Skip to content
July 12, 2026
  • Linkedin
  • Twitter
  • Facebook
  • Youtube

Daily CyberSecurity

Zero-hour alerts. Unmatched analysis.

Primary Menu
  • Home
  • CVE Data
    • CVE Watchtower
    • Top Exploited CVEs
    • CVE Stats by Vendor
    • Q2 2026 Report
  • Cyber Criminals
  • Data Leak
  • Linux
  • Malware
  • Vulnerability
  • Submit Press Release
  • Vulnerability Report
Light/Dark Button
  • Home
  • News
  • Cybercriminals
  • Russian Hackers Abuse Microsoft 365 OAuth in Sophisticated Phishing Attacks
  • Cybercriminals

Russian Hackers Abuse Microsoft 365 OAuth in Sophisticated Phishing Attacks

Do Son April 24, 2025 3 minutes read
0
OAuth Phishing Microsoft 365 OAuth

Image: Volexity

Add Daily CyberSecurity as a preferred source on Google

Volexity has identified a series of advanced social engineering operations by suspected Russian threat actors targeting Microsoft 365 (M365) OAuth authentication flows. The campaigns, which began in March 2025, represent a concerning evolution in phishing techniques—leveraging legitimate Microsoft authentication infrastructure to gain unauthorized access to victim accounts.

“Volexity is currently tracking what is believed to be at least two Russian threat actors, which it tracks as UTA0352 and UTA0355, that are behind these attacks,” the report states.

UTA0352 primarily uses secure messaging apps like Signal and WhatsApp to impersonate diplomats and government officials. Victims are invited to join fake video calls discussing sensitive topics—especially the conflict in Ukraine—and are sent Microsoft OAuth URLs as part of the ruse.

Initial outreach messages sent by UTA0352 impersonating various identities on Signal (left) and WhatsApp (right) | Image: Volexity 

“The victim is asked to return the Microsoft-generated OAuth code back to the attacker… which ultimately allows access to the victim’s M365 account.”

In one example, targets received PDF instructions from the “Romanian Ministry of Foreign Affairs,” leading them to URLs like:

https://login.microsoftonline.com/organizations/oauth2/v2.0/authorize?...&redirect_uri=https://insiders.vscode.dev/redirect

These links point to first-party Microsoft services, including Visual Studio Code, to extract OAuth authorization codes. Once obtained, these codes are exchanged for access tokens—providing full access to the victim’s M365 resources.

In these phishing flows, the attackers cleverly abuse legitimate features of Microsoft’s OAuth implementation. “Clicking the link alone would not be enough… The code would need to be supplied back to the attacker,” Volexity explains.

In one scenario, users were redirected to a VS Code interface designed to expose the OAuth code in the browser’s address bar or dialog window. This code, valid for up to 60 days, grants access to Microsoft Graph APIs, potentially exposing all emails, files, and collaboration data.

The second threat actor, UTA0355, used a more elaborate multi-stage approach. It started with emails sent from a compromised Ukrainian government account to NGOs and human rights advocates, followed by social engineering via messaging apps.

“This time, the campaign started with an email from a legitimate, compromised Ukrainian Government email account… followed by messages sent via Signal and WhatsApp.”

Instead of accessing Graph APIs directly, UTA0355 targeted the Device Registration Service in Microsoft Entra ID (formerly Azure AD), registering a new device to the victim’s identity.

After this, the attacker socially engineered the target to approve a 2FA request, giving full control over the email account. Post-compromise activity revealed the email contents were downloaded from the newly registered machine.

Volexity offers numerous recommendations to identify and mitigate these attacks:

  • Alert on OAuth flows using client_id aebc6443-996d-45c2-90f0-388ff96faa56 with suspicious redirect URIs.
  • Block access to insiders.vscode.dev and vscode-redirect.azurewebsites.net if feasible.
  • Monitor for unusual device registrations in Microsoft Entra ID.
  • Educate users about unsolicited contact through secure messaging apps.
  • Implement conditional access policies restricting access to approved or managed devices.

Unlike conventional phishing that relies on fake websites or malware, these campaigns abuse first-party Microsoft infrastructure. The OAuth flow is technically legitimate, but users unknowingly grant attackers access by sharing sensitive tokens—a method harder to detect and even harder to defend against.

“The victim is only ever asked to interact with legitimate Microsoft 365 services, which users may inherently see as trustworthy,” Volexity warns.

Related Posts:

  • Phishing for Profits: Attackers Mine Crypto & Spam Through OAuth Apps
  • Volexity: Indian APT hacker organization Patchwork target US think tanks
  • Massive XSS Threat: Millions of Websites Vulnerable via OAuth Flaw
  • Russian Hackers Exploit Microsoft Device Code Authentication in Targeted Attacks Against M365 Accounts

Get Zero-Hour Vulnerability Alerts

Critical CVEs, CVSS scores, and PoC updates — straight to your inbox every week.


We respect your inbox. Unsubscribe anytime.

Related coverage

  • HelloTDS Unmasked: Covert Traffic System Funnels Millions to FakeCaptcha Malware!
  • Industrialized Theft: GoldFactory Malware Hijacks Tax Season via Fake ‘Coretax’ Apps
  • Fake Receipts, Real Damage: Group-IB Uncovers Fraud-as-a-Service Empire Behind MaisonReceipts
  • Anatomy of an Attack: New Report Exposes Ukrainian Networks Fueling Global Brute-Force Campaigns
  • Larva-24005: Kimsuky’s Global Cyber Espionage Campaign Exploits RDP and Office Flaws
Track all actively exploited CVEs →

Support Our Threat Intelligence

If you find our CVE report and cybersecurity news helpful, consider supporting our work.

