Since early March 2025, multiple threat actors suspected to be linked to Russia have been aggressively targeting individuals and organizations associated with Ukraine and human rights initiatives. Their primary objective is to gain unauthorized access to Microsoft 365 accounts. This campaign marks a significant evolution from previous attacks that utilized device code phishing techniques, indicating a continuous refinement in the adversaries’ methods.
Security researchers from Volexity have identified at least two distinct threat clusters, designated as UTA0352 and UTA0355, as the primary actors behind these operations. However, there is a possibility that these clusters may be related to other known groups such as APT29, UTA0304, and UTA0307.
Sophisticated Social Engineering Tactics
The latest attacks are characterized by the exploitation of legitimate Microsoft OAuth 2.0 authentication workflows. The attackers impersonate officials from various European nations, and in some instances, have utilized compromised Ukrainian government accounts to enhance the credibility of their schemes. Their goal is to deceive targets into providing Microsoft-generated OAuth codes, thereby granting the attackers control over the victims’ accounts.
Communication platforms such as Signal and WhatsApp are employed to reach out to targets. The attackers invite them to join video calls or register for private meetings with European political figures or events focused on Ukraine. These invitations are designed to lure victims into clicking on links hosted within the Microsoft 365 infrastructure.
Upon engaging with the target, the conversation swiftly moves towards scheduling a meeting. As the agreed-upon time approaches, the impersonated official provides instructions on how to join the meeting. These instructions typically include a document followed by a link that redirects to the official Microsoft 365 login portal.
Exploitation of OAuth Codes
The provided links point to legitimate Microsoft login URLs; once the victim authenticates, Microsoft issues an OAuth authorization code, which appears either as a parameter of the redirect URL or within the body of the redirect page. The attackers then attempt to deceive the victim into sharing this code.
In one observed method, the authenticated user is redirected to an in-browser version of Visual Studio Code at insiders.vscode[.]dev, where the token is displayed. If the victim shares this OAuth code, the attackers can generate an access token, granting them unauthorized access to the victim’s Microsoft 365 account.
An earlier variant of this campaign involved redirecting users to the website vscode-redirect.azurewebsites[.]net, which subsequently redirected to the localhost IP address (127.0.0.1). In this scenario, instead of displaying the Authorization Code in the user interface, the code was embedded in the URL. This approach resulted in a blank page when rendered in the user’s browser, prompting the attacker to request the user to share the URL directly.
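As an added example (not code from Volexity or this article), the following Python checker flags the two URL shapes described above: a Microsoft authorize link whose redirect_uri points at one of the named redirect hosts, and a post-redirect URL on such a host that already carries the authorization code. The endpoint and host lists, the sample message and the placeholder client_id and code values are constructed assumptions for illustration.

```python
import re
from typing import List, Optional, Tuple
from urllib.parse import parse_qs, urlparse

# Hosts the article names as the destination of the attacker-chosen redirect (assumed list).
LURE_REDIRECT_HOSTS = {
    "insiders.vscode.dev",
    "vscode-redirect.azurewebsites.net",
    "127.0.0.1",
    "localhost",
}
# Microsoft identity endpoints that issue the authorization code (assumed list).
MS_AUTH_HOSTS = {"login.microsoftonline.com", "login.microsoft.com"}

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def classify_url(url: str) -> Optional[str]:
    """Return why a URL matches the lure pattern, or None if it does not."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    query = parse_qs(parsed.query)  # percent-decodes values such as redirect_uri

    # Shape 1: a genuine Microsoft authorize link, but redirect_uri lands on a lure host.
    if host in MS_AUTH_HOSTS and "/oauth2/" in parsed.path and "authorize" in parsed.path:
        for target in query.get("redirect_uri", []):
            target_host = (urlparse(target).hostname or "").lower()
            if target_host in LURE_REDIRECT_HOSTS:
                return f"authorize link redirecting to lure host {target_host}"
        return None

    # Shape 2: the post-login redirect URL itself, carrying the code the victim is asked to paste.
    if host in LURE_REDIRECT_HOSTS and "code" in query:
        return f"redirect URL on {host} carries an authorization code"
    return None


def scan_text(text: str) -> List[Tuple[str, str]]:
    """Extract every URL from a message and return (url, reason) for the suspicious ones."""
    hits = []
    for url in URL_RE.findall(text):
        reason = classify_url(url)
        if reason:
            hits.append((url, reason))
    return hits


if __name__ == "__main__":
    # Constructed chat message; CLIENT-ID-PLACEHOLDER and CONSTRUCTED-CODE are not real values.
    sample = ("Please join via https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
              "?client_id=CLIENT-ID-PLACEHOLDER&response_type=code"
              "&redirect_uri=https%3A%2F%2Finsiders.vscode.dev%2Fredirect&scope=openid "
              "and send me the page it opens: http://127.0.0.1/?code=CONSTRUCTED-CODE&state=1")
    for url, reason in scan_text(sample):
        print(f"{reason}: {url}")
```

The same check can run over exported chat or mail text to surface messages that ask a user to paste back a redirect URL or code.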
Implications and Recommendations
The sophistication of these attacks underscores the evolving nature of cyber threats and the importance of vigilance. Organizations and individuals, especially those connected to Ukraine and human rights causes, should be particularly cautious of unsolicited communications, even if they appear to originate from legitimate sources.
To mitigate the risk of such attacks, consider the following measures:
1. Enable Multi-Factor Authentication (MFA): Implementing MFA adds an additional layer of security, making it more challenging for attackers to gain unauthorized access.
2. Verify Communication Sources: Always confirm the authenticity of unexpected communications, especially those requesting sensitive information or actions.
3. Educate and Train Staff: Regularly conduct training sessions to raise awareness about phishing tactics and social engineering methods.
4. Monitor Account Activity: Keep an eye on account activities for any unusual or unauthorized actions.
5. Limit OAuth Permissions: Restrict OAuth application permissions to only what is necessary, reducing the potential impact of a compromised token.
By adopting these practices, organizations can enhance their defenses against increasingly sophisticated cyber threats.