps on Endpoints - 1 hour ago
AWS Key Hunter - A Free Automated Tool to Detect Exposed AWS keys - 1 hour ago
Symantec Diagnostic Tool Vulnerability Let Attackers Escalate Privileges - 1 hour ago
NSA Added New Features to Supercharge Ghidra 11.3 - 2 hours ago
New NailaoLocker ransomware used against EU healthcare orgs - 2 hours ago
Ghost Ransomware Compromised Organisations Across 70+ Countries - 2 hours ago
Windows Disk Cleanup Tool Vulnerability Exploited to Gain SYSTEM Privileges - 6 hours ago
Citrix NetScaler Vulnerability Allows Unauthorized Command Execution - 8 hours ago
Australian Infrastructure Faces 'Acute' Foreign Threats - 8 hours ago
Critical Microsoft Bing Vulnerability Let Attackers Execute Code Remotely - 8 hours ago
Hackers Weaponize Jarsigner App To Execute XLoader Malware - 9 hours ago
New Snake Keylogger Attacking Chrome, Edge, and Firefox Users - 10 hours ago
Insight Partners, VC Giant, Falls to Social Engineering - 11 hours ago
Russian Groups Target Signal Messenger in Spy Campaign - 12 hours ago
CVE-2023-51303 - 13 hours ago
CVE-2025-25196 - 13 hours ago

Cyber Trends (last 7 days)

Okta - 1 year ago
23andMe - 1 year ago
Kimsuky - 1 year ago
LogoFAIL - 1 year ago
Gh0st rat - 1 year ago

Trending Cyber News (last 7 days)

Fedora Linux Kernel Vulnerability Let Attackers Gain Access to Sensitive Data - 2 minutes ago
Multiple NVIDIA CUDA Toolkit Vulnerabilities Let Attackers Trigger DoS - 17 minutes ago
APT-C-28 Group Launched New Cyber Attack With Fileless RokRat Malware - 43 minutes ago
Microsoft Power Pages 0-Day Vulnerability Exploited in the Wild - 43 minutes ago
Microsoft Admin Guide to Block & Remove Apps on Endpoints - 1 hour ago
AWS Key Hunter - A Free Automated Tool to Detect Exposed AWS keys - 1 hour ago
Symantec Diagnostic Tool Vulnerability Let Attackers Escalate Privileges - 1 hour ago
NSA Added New Features to Supercharge Ghidra 11.3 - 2 hours ago
New NailaoLocker ransomware used against EU healthcare orgs - 2 hours ago
Ghost Ransomware Compromised Organisations Across 70+ Countries - 2 hours ago
Content Credentials Show Promise, But Ecosystem Still Young - 14 hours ago
Windows Disk Cleanup Tool Vulnerability Exploited to Gain SYSTEM Privileges - 6 hours ago
Citrix NetScaler Vulnerability Allows Unauthorized Command Execution - 8 hours ago
Australian Infrastructure Faces 'Acute' Foreign Threats - 8 hours ago
Critical Microsoft Bing Vulnerability Let Attackers Execute Code Remotely - 8 hours ago
Hackers Weaponize Jarsigner App To Execute XLoader Malware - 9 hours ago
New Snake Keylogger Attacking Chrome, Edge, and Firefox Users - 10 hours ago
CVE-2025-26466 - 2 days ago
CVE-2024-45775 - 1 day ago
CVE-2024-45776 - 1 day ago