Amazon exposes a Russian state-backed cyber campaign exploiting Microsoft’s device code authentication flow.
Key Takeaways:
Cybersecurity researchers have discovered a new watering hole campaign orchestrated by a Russian state-sponsored hacking group. The operation exploits Microsoft’s device code authentication flow to trick users into authorizing attacker-controlled devices, granting them unauthorized access to Microsoft 365 accounts.
According to Amazon’s threat intelligence team, the Russian threat actor APT29 (also known as Midnight Blizzard), linked to the SVR (Foreign Intelligence Service), launched a watering hole campaign. It involved compromising legitimate websites and injecting malicious JavaScript to redirect visitors to attacker-controlled domains. These domains mimicked Cloudflare verification pages and abused Microsoft’s device code authentication flow to trick users into authorizing attacker-controlled devices.
The Amazon security team discovered this sophisticated campaign by analyzing traffic patterns with custom-built analytics tools. They found that around 10 percent of users visiting compromised websites were being secretly redirected to malicious domains. The attackers used techniques such as hiding code through obfuscation and Base64 encoding, evading detection with cookies, and quickly switching their infrastructure (for example, moving from client-side scripts to server-side redirects) to keep reaching victims.
“Our investigation uncovered an opportunistic watering hole campaign using compromised websites to redirect visitors to malicious infrastructure designed to trick users into authorizing attacker-controlled devices through Microsoft’s device code authentication flow. This opportunistic approach illustrates APT29’s continued evolution in scaling their operations to cast a wider net in their intelligence collection efforts,” Amazon’s Chief Information Security Officer, CJ Moses, explained.
Amazon confirmed that its systems were not compromised during the cyberattack. In response to the threat, the company isolated the affected EC2 instances and collaborated with Cloudflare and Microsoft to disrupt the campaign. Amazon also monitored the attackers’ migration to other cloud platforms and proactively shared its findings with the broader security community.
Amazon recommends that end users be cautious when browsing, especially if they encounter unexpected redirects or verification pages that appear suspicious. It is also important to verify any device authorization request before approving it to ensure it is legitimate. Amazon further advises enabling multi-factor authentication (MFA) on all accounts and avoiding running commands from unfamiliar sources.
Lastly, security teams are advised to review and, where it is not needed, disable Microsoft’s device code authentication flow for their organization. They should also implement conditional access policies to control how and when users authenticate, based on factors such as device health, location, and risk level. It is also advised to monitor authentication logs for unusual activity (especially new device authorizations), which could indicate an ongoing cyberattack.
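A defender-side illustration of that last recommendation, added here and not part of Amazon’s report or tooling: it scans constructed records shaped like Microsoft Entra sign-in log entries (the Graph sign-in field `authenticationProtocol` takes the value `deviceCode` for this flow) and flags successful device-code sign-ins coming from an IP and device the user has not used in any ordinary sign-in.

```python
import json
from collections import defaultdict

# Constructed sample records in the shape of Microsoft Entra sign-in log entries
# (fields authenticationProtocol, ipAddress, deviceDetail, status). Made up for
# illustration; the IP addresses are documentation ranges, not real indicators.
SAMPLE_SIGNINS = json.loads("""
[
 {"createdDateTime": "2025-08-20T09:01:00Z", "userPrincipalName": "alice@example.com",
  "authenticationProtocol": "oAuth2", "ipAddress": "203.0.113.10",
  "deviceDetail": {"deviceId": "dev-alice-laptop"}, "status": {"errorCode": 0}},
 {"createdDateTime": "2025-08-20T09:07:00Z", "userPrincipalName": "alice@example.com",
  "authenticationProtocol": "deviceCode", "ipAddress": "198.51.100.77",
  "deviceDetail": {"deviceId": ""}, "status": {"errorCode": 0}},
 {"createdDateTime": "2025-08-20T10:15:00Z", "userPrincipalName": "bob@example.com",
  "authenticationProtocol": "deviceCode", "ipAddress": "203.0.113.22",
  "deviceDetail": {"deviceId": "dev-bob-tv"}, "status": {"errorCode": 50126}}
]
""")


def known_sources(signins):
    """Per user, the (ip, deviceId) pairs seen in successful non-device-code sign-ins."""
    seen = defaultdict(set)
    for s in signins:
        if s.get("authenticationProtocol") != "deviceCode" and s["status"]["errorCode"] == 0:
            seen[s["userPrincipalName"]].add((s["ipAddress"], s["deviceDetail"].get("deviceId", "")))
    return seen


def find_suspicious_device_code_signins(signins):
    """Return successful device-code sign-ins whose (ip, device) pair is new for that user."""
    baseline = known_sources(signins)
    flagged = []
    for s in signins:
        if s.get("authenticationProtocol") != "deviceCode":
            continue
        if s["status"]["errorCode"] != 0:
            continue  # only completed authorizations grant access; failures are noise here
        source = (s["ipAddress"], s["deviceDetail"].get("deviceId", ""))
        if source not in baseline[s["userPrincipalName"]]:
            flagged.append({"user": s["userPrincipalName"], "ip": s["ipAddress"],
                            "time": s["createdDateTime"]})
    return flagged


if __name__ == "__main__":
    for hit in find_suspicious_device_code_signins(SAMPLE_SIGNINS):
        print(f"ALERT: device code sign-in for {hit['user']} from {hit['ip']} at {hit['time']}")
```

In a real deployment the baseline would be built from a longer history than the batch being checked, and a hit should be reviewed together with the matching device registration and conditional access evaluation.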