CyberSecurity news
FlagThis - #microsoft365
|
@www.volexity.com
//
Russian threat actors have been actively targeting Microsoft 365 accounts belonging to individuals and organizations with connections to Ukraine and human rights causes. These malicious actors are exploiting legitimate OAuth 2.0 authentication workflows to gain unauthorized access. Researchers at Volexity have been monitoring these campaigns since early March 2025, observing a shift in tactics from previous device code phishing attempts to methods that rely more heavily on direct interaction with targets. These new attacks involve convincing victims to click on links and provide Microsoft-generated codes.
These campaigns involve sophisticated social engineering techniques, where attackers impersonate officials from various European nations and, in one instance, utilized a compromised Ukrainian Government account. The attackers are using messaging apps like Signal and WhatsApp to contact their targets, inviting them to join fake video calls or register for private meetings with European political figures or Ukraine-related events. The goal is to lure victims into clicking links hosted on Microsoft 365 infrastructure, ultimately tricking them into sharing Microsoft Authorization codes. Volexity is tracking at least two suspected Russian threat actors, identified as UTA0352 and UTA0355, believed to be behind these attacks. The primary tactic involves requesting Microsoft Authorization codes from victims, which then allows the attackers to join attacker-controlled devices to Entra ID (formerly Azure AD) and download emails and other account-related data. This activity demonstrates a continuous effort by Russian threat actors to refine their techniques and circumvent security measures, highlighting the ongoing threat to individuals and organizations associated with Ukraine and human rights.
Share:
References :
Classification:
@www.bleepingcomputer.com
//
Microsoft is set to block ActiveX controls by default in the Windows versions of Microsoft 365 Apps and Office 2024. This move, announced in April 2025, aims to enhance security by addressing vulnerabilities associated with the legacy software framework. ActiveX controls, introduced in 1996, enabled developers to create interactive objects embedded in Office documents. However, over time, these controls have become a significant point of entry for cybercriminals, similar to macros in Excel, with examples such as the propagation of the TrickBot malware through ActiveX.
Microsoft's decision to disable ActiveX controls by default is part of a broader effort to bolster the security of its products. Since 2018, the company has implemented various measures to block attack vectors exploiting Office applications. These include blocking VBA macros, disabling Excel 4.0 (XLM) macros by default, blocking untrusted XLL add-ins, and phasing out VBScript. The default setting previously was to prompt users before enabling ActiveX, which required users to understand the risks before granting permissions. When the change is deployed, users will receive a notification stating "BLOCKED CONTENT: The ActiveX content in this file is blocked" if a document contains an ActiveX control. This measure is intended to reduce the risk of malware or unauthorized code execution. Users can re-enable ActiveX controls through the Trust Center, provided administrators have granted them access to the ActiveX settings page. This change is more secure as it blocks the controls entirely.
Share:
References :
Classification:
@www.microsoft.com
//
Multiple Russian threat actors have been identified targeting Microsoft 365 accounts using a device code authentication phishing technique. These attacks, observed since mid-January 2025, involve social engineering and spear-phishing campaigns, often disguised as communications from reputable organizations like the U.S. Department of State and the Ukrainian Ministry of Defence. Volexity has observed these campaigns targeting organizations to compromise Microsoft 365 accounts.
Microsoft Threat Intelligence Center has also discovered an active and successful device code phishing campaign by a threat actor tracked as Storm-2372, active since August 2024. The attacker creates lures that resemble messaging app experiences including WhatsApp, Signal, and Microsoft Teams. Targets include government, non-governmental organizations (NGOs), information technology (IT) services and technology, defense, telecommunications, health, higher education, and energy/oil and gas in Europe, North America, Africa, and the Middle East. Microsoft assesses with medium confidence that Storm-2372 aligns with Russian interests, victimology, and tradecraft.
Share:
References :
Classification:
|