Volexity has identified a series of advanced social engineering operations by suspected Russian threat actors targeting Microsoft 365 (M365) OAuth authentication flows. The campaigns, which began in March 2025, represent a concerning evolution in phishing techniques: they leverage legitimate Microsoft authentication infrastructure to gain unauthorized access to victim accounts.
"Volexity is currently tracking what is believed to be at least two Russian threat actors, which it tracks as UTA0352 and UTA0355, that are behind these attacks," the report states.
UTA0352 primarily uses secure messaging apps like Signal and WhatsApp to impersonate diplomats and government officials. Victims are invited to join fake video calls discussing sensitive topics, especially the conflict in Ukraine, and are sent Microsoft OAuth URLs as part of the ruse.

"The victim is asked to return the Microsoft-generated OAuth code back to the attacker… which ultimately allows access to the victim's M365 account."
In one example, targets received PDF instructions from the “Romanian Ministry of Foreign Affairs,” leading them to URLs like:
These links point to first-party Microsoft services, including Visual Studio Code, to extract OAuth authorization codes. Once obtained, these codes are exchanged for access tokens, providing full access to the victim's M365 resources.
In these phishing flows, the attackers cleverly abuse legitimate features of Microsoft's OAuth implementation. "Clicking the link alone would not be enough… The code would need to be supplied back to the attacker," Volexity explains.
In one scenario, users were redirected to a VS Code interface designed to expose the OAuth code in the browser's address bar or dialog window. This code, valid for up to 60 days, grants access to Microsoft Graph APIs, potentially exposing all emails, files, and collaboration data.
The second threat actor, UTA0355, used a more elaborate multi-stage approach. It started with emails sent from a compromised Ukrainian government account to NGOs and human rights advocates, followed by social engineering via messaging apps.
"This time, the campaign started with an email from a legitimate, compromised Ukrainian Government email account… followed by messages sent via Signal and WhatsApp."
Instead of accessing Graph APIs directly, UTA0355 targeted the Device Registration Service in Microsoft Entra ID (formerly Azure AD), registering a new device to the victim's identity.
After this, the attacker socially engineered the target to approve a 2FA request, giving full control over the email account. Post-compromise activity revealed the email contents were downloaded from the newly registered machine.
Volexity offers numerous recommendations to identify and mitigate these attacks:
- Alert on OAuth flows using client_id aebc6443-996d-45c2-90f0-388ff96faa56 with suspicious redirect URIs.
- Block access to insiders.vscode.dev and vscode-redirect.azurewebsites.net if feasible.
- Monitor for unusual device registrations in Microsoft Entra ID.
- Educate users about unsolicited contact through secure messaging apps.
- Implement conditional access policies restricting access to approved or managed devices.
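The first and third recommendations can be turned into a simple triage pass over sign-in and device-registration records. The following is an added example, not code from Volexity or from the report; the event field names and the sample records are constructed for the example, not a real Entra ID log schema, and only the client_id and the two redirect hosts come from the recommendations above.

```python
from urllib.parse import urlparse

# client_id and redirect hosts named in the recommendations above
VSCODE_CLIENT_ID = "aebc6443-996d-45c2-90f0-388ff96faa56"
WATCHED_REDIRECT_HOSTS = {"insiders.vscode.dev", "vscode-redirect.azurewebsites.net"}

# Constructed sample events; field names are assumptions, not a real Entra ID log schema.
SAMPLE_EVENTS = [
    {"ts": "2025-03-20T09:02:11Z", "user": "a.user@example.org", "type": "signin",
     "app_id": VSCODE_CLIENT_ID, "redirect_uri": "https://insiders.vscode.dev/redirect"},
    {"ts": "2025-03-20T09:05:40Z", "user": "b.user@example.org", "type": "signin",
     "app_id": "00000000-0000-0000-0000-00000000c0de",  # constructed unrelated app id
     "redirect_uri": "https://outlook.example.net/signin"},
    {"ts": "2025-03-20T09:07:03Z", "user": "c.user@example.org", "type": "signin",
     "app_id": VSCODE_CLIENT_ID.upper(), "redirect_uri": "https://vscode-redirect.azurewebsites.net/"},
    {"ts": "2025-03-21T14:30:00Z", "user": "a.user@example.org", "type": "device_registration",
     "device_id": "dev-9f1c"},
    {"ts": "2025-03-21T14:31:00Z", "user": "b.user@example.org", "type": "device_registration",
     "device_id": "dev-0001"},
]
# Devices already enrolled for each user before the review window (constructed).
KNOWN_DEVICES = {"a.user@example.org": {"dev-0007"}, "b.user@example.org": {"dev-0001"}}

def flag_oauth_signin(event):
    """Reason string if a sign-in uses the VS Code client_id with a watched redirect host."""
    if event.get("type") != "signin" or event.get("app_id", "").lower() != VSCODE_CLIENT_ID:
        return None
    host = (urlparse(event.get("redirect_uri", "")).hostname or "").lower()
    if host in WATCHED_REDIRECT_HOSTS:
        return f"VS Code client_id with watched redirect host {host}"
    return None

def flag_device_registration(event, known_devices):
    """Reason string if a registration adds a device not previously seen for that user."""
    if event.get("type") != "device_registration":
        return None
    if event.get("device_id") not in known_devices.get(event.get("user"), set()):
        return f"new device {event['device_id']} registered for {event['user']}"
    return None

def triage(events, known_devices):
    """(ts, user, reason) for every event matching either pattern, in log order."""
    alerts = []
    for event in events:
        reason = flag_oauth_signin(event) or flag_device_registration(event, known_devices)
        if reason:
            alerts.append((event["ts"], event["user"], reason))
    return alerts
```

Matching on the client_id is deliberately case-insensitive, and a device is only flagged when it is absent from the user's prior inventory, so a re-registration of an already enrolled device stays quiet.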
Unlike conventional phishing that relies on fake websites or malware, these campaigns abuse first-party Microsoft infrastructure. The OAuth flow is technically legitimate, but users unknowingly grant attackers access by sharing sensitive tokens, a method harder to detect and even harder to defend against.
"The victim is only ever asked to interact with legitimate Microsoft 365 services, which users may inherently see as trustworthy," Volexity warns.