Russian Hackers Abuse Microsoft OAuth 2.0 to Breach Organizations

Cybersecurity firm Volexity has identified a series of sophisticated cyberattacks orchestrated by Russian threat actors abusing Microsoft’s OAuth 2.0 authentication workflows.

These campaigns, attributed to the groups Volexity tracks as UTA0352 and UTA0355, have targeted NGOs, think tanks, and human rights organizations, particularly those engaged with Ukrainian issues, combining technical and social engineering techniques to gain unauthorized access to Microsoft 365 (M365) accounts.

After device code authentication phishing declined earlier in the year, the attackers pivoted to other OAuth 2.0 flows that belong to legitimate first-party Microsoft applications.

The methodology hinges on personalized interactions: attackers initiate contact via secure messaging platforms such as Signal and WhatsApp, posing as European political officials or NGO representatives.

They invite targets to discuss sensitive topics, typically the conflict in Ukraine, under the pretext of arranging high-level meetings.

As part of the ruse, the victim receives a seemingly innocuous link that really does lead to Microsoft's own login page at login.microsoftonline.com; nothing about the page is spoofed.

The malicious ingenuity lies in what happens next: after the victim authenticates, Microsoft issues an authorization code and redirects the browser to a page that displays it.

The attacker, still masquerading as a legitimate contact, then asks the victim to send back this code (often under the pretense of verifying attendance), or simply the URL that contains it.

Once in possession of the code, the attacker redeems it at Microsoft's token endpoint for an access token, gaining access to the victim's M365 data within the scopes granted to the application whose flow was abused.

Technical Variants: Abuse of OAuth and Entra ID

Volexity details two primary variants of the attack. In the first, UTA0352 lures users through OAuth flows belonging to Visual Studio Code and other first-party Microsoft applications, sending links to https://login.microsoftonline.com/organizations/oauth2/v2.0/authorize whose parameters (client_id, redirect_uri, scope) the attacker has chosen.

The lure may include custom-crafted PDF instructions, and the post-login redirect lands on insiders.vscode.dev, itself a legitimate Microsoft domain, which further obscures the attack's intent.

The authorization code itself is short-lived, but once exchanged it yields tokens that, according to the report, remain usable for up to 60 days and provide extensive access to user data through the Microsoft Graph API. Because the application is a first-party app with existing consent and the whole flow runs on official Microsoft infrastructure, the victim never sees a consent prompt that would signal what is being granted.
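The reason a relayed code is as good as the victim's own sign-in is easiest to see in code. The following is an added example, not code from the page or from Volexity or Microsoft: a toy, in-memory model of the OAuth 2.0 authorization-code flow with PKCE. The server class, the client_id, redirect URI and user names are placeholders assumed for the example; only the binding rules (code tied to client_id, redirect_uri and PKCE challenge, single use, short lifetime) follow RFC 6749 and RFC 7636.

```python
import base64
import hashlib
import secrets
import time
from urllib.parse import parse_qs, urlparse

CODE_LIFETIME_S = 600  # toy value; real authorization codes are likewise short-lived


def pkce_challenge(verifier: str) -> str:
    """S256 code_challenge as defined in RFC 7636."""
    digest = hashlib.sha256(verifier.encode()).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


class ToyAuthServer:
    """In-memory stand-in for an authorization server (assumption of this example,
    not Microsoft's implementation). Only the standard binding rules are modelled."""

    def __init__(self):
        self._codes = {}

    def authorize(self, user, client_id, redirect_uri, scope, code_challenge, now=None):
        """Runs after the user has signed in. Returns the redirect URL carrying the
        code, i.e. what the victim's browser lands on after login."""
        code = secrets.token_urlsafe(24)
        self._codes[code] = {
            "user": user, "client_id": client_id, "redirect_uri": redirect_uri,
            "scope": scope, "challenge": code_challenge, "issued": now or time.time(),
        }
        return f"{redirect_uri}?code={code}"

    def token(self, code, client_id, redirect_uri, code_verifier, now=None):
        """Redeems a code. Every check here binds the code to the *request*,
        not to the person submitting it: possession of the code is the proof."""
        rec = self._codes.pop(code, None)  # single use: a replay fails
        if rec is None:
            raise PermissionError("invalid or already redeemed code")
        if (now or time.time()) - rec["issued"] > CODE_LIFETIME_S:
            raise PermissionError("code expired")
        if (client_id, redirect_uri) != (rec["client_id"], rec["redirect_uri"]):
            raise PermissionError("client_id/redirect_uri mismatch")
        if pkce_challenge(code_verifier) != rec["challenge"]:
            raise PermissionError("PKCE verifier mismatch")
        return {
            "sub": rec["user"], "scope": rec["scope"],
            "access_token": f"at-{secrets.token_hex(8)}",
            "refresh_token": f"rt-{secrets.token_hex(8)}",
        }


def code_from_redirect(url: str) -> str:
    """Pull the code out of the redirect URL, as a victim asked to 'send the code' would."""
    return parse_qs(urlparse(url).query)["code"][0]


def run_scenario(now=1_700_000_000.0):
    """Attacker builds the sign-in link (and so holds the PKCE verifier); the victim
    signs in and relays the code. client_id, redirect_uri and user are placeholders."""
    srv = ToyAuthServer()
    client_id = "first-party-client"
    redirect_uri = "https://redirect.example/"
    attacker_verifier = secrets.token_urlsafe(32)

    # 1. Victim authenticates on the real login page; the code appears on the redirect target.
    redirect = srv.authorize("victim@ngo.example", client_id, redirect_uri,
                             "Mail.Read offline_access", pkce_challenge(attacker_verifier), now=now)
    # 2. Victim pastes the code (or the whole URL) into the chat.
    relayed_code = code_from_redirect(redirect)
    # 3. Attacker redeems it. PKCE cannot help: the attacker chose the verifier.
    tokens = srv.token(relayed_code, client_id, redirect_uri, attacker_verifier, now=now + 30)

    # The controls that do bite: single use and the short code lifetime.
    try:
        srv.token(relayed_code, client_id, redirect_uri, attacker_verifier, now=now + 31)
        replay_blocked = False
    except PermissionError:
        replay_blocked = True
    stale = srv.authorize("victim@ngo.example", client_id, redirect_uri, "Mail.Read",
                          pkce_challenge(attacker_verifier), now=now)
    try:
        srv.token(code_from_redirect(stale), client_id, redirect_uri, attacker_verifier,
                  now=now + CODE_LIFETIME_S + 1)
        expiry_enforced = False
    except PermissionError:
        expiry_enforced = True
    return tokens, replay_blocked, expiry_enforced


if __name__ == "__main__":
    t, r, e = run_scenario()
    print("attacker holds tokens for", t["sub"], "| replay blocked:", r, "| expiry enforced:", e)
```

The run shows why the lure is built the way it is: every check the token endpoint performs is satisfied because the attacker authored the request, so the only defences left are single use and the code's short lifetime, which is why the attacker presses the victim for the code immediately rather than later.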

Figure: overall workflow followed by the attacker

In a related but distinct campaign attributed to UTA0355, the attackers utilize compromised Ukrainian government email accounts to initiate contact, followed by direct messaging.

Here the OAuth flow targets Microsoft's Device Registration Service, and the attacker uses the resulting token to register a new device in the victim's Entra ID (formerly Azure AD) tenant.

A registered device not only provides persistent access but also lets the attacker trigger further multi-factor authentication prompts for the victim to approve, cementing the foothold in the victim's organizational environment.

The entire interaction presents as a legitimate Microsoft authentication flow, making detection and prevention challenging for users and security teams alike.

Detection, Prevention, and Persistent Threats

These campaigns are particularly difficult to detect, as all user activity occurs on genuine Microsoft pages and abuses first-party applications that already hold consent in the tenant, so no new app registration or consent grant appears.

Volexity recommends that organizations monitor sign-in logs for unusual activity involving the Visual Studio Code client_id values, review Entra ID audit logs for newly registered devices, and train users never to share authentication codes or the URLs that carry them, even when the request arrives over a secure messaging app from a seemingly known contact.
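The two signals named in that recommendation can be hunted together. What follows is an added example, not Volexity's or Microsoft's tooling: it reads constructed records shaped like Microsoft Graph signIn and directoryAudit objects, flags sign-ins by the Visual Studio Code client from an IP outside the user's baseline, and raises the severity when the same account registers a device within a day afterwards (the UTA0355 pattern). The VS Code client_id used is the public first-party value, which this page does not list, and the device-registration activity names are assumptions to tune against your own tenant.

```python
from datetime import datetime, timedelta, timezone

# Public first-party client_id of Visual Studio Code. The page says to watch
# "specific Visual Studio Code client_id values" without listing them, so this
# value is an assumption of the example; confirm it against your sign-in logs.
WATCHED_CLIENT_IDS = {
    "aebc6443-996d-45c2-90f0-388ff96faa56": "Visual Studio Code",
}

# Constructed sign-in records using Microsoft Graph signIn field names (not real data).
SIGN_INS = [
    {"createdDateTime": "2025-04-10T08:40:00Z", "userPrincipalName": "analyst@ngo.example",
     "appId": "aebc6443-996d-45c2-90f0-388ff96faa56", "appDisplayName": "Visual Studio Code",
     "resourceDisplayName": "Microsoft Graph", "ipAddress": "198.51.100.20"},
    {"createdDateTime": "2025-04-10T09:02:11Z", "userPrincipalName": "analyst@ngo.example",
     "appId": "aebc6443-996d-45c2-90f0-388ff96faa56", "appDisplayName": "Visual Studio Code",
     "resourceDisplayName": "Microsoft Graph", "ipAddress": "203.0.113.7"},
    {"createdDateTime": "2025-04-10T09:05:00Z", "userPrincipalName": "dev@ngo.example",
     "appId": "aebc6443-996d-45c2-90f0-388ff96faa56", "appDisplayName": "Visual Studio Code",
     "resourceDisplayName": "Microsoft Graph", "ipAddress": "198.51.100.21"},
    {"createdDateTime": "2025-04-10T09:10:00Z", "userPrincipalName": "analyst@ngo.example",
     "appId": "11111111-2222-3333-4444-555555555555", "appDisplayName": "Constructed Unwatched App",
     "resourceDisplayName": "Microsoft Graph", "ipAddress": "203.0.113.7"},
]

# IPs each user normally signs in from (constructed baseline).
USER_BASELINE_IPS = {
    "analyst@ngo.example": {"198.51.100.20"},
    "dev@ngo.example": {"198.51.100.21"},
}

# Constructed directoryAudit records. Device registrations surface under the
# "Device" category; the activityDisplayName strings vary by event and tenant,
# so the set below is an assumption to tune, not a definitive list.
DEVICE_ADD_ACTIVITIES = {"Add device", "Add registered owner to device",
                         "Add registered users to device"}
AUDIT_EVENTS = [
    {"activityDateTime": "2025-04-10T11:30:00Z", "activityDisplayName": "Add device",
     "category": "Device",
     "initiatedBy": {"user": {"userPrincipalName": "analyst@ngo.example"}},
     "targetResources": [{"displayName": "DESKTOP-7Q2K"}]},
    {"activityDateTime": "2025-04-09T15:00:00Z", "activityDisplayName": "Add device",
     "category": "Device",
     "initiatedBy": {"user": {"userPrincipalName": "dev@ngo.example"}},
     "targetResources": [{"displayName": "LAPTOP-DEV01"}]},
]


def _ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def watched_app_signins(sign_ins, baseline, watched=WATCHED_CLIENT_IDS):
    """Sign-ins by a watched first-party client from an IP outside the user's baseline."""
    return [s for s in sign_ins
            if s["appId"] in watched
            and s["ipAddress"] not in baseline.get(s["userPrincipalName"], set())]


def device_registrations(audit_events, activities=DEVICE_ADD_ACTIVITIES):
    """(user, time, device name) for audit events that add a device to the tenant."""
    out = []
    for e in audit_events:
        if e.get("category") != "Device" or e.get("activityDisplayName") not in activities:
            continue
        user = ((e.get("initiatedBy") or {}).get("user") or {}).get("userPrincipalName")
        if user:  # app-initiated events carry no user and are skipped here
            out.append((user, _ts(e["activityDateTime"]), e["targetResources"][0]["displayName"]))
    return out


def correlate(sign_ins, audit_events, baseline, window=timedelta(hours=24)):
    """One alert per anomalous watched-app sign-in, raised to high when the same
    user registered a device within `window` after it."""
    regs = device_registrations(audit_events)
    alerts = []
    for s in watched_app_signins(sign_ins, baseline):
        t0, upn = _ts(s["createdDateTime"]), s["userPrincipalName"]
        devices = [name for (u, t, name) in regs if u == upn and t0 <= t <= t0 + window]
        alerts.append({
            "user": upn, "app": WATCHED_CLIENT_IDS.get(s["appId"], s["appId"]),
            "ip": s["ipAddress"], "signin_time": s["createdDateTime"],
            "device_registrations": devices,
            "severity": "high" if devices else "medium",
        })
    return alerts


if __name__ == "__main__":
    for alert in correlate(SIGN_INS, AUDIT_EVENTS, USER_BASELINE_IPS):
        print(alert)
```

The IP baseline is the weakest part of this rule and the part to replace first: a per-user set of known addresses works for a small NGO, while a larger tenant would substitute named locations or Conditional Access network data. The device correlation is what turns a noisy medium into an actionable high, because a legitimate VS Code sign-in is rarely followed by a new device registration for the same account within the same day.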

The attackers’ ability to bypass traditional security controls, combined with the increasing reliance of NGOs and humanitarian organizations on M365 for sensitive communications, underscores the critical need for enhanced security awareness and technical vigilance.

As budget and resource constraints persist in these sectors, the risk posed by such advanced social engineering and OAuth abuse is expected to grow.

Volexity assesses with medium confidence that UTA0352 and UTA0355 are Russian-affiliated groups, based on their targeting profile and the continuity of techniques observed since early 2025.

The evolving nature of their attacks highlights the need for organizations to remain alert to novel OAuth-based intrusions and to update incident response playbooks promptly to cover this persistent and technically adept threat.


Mandvi
Mandvi is a Security Reporter covering data breaches, malware, cyberattacks, data leaks, and more at Cyber Press.
