Summary: Russian threat actors are exploiting OAuth 2.0 workflows to compromise Microsoft 365 accounts of individuals connected to Ukraine and human rights. They impersonate European officials and communicate through secure messaging apps to trick users into revealing sensitive authentication codes. Cybersecurity firm Volexity has identified two distinct campaigns attributed to these attackers, labeled UTA0352 and UTA0355, and outlined how their phishing attacks operate.
Affected: Microsoft 365 accounts in organizations related to Ukraine and human rights
Key points:
- Threat actors impersonate officials and use messaging platforms to obtain OAuth authorization codes.
- Attackers send phishing URLs under the guise of joining video calls to collect login credentials.
- Volexity recommends creating alerts for logins via Visual Studio Code and restricting access to specific domains to mitigate these attacks.
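One way to act on the Visual Studio Code sign-in alerting recommendation, as an added example that is not from Volexity or the original page: a filter over exported Entra ID sign-in records that reports successful Visual Studio Code sign-ins by users not expected to use it. Field names follow the Microsoft Graph signIn resource; the display-name match, the `expected_users` allowlist, and all sample records are assumptions constructed for illustration.

```python
import json
from collections import defaultdict

# Constructed sample export, one JSON record per line. Field names follow the
# Microsoft Graph signIn resource; every value here is made up.
SAMPLE_LOG = """\
{"createdDateTime":"2025-04-01T09:12:03Z","userPrincipalName":"dev1@example.org","appDisplayName":"Visual Studio Code","ipAddress":"198.51.100.7","status":{"errorCode":0}}
{"createdDateTime":"2025-04-02T14:30:00Z","userPrincipalName":"analyst@example.org","appDisplayName":"Visual Studio Code","ipAddress":"203.0.113.9","status":{"errorCode":0}}
{"createdDateTime":"2025-04-02T14:05:11Z","userPrincipalName":"Analyst@example.org","appDisplayName":"Visual Studio Code","ipAddress":"203.0.113.50","status":{"errorCode":0}}
{"createdDateTime":"2025-04-02T14:40:00Z","userPrincipalName":"analyst@example.org","appDisplayName":"Office 365 Exchange Online","ipAddress":"203.0.113.9","status":{"errorCode":0}}
{"createdDateTime":"2025-04-03T08:00:00Z","userPrincipalName":"staff@example.org","appDisplayName":"Visual Studio Code","ipAddress":"192.0.2.44","status":{"errorCode":50126}}
{"createdDateTime":"2025-04-03T15:00:00Z","userPrincipalName":
"""

VSCODE_APP_NAME = "Visual Studio Code"  # assumption: app display name as logged

def flag_vscode_signins(log_text, expected_users=frozenset()):
    """Return one alert per unexpected user with a successful VS Code sign-in."""
    allowed = {u.lower() for u in expected_users}
    hits = defaultdict(list)
    for line in log_text.splitlines():
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip blank or truncated export lines instead of aborting
        if (rec.get("appDisplayName") or "").casefold() != VSCODE_APP_NAME.casefold():
            continue
        if (rec.get("status") or {}).get("errorCode") != 0:
            continue  # errorCode 0 is a successful sign-in; failures issue no token
        user = (rec.get("userPrincipalName") or "").lower()
        if user not in allowed:
            hits[user].append(rec)
    alerts = []
    for user, recs in sorted(hits.items()):
        recs.sort(key=lambda r: r.get("createdDateTime", ""))
        alerts.append({
            "user": user,
            "first_seen": recs[0].get("createdDateTime", ""),
            "count": len(recs),
            "ips": sorted({r.get("ipAddress", "") for r in recs}),
        })
    return alerts

if __name__ == "__main__":
    for alert in flag_vscode_signins(SAMPLE_LOG, {"dev1@example.org"}):
        print(alert)
```

Users in roles that never need a code editor tied to their Microsoft 365 identity are the ones to leave off the allowlist, so that any Visual Studio Code sign-in for them is reviewed.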