Skip to main content
Live Webinar with SANS (June 25)— Agentic CTI Automation for Fun & ProfitRegister Free
Mallory
Back to threat actors
🇷🇺 RU

UNK_AcademicFlare

Also known asunk_academicflare

UNK_AcademicFlare is a suspected Russia-aligned threat actor tracked by Proofpoint. Since at least September 2025, the group has conducted device code phishing campaigns that abuse Microsoft OAuth 2.0 device authorization workflows to steal Microsoft 365 credentials and obtain tokens for account takeover. The actor uses compromised government and military email accounts to build rapport with targets and then sends links, including Cloudflare Worker URLs spoofing OneDrive, that direct victims into a device code phishing flow on legitimate Microsoft device login pages. Reported targets include government, think tanks, higher education/academic organizations, and transportation sectors in the U.S. and Europe. The activity is described as sophisticated social engineering and is part of broader Russia-aligned adoption of device code phishing. No additional aliases or sub-groups are directly supported in the provided content beyond the tracked name UNK_AcademicFlare.

Share:
Are they targeting you?

Know when an actor pivots toward your sector

Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.

Start free trial
OPERATIONAL PROFILE

Targeting

Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.

Where they're from

Attributed origin per open-source reporting.

  • RU
MITRE ATT&CK

Tradecraft

8 distinct techniques observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.

7 of 15 tactics16 techniques×N= number of intelligence reports citing this technique
MITRE ATT&CK
TA0042
Resource Development
2 techniques
T1583
Acquire Infrastructure
T1583.006
Web Services
T1586
Compromise Accounts
T1586.002
Email Accounts
TA0001
Initial Access
2 techniques
T1078
Valid Accounts
T1566×3
Phishing
T1566.002
Spearphishing Link
TA0003
Persistence
2 techniques
T1078
Valid Accounts
T1098
Account Manipulation
T1098.003
Additional Cloud Roles
TA0004
Privilege Escalation
2 techniques
T1078
Valid Accounts
T1098
Account Manipulation
T1098.003
Additional Cloud Roles
TA0005
Stealth
1 technique
T1078
Valid Accounts
TA0006
Credential Access
1 technique
T1528×2
Steal Application Access Token
TA0010
Exfiltration
1 technique
T1020
Automated Exfiltration
IOCS

Observables

2 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting. View more in app.

2 IOCsView more in app

IOC values are gated. View more in Mallory for domains, IPs, hashes, and other artifacts, or pipe them straight into your SIEM.

ACTIVITY FEED

Recent activity

8 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

8 SOURCESView more in app
bleeping computerNews
Apr 1, 2026
New EvilTokens service fuels Microsoft device code phishing attacks

Referenced as a Russian threat group that has used device code phishing attacks to hijack Microsoft accounts.

Read more
the hacker newsNews
Mar 25, 2026
Device Code Phishing Hits 340+ Microsoft 365 Orgs Across Five Countries via OAuth Abuse

Named activity cluster attributed as Russia-aligned and linked to device code phishing attacks against Microsoft 365 identities.

Read more
cloudatg insightsNews
Feb 13, 2026
AI Development & Software Engineering | CloudATG

Russia-aligned/suspected Russia-aligned phishing activity using Microsoft 365 device-code phishing to steal credentials and perform account takeovers.

Read more
cyber security newsNews
Dec 22, 2025
Hackers Using Phishing Tools to Access M365 Accounts via OAuth Device Code

UNK_AcademicFlare is a suspected Russia-aligned threat group conducting sophisticated social engineering and OAuth device code phishing campaigns targeting government officials, think tank researchers, and university staff.

Read more
+4 more in the timeline
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: sector and geo overlap with your footprint, the IOCs they’re burning right now, detection coverage, and what to do next.
Start free trial
Target overlap

Match sector + geo + tech-stack targeting against your real footprint.

Tradecraft mapping8

Every observed MITRE ATT&CK technique, grouped by tactic.

Malware arsenal

Families this actor is known to deploy, with IOCs and behavior.

Exploited CVEs

CVEs this actor has used in known campaigns.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Observables2

Domains, IPs, and hashes tied to this actor, refreshed continuously.