UNK_AcademicFlare: The Wolf Has Learned to Forge Grain Vouchers, and the Flock Lines Up to Redeem Them
Victor Woolridge, Senior Legacy Architect & Paranoia Consultant
I have been warning about this for years. The Sky Pasture was never to be trusted. And now, as predictable as a lamb walking toward a suspicious pile of oats, we have confirmation that the wolves have refined their luring techniques to an almost elegant degree.
Proofpoint has identified a threat cluster they are calling UNK_AcademicFlare. Russian wolves, almost certainly. They have been conducting a rather sophisticated hooking campaign since September 2025, and their methodology deserves our grudging respect, if not our terror.
The scheme exploits device code authentication workflows in Microsoft 365. For those of you who do not remember when authentication meant a physical key and a stern handshake, allow me to explain. Device code authentication was designed for situations where typing credentials is impractical. The device that wants access displays a short code; the user enters that code on the provider's sign-in page from some other device and signs in there; and the device that displayed the code is then granted a session. Note which party ends up holding the session: whoever requested the code.
The wolves have weaponized this convenience.
They compromise government email addresses. Real addresses. Trusted addresses. Then they send messages to the flock, instructing them to enter authentication codes on legitimate Microsoft pages. The lambs comply. Why would they not? The grain appears authentic. The trough looks familiar.
And just like that, the wolf has the keys to the entire pasture.
In the old days, we verified everything. Twice. Sometimes three times if the operator looked suspicious. Now the flock clicks links from strangers because the interface has pleasing colors.
This is what happens when you move your entire operation to the Sky Pasture and forget that predators can fly.
Remediation
- Disable device code authentication flows unless absolutely necessary. If your organization requires them, implement conditional access policies with extreme prejudice.
- Train the flock. I am aware that training is considered passé in modern security circles. I do not care. Drill into their woolen heads that unsolicited authentication requests are fake grain, regardless of how official they appear.
- Monitor for anomalous sign-in patterns. If a lamb suddenly authenticates from a location 4,000 kilometers away, perhaps investigate before the wolf has finished shearing them.
- Implement phishing-resistant MFA. FIDO2 keys. Hardware tokens. Things you can hold in your hand. Things that existed before everything became a cloud abstraction.
- Assume compromise. Review all accounts that received suspicious messages. The wolves are patient. They may be inside already, waiting.
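Since the monitoring and conditional-access points above are the part of this list that can actually be automated, here is an added example (mine, not Proofpoint's and not from the original report) that walks sign-in records shaped like the Microsoft Graph signIn resource and flags two things: any sign-in whose authenticationProtocol is deviceCode, and two sign-ins for the same user more than 4,000 km apart within a short window. The field names follow the Graph schema as I know it; the records themselves are constructed, not real telemetry.

```python
"""Flag device-code sign-ins and improbable travel in Entra ID sign-in records.

Added example, not from the original post or report. Field names mirror the
Microsoft Graph signIn resource (authenticationProtocol, userPrincipalName,
createdDateTime, location.geoCoordinates); the sample records are constructed.
"""
import math
from datetime import datetime

EARTH_RADIUS_KM = 6371.0

# Constructed sample: one user signs in normally, then 45 minutes later a
# device-code sign-in completes from roughly 7,000 km away.
SAMPLE_LOGS = [
    {"userPrincipalName": "analyst@example.gov", "createdDateTime": "2025-10-01T08:00:00Z",
     "authenticationProtocol": "oAuth2", "ipAddress": "203.0.113.10",
     "location": {"countryOrRegion": "US",
                  "geoCoordinates": {"latitude": 38.9, "longitude": -77.0}}},
    {"userPrincipalName": "analyst@example.gov", "createdDateTime": "2025-10-01T08:45:00Z",
     "authenticationProtocol": "deviceCode", "ipAddress": "198.51.100.7",
     "location": {"countryOrRegion": "FI",
                  "geoCoordinates": {"latitude": 60.2, "longitude": 24.9}}},
]


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two lat/lon points in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlmb = p2 - p1, math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.atan2(math.sqrt(a), math.sqrt(1 - a))


def parse_time(stamp):
    """Graph timestamps end in 'Z'; make them timezone-aware for arithmetic."""
    return datetime.fromisoformat(stamp.replace("Z", "+00:00"))


def detect(records, max_km=4000.0, window_hours=2.0):
    """Return (upn, reason, detail) findings for device-code use and improbable travel."""
    findings, last_seen = [], {}
    for rec in sorted(records, key=lambda r: r["createdDateTime"]):
        upn = rec["userPrincipalName"]
        if rec.get("authenticationProtocol") == "deviceCode":
            findings.append((upn, "device_code_signin", rec.get("ipAddress", "?")))
        prev = last_seen.get(upn)
        here = rec.get("location", {}).get("geoCoordinates")
        there = prev.get("location", {}).get("geoCoordinates") if prev else None
        if here and there:  # skip the distance check when geolocation is missing
            km = haversine_km(there["latitude"], there["longitude"],
                              here["latitude"], here["longitude"])
            hours = (parse_time(rec["createdDateTime"]) - parse_time(prev["createdDateTime"])).total_seconds() / 3600
            if km > max_km and hours < window_hours:
                findings.append((upn, "improbable_travel", f"{km:.0f} km in {hours * 60:.0f} min"))
        last_seen[upn] = rec
    return findings
```

Feed it an export of real sign-in logs and both findings become a starting point for the account review in the last bullet, not a verdict on their own.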
I miss magnetic tape. You could not phish magnetic tape.
Original Report: https://thehackernews.com/2025/12/russia-linked-hackers-use-microsoft-365.html