Buy Me a Coffee Logo Buy Me a Coffee PayPal
Crypto QR Code
USDT (TRC20):
TN8BdV8cp4T1Cd28gK9qTAnZknzzuwyUtm
USDT (ERC20):
0x3725e1a7d3bc5765499fa6aaafe307fabcd75bce

Share this article:

Facebook Post LinkedIn Telegram
Written by
@DdoS · Security Researcher

Do Son

Do Son is the Founder and Editor of SecurityOnline.info. Working in cybersecurity since 2013, he reports on vulnerabilities, malware, and emerging threats, providing timely analysis to help organizations and individuals stay ahead of evolving risks.

Tags: Account Takeover cyber-espionage cybersecurity Entra ID Microsoft 365 OAuth OAuth Abuse OAuth Phishing phishing Russian APT Russian threat actors social engineering UTA0352 UTA0355 Volexity

Leave a Reply Cancel reply

You must be logged in to post a comment.

Search

Translation

CVE WATCHTOWER
🚨

Receive alerts for vulnerabilities being exploited in the wild.

⚡

Get notified instantly when a Proof of Concept (PoC) exploit is published.

🔍

Access critical info on vulnerabilities even when marked as "RESERVED".

🧠

Insights powered by decades of expertise and global intelligence sources.

🎯

Customize alerts with up to 10 keywords for your specific tech stack.

📊

Export the raw CVE database for SIEM integration and reporting.

Upgrade Package

🚨 Active Exploits in the Wild

  • CVE-2026-1207CVSS 5.4
    An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. Raster lookups on...
    Admin intel📅 Updated: Jul 10, 2026
  • CVE-2026-48939CVSS 10.0
    A vulnerability in the iCagenda extension for Joomla allows the upload of arbitrary files in the file attachment...
    CISA KEV📅 Added to KEV: Jul 10, 2026
  • CVE-2026-56291CVSS 10.0
    The Joomla extension Balbooa Forms is vulnerable to an unauthenticated arbitrary file upload that allows uploading executable files...
    CISA KEV📅 Added to KEV: Jul 10, 2026
  • CVE-2026-55255CVSS 8.4
    Langflow is a tool for building and deploying AI-powered agents and workflows. Prior to 1.9.1, an Insecure Direct...
    CISA KEV📅 Added to KEV: Jul 7, 2026
  • CVE-2026-48908
    A vulnerability in SP Page Builder for Joomla allows unauthenticated users to upload arbitrary files, ultimately resulting in...
    CISA KEV📅 Added to KEV: Jul 7, 2026
  • CVE-2026-56290
    The Joomla extension Page Builder CK is vulnerable to an unauthenticated arbitrary file upload that allows uploading executable...
    CISA KEV📅 Added to KEV: Jul 7, 2026
  • CVE-2026-20896CVSS 9.8
    Gitea Docker image: `REVERSE_PROXY_TRUSTED_PROXIES = *` default lets any source IP impersonate any user via `X-WEBAUTH-USER`
    Admin intel📅 Updated: Jul 6, 2026
  • CVE-2026-48282CVSS 10.0
    ColdFusion versions 2025.9, 2023.20 and earlier are affected by an Improper Limitation of a Pathname to a Restricted...
    Admin intelCISA KEV📅 Added to KEV: Jul 7, 2026📅 Updated: Jul 3, 2026
Powered by CVE Watchtower

🔴 Live Critical Threats

  • CVE-2026-56271CVSS 9.8
    Flowise before 3.1.0 (affected versions 3.0.13 and earlier) uses weak hardcoded default...
  • CVE-2026-56260CVSS 9.1
    Crawl4AI before 0.8.7 contains an arbitrary file write vulnerability in the Docker...
  • CVE-2026-61447CVSS 10.0
    PraisonAI before 1.6.78 contains a remote code execution vulnerability in CodeAgent._execute_python() that...
  • CVE-2026-61445CVSS 9.9
    PraisonAI before 4.6.78 contains arbitrary file write and command execution vulnerabilities in...
  • CVE-2026-60090CVSS 9.8
    PraisonAI before 4.6.78 fails to validate the caller-controlled dimension argument in the...
  • CVE-2026-57827CVSS 10.0
    The Joomla extension RSFiles is vulnerable to an unauthenticated arbitrary file upload...
  • CVE-2026-57828CVSS 9.0
    The Joomla extension Phoca Downloads is vulnerable to an authenticated arbitrary file...
  • CVE-2026-14480CVSS 9.9
    OpenPLC Runtime v3 contains an authenticated arbitrary file write vulnerability in the...
  • CVE-2026-20744CVSS 9.8
    The charging station websocket endpoint accepts connections without proper authentication, which could...
  • CVE-2026-57807CVSS 9.8
    Authentication Bypass Using an Alternate Path or Channel vulnerability in miniOrange Security...
Powered by CVE WATCHTOWER

Our Websites
  • Penetration Testing Tools
  • The Daily Information Technology
  • Top Exploited CVEs
  • Daily CyberSecurity

    • About SecurityOnline.info
    • Advertise with us
    • Announcement
    • Contact
    • Contributor Register
    • Login
    • Disclaimer
    • DCMA
    • Privacy Policy
    • About SecurityOnline.info
    • Advertise on SecurityOnline.info
    • Contact Us

    When you purchase through links on our site, we may earn an affiliate commission. Here’s how it works

    • CVE Watchtower
    • CVE Statistics by Vendor 2026
    • Q2 2026 Report
    • Top Exploited CVEs
    • Linkedin
    • Twitter
    • Facebook
    • Youtube
    © 2017 - 2026 Daily CyberSecurity. All Rights Reserved.