Multiple Russian Threat Actors Targeting Microsoft Device Code Authentication
ID: a35f8ccd-efff-5121-a6f2-9e1d15cfd91d
STIX ID: report--a35f8ccd-efff-5121-a6f2-9e1d15cfd91d
Feed Name: Volexity Blog
Volexity details multiple highly targeted spear-phishing campaigns attributed to Russia-aligned actors (CozyLarch, UTA0304, UTA0307) that socially engineer victims into using Microsoft Device Code OAuth (device code flow) to grant persistent access to Microsoft 365 accounts. The report covers campaign themes and lures (Teams invites, Element/Signal outreach), infrastructure and IoCs, observed data exfiltration from compromised accounts, and practical detection and mitigation recommendations (Entra/Sign-in log filters and conditional access to block device code flow).
