Phishing for Codes: Russian Threat Actors Target Microsoft 365 OAuth Workflows

Summary:
Since early March 2025, Volexity has observed a phishing campaign carried out by at least two Russian threat actors, UTA0352 and UTA0355, targeting individuals and organizations with ties to Ukraine and human rights. These actors are leveraging legitimate Microsoft OAuth 2.0 authentication workflows to gain access to Microsoft 365 accounts through social engineering. Victims are initially contacted via Signal or WhatsApp by attackers impersonating European political officials or, in some cases, using compromised Ukrainian government accounts. The attackers invite targets to virtual meetings or events and provide links that direct to authentic Microsoft login pages. Victims are then asked to share the authorization codes generated during the login process, which the attackers use to generate access tokens and gain unauthorized access to emails and sensitive account data.


Security Officer Comments:
UTA0352 primarily uses Visual Studio Code-based redirects to obtain OAuth codes, often impersonating officials from Ukraine, Bulgaria, and Romania. Meanwhile, UTA0355 employs a more advanced technique involving the Microsoft Entra ID device registration process. Using the OAuth codes it obtains, UTA0355 registers attacker-controlled devices in the victim's Microsoft Entra ID tenant. Once the device is registered, the threat actor proceeds to manipulate two-factor authentication prompts, convincing the victim to approve access under the guise of joining a legitimate meeting or accessing shared content, thereby achieving persistent, stealthy access.

What sets these campaigns apart is their strategic use of Microsoft’s legitimate authentication infrastructure, which eliminates the need for attacker-controlled servers or malicious third-party applications. This makes traditional detection mechanisms less effective and adds a layer of perceived legitimacy to the attacks. Moreover, the campaigns rely heavily on real-time, one-on-one engagement with targets, marking a significant shift from broad, automated phishing strategies to more tailored, trust-driven social engineering.

Suggested Corrections:
Organizations should prioritize user education and awareness. Since the campaign exploits legitimate Microsoft infrastructure and pre-approved first-party applications, traditional detection and prevention methods are less effective. Users should be trained to recognize suspicious outreach, especially unsolicited messages via secure apps like Signal or WhatsApp, and to never share URLs or authorization codes from Microsoft login pages. Additionally, implementing conditional access policies that limit access to only managed or approved devices can provide an added layer of protection and help prevent unauthorized device registration and data access.
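One detection that complements the conditional access advice above, and that targets the device-registration technique described under Security Officer Comments, is to correlate each Entra ID "Register device" audit event with the sign-ins that preceded it: a registration shortly after a token was obtained from an IP the user has never used before is the footprint a phished authorization code leaves. The script below is an added example written for this write-up, not code from Volexity; the log records are constructed and the field names are simplified assumptions rather than the exact Entra ID schema.

```python
from datetime import datetime, timedelta

# Constructed sample records, loosely modelled on Entra ID sign-in and audit
# logs. Field names are assumptions for illustration, not a verified schema.
SIGNINS = [
    {"time": "2025-03-10T09:00:00", "user": "alice@example.org", "ip": "203.0.113.10",
     "app": "Microsoft Teams", "device_id": "dev-known-1"},       # normal baseline activity
    {"time": "2025-03-12T14:02:00", "user": "alice@example.org", "ip": "198.51.100.7",
     "app": "Visual Studio Code", "device_id": ""},               # token from a never-seen IP
    {"time": "2025-03-12T14:20:00", "user": "alice@example.org", "ip": "198.51.100.7",
     "app": "Microsoft Teams", "device_id": "dev-new-9"},         # first use of the new device
]
AUDITS = [
    {"time": "2025-03-12T14:05:00", "user": "alice@example.org",
     "activity": "Register device", "device_id": "dev-new-9"},
]

def parse(ts):
    return datetime.fromisoformat(ts)

def baseline(signins, before):
    """Per user, the IPs and device ids seen before `before` (the known-good set)."""
    base = {}
    for s in signins:
        if parse(s["time"]) < before:
            b = base.setdefault(s["user"], {"ips": set(), "devices": set()})
            b["ips"].add(s["ip"])
            b["devices"].add(s["device_id"])
    return base

def suspicious_registrations(signins, audits, window=timedelta(hours=1)):
    """Device registrations preceded, within `window`, by a sign-in from an IP the
    user had never used before. Returns one hit per flagged registration."""
    hits = []
    for a in audits:
        if a["activity"] != "Register device":
            continue
        t = parse(a["time"])
        known = baseline(signins, t - window).get(a["user"], {"ips": set(), "devices": set()})
        for s in signins:
            st = parse(s["time"])
            if s["user"] == a["user"] and t - window <= st <= t and s["ip"] not in known["ips"]:
                hits.append({"user": a["user"], "device_id": a["device_id"],
                             "ip": s["ip"], "app": s["app"]})
                break   # one hit per registration is enough for triage
    return hits

if __name__ == "__main__":
    for h in suspicious_registrations(SIGNINS, AUDITS):
        print(f"review: {h['user']} registered {h['device_id']} after {h['app']} sign-in from {h['ip']}")
```

In production the same join runs against exported sign-in and audit logs, and the device registration itself is what the managed-device conditional access policy above is meant to block.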

Link(s):
https://www.volexity.com/blog/2025/...-actors-target-microsoft-365-oauth-workflows/