CyberSecurity news


Source: The Hacker News (info@thehackernews.com)
Russian threat actors have been aggressively targeting individuals and organizations with ties to Ukraine and human rights in campaigns running since early March 2025. Cybersecurity firm Volexity has uncovered sophisticated attacks in which these actors abuse Microsoft's legitimate OAuth 2.0 authentication workflows to gain unauthorized access to Microsoft 365 (M365) accounts. This marks a shift from previously observed attacks that relied on device code phishing, showing the adversaries' continued refinement of their tactics to evade detection. Volexity is tracking at least two suspected Russian threat actors, UTA0352 and UTA0355, believed to be behind these attacks, though a connection to APT29, UTA0304, and UTA0307 has not been ruled out.

These threat actors are employing highly targeted social engineering operations, impersonating officials from various European nations and, in one instance, leveraging a compromised Ukrainian Government account. They are using messaging apps like Signal and WhatsApp to contact potential victims, enticing them with invitations to join private meetings with European political figures or events related to Ukraine. These conversations are designed to lead victims to click links hosted on Microsoft 365 infrastructure, furthering the attack.

The primary tactic involves tricking victims into handing over Microsoft OAuth authorization codes, which the attackers then redeem to gain account access, join attacker-controlled devices to Entra ID, and download emails and other account data. In one observed technique associated with UTA0352, the attackers lure users into granting access via OAuth workflows tied to Visual Studio Code and other Microsoft applications, using URLs that redirect through official Microsoft services so that every link the victim sees is hosted on legitimate Microsoft infrastructure. UTA0355 uses a multi-stage approach, starting with emails sent from a compromised Ukrainian government account and followed by social engineering via messaging apps.
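The technique described above leaves two traces a defender can correlate: an OAuth token redemption for a first-party application (such as Visual Studio Code) from a location the user has never signed in from, followed shortly by a device registration in Entra ID. The following detection logic is an added example, not code from the article or from Volexity. It runs over constructed sign-in and audit records whose field names mirror the Microsoft Graph signIn and directoryAudit schemas; the watched-app list, the "Register device" activity name, the per-user country baseline and the 24-hour correlation window are all assumptions to adjust for your tenant.

```python
"""Correlate OAuth sign-ins for watched first-party apps with subsequent
device registrations to flag authorization-code phishing.

Added example (not from the page or Volexity). All records below are
constructed; field names mirror Microsoft Graph signIn/directoryAudit.
"""
from datetime import datetime, timedelta

# Apps named on the page as abused; extend as needed (assumption: these are
# rarely redeemed from unfamiliar locations in your tenant).
WATCHED_APPS = {"Visual Studio Code"}
# Audit activity name for device registration (assumption).
DEVICE_REG_ACTIVITY = "Register device"
CORRELATION_WINDOW = timedelta(hours=24)

# Constructed baseline: countries seen in each user's prior sign-ins.
BASELINE = {
    "alice@example.org": {"DE"},
    "bob@example.org": {"FR"},
    "carol@example.org": {"DE", "PL"},
}

# Constructed sign-in records ("XX" is a placeholder country code).
SIGN_INS = [
    {"createdDateTime": "2025-03-10T09:02:11Z", "userPrincipalName": "alice@example.org",
     "appDisplayName": "Visual Studio Code", "ipAddress": "198.51.100.7",
     "location": {"countryOrRegion": "XX"}},
    {"createdDateTime": "2025-03-10T10:15:00Z", "userPrincipalName": "bob@example.org",
     "appDisplayName": "Visual Studio Code", "ipAddress": "203.0.113.4",
     "location": {"countryOrRegion": "FR"}},
    {"createdDateTime": "2025-03-11T14:20:45Z", "userPrincipalName": "carol@example.org",
     "appDisplayName": "Visual Studio Code", "ipAddress": "198.51.100.9",
     "location": {"countryOrRegion": "XX"}},
    {"createdDateTime": "2025-03-11T15:00:00Z", "userPrincipalName": "alice@example.org",
     "appDisplayName": "Office 365 Exchange Online", "ipAddress": "192.0.2.10",
     "location": {"countryOrRegion": "DE"}},
]

# Constructed audit records for device registration events.
AUDITS = [
    {"activityDateTime": "2025-03-10T09:41:30Z", "activityDisplayName": "Register device",
     "initiatedBy": {"user": {"userPrincipalName": "alice@example.org"}},
     "targetResources": [{"displayName": "DESKTOP-CONSTRUCTED"}]},
    {"activityDateTime": "2025-03-12T08:00:00Z", "activityDisplayName": "Register device",
     "initiatedBy": {"user": {"userPrincipalName": "bob@example.org"}},
     "targetResources": [{"displayName": "BOB-LAPTOP"}]},
]


def _ts(value):
    """Parse the UTC ISO-8601 timestamps used in the sample records."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def device_registrations(audits):
    """Map user -> list of (time, device name) for device registration events."""
    out = {}
    for a in audits:
        if a.get("activityDisplayName") != DEVICE_REG_ACTIVITY:
            continue
        upn = a["initiatedBy"]["user"]["userPrincipalName"]
        targets = a.get("targetResources") or [{"displayName": "?"}]
        out.setdefault(upn, []).append((_ts(a["activityDateTime"]), targets[0]["displayName"]))
    return out


def find_suspicious(sign_ins, audits, baseline, window=CORRELATION_WINDOW):
    """Flag watched-app sign-ins from outside the user's country baseline;
    raise severity to high when the user registers a device within `window`."""
    regs = device_registrations(audits)
    alerts = []
    for s in sign_ins:
        app = s.get("appDisplayName")
        if app not in WATCHED_APPS:
            continue
        upn = s["userPrincipalName"]
        country = s.get("location", {}).get("countryOrRegion")
        if country in baseline.get(upn, set()):
            continue  # known location for this user, nothing to flag
        when = _ts(s["createdDateTime"])
        alert = {"user": upn, "app": app, "ip": s.get("ipAddress"), "country": country,
                 "time": s["createdDateTime"], "severity": "medium", "device": None}
        for reg_time, device in regs.get(upn, []):
            if when <= reg_time <= when + window:
                alert["severity"] = "high"  # token redeemed, then a device joined
                alert["device"] = device
                break
        alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for a in find_suspicious(SIGN_INS, AUDITS, BASELINE):
        print(f"{a['severity'].upper():6} {a['user']} {a['app']} from {a['ip']} "
              f"({a['country']}) device={a['device']}")
```

On the constructed data this yields a high-severity alert for alice (unfamiliar-location redemption followed by a device registration 39 minutes later) and a medium alert for carol (unfamiliar location, no device yet); bob's sign-in from his usual country is ignored. In production the same logic can be expressed as a KQL join over the SigninLogs and AuditLogs tables, and the response to a high-severity hit is to revoke the user's refresh tokens and remove the newly registered device.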



References:
  • cyberpress.org: Cybersecurity firm Volexity has identified a series of sophisticated cyberattacks orchestrated by Russian threat actors abusing Microsoft’s OAuth 2.0 authentication workflows.
  • securityonline.info: Russian Hackers Abuse Microsoft 365 OAuth in Sophisticated Phishing Attacks
  • The Hacker News: Russian Hackers Exploit Microsoft OAuth to Target Ukraine Allies via Signal and WhatsApp
  • www.volexity.com: Phishing for Codes: Russian Threat Actors Target Microsoft 365 OAuth Workflows
  • Virus Bulletin: Volexity researchers observed multiple Russian threat actors targeting individuals & organizations with ties to Ukraine and human rights. These recent attacks use a new technique aimed at abusing legitimate Microsoft OAuth 2.0 Authentication workflows.