
Volexity has identified a series of advanced social engineering operations by suspected Russian threat actors targeting Microsoft 365 (M365) OAuth authentication flows. The campaigns, which began in March 2025, represent a concerning evolution in phishing techniques—leveraging legitimate Microsoft authentication infrastructure to gain unauthorized access to victim accounts.
“Volexity is currently tracking what is believed to be at least two Russian threat actors, which it tracks as UTA0352 and UTA0355, that are behind these attacks,” the report states.
UTA0352 primarily uses secure messaging apps like Signal and WhatsApp to impersonate diplomats and government officials. Victims are invited to join fake video calls discussing sensitive topics—especially the conflict in Ukraine—and are sent Microsoft OAuth URLs as part of the ruse.

“The victim is asked to return the Microsoft-generated OAuth code back to the attacker… which ultimately allows access to the victim’s M365 account.”
In one example, targets received PDF instructions from the “Romanian Ministry of Foreign Affairs,” leading them to URLs like:
These links point to first-party Microsoft services, including Visual Studio Code, and are crafted so that the victim ends up holding an OAuth authorization code. Once the attacker obtains that code, it is exchanged for access tokens, providing full access to the victim’s M365 resources.
In these phishing flows, the attackers cleverly abuse legitimate features of Microsoft’s OAuth implementation. “Clicking the link alone would not be enough… The code would need to be supplied back to the attacker,” Volexity explains.
In one scenario, users were redirected to a VS Code interface designed to expose the OAuth code in the browser’s address bar or dialog window. This code, valid for up to 60 days, grants access to Microsoft Graph APIs, potentially exposing all emails, files, and collaboration data.
The second threat actor, UTA0355, used a more elaborate multi-stage approach. It started with emails sent from a compromised Ukrainian government account to NGOs and human rights advocates, followed by social engineering via messaging apps.
“This time, the campaign started with an email from a legitimate, compromised Ukrainian Government email account… followed by messages sent via Signal and WhatsApp.”
Instead of accessing Graph APIs directly, UTA0355 targeted the Device Registration Service in Microsoft Entra ID (formerly Azure AD), registering a new device to the victim’s identity.
After this, the attacker socially engineered the target to approve a 2FA request, giving full control over the email account. Post-compromise activity revealed the email contents were downloaded from the newly registered machine.
Volexity offers numerous recommendations to identify and mitigate these attacks:
- Alert on OAuth flows using client_id aebc6443-996d-45c2-90f0-388ff96faa56 with suspicious redirect URIs.
- Block access to insiders.vscode.dev and vscode-redirect.azurewebsites.net if feasible.
- Monitor for unusual device registrations in Microsoft Entra ID.
- Educate users about unsolicited contact through secure messaging apps.
- Implement conditional access policies restricting access to approved or managed devices.
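As an added example (not code from the Volexity report or this article), the following Python applies the first and third recommendations to a few constructed log records: it flags OAuth sign-ins that use the VS Code client_id with a redirect host that is blocked or not on an assumed organisational allowlist, and then flags device registrations that follow such a sign-in for the same user, the sequence attributed to UTA0355. The record shape, the sample users and the allowlist are assumptions, not Entra's real export schema.

```python
import json
from datetime import datetime, timedelta
from urllib.parse import urlparse

# client_id named in the article (the first-party Visual Studio Code app)
VSCODE_CLIENT_ID = "aebc6443-996d-45c2-90f0-388ff96faa56"
# Redirect hosts the article recommends blocking
BLOCKED_HOSTS = {"insiders.vscode.dev", "vscode-redirect.azurewebsites.net"}
# Org-defined allowlist of expected redirect hosts: an assumption for this example
ALLOWED_HOSTS = {"vscode.dev"}
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"

# Constructed sample events in a simplified shape (not Entra's real export schema)
SAMPLE_LOG = """
{"time": "2025-03-10T09:00:00Z", "type": "oauth_signin", "user": "a.diplomat@example.org", "client_id": "aebc6443-996d-45c2-90f0-388ff96faa56", "redirect_uri": "https://vscode.dev/redirect"}
{"time": "2025-03-12T14:05:00Z", "type": "oauth_signin", "user": "b.ngo@example.org", "client_id": "aebc6443-996d-45c2-90f0-388ff96faa56", "redirect_uri": "https://insiders.vscode.dev/redirect"}
{"time": "2025-03-12T14:40:00Z", "type": "device_registered", "user": "b.ngo@example.org", "device": "DESKTOP-NEW01"}
{"time": "2025-03-14T08:00:00Z", "type": "device_registered", "user": "c.staff@example.org", "device": "LAPTOP-IT"}
"""


def parse_events(text):
    """One JSON object per non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def suspicious_oauth(events):
    """VS Code client_id sign-ins whose redirect host is blocked or not allowlisted."""
    hits = []
    for e in events:
        if e.get("type") != "oauth_signin" or e.get("client_id") != VSCODE_CLIENT_ID:
            continue
        host = urlparse(e.get("redirect_uri", "")).hostname or ""
        if host in BLOCKED_HOSTS or host not in ALLOWED_HOSTS:
            hits.append(e)
    return hits


def device_registered_after_suspicious(events, window_hours=24):
    """Device registrations by a user within window_hours after one of their
    suspicious OAuth sign-ins, the sequence the article attributes to UTA0355."""
    seen = {}
    for e in suspicious_oauth(events):
        seen.setdefault(e["user"], []).append(datetime.strptime(e["time"], TIME_FMT))
    hits = []
    for e in events:
        if e.get("type") == "device_registered":
            t = datetime.strptime(e["time"], TIME_FMT)
            if any(timedelta(0) <= t - s <= timedelta(hours=window_hours)
                   for s in seen.get(e["user"], [])):
                hits.append(e)
    return hits
```

Against the constructed records, only the sign-in redirected to insiders.vscode.dev is flagged, and only the device registered 35 minutes later by that same user is correlated with it.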
Unlike conventional phishing that relies on fake websites or malware, these campaigns abuse first-party Microsoft infrastructure. The OAuth flow is technically legitimate, but users unknowingly grant attackers access by sharing sensitive tokens—a method harder to detect and even harder to defend against.
“The victim is only ever asked to interact with legitimate Microsoft 365 services, which users may inherently see as trustworthy,” Volexity warns.