CyberSecurity news
FlagThis
@www.volexity.com
//
Russian threat actors have been actively targeting Microsoft 365 accounts belonging to individuals and organizations with connections to Ukraine and human rights causes. These malicious actors are exploiting legitimate OAuth 2.0 authentication workflows to gain unauthorized access. Researchers at Volexity have been monitoring these campaigns since early March 2025, observing a shift in tactics from previous device code phishing attempts to methods that rely more heavily on direct interaction with targets. These new attacks involve convincing victims to click on links and provide Microsoft-generated codes.
These campaigns involve sophisticated social engineering techniques, where attackers impersonate officials from various European nations and, in one instance, utilized a compromised Ukrainian Government account. The attackers are using messaging apps like Signal and WhatsApp to contact their targets, inviting them to join fake video calls or register for private meetings with European political figures or Ukraine-related events. The goal is to lure victims into clicking links hosted on Microsoft 365 infrastructure, ultimately tricking them into sharing Microsoft Authorization codes.
Volexity is tracking at least two suspected Russian threat actors, identified as UTA0352 and UTA0355, believed to be behind these attacks. The primary tactic involves requesting Microsoft Authorization codes from victims, which then allows the attackers to join attacker-controlled devices to Entra ID (formerly Azure AD) and download emails and other account-related data. This activity demonstrates a continuous effort by Russian threat actors to refine their techniques and circumvent security measures, highlighting the ongoing threat to individuals and organizations associated with Ukraine and human rights.
ImgSrc: www.volexity.co
References :
These campaigns involve sophisticated social engineering techniques, where attackers impersonate officials from various European nations and, in one instance, utilized a compromised Ukrainian Government account. The attackers are using messaging apps like Signal and WhatsApp to contact their targets, inviting them to join fake video calls or register for private meetings with European political figures or Ukraine-related events. The goal is to lure victims into clicking links hosted on Microsoft 365 infrastructure, ultimately tricking them into sharing Microsoft Authorization codes.
Volexity is tracking at least two suspected Russian threat actors, identified as UTA0352 and UTA0355, believed to be behind these attacks. The primary tactic involves requesting Microsoft Authorization codes from victims, which then allows the attackers to join attacker-controlled devices to Entra ID (formerly Azure AD) and download emails and other account-related data. This activity demonstrates a continuous effort by Russian threat actors to refine their techniques and circumvent security measures, highlighting the ongoing threat to individuals and organizations associated with Ukraine and human rights.
ImgSrc: www.volexity.co
Share:
References :
- cyberpress.org: Cybersecurity firm Volexity has identified a series of sophisticated cyberattacks orchestrated by Russian threat actors abusing Microsoft’s OAuth 2.0 authentication workflows.
- securityonline.info: Russian Hackers Abuse Microsoft 365 OAuth in Sophisticated Phishing Attacks
- The Hacker News: Russian Hackers Exploit Microsoft OAuth to Target Ukraine Allies via Signal and WhatsApp
- www.volexity.com: Volexity blog on Russian Threat Actors Target Microsoft 365 Using OAuth Authorization Code Theft
- Virus Bulletin: Volexity researchers observed multiple Russian threat actors targeting individuals & organizations with ties to Ukraine and human rights. These recent attacks use a new technique aimed at abusing legitimate Microsoft OAuth 2.0 Authentication workflows.
- bsky.app: Russian threat actors have been abusing legitimate OAuth 2.0 authentication workflows to hijack Microsoft 365 accounts of employees of organizations related to Ukraine and human rights.
- Security Risk Advisors: Russian Threat Actors Target Microsoft 365 Using OAuth Authorization Code Theft
- The DefendOps Diaries: Learn how cybercriminals exploit OAuth 2.0 to hijack Microsoft 365 accounts and discover strategies to mitigate these sophisticated threats.
- Email Security - Blog: Detailed analysis of the phishing technique.
- Virus Bulletin: Russian APTs targeting Ukraine supporters with sophisticated Microsoft 365 OAuth phishing.
- www.helpnetsecurity.com: Attackers phish OAuth codes, take over Microsoft 365 accounts
- gbhackers.com: Russian Hackers Exploit Microsoft OAuth 2.0 to Target Organizations
- BleepingComputer: Russian hackers abuse OAuth 2.0 workflows to hijack Microsoft 365 accounts
- Cyber Security News: CyberPress on Russian Hackers Abuse Microsoft OAuth 2.0 to Breach Organizations
- www.sentinelone.com: AI empowers organizations to optimize detection, Russia-nexus actors exploit MS OAuth workflows, and cybercrime hit $16B in losses in 2024.
- slashnext.com: Technical details and vulnerabilities highlighted.
- www.scworld.com: Explanation of the tool used in the attack.
Classification:
- HashTags: #OAuthPhishing #Microsoft365 #RussianAPT
- Company: Microsoft
- Target: Ukraine supporters and human rights organizations
- Attacker: Russian APT
- Product: Microsoft 365
- Feature: OAuth Authorization Code Theft
- Type: Phishing
- Severity: Major