Skip to main content
Live Webinar with SANS (June 25)— Agentic CTI Automation for Fun & ProfitRegister Free
Mallory
Back to threat actors
🇷🇺 RU

ta2723

Also known asta2723

TA2723 is a financially motivated cybercriminal threat actor associated with high-volume credential phishing. Proofpoint describes TA2723 as previously known for campaigns spoofing Microsoft OneDrive, LinkedIn, and DocuSign. Beginning in October 2025, Proofpoint observed TA2723 using OAuth 2.0 device code phishing against Microsoft 365 accounts, including campaigns using salary- and benefits-themed lures, shared-document themes, and fake landing pages that directed victims to the legitimate Microsoft device authorization flow. Reported lures included salary-amended documents and salary bonus or employer benefit reports. Proofpoint assessed that early phases of these campaigns likely used the SquarePhish2 tooling, with later waves potentially shifting to the Graphish phishing kit. The activity is described as enabling Microsoft 365 account takeover and access via attacker-obtained tokens. TA2723 is also mentioned alongside other threat clusters observed using device code phishing. No additional aliases or sub-groups beyond TA2723 are directly supported in the provided content.

Share:
Are they targeting you?

Know when an actor pivots toward your sector

Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.

Start free trial
OPERATIONAL PROFILE

Targeting

Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.

Where they're from

Attributed origin per open-source reporting.

  • RU
MITRE ATT&CK

Tradecraft

5 distinct techniques observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.

5 of 15 tactics8 techniques×N= number of intelligence reports citing this technique
MITRE ATT&CK
TA0001
Initial Access
1 technique
T1566
Phishing
T1566.002
Spearphishing Link
TA0003
Persistence
1 technique
T1098
Account Manipulation
T1098.003
Additional Cloud Roles
TA0004
Privilege Escalation
1 technique
T1098
Account Manipulation
T1098.003
Additional Cloud Roles
TA0006
Credential Access
1 technique
T1528
Steal Application Access Token
TA0010
Exfiltration
1 technique
T1020
Automated Exfiltration
IOCS

Observables

16 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting. View more in app.

16 IOCsView more in app

IOC values are gated. View more in Mallory for domains, IPs, hashes, and other artifacts, or pipe them straight into your SIEM.

ACTIVITY FEED

Recent activity

6 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

6 SOURCESView more in app
bleeping computerNews
Apr 1, 2026
New EvilTokens service fuels Microsoft device code phishing attacks

Referenced as a Russian threat group that has used device code phishing attacks to hijack Microsoft accounts.

Read more
cyber security newsNews
Dec 22, 2025
Hackers Using Phishing Tools to Access M365 Accounts via OAuth Device Code

TA2723 is a financially motivated threat group known for high-volume credential phishing campaigns, now leveraging OAuth device code phishing to compromise Microsoft 365 accounts.

Read more
cso onlineNews
Dec 22, 2025
Hackers exploit Microsoft OAuth device codes to hijack enterprise accounts

TA2723 is a financially motivated threat actor conducting high-volume credential phishing campaigns using device code phishing techniques, targeting users with salary and benefits-themed lures to gain access to Microsoft 365 accounts.

Read more
bleeping computerNews
Dec 19, 2025
Microsoft 365 accounts targeted in wave of OAuth phishing attacks

TA2723 is a financially motivated cybercriminal group known for high-volume credential phishing, recently adopting OAuth device code phishing techniques to compromise Microsoft 365 accounts.

Read more
+2 more in the timeline
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: sector and geo overlap with your footprint, the IOCs they’re burning right now, detection coverage, and what to do next.
Start free trial
Target overlap

Match sector + geo + tech-stack targeting against your real footprint.

Tradecraft mapping5

Every observed MITRE ATT&CK technique, grouped by tactic.

Malware arsenal

Families this actor is known to deploy, with IOCs and behavior.

Exploited CVEs

CVEs this actor has used in known campaigns.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Observables16

Domains, IPs, and hashes tied to this actor, refreshed continuously.