
"The attacks involve using compromised email addresses belonging to government and military organizations to strike entities within government, think tanks, higher education, and transportation sectors in the U.S. and Europe. "Typically, these compromised email addresses are used to conduct benign outreach and rapport building related to the targets' area of expertise to ultimately arrange a fictitious meeting or interview," the enterprise security company said."
"As part of these efforts, the adversary claims to share a link to a document that includes questions or topics for the email recipient to review before the meeting. The URL points to a Cloudflare Worker URL that mimics the compromised sender's Microsoft OneDrive account and instructs the victim to copy the provided code and click "Next" to access the supposed document."
UNK_AcademicFlare has conducted a phishing campaign since September 2025 that abuses the OAuth 2.0 device code authentication flow to obtain Microsoft 365 access tokens and take over accounts. The adversary uses compromised email addresses from government and military organizations to engage targets in benign outreach, build rapport, and arrange fictitious meetings or interviews. Victims then receive a Cloudflare Worker link that mimics the sender's OneDrive and are told to copy a code and click "Next"; the page redirects to Microsoft's legitimate device code login, where entering the attacker-generated code completes a sign-in that the attacker, not the victim, initiated. Because the attacker's client is the one polling for the result, the resulting tokens are delivered to the attacker, while the victim only ever sees a genuine Microsoft page and URL. Multiple security firms have linked this technique to Russia-aligned threat clusters and warned of continued abuse.
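The flow described above, as an added example that is not code from the article or from any vendor: an in-memory stand-in for the identity provider's device-code endpoints, the attacker's request/lure/poll sequence, the victim's single step at the legitimate verification URI, and a hunt over the constructed sign-in records the exchange leaves behind. The server class, the code and token formats, the client ID and the sample log records are assumptions for illustration; the endpoint message names follow RFC 8628, and the `authenticationProtocol` / `deviceCode` log field mirrors the Entra ID sign-in log schema.

```python
"""
Simulated OAuth 2.0 device authorization grant (RFC 8628): why a victim who types
the attacker's user code at the legitimate login page hands the attacker the token,
and a detection pass over the constructed sign-in log. Added example, not the
article's or any vendor's code. The server, codes, token format, client ID and log
records are assumptions for illustration.
"""
import secrets
import string
import time

VERIFICATION_URI = "https://microsoft.com/devicelogin"  # Microsoft's real device-code login page
USER_CODE_ALPHABET = string.ascii_uppercase + string.digits


class DeviceCodeAuthServer:
    """Minimal stand-in for the identity provider's device-code endpoints (assumption)."""

    def __init__(self):
        self._pending = {}       # device_code -> {"user_code", "scope", "client_id", "user"}
        self._by_user_code = {}  # user_code -> device_code
        self.signin_log = []     # constructed sign-in records using Entra-style field names

    def device_authorization(self, client_id, scope):
        """Step 1: anyone (here the attacker) requests a code pair; no credentials needed."""
        device_code = secrets.token_urlsafe(32)
        user_code = "".join(secrets.choice(USER_CODE_ALPHABET) for _ in range(9))
        self._pending[device_code] = {"user_code": user_code, "scope": scope,
                                      "client_id": client_id, "user": None}
        self._by_user_code[user_code] = device_code
        return {"device_code": device_code, "user_code": user_code,
                "verification_uri": VERIFICATION_URI, "expires_in": 900, "interval": 5}

    def user_authorizes(self, user_code, username, source_ip):
        """Step 2: the victim signs in at the legitimate URI and types the code.
        The server binds the code to the victim; nothing shows who requested it."""
        device_code = self._by_user_code.get(user_code)
        if device_code is None:
            return False
        self._pending[device_code]["user"] = username
        self.signin_log.append({"userPrincipalName": username, "ipAddress": source_ip,
                                "authenticationProtocol": "deviceCode",
                                "appId": self._pending[device_code]["client_id"],
                                "createdDateTime": time.time()})
        return True

    def token(self, device_code):
        """Step 3: whoever holds device_code polls here; tokens go to that caller."""
        req = self._pending.get(device_code)
        if req is None:
            return {"error": "invalid_grant"}
        if req["user"] is None:
            return {"error": "authorization_pending"}
        return {"token_type": "Bearer", "scope": req["scope"],
                "access_token": f"eyJ.{req['user']}.{secrets.token_hex(8)}",  # placeholder, not a real JWT
                "refresh_token": secrets.token_urlsafe(24)}


def run_phish(server, victim_upn, victim_ip):
    """Attacker side: request a code, lure the victim into entering it, then poll for tokens."""
    grant = server.device_authorization(client_id="attacker-chosen-public-client",  # assumption
                                        scope="https://graph.microsoft.com/.default offline_access")
    lure = (f"Your document is ready. Go to {grant['verification_uri']} and enter "
            f"{grant['user_code']} to open it.")
    # The victim follows the lure; the page, URL and login are genuinely the provider's.
    server.user_authorizes(grant["user_code"], victim_upn, victim_ip)
    return lure, server.token(grant["device_code"])


def hunt_device_code_signins(signin_log):
    """Detection: every device-code sign-in deserves review; return the flagged records."""
    return [r for r in signin_log if r.get("authenticationProtocol") == "deviceCode"]


if __name__ == "__main__":
    srv = DeviceCodeAuthServer()
    lure, tokens = run_phish(srv, "victim@example.gov", "203.0.113.7")  # constructed victim
    print(lure)
    print("attacker now holds:", tokens)
    for hit in hunt_device_code_signins(srv.signin_log):
        print("ALERT device-code sign-in:", hit["userPrincipalName"], "from", hit["ipAddress"])
```

The point the simulation makes is that the victim's only action is a normal sign-in on a genuine page; the binding between that sign-in and the attacker's polling client happens server-side, so user education alone is a weak control. On the defensive side, device-code sign-ins are rare for most users, which is why the hunt above flags every record with that protocol value; in a real tenant the same field can drive a Conditional Access policy that blocks the flow for accounts that have no business using it.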
Read at The Hacker News