A sophisticated Russian threat actor, tracked as UTA0355, has launched a targeted phishing campaign impersonating prestigious international security conferences to steal credentials from high-profile victims. A new report from Volexity details how the group creates polished, fake websites for events like the Belgrade Security Conference and the Brussels Indo-Pacific Dialogue to trick users into granting unauthorized access to their Microsoft 365 accounts.
Unlike typical spray-and-pray phishing, UTA0355 employs a patient, high-touch strategy. The attackers often establish contact weeks in advance, posing as event organizers or colleagues to build rapport. “No malicious content is shared, at first. Only later is a phishing link sent, once the targeted user has confirmed their interest,” the report explains.
To further the deception, the threat actor offers “live support” via messaging apps like WhatsApp and Signal. This hands-on approach allows them to guide victims through complex authentication steps while allaying suspicion. As the report puts it: “The effort required to create websites that mimic real-world events, impersonate individuals associated with those events, and contact users directly on messaging applications demonstrates that UTA0355 is a well-resourced and capable threat actor.”
The core of the attack exploits Microsoft’s OAuth and Device Code authentication workflows. Instead of stealing a password directly, the attackers trick users into authorizing a malicious application or device to access their account.
When a victim attempts to “register” for a conference on one of the fake sites (such as bsc2025[.]org), they are redirected to a legitimate Microsoft login page. However, the workflow is manipulated to generate an authentication token for the attacker.
“The ‘registration’ workflow for both the BIPD and BSC events is reminiscent of real-world authentication workflows, where users are asked to perform SSO against various services,” Volexity notes. Once the user authenticates, the attacker gains a persistent token, allowing them to access emails and files without needing the user’s password again.
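As an added, defender-side illustration (not code from the Volexity report or this article), the following Python check flags device-code sign-ins in Microsoft Entra ID sign-in logs, the workflow the article says UTA0355 abuses to obtain a token without the password. The field names follow the Microsoft Graph signIn resource (an assumption about the schema), and every record is a constructed sample.

```python
"""Flag device-code-flow sign-ins in Microsoft Entra ID sign-in logs.

Field names follow the Microsoft Graph signIn resource (an assumption
about the schema); every record below is constructed sample data.
"""
import json
from collections import defaultdict

# Constructed JSON-lines sample, not real telemetry.
SAMPLE_SIGNINS = """\
{"id":"s1","userPrincipalName":"a.researcher@example.org","appDisplayName":"Microsoft Office","authenticationProtocol":"authorizationCodeFlow","ipAddress":"198.51.100.10","location":{"countryOrRegion":"US"}}
{"id":"s2","userPrincipalName":"a.researcher@example.org","appDisplayName":"Microsoft Azure CLI","authenticationProtocol":"deviceCode","ipAddress":"203.0.113.7","location":{"countryOrRegion":"NL"}}
{"id":"s3","userPrincipalName":"dev.ops@example.org","appDisplayName":"Microsoft Office","authenticationProtocol":"authorizationCodeFlow","ipAddress":"198.51.100.22","location":{"countryOrRegion":"US"}}
{"id":"s4","userPrincipalName":"dev.ops@example.org","appDisplayName":"Microsoft Azure CLI","authenticationProtocol":"deviceCode","ipAddress":"198.51.100.22","location":{"countryOrRegion":"US"}}
"""


def parse_signins(text):
    """Parse JSON-lines sign-in records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def baseline_countries(signins):
    """Countries each user has signed in from with a non-device-code protocol."""
    seen = defaultdict(set)
    for s in signins:
        if s.get("authenticationProtocol") != "deviceCode":
            seen[s["userPrincipalName"]].add(s["location"]["countryOrRegion"])
    return seen


def flag_device_code(signins):
    """Return (sign-in id, severity) for every device-code sign-in.

    Device code flow is legitimate for CLI tools, so it is 'medium' by
    default and 'high' when the country was never seen in that user's
    other (non-device-code) sign-ins.
    """
    baseline = baseline_countries(signins)
    alerts = []
    for s in signins:
        if s.get("authenticationProtocol") != "deviceCode":
            continue
        country = s["location"]["countryOrRegion"]
        known = baseline.get(s["userPrincipalName"], set())
        alerts.append((s["id"], "high" if country not in known else "medium"))
    return alerts


if __name__ == "__main__":
    for sid, sev in flag_device_code(parse_signins(SAMPLE_SIGNINS)):
        print(f"{sid}: {sev}")
```

Tenants that have no business use for the device code flow can go further and block it outright with a Conditional Access policy, which turns every such sign-in into a hard failure rather than an alert.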
In a move that heightens the risk for organizations, UTA0355 has been observed using compromised accounts from within legitimate organizations to launch these attacks. “Using compromised accounts to send phishing content is a risky move for threat actors… [but] can lend credibility to an attack,” the report states.
This tactic makes the phishing emails nearly indistinguishable from legitimate correspondence, as they come from trusted domains and real individuals who may have previously corresponded with the victim.