Multiple suspected Russia-linked threat actors have been "aggressively" targeting individuals and organizations with ties to Ukraine and human rights in order to gain unauthorized access to Microsoft 365 accounts since early March 2025.
The highly targeted social engineering operations mark a shift from previously documented attacks that relied on device code phishing to achieve the same goals, indicating that the Russian adversaries are actively refining their tradecraft.
"These recently observed attacks rely heavily on one-on-one interaction with a target, as the threat actor must both convince them to click a link and send back a Microsoft-generated code," security researchers Charlie Gardner, Josh Duke, Matthew Meltzer, Sean Koessel, and Steven Adair noted in an exhaustive analysis.
At least two distinct threat clusters, tracked as UTA0352 and UTA0355, are assessed to be behind the attacks, although the possibility that they are also related to APT29, UTA0304, and UTA0307 has not been ruled out.
The latest set of attacks is characterized by a new technique that abuses legitimate Microsoft OAuth 2.0 authentication workflows. The threat actors impersonate officials from various European countries and, in at least one case, used a compromised Ukrainian government account to trick victims into handing over Microsoft-generated OAuth codes, which are then used to take control of their accounts.
Messaging apps such as Signal and WhatsApp are used to contact targets, inviting them to join a video call or register for private meetings with various national European political officials, or for upcoming events centered on Ukraine. These efforts seek to coax victims into clicking links hosted on Microsoft 365 infrastructure.
"Once the target responded to the messages, the conversation quickly moved to actually scheduling a time to meet," Volexity said. "As the agreed-upon meeting time approached, the purported European political official would again make contact and share instructions on how to join the meeting."
The instructions take the form of a document, after which the purported official sends the target a link to join the meeting. All of these URLs redirect to the official Microsoft 365 login portal.
Specifically, the links are crafted to redirect to the official Microsoft URL and to generate a Microsoft authorization code in the process, which then appears either in the redirect URI or in the body of the redirect page. The attack then seeks to trick the victim into sharing that code with the threat actor.
This is accomplished by redirecting the authenticated user to the in-browser version of Visual Studio Code at insiders.vscode[.]dev, where the code is displayed to the user. Should the victim share the OAuth code, UTA0352 redeems it for an access token that ultimately grants access to the victim's M365 account. An authorization code is single-use and short-lived, so the actor has to redeem it promptly after the victim hands it over, which is why the lure keeps the victim engaged in real time.
Volexity said it also observed an earlier iteration of the campaign that redirected users to the "VS Code localhost IP address (127.0.0.1)".
"When this happens, rather than receiving a user interface with an authorization code, the code is only available in the URL," the researchers explained. "This results in a blank page when rendered in the user's browser. The attacker would have to request that the user share the URL from their browser in order to obtain the code."
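The two lure variants described above differ only in where the authorization code ends up after the victim signs in: on a page served by insiders.vscode.dev, or solely in the address bar of a blank loopback page. The helper below, an added example rather than Volexity's tooling, classifies a lure URL by its `redirect_uri` and scrubs the `code` parameter from a URL a victim was asked to "share back" so it can be forwarded to responders without leaking the credential. The client ID and sample URLs are placeholders constructed for illustration, not indicators from the report.

```python
"""Triage a link from an OAuth authorization-code phishing lure (added example).

classify_link(): where would this authorize request deliver the code?
scrub_code():    strip the code from a URL before logging or forwarding it.
Hosts and the client_id in the sample are placeholders for illustration.
"""
from urllib.parse import urlparse, parse_qs, urlencode, urlunparse

MS_AUTHORIZE_HOSTS = {"login.microsoftonline.com", "login.microsoft.com", "login.live.com"}
LOOPBACK_HOSTS = {"127.0.0.1", "localhost", "::1"}
# Redirect targets that render the code on a page the victim can be told to copy from.
CODE_ON_PAGE_HOSTS = {"insiders.vscode.dev", "vscode.dev"}


def classify_link(url: str) -> dict:
    """Classify a lure URL by what happens to the authorization code after login."""
    p = urlparse(url)
    q = {k: v[0] for k, v in parse_qs(p.query).items()}
    info = {"is_ms_authorize": False, "client_id": None, "redirect_host": None,
            "verdict": "not-an-authorize-request"}
    if p.hostname not in MS_AUTHORIZE_HOSTS or not p.path.rstrip("/").endswith("/authorize"):
        return info
    info["is_ms_authorize"] = True
    info["client_id"] = q.get("client_id")
    if q.get("response_type", "code") != "code":
        info["verdict"] = "not-a-code-flow"
        return info
    redirect_uri = q.get("redirect_uri")
    if not redirect_uri:
        info["verdict"] = "no-redirect-uri"  # the app's registered default is used
        return info
    host = urlparse(redirect_uri).hostname
    info["redirect_host"] = host
    if host in LOOPBACK_HOSTS:
        # Nothing listens on the victim's loopback: blank page, code only in the address bar.
        info["verdict"] = "code-in-url-only"
    elif host in CODE_ON_PAGE_HOSTS:
        # The web VS Code page displays the code for the user to copy.
        info["verdict"] = "code-shown-in-page"
    else:
        info["verdict"] = "ordinary-redirect"
    return info


def scrub_code(url: str):
    """Return (had_code, scrubbed_url): drop `code` from both query and fragment
    (response_mode=fragment puts it after '#') so the URL is safe to forward."""
    p = urlparse(url)
    had_code = False
    parts = {}
    for name, raw in (("query", p.query), ("fragment", p.fragment)):
        params = parse_qs(raw, keep_blank_values=True)
        if "code" in params:
            had_code = True
            del params["code"]
        parts[name] = urlencode(params, doseq=True)
    return had_code, urlunparse(p._replace(query=parts["query"], fragment=parts["fragment"]))


if __name__ == "__main__":
    # Constructed sample lure; the client_id is a placeholder, not a real application ID.
    lure = ("https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
            "?client_id=00000000-0000-0000-0000-000000000000&response_type=code"
            "&redirect_uri=http%3A%2F%2F127.0.0.1%3A41043%2F&scope=openid%20offline_access")
    print(classify_link(lure))
    print(scrub_code("http://127.0.0.1:41043/?code=REDACTED-SAMPLE-CODE&state=abc"))
```

The verdicts map directly onto the two campaign variants: `code-in-url-only` is the blank-page case where the victim is asked to paste the browser URL, and `code-shown-in-page` is the insiders.vscode.dev case. Note that a lure with no `redirect_uri` is still worth examining, since the code then goes to whatever redirect the first-party application has registered.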
Another social engineering attack, detected in early April 2025, involved UTA0355 using an already compromised Ukrainian government email account to send emails to targets, followed by messages on Signal and WhatsApp.
These messages invited the targets to join a video conference related to Ukraine's efforts to investigate and prosecute "atrocities" and its collaboration with international partners. While the end goal of the activity aligns with that of UTA0352, there is one significant difference.
As in the other case, the threat actors abuse the legitimate Microsoft 365 authentication API to access the victim's email data. But here the stolen OAuth authorization code is used to register a new device in the victim's Microsoft Entra ID (formerly Azure Active Directory) tenant.
In the next stage, the attacker orchestrates a second round of social engineering to convince the target to approve a two-factor authentication request, completing the account takeover.
"In this UTA0355 interaction, the victim approved the two-factor authentication (2FA) request to 'access a SharePoint instance associated with the conference,'" Volexity said.
To detect and mitigate these attacks, organizations are advised to audit newly registered devices, educate users about the risks of unsolicited contact over messaging platforms, and implement conditional access policies that restrict access to organizational resources to approved or managed devices only.
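The UTA0355 chain leaves a recognisable trace in Entra logs: a device registration for the user, followed shortly afterwards by an MFA-satisfied sign-in from that new device, typically from an IP address the user has never used. The script below is an added example (not Volexity's detection logic) that correlates the two. The records are constructed samples shaped like the Entra audit-log and sign-in-log JSON exposed through Microsoft Graph, so it runs offline; field names follow that schema, and the user names, device IDs and addresses are made up.

```python
"""Hunt for the register-device-then-sign-in pattern in Entra logs (added example).

Correlates 'Add registered device' audit events with later successful
sign-ins from the same device ID within a time window, and notes whether the
sign-in passed MFA and came from an IP the user had not used before.
"""
from datetime import datetime, timedelta


def ts(s: str) -> datetime:
    """Parse an ISO-8601 timestamp with a trailing Z."""
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


# Constructed sample: Entra audit log entries (Graph auditLogs/directoryAudits shape).
AUDIT_LOG = [
    {"activityDateTime": "2025-04-02T09:14:00Z", "activityDisplayName": "Add registered device",
     "category": "Device", "initiatedBy": {"user": {"userPrincipalName": "alice@example.org"}},
     "targetResources": [{"displayName": "DESKTOP-2V7K1", "id": "dev-9f3a"}]},
    {"activityDateTime": "2025-04-02T09:30:00Z", "activityDisplayName": "Update user",
     "category": "UserManagement", "initiatedBy": {"user": {"userPrincipalName": "bob@example.org"}},
     "targetResources": [{"displayName": "bob@example.org", "id": "user-bob"}]},
]

# Constructed sample: Entra sign-in log entries (Graph auditLogs/signIns shape).
SIGNIN_LOG = [
    {"createdDateTime": "2025-04-01T08:00:00Z", "userPrincipalName": "alice@example.org",
     "appDisplayName": "Office 365 SharePoint Online", "ipAddress": "203.0.113.10",
     "deviceDetail": {"deviceId": "dev-1111"},
     "authenticationRequirement": "singleFactorAuthentication", "status": {"errorCode": 0}},
    {"createdDateTime": "2025-04-02T10:05:00Z", "userPrincipalName": "alice@example.org",
     "appDisplayName": "Office 365 SharePoint Online", "ipAddress": "198.51.100.77",
     "deviceDetail": {"deviceId": "dev-9f3a"},
     "authenticationRequirement": "multiFactorAuthentication", "status": {"errorCode": 0}},
]


def find_new_device_signins(audit_log, signin_log, window=timedelta(hours=48)):
    """Return one alert per successful sign-in from a device registered within `window`."""
    registrations = {}  # deviceId -> (registering user or None, time, device name)
    for e in audit_log:
        if e.get("category") != "Device" or e.get("activityDisplayName") != "Add registered device":
            continue
        upn = e.get("initiatedBy", {}).get("user", {}).get("userPrincipalName")
        for t in e.get("targetResources", []):
            registrations[t["id"]] = (upn, ts(e["activityDateTime"]), t.get("displayName"))

    alerts = []
    for s in sorted(signin_log, key=lambda x: x["createdDateTime"]):
        dev = s.get("deviceDetail", {}).get("deviceId")
        if dev not in registrations or s.get("status", {}).get("errorCode") != 0:
            continue
        reg_upn, reg_time, name = registrations[dev]
        user = s["userPrincipalName"]
        t = ts(s["createdDateTime"])
        # Registrations initiated by an app carry no user; otherwise require the same user.
        if reg_upn is not None and user != reg_upn:
            continue
        if not (reg_time <= t <= reg_time + window):
            continue
        prior_ips = {x["ipAddress"] for x in signin_log
                     if x["userPrincipalName"] == user and ts(x["createdDateTime"]) < reg_time}
        alerts.append({
            "user": user, "device": name, "device_id": dev,
            "registered": reg_time.isoformat(), "signin": t.isoformat(),
            "app": s.get("appDisplayName"),
            "mfa": s.get("authenticationRequirement") == "multiFactorAuthentication",
            "new_ip": s.get("ipAddress") not in prior_ips,
            "minutes_after_registration": (t - reg_time).total_seconds() / 60,
        })
    return alerts


if __name__ == "__main__":
    for a in find_new_device_signins(AUDIT_LOG, SIGNIN_LOG):
        print(a)
```

An alert with `mfa` true and `new_ip` true within minutes of registration is the shape of the UTA0355 takeover: the actor registered the device with the stolen code, then got the victim to approve the prompt. A conditional access policy that requires a compliant or hybrid-joined device would have refused the freshly self-registered device regardless of the MFA approval, which is the control the advice above is pointing at.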
"These recent campaigns benefit from all user interactions taking place on Microsoft's official infrastructure; there is no attacker-hosted infrastructure used in these attacks," the company added.
"Similarly, these attacks do not involve malicious or attacker-controlled OAuth applications for which the user must explicitly grant access (and which can thus be easily blocked by organizations). The use of Microsoft first-party applications that already have consent granted has proven to make prevention and detection of this technique quite difficult